Unsung (And Under-Sung) Heroes Of Security

Published: 22/11/2024   Category: security




You've heard of the cybersecurity rock stars, but there are plenty of other major contributors to the industry who deserve kudos. In celebration of Dark Reading's 10th anniversary, meet a few of these folks.



Even when it was tiny, the cybersecurity field had no shortage of big personalities. When the industry was altered by a new, outstanding piece of work, sometimes it would also herald the birth of a new security rock star (who might also be an outstanding piece of work).
Other times, the people who carried out tremendous feats go largely unrecognized by history, even as their work lives on. Brilliant discoveries and creations. Better ways of doing the same old thing. Or simply the support or mentorship someone needed to do those revolutionary things.
Here are just a handful of the people who've made big impacts on information security, who we feel haven't gotten quite enough credit from security professionals. Some of them we doubt you'll know. Others you may recognize, but we wouldn't call them household names, not even if we were only counting the nerdiest of homes.
However, you most definitely know their work.
 
The Team That Discovered Cross-site Scripting
Back when most people in IT were obsessed with Y2K -- now just a sidebar in the history books -- a team of security researchers at Microsoft and elsewhere gave a name to something that would have a far longer, far darker life: cross-site scripting.
XSS is still a security nightmare, ranked number three on the latest OWASP Top 10 Web Application Vulnerabilities List. Although it's Microsoft Security Research that claims credit for picking the common name, there's a longer list of contributors who are officially credited in CERT's original advisory, which recorded the issue as "malicious HTML tags embedded in client Web requests." Credit goes to Marc Slemko, Apache Software Foundation member; Iris Associates; iPlanet; the Microsoft Security Response Center; the Microsoft Internet Explorer Security Team; and Microsoft Research.
 
Jeff Forristal
If there is a vulnerability class that is perhaps more pernicious than cross-site scripting, it would have to be injection attacks -- currently reigning at number 1 on the OWASP Top 10. And the Big Daddy of them all, of course, is SQL injection.
The world learned about SQL injection in 1998 thanks to Jeff Forristal, then known more commonly as rain.forest.puppy. Forristal went on to be among the leaders in establishing responsible disclosure policies, and made his mark on everything from web apps to mobile and physical device security. He's now CTO of Bluebox Security.
 
Shari Steele, John Perry Barlow, John Gilmore, & The Whole EFF Crew
 
All the way back in 1990, two concerned citizens -- Sun Microsystems employee John Gilmore and poet/essayist/lyricist/cattle rancher John Perry Barlow -- came to the legal aid of a man they felt was being wronged by the US Secret Service's electronic surveillance practices. From there, the Electronic Frontier Foundation (EFF) was born.
Since then, the attorneys and staff at EFF have made it their job to know the ins and outs of every technology, online privacy, cybersecurity, and surveillance law the world can throw at us.
Shari Steele came on board early, serving as legal director for eight years, executive director for 15 years, and now board member. She led the way on some of the issues that hit infosec pros closest to home -- advising the US Sentencing Commission on sentencing guidelines for the Computer Fraud and Abuse Act, and the National Research Council on US encryption policy.
 
Special Agent Elliott Peterson & The Rest Of The Operation Tovar Crew 
The disruption of CryptoLocker and the GameOver Zeus botnet in spring 2014 -- dubbed Operation Tovar by law enforcement -- was revolutionary, because it created a brand new model for the way organized cybercrime groups are taken down.
It was remarkable for two reasons. First, law enforcement made it a higher priority to disrupt and dismantle the cybercriminals' infrastructure than to capture the criminals themselves; they made only one indictment. Second, the effort was an enormous collaboration between public and private entities in many countries.
Special Agent Elliott Peterson of the FBI was one key member of the team that led the operation, but certainly everyone involved in uniting the forces of good across 11 countries deserves accolades.
 
John Reed & Citigroup's Executive Team In The Mid-90s
You might have heard of Steve Katz, the world's first CISO. But how about a shout-out for the people who had the idea of hiring him in the first place?
As Katz explained to Tom Field of Bank Info Security, he was working for JP Morgan in the mid-1990s when another financial services organization, Citigroup, experienced a security incident. (This was back when such things were taboo and kept very hush-hush.)
Citigroup CEO John Reed put together a committee of executives, which, according to Katz, realized that security was not just a technological issue but a business issue. They created the position of chief information security officer (CISO), and after months of interviews, Katz landed the job, with support from Citi that was "absolutely incredible."
 
The US Postal Service (!)
When sifting through applicants for new information security staff, employers often look for five letters: CISSP. 
ISC(2) created the CISSP certification back in the early 90s, but if it hadn't been for a timely influx of cash from the US Postal Service, it might never have survived to become what it is today. As Harold "Hal" Tipton explained in an ISC(2) interview
 
Carey Nachenberg
Hardly any security products have made it to household name status, but Norton Antivirus indubitably has. Norton's co-creator Carey Nachenberg -- now Symantec's senior-most engineer -- is also a name you should know.
In addition to Norton AV, Nachenberg conceived Symantec Insight, the industry's first reputation-based endpoint security tool. He also holds a whopping 85 patents.
Steve Christey Coley
Researchers love to dig up vulnerabilities -- tens of thousands of them. Left to themselves, vuln researchers might treat bugs much like kids treat toys -- have unreasonable arguments about whose were the coolest, then lose track of them entirely once they got a bit old.
Someone needs to bring order to this chaos, and create systems for prioritizing, rating, and cataloguing these bugs. Steve Christey Coley has been one of the foremost of these appsec entomologists. He was co-creator and editor of the Common Vulnerabilities and Exposures (CVE) list and chair of the CVE editorial board for 16 years. He was technical lead for CWE and the Common Weakness Scoring System (CWSS), and an active contributor to related community-driven efforts like CVSS and CVRF.
Now taking on the next frontier in infosec challenges, Coley is a principal information security engineer at The MITRE Corporation, supporting the FDA's Center for Devices and Radiological Health in its efforts to improve medical device security.