A garbled pager message was how Caleb Sima learned that he had landed his first interview for a security position. It was the mid-'90s, before online job sites – when job boards were all the rage and pagers, not iPhones, served as personal mobile communicators.
Sima, then a teenager, had spotted a job opening for a security engineer at a company called SecurityFirst in Atlanta. "It was super-unusual. Nobody had positions called 'security'" then, he recalls. Sima's pager had broken, so the callback number didn't display fully on the device. As a result, he had to painstakingly dig through his call logs to find the phone number to respond and set up the interview.
He got the job, where his main responsibility was firewall management for the company's data center. It was there he got his hands on the intrusion detection system (IDS) tool RealSecure by Internet Security Systems (ISS). "I was constantly finding ways to bypass it. I was on the phone with ISS all the time with their engineering team," he recalls.
ISS (now part of IBM) eventually hired Sima, where his first position was on the quality assurance team. A few months later, he was recruited to ISS's elite X-Force white-hat hacking team. Of note, he was only 17 years old. Sima, who had dropped out of high school during the Internet boom, says ISS became his real-world school. "There were guys sitting in a room reverse-engineering software, and I was writing code for signatures, finding exploits, and all of the rest of that stuff," he says.
This was where the renowned pioneer of Web application security first started finding security holes in Web applications. Web pen testing wasn't really a thing yet in the mid- to late-'90s, so Sima and his colleagues were charting new territory.
"I started finding SQL injection before they called it [that]," Sima says.
In one of his first pen-test engagements, he was able to gain admin access to the Web server – with less than a day of hacking. "There was a login form only, nothing else, so that was the only thing I could target," Sima recalls.
But he hit the mother lode after noticing the Web page source included a thread of comments between the Web admin and developer that showed the admin page information. "I was like, 'Holy crap, who puts that stuff in Web pages?" he recalls. So he got admin access and uploaded his own scripts to the server.
During a client pen-testing engagement for ISS at BellSouth, Sima demonstrated to the head of security how an attacker could hack into the company's website and grab customer information, such as billing. BellSouth was sold and wanted Sima to create a tool. Sima recalls the manager's reaction: "'Dude, you need to make a product that automates that stuff; I would buy it.'"
With the blessing of ISS, Sima built the Web testing tool as a freelance project for the former regional telco. He made $20,000.
Sima took the basic automated scripts he had and then rolled them into an automated hacking tool that ultimately evolved into his first commercial product, WebInspect, and the core of his first startup, SPI Dynamics. "At first it was just me working on this thing with scripts and doing consulting on my own to bring in cash," he says of his startup's early days. He later brought in his co-founders, Brian Christian and Wade Malone, to officially launch the company.
"No one would give us money" at first, he says. The team worked out of a dingy, one-room office located behind a strip club in downtown Atlanta. "We would find needles, bullet-shell casings in the parking lot," he says, and they'd see cops on stakeouts there during the day. "We couldn't pay the bills at times."
But by 2002, SPI Dynamics finally began to take off and raise capital. In 2007 the company was acquired by HP, which had been competing with IBM for a Web app-scanning tool purchase. Sima became chief technologist for HP's Application Security Center, where he headed up its security solutions and led development of a cloud-based security service.
His flair for demonstrating website vulnerabilities shocked a few HP software employees during a presentation he gave for them. Sima showed how he could hack into the HP Expense and HR system via a Web application. "I could get all the execs' comp; I was able to [theoretically] fire or give them raises," he says. Of course, "I blacked out the comp information," he adds, and had received permission from management beforehand for the demo he hoped would help hit home the importance of Web security.
Sima once even hacked into his dentist office's Internet kiosk via a cross-site scripting (XSS) flaw to show how he could pivot into sensitive systems. "I pointed out to my dentist office that I was able to get access to the patient records through their kiosk via XSS," he told Dark Reading in a 2007 interview.
After three years at HP, Sima departed for code analysis firm Armorize and, later, CodeSecure, where he served as CEO for over a year.
All that was missing from Sima's resume was an enterprise gig. That came in 2016, when he joined Capital One as its managing vice president of cybersecurity. Frustrated that there were too many security startups flooding the market and spreading hype, he saw the Capital One position as an opportunity to get up close and dig into the actual problems organizations were facing with security. Vendors don't typically know the whole picture of security challenges companies face, he says.
Among the projects Sima spearheaded at the bank was a vendor relationship program aimed at streamlining and improving communications with security vendors pitching their wares. Not surprisingly, large organizations such as Capital One get inundated with vendor pitches and contacts. Among the requirements of the project: that vendors in their initial outreach give an elevator pitch about their products and the problems they solve, as well as a video link to a demo. Then the bank would respond quickly regarding whether to set up a meeting.
It provided the firm with basic "rules of engagement" for vendors: "If you want to pitch to us, here's what I need from you," Sima explains.
As part of the process, Sima also helped set up at Capital One a "cyber test kitchen," a designated test lab for the proof-of-concept phase of testing vendor products by the security teams assigned to certain vendor products.
Sima left Capital One last November. "I was traveling two weeks out of the month" between his home in San Francisco and the company's home offices in the Washington, D.C., area, he says. "My daughter was born, and I said, 'I gotta call it.'"
In the Real Kitchen
Sima has since moved from the cyber test kitchen to a side business out of his real kitchen (not to mention he completed Harvard Biz School's Program for Leadership Development). He's currently teaming with his wife – famed chef Kathy Fang – to launch a new baby-food business that evolved out of Fang's personal experience of making her own baby food for their eight-month-old daughter Ava. Fang, head chef and owner of Fang restaurant in San Francisco, had been making her own baby food for Ava for a healthier and broader palate option than commercial baby foods. "We started like many parents, buying our vegetables ... blending and turning them into puree that you would freeze and melt and feed to your baby," Sima says.
After watching a chef on a cooking show freeze-dry a ramen broth that maintained both the taste and nutrients, Fang, who also holds a champion title on the Food Network's popular "Chopped" series, decided to test the process out on her homemade baby food. It worked, and the couple started carrying the freeze-dried powder food with them on outings and social events with Ava. Their friends began asking Fang if they could buy the freeze-dried meals, which are prepared with warm water or breast milk.
"Now it's in demand," Sima says of the baby food, which has names like "My Sweet Pea" (sugar snap peas, baby spinach, and baby kale), "Goldilocks Chicken Porridge" (chicken breast broth, koshihikari rice), and "Smashing Pumpkins" (kabocha, pumpkin, and carrots). The couple is in the process of setting up the new side business.
Even for a veteran entrepreneur like Sima, doing so has been a whole new experience, including meeting with a food lawyer (yes, there is such thing). "What are the laws with baby food, getting a co-packer, what it looks like to scale" and how to get licenses are some of the legal issues, he says.
He's also helping security startups. Sima, CEO and co-founder of Bluebox Security, currently serves on the board of pen-testing-as-a-service firm Cobalt.io. In addition, he is working with venture capital firms as well as what he describes as an "offensive wireless gig" for a client using a product he built "that's not quite public yet."
Sima has some unfinished business in enterprise security, though. "I want to go back to the enterprise side again. I feel like there's more for me to learn," he says.
First hack: Figuring out how to run the first version of Doom on only 2MB of RAM by not loading the audio driver.
What Sima's co-workers don't know about him that would surprise them: I have the entire dialogue for the first "Ace Ventura" movie memorized.
Security must-haves: Single sign-on and the sentry from the first "Robocop" movie.
Fun fact: I could walk into a kitchen at a Long John Silver's today and immediately be their best cook.
On the state of WebAppSec: I don't think it's evolved that much at all.
Quotable: I was never a foodie, and I'm still not a foodie.
Comfort food: Portuguese sausage, scrambled eggs, and rice-spam musubi.
In his music playlist right now: Tool, Korn, Disturbed, Linkin Park
Ride: Electric scooters until SF decided to ban them.
R&R: Playing with my daughter!
Next career: Bartender at a bar on the beach.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.