
What's Cooking With Caleb Sima

Security Pro File: Web app security pioneer dishes on his teenage security career, his love of electric scooters, Ace Ventura - and a new baby food business venture with his wife and famed chef, Kathy Fang.

A garbled pager message was how Caleb Sima learned that he had landed his first interview for a security position. It was the mid-'90s, before online job sites – when job boards were all the rage and pagers, not iPhones, served as personal mobile communicators.

Sima, then a teenager, had spotted a job opening for a security engineer at a company called SecurityFirst in Atlanta. "It was super-unusual. Nobody had positions called 'security'" then, he recalls. Sima's pager had broken, so the callback number didn't display fully on the device. As a result, he had to painstakingly dig through his call logs to find the phone number to respond and set up the interview.

He got the job, where his main responsibility was firewall management for the company's data center. It was there he got his hands on the intrusion detection system (IDS) tool RealSecure by Internet Security Systems (ISS). "I was constantly finding ways to bypass it. I was on the phone with ISS all the time with their engineering team," he recalls.

ISS (now part of IBM) eventually hired Sima, where his first position was on the quality assurance team. A few months later, he was recruited to ISS's elite X-Force white-hat hacking team. Of note, he was only 17 years old. Sima, who had dropped out of high school during the Internet boom, says ISS became his real-world school. "There were guys sitting in a room reverse-engineering software, and I was writing code for signatures, finding exploits, and all of the rest of that stuff," he says.

This was where the renowned pioneer of Web application security first started finding security holes in Web applications. Web pen testing wasn't really a thing yet in the mid- to late-'90s, so Sima and his colleagues were charting new territory.

"I started finding SQL injection before they called it [that]," Sima says.

In one of his first pen-test engagements, he was able to gain admin access to the Web server – with less than a day of hacking. "There was a login form only, nothing else, so that was the only thing I could target," Sima recalls.

But he hit the mother lode after noticing that the Web page source included a thread of comments between the Web admin and the developer that revealed the admin page information. "I was like, 'Holy crap, who puts that stuff in Web pages?'" he recalls. So he got admin access and uploaded his own scripts to the server.

During a client pen-testing engagement for ISS at BellSouth, Sima demonstrated to the head of security how an attacker could hack into the company's website and grab customer information, such as billing. BellSouth was sold on the idea and wanted Sima to create a tool. Sima recalls the manager's reaction: "'Dude, you need to make a product that automates that stuff; I would buy it.'"

With the blessing of ISS, Sima built the Web testing tool as a freelance project for the former regional telco. He made $20,000.

Sima took the basic automated scripts he had and then rolled them into an automated hacking tool that ultimately evolved into his first commercial product, WebInspect, and the core of his first startup, SPI Dynamics. "At first it was just me working on this thing with scripts and doing consulting on my own to bring in cash," he says of his startup's early days. He later brought in his co-founders, Brian Christian and Wade Malone, to officially launch the company.

"No one would give us money" at first, he says. The team worked out of a dingy, one-room office located behind a strip club in downtown Atlanta. "We would find needles, bullet-shell casings in the parking lot," he says, and they'd see cops on stakeouts there during the day. "We couldn't pay the bills at times." 

But by 2002, SPI Dynamics finally began to take off and raise capital. In 2007 the company was acquired by HP, which had been competing with IBM for a Web app-scanning tool purchase. Sima became chief technologist for HP's Application Security Center, where he headed up its security solutions and led development of a cloud-based security service.

His flair for demonstrating website vulnerabilities shocked a few HP software employees during a presentation he gave for them. Sima showed how he could hack into the HP Expense and HR system via a Web application. "I could get all the execs' comp; I was able to [theoretically] fire or give them raises," he says. Of course, "I blacked out the comp information," he adds, and had received permission from management beforehand for the demo he hoped would help hit home the importance of Web security.

Sima once even hacked into his dentist office's Internet kiosk via a cross-site scripting (XSS) flaw to show how he could pivot into sensitive systems. "I pointed out to my dentist office that I was able to get access to the patient records through their kiosk via XSS," he told Dark Reading in a 2007 interview.

After three years at HP, Sima departed for code analysis firm Armorize and, later, CodeSecure, where he served as CEO for over a year.

Enterprise Bug
All that was missing from Sima's resume was an enterprise gig. That came in 2016, when he joined Capital One as its managing vice president of cybersecurity. Frustrated that there were too many security startups flooding the market and spreading hype, he saw the Capital One position as an opportunity to get up close and dig into the actual problems organizations were facing with security. Vendors don't typically know the whole picture of security challenges companies face, he says.

Among the projects Sima spearheaded at the bank was a vendor relationship program aimed at streamlining and improving communications with security vendors pitching their wares. Not surprisingly, large organizations such as Capital One get inundated with vendor pitches and contacts. Among the requirements of the project: that vendors in their initial outreach give an elevator pitch about their products and the problems they solve, as well as a video link to a demo. Then the bank would respond quickly regarding whether to set up a meeting.

It provided the firm with basic "rules of engagement" for vendors: "If you want to pitch to us, here's what I need from you," Sima explains.

As part of the process, Sima also helped set up a "cyber test kitchen" at Capital One: a designated test lab where the security teams assigned to a given vendor's product ran its proof-of-concept evaluation.

Sima left Capital One last November. "I was traveling two weeks out of the month" between his home in San Francisco and the company's home offices in the Washington, D.C., area, he says. "My daughter was born, and I said, 'I gotta call it.'"

In the Real Kitchen
Sima has since moved from the cyber test kitchen to a side business out of his real kitchen (not to mention that he completed Harvard Business School's Program for Leadership Development). He's currently teaming with his wife – famed chef Kathy Fang – to launch a new baby-food business that evolved out of Fang's personal experience of making her own baby food for their eight-month-old daughter Ava. Fang, head chef and owner of Fang restaurant in San Francisco, had been making her own baby food for Ava as a healthier option with a broader range of flavors than commercial baby foods. "We started like many parents, buying our vegetables ... blending and turning them into puree that you would freeze and melt and feed to your baby," Sima says.

After watching a chef on a cooking show freeze-dry a ramen broth that maintained both the taste and nutrients, Fang, who also holds a champion title on the Food Network's popular "Chopped" series, decided to test the process out on her homemade baby food. It worked, and the couple started carrying the freeze-dried powder food with them on outings and social events with Ava. Their friends began asking Fang if they could buy the freeze-dried meals, which are prepared with warm water or breast milk.

"Now it's in demand," Sima says of the baby food, which has names like "My Sweet Pea" (sugar snap peas, baby spinach, and baby kale), "Goldilocks Chicken Porridge" (chicken breast broth, koshihikari rice), and "Smashing Pumpkins" (kabocha, pumpkin, and carrots). The couple is in the process of setting up the new side business.

Even for a veteran entrepreneur like Sima, doing so has been a whole new experience, including meeting with a food lawyer (yes, there is such a thing). "What are the laws with baby food, getting a co-packer, what it looks like to scale" and how to get licenses are some of the legal issues, he says.

He's also helping security startups. Sima, CEO and co-founder of Bluebox Security, currently serves on the board of pen-testing-as-a-service firm Cobalt.io. In addition, he is working with venture capital firms as well as what he describes as an "offensive wireless gig" for a client using a product he built "that's not quite public yet."

Sima has some unfinished business in enterprise security, though. "I want to go back to the enterprise side again. I feel like there's more for me to learn," he says.


First hack: Figuring out how to run the first version of Doom on only 2MB of RAM by not loading the audio driver.

What Sima's co-workers don't know about him that would surprise them: I have the entire dialogue for the first "Ace Ventura" movie memorized.

Security must-haves: Single sign-on and the sentry from the first "Robocop" movie.

Fun fact: I could walk into a kitchen at a Long John Silver's today and immediately be their best cook.

On the state of WebAppSec: I don't think it's evolved that much at all.

Quotable: I was never a foodie, and I'm still not a foodie.

Comfort food: Portuguese sausage, scrambled eggs, and rice-spam musubi.

In his music playlist right now: Tool, Korn, Disturbed, Linkin Park.

Ride: Electric scooters until SF decided to ban them.

R&R: Playing with my daughter!

Next career: Bartender at a bar on the beach.





Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Moderator
7/17/2018 | 4:46:15 AM
Re: Great Story!
This is how we can get to know that technology has evolved. Security risks have grown, and thus there is a need for security experts who are more proficient in the field. Back then, this wasn't a major concern, so the job scope of such personnel did not really entail that much. Today, everyone is afraid and is concerned about the security of their online activities, and it is a market that needs professionals.
Joe F.,
User Rank: Apprentice
7/12/2018 | 11:49:05 PM
Great Story!
I had the privilege of working with Caleb when he was with Armorize, helping him to establish the company in the US. I learned a ton about security in a short time for sure. Great to be able to catch up on what he's doing. Good luck to him and the wife on the new venture. 