
Grossman: White Hat, Blue Belt

Web security expert Jeremiah Grossman talks Web security meltdown, the dangers of surfing - big waves and the Web - and Brazilian jiu-jitsu

Jeremiah Grossman worries that Web security is nearing the breaking point. "Right now we have a really good understanding of how broken the Web is, and I think the inflection point is coming," he says. It's just a matter of when the bad guys decide to set their sights more on Websites than client machines, he says: "When is Web app security going to experience its first 'Blaster?' "


The Web security pioneer, who today is considered one of the top experts in the hot area of Web application security, says there's no way to rebuild the roughly 135 million existing Websites overnight. "The Web is already built, and any mistakes have already been made," says Grossman, who is founder and CTO of WhiteHat Security, a Web security services firm.

He sees both his mission and his company's as empowering organizations to better secure their Websites. "If you can know where the vulnerabilities are, then you can commit that [intelligence] to the Web app firewall, for instance, to block exploits on those vulns," he says. "Then security guys are back in the fight, because right now, they are out" for the most part.
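The approach Grossman describes, feeding assessment findings into a Web application firewall so that the known holes are blocked while developers work on the real fix, is usually called virtual patching. The following is an added illustration written for this page; it is not WhiteHat or Sentinel code, and the findings, paths, parameter names and detection patterns are all constructed for the example. Each rule is scoped to the exact method, path and parameter the assessment flagged, which is what distinguishes a virtual patch from a generic signature: the same payload on an unflagged page is left alone.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed sample findings, shaped like what a site assessment might report.
# The ids, paths and parameter names are hypothetical.
FINDINGS = [
    {"id": "F-1", "class": "sqli", "method": "GET", "path": "/account/search", "param": "q"},
    {"id": "F-2", "class": "xss", "method": "POST", "path": "/comments/post", "param": "body"},
]

# Illustrative per-class detection patterns. Deliberately narrow: a virtual
# patch only has to stop exploitation of one known hole, not all attacks.
PATTERNS = {
    "sqli": re.compile(r"(?i)(?:'|--|/\*|;|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)"),
    "xss": re.compile(r"(?i)(?:<\s*script|javascript:|\bon\w+\s*=|<\s*/?\s*(?:img|svg|iframe)\b)"),
}


@dataclass
class VirtualPatch:
    """One WAF rule derived from one finding: method + path + parameter + pattern."""
    finding_id: str
    method: str
    path: str
    param: str
    pattern: re.Pattern


def build_patches(findings):
    """Turn assessment findings into scoped rules; unknown classes get no automatic rule."""
    patches = []
    for f in findings:
        pattern = PATTERNS.get(f["class"])
        if pattern is None:
            continue
        patches.append(VirtualPatch(f["id"], f["method"].upper(), f["path"], f["param"], pattern))
    return patches


def inspect(patches, method, url, form=None):
    """Decide whether a request may pass.

    Returns (allowed, finding_id). Only the flagged parameter on the flagged
    method/path is examined, so the rule cannot fire on unrelated traffic.
    """
    parts = urlsplit(url)
    values = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    for name, value in (form or {}).items():
        values.setdefault(name, []).append(value)
    for p in patches:
        if method.upper() != p.method or parts.path != p.path:
            continue
        for value in values.get(p.param, []):
            if p.pattern.search(value):
                return False, p.finding_id
    return True, None


if __name__ == "__main__":
    rules = build_patches(FINDINGS)
    print(inspect(rules, "GET", "/account/search?q=shoes"))
    print(inspect(rules, "GET", "/account/search?q=' OR 1=1--"))
    print(inspect(rules, "POST", "/comments/post", form={"body": "<script>alert(1)</script>"}))
    print(inspect(rules, "GET", "/other?q=' OR 1=1--"))
```

Two caveats a practitioner would attach to any such rule: the check decodes the query string once, so a WAF in front of an application that decodes a second time needs to normalise to the same depth, and a pattern-based block is a stopgap against the specific finding, not a substitute for fixing the code.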

Grossman, 30, conducted some of the earliest Website hacking research while working for Yahoo from 2000 to 2002 as The Hacker Yahoo (his boss's title was The Paranoid Yahoo). "I was heavily focused on Web app security there, before that term was even being used by anybody. My job was to hack everything Yahoo had," he says. "I was hacking stuff night and day to figure out what the bad guys were up to. And my job [eventually] went from finding [holes] to building defense to keep them [hackers] out."

Like many of his contemporaries in security, Grossman chose a security research job over finishing his college degree. He left his native Hawaii, and big-wave surfing, at 18 to study electrical engineering at a small college in Thousand Oaks, Calif., while working part time as a Unix administrator at biotech firm Amgen. "When I got an offer letter from Yahoo, I took it to my guidance counselor and asked her what the top student would make coming out of this school and it wasn't even close to what was on the offer letter," he says. "I asked her if there was any reason I should stay, and she said, 'Because you'll never come back.' And of course, she was right."

But it didn't take long for Grossman to discover that assessing Websites manually was an endless cycle. "I did the math: My assessments were about 40 man hours per Website for 600 Websites, which came out to about 11 and a half years of work," he says. "Even if it was job security, I would never get it [the work] done."

So he dug around in search of a better solution. "The problems we were having [at Yahoo] were not unique to us. No one had a good handle on it," he says. "So I figured there was a business opportunity here."

Grossman started up WhiteHat Security in late 2002, initially doing consulting for banks and then eventually building Sentinel, the vulnerability assessment platform at the heart of WhiteHat's services, which include hands-on support from its in-house security experts. The company now has about 120 clients for the service, mostly in retail/e-commerce, financial services, and health care, and assesses around 700 to 800 of their Websites each day.

Interestingly, Grossman initially wasn't really interested in security at all. He was too busy surfing Maui's big waves when he first started "breaking" video games and fiddling with his dad's new Commodore 64 PC, he says.

"Computers and technology were my passion, not necessarily security," he says. "Security was never a core focus of mine, but it was always kind of a hobby."

Meanwhile, Grossman's latest hobbies are Brazilian jiu-jitsu, a grappling-based martial art and combat sport, and Australian rules football. He currently trains in jiu-jitsu three or four nights a week, even while on the road, dropping in at academies in whatever city he happens to be visiting. He got into it about a year and a half ago, and his first session was a disaster: "They put me with an older woman half my size and she kicked the crap out of me for 30 minutes. It was no fun for a 'macho' twentysomething to be beaten by an older woman," he quips.

He was around 275 pounds at the time, and went on to fight 300-pound plus men. "I didn't do very well. I sucked at it," he says. "So I decided to drop down a weight class and will be competing again at a lower weight class with guys my size now," he says. "Brazilian jiu-jitsu is the most physically demanding thing I've ever done. It's that hard."

It was Grossman's interest in the Ultimate Fighting Championship that attracted him to the sport: "I was always a big UFC fan, and they are all Brazilian jiu-jitsu-trained." In Australian rules football, he plays ruckman, the player who contests the ball-up, the sport's equivalent of a face-off in ice hockey, but with a vertical leap often accompanied by mid-air collisions with opposing players "in the ruck." Still, Grossman says his passions for Aussie rules football and Brazilian jiu-jitsu are nowhere near as extreme as the sports he grew up doing in Hawaii.

"It's not as dangerous as what we did in Hawaii -- big-wave surfing and jumping off waterfalls," he says.

Personality Bytes

  • Bad day at the office: "I had to lay off some of my friends when WhiteHat was struggling in the early days. We were about to run out of money... It really bothered me. I felt that they were being penalized by my inability to be successful for the company."

  • What stinks about Web security: "IT security has no control over Website vulnerabilities because the Website developers don't work for them...They have a different boss and different set of action items. It's difficult to improve the Web security problem because there's no one around to fix it."

  • What rocks about Web security: "Our customers can make strategic decisions using our data. If we are noticing vulnerabilities of one particular type, for example, the changes have to be a framework issue."

  • Recent hacks: "Most of the research I do now I'm unable to reveal... Most of the big R&D gets productized. I do release little hacks on my blog for fun, though."

  • Hacker buddy: "RSnake -- Robert Hansen."

  • After hours: "Brazilian jiu-jitsu."

  • Ready for some football: "Australian rules football, with the Golden Gate Australian Rules Football League (GGAFL)."

  • Just downloaded from iTunes: "Pain, Gorillaz, Billy Talent."

  • Comfort food: "Any kind of Mexican food."

  • Hangout: "Home."

  • PC or Mac? "Mac."

  • Surfin' in CA: "No... It's too cold. They are hardcore here."

  • Wheels: "A GMC SUV. I left my hot rod in Hawaii."
