Community advocate for secure software
Michael Coates, director of security assurance for Mountain View, Calif.-based Mozilla Corporation, is a rising leader. He credits much of his success to collaborative communities, where his careful curiosity about information security led to his “testing, assessing and breaking critical computer systems.” He is a long-standing advocate of collaboration with peers to solve problems and build solutions.
“Can you imagine if the medical community never shared any information or never shared their knowledge with each other?” says Coates. “Most companies are very secretive about their security practices. Therefore, there's not much knowledge sharing in a very challenging field.”
Coates worked for several firms before Mozilla, including a stint with Motorola, and as a senior application security consultant at Aspect Security, a consultancy in Columbia, Md. Through his earlier positions, he built his competencies in security practices and gained a keen technical understanding of application security with regard to threats, vulnerabilities, controls and architecture.
Occupation: director of security assurance, Mozilla; chairman, Open Web Application Security Project (OWASP)
College: University of Illinois, Urbana-Champaign 2004, B.S. computer science; DePaul University 2009, M.S. computer, information & network security
Accomplishments: Leads a global security team responsible for the secure design, creation and deployment for Firefox and Mozilla web applications.
Jeff Williams, the CEO of Aspect Security, credits Coates' success to a rich combination of technical skill and an affinity to work with people.
“Michael has just the right mix of technical expertise and calm demeanor to encourage people on all sides of the applications security challenge to participate and get productive,” says Williams.
For Coates, building collaboration with others is key to learning the root cause of problems, which subsequently leads to effective strategy development.
“Mike finds hard problems like active application defense,” says John Steven, internal chief technology officer of Cigital, a Dulles, Va.-based consultancy. “Rather than cobbling together PowerPoint presentations touting himself, he pauses, thinks deeply about the cause, and then builds consensus around a simple strategy and tool.”
And building consensus with his peers has had a definite appeal to Coates. It led to his participation in the Open Web Application Security Project (OWASP), an organization self-described as making “software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.” His involvement provided him with many relationships and projects on which to collaborate with others in an open source environment. He presently serves as chairman of the OWASP Board.
“OWASP is a completely open and volunteer organization,” says Coates. “I used it as a professional resource for many years.” At OWASP, he worked on AppSensor, which he cites as one of the major accomplishments of his career. “The project provides prescriptive guidance for creating attack-aware and self-defending applications,” he says. “I created the AppSensor project during OWASP's 2008 Summer of Code.”
Jeremiah Grossman, chief technology officer for WhiteHat Security, has worked with Coates in his present position with Mozilla, but also as a colleague at OWASP.
“No matter the role, I've always found Michael to be an extremely competent application security professional,” says Grossman. “Even more importantly, especially given his position, is that he is consistently a very measured personality. While he may not make big leaps, what he is very good at is building group consensus and moving forward productively and consistently, inch by inch.”
Coates has contributed not just to the private sector, but also the public sector. “As an active leader of OWASP and the [U.S. Department of Homeland Security's] Software Assurance Forum, he is helping our public-private collaboration efforts aimed at delivering more resilient software,” says Joe Jarzombek, director for software assurance at the DHS. He says Coates is particularly savvy in helping to shift the paradigm away from the “victim mentality” that all software is exploitable. He lauds him as a true leader in community partnership efforts that enable stakeholders to build security into their software designs and code implementations, but also require cyber defenses that are proactive, not reactive.
“Michael Coates has been engaged in several initiatives that have focused on developing rugged software that is attack-aware and self-defending,” says Jarzombek. “He is enabling more people to secure their part of cyber space, and his personal leadership and initiative have significantly changed the way people think about software resilience and security.”
Coates advises anyone in the security profession to be inquisitive and tinker with technology. “When you pull this lever over here, or turn this knob over there, what happens?” says Coates. “Could that mean something is very wrong? Break into your machine and figure out how to fix them. The more you can get into things, the better you're going to be overall.”
And, don't be afraid to get your hands dirty, he says. “Be curious about how things work.”
[An earlier version of this story incorrectly stated that Michael Coates worked for the Mozilla Foundation].