Our year-end special section recognizes a number of individuals who represent the highest degree of professionalism in the security space. These six just missed the final cut, but deserve to be called out nonetheless for their achievements.
Katie Moussouris (left), senior security strategist, Microsoft: It wasn’t too long ago that Microsoft was in the dog house for how it handled software security. Critics decried the number of critical vulnerabilities across its portfolio of products, its poor communication with researchers and its slow patch response time. How things have changed. And Moussouris, who joined the company in 2007, has been a key player in turning Microsoft’s security reputation around. She now leads security community outreach and strategy, and among the initiatives she has launched are Windows security training programs; the BlueHat contest, which challenges researchers to develop defense technologies for $250,000 in prizes; and Microsoft Vulnerability Research (MSVR), a global program for sharing information about software bugs.
Becky Bace, chief strategist, Center for Forensics, Information Technology and Security (CFITS) at the University of South Alabama: Bace began her career as an engineer and research manager at the National Security Agency, where she became one of the security industry’s first prominent females, earning the title “Den Mother of Intrusion Detection.” After government service, she set her sights on Silicon Valley, where she served as a venture capital consultant. Earlier this year, Bace transitioned to academia, where she now will collaborate with the public and private sectors on security research initiatives.
Zane Lackey, security engineering manager, Etsy: It may not have the star power of Facebook, Amazon or eBay, but Etsy, an online marketplace for vintage and handmade items, is one of the safest places on the web to visit and shop. Under Lackey’s security tutelage, Etsy (the web’s 166th most trafficked site, according to the Alexa Web Information Service, part of Amazon.com) requires that new engineers endure a several-week-long training “bootcamp” to understand its code base. Once they are ready to go, developers analyze applications and turn over new code at astonishingly frequent rates – a process that prevents new vulnerabilities from being discovered and exploited. Also this year, Etsy launched a rewards program for researchers who find bugs on the site, and improved shopper security by introducing two-factor authentication, login history and full-site SSL encryption.
Morgan Marquis-Boire (right), Google engineer; and Bill Marczak, computer science Ph.D. student, University of California, Berkeley: The pair – in conjunction with the Citizen Lab at the University of Toronto – tracked and published findings around sophisticated surveillance software known as FinSpy. But what made their discovery so noteworthy was that the spyware tool was being used by oppressive governments, such as in Bahrain, to eavesdrop on citizens’ phone calls and emails – and it was produced by U.K.-based company Gamma Group.
Kevin Fu, associate professor of computer science, University of Massachusetts Amherst: Serious risks are arising as more and more devices become Windows capable and internet connected. Among the most alarming are those embedded devices necessary to keep people alive that also are becoming web enabled, such as defibrillators and insulin pumps. Through his research, Fu is helping to raise awareness about these endpoints’ susceptibility to malware.