2016 has been a pretty amazing year for me in many ways, so much so, I wanted to look back on just how much I've achieved in such a short space of time. Sometimes I'm so focused on looking forwards at the next target that I forget to look behind me.
New job, new role
One of the biggest changes for me came right at the start of the year when I quit my job. I worked for a company called PenTest, since acquired by Secarma, which is one of the best companies I've worked at, and there's been some great ones along the way too (hi Avecto!). Leaving the safety of a well paid position in a successful company to 'go it alone' (sort of) is a pretty tough call to make, especially when you're leaving behind expenses, an annual (all expenses paid) snowboarding trip and more staff social events than you'd care to shake a stick at!
Still though, my move wasn't about being unhappy in my role but came from wanting to try something new and take a more independent path. I left to join forces with another familiar name in the security field, Ivan Ristić, creator of the SSL Labs Test and author of Bulletproof SSL and TLS amongst other notable successes. Ivan had a great idea for a new product and needed somebody to help out on the security research front. To bootstrap the startup we wanted to start delivering security training so I took a large role in that too, delivering most of the training courses, both nationally and internationally, throughout 2016. The product, Hardenize, took shape at an impressive rate and I first publicly spoke about it at the Swiss Cyber Storm in October to announce our closed alpha. At the time of writing development is still progressing at an impressive rate and you're welcome to visit the site and request an invite to join our next round of alpha or maybe beta participants.
One thing that I'd started working on during my time at PenTest was my public speaking. I'd given a few nervous talks at our local OWASP Chapter meetings in Manchester and finally gave my first 'proper' conference talk in December '15 at PasswordsCon. From that and throughout 2016 I continued to work on and improve my pubic speaking and I'm fortunate to have spoken at some really nice events.
OWASP - Manchester
dotSecurity - Paris
This was a bit of a short notice conference to fill a gap as a speaker dropped out on short notice. I found out on the Wednesday evening and spoke on the Friday morning!
InfoShare - Gdansk
This was my first really big conference with 1,000 seats in the audience. The topic was, of course, my favourite HTTP response header, CSP.
BSides - London
I was very lovingly scribbled onto the Lighting Talk track by Zoë Rose and told shortly before I was due to speak!
SteelCon - Sheffield
Easily the best conference I've been to, I've attended SteelCon since it was founded in 2014 and was delighted to speak there this year. The topic was a more in-depth talk on the technical details of the car hacking work I did with Troy and my dealings with the ICO.
BSides - Manchester
Next up was my talk at BSides Manchester with an awesome title borrowed from Czech Security Researcher Michal Špaček.
OWASP - London
Another OWASP Chapter meet, I love these events because you get to meet really awesome people from the community in a casual setting with pizza and beer. It's great for making connections.
Fronteers - Amsterdam
It was a break from the norm for me to speak at a conference that wasn't focused on security, in fact, mine was the only talk on security at the conference!
Swiss Cyber Storm - Luzerne
Possibly the coolest name I've heard for a conference, the Swiss Cyber Storm was a great event and again a little different from the casual/hacker conferences I normally attend and speak at. This conference felt a lot more 'up market' but a great time was still had!
You can find full details on all of my engagements on my Speaking page and get in touch with me if you'd like me to speak at an event.
As I mentioned earlier, one of the roles I took up when I left my job was to start delivering security training. You can find more details on my Training page and again, please feel free to get in touch if you're interested. Initially the training took the form of in-house training to large organisations and involved lots of national travel to cities like Manchester and London. Later in the year we expanded to offer public training too and our first course was a great success!
At the time of writing we're planning more courses in London throughout 2017 and I'm bringing a training up North to Manchester too! Keep an eye out for details of those. International training is also possible and I recently delivered a full week at SURFnet in The Netherlands!
De beste TLS training in de wereld. Lees Joost van Dijk's blog op https://t.co/UxHopaOH2e en schrijf je gelijk in voor de training.— SURFnet (@SURFnet) September 20, 2016
Of course, with all of the travel for training and conferences I've racked up quite a few air miles and stayed at a few nice places along the way! International travel, or even national travel, can look quite glamorous but there are the downsides too. Being away from my family is hard and even though you don't do much, sitting around in bus and train stations or sat on a flight is actually quite a draining experience. Of course this isn't a complaint, I do it because it's immensely rewarding but for those out there who thinks it's like a mini holiday each time, or are looking to get into it themselves, I'd just advise you to consider the negative aspects too. If you want more information Troy Hunt did an awesome blog on what goes into his international speaking trips which admittedly are a little more action packed than mine but it's interesting to see that other people have the same experiences.
I first created securityheaders.io back in Feb 2015 and it's fair to say that whilst it was functional, it was a pretty basic service. I created it out of a need for the tool in my own day to day work and figured I'd host it online as a free to use service for everyone. It saw some steady growth and adoption but I felt it was lacking and I could do more with it. In Dec 2015 the new version was ready to go and I pulled the trigger right before the New Year. Since the launch of the new version and all throughout 2016 the site has seen an incredible growth in usage despite the fact that it isn't advertised anywhere other than coverage it gets on this very blog. It's had numerous updates in 2016 to add more functionality, respond to user feedback and implement new features. The site passed through the 2,000,000 scan milestone in 2016 quite comfortably!
Again, first launched in 2015, report-uri.io was built as a result of me needing the tool myself. I saw CSP as a technology with great potential and reporting was incredibly valuable but difficult and/or costly to implement. To try and help raise the adoption of CSP I created report-uri.io to remove that burden from site admins.
With the expectation that only myself and a few site admins that I know would use the service, I wasn't prepared for the growth the site would see in 2016. In September 2015 I was already seeing 1.3 million reports a week through the service which to me was incredible given my expectations. Things just kept growing from there and usage exploded requiring me to make several upgrades including a major update, further improvements, another major update, performance optimisations and eventually the introduction of rate limiting to try and cope with the sheer amount of inbound reports I was processing by late 2016. Despite all of this and some pretty aggressive rate limiting the service is still processing close to 200,000,000 reports a week! I expect to break through that pretty awesome figure before 2016 is out.
Over the last few years I've had research published in various news outlets, both national and international, and 2016 saw some really good coverage for me too. There's an archive of all of my coverage on the Media page but the biggest step for me came this year when I made my first TV appearance! The Yahoo breach got a lot of attention and the BBC were looking for someone to go on the breakfast news to talk about it. Thanks to a recommendation from Jess Barker I got a call from the BBC news desk asking what my plans were for the following morning. They wanted me to be sat on the couch, live on TV, in a little over 8 hours! Needless to say there was much panic and a rather restless night before my hour and a half drive to the studio to get ready.
The first appearance was at a little after 06:30 with Charlie and Naga on BBC Breakfast!
Following my BBC Breakfast appearance I was also invited to speak on BBC news too!
This year I've also taken some great strides forward on the blog front too. The most notable change was probably my visual refresh to bring a much cleaner and lighter theme to the site. It was also a great opportunity to add my Training, Speaking and Media pages to give those aspects of my professional life a little more exposure. A lot of time and effort goes into writing blogs and at the time of writing, including this post, I've published a total of 50 blogs so far! There's been some really interesting ones that include the car hacking I did with Troy Hunt and the vulnerable smartphone app for using Electric Vehicle charge points to my ultimate WiFi Wardriving setup and the research I published showing the huge surge in the adoption of HTTPS on the web.
My blog will continue to develop throughout 2017 and I already have ideas on the horizon for research and projects that will feature quite prominently! Watch this space. Also, if you're interested in advertising on or sponsoring my blog, get in touch.