Episode #252 with Rami McCarthy

Security Startups, Jobs

This week on Episode #252 of Absolute AppSec, Ken (@cktricky) and Seth (@sethlaw) are joined by Rami McCarthy to discuss security startups, jobs, and market challenges. Rami can be found blogging about all things security at https://ramimac.me/, where you can go on a few side quests along various topics. The full episode can be viewed below:

After graduating from college, Rami gained practical experience at a local boutique consultancy, BSR, which was acquired by the NCC Group. There, Rami performed traditional security consulting services, including web application penetration tests, network penetration tests, Nessus scans, and cloud security. Seeking to be a part of projects with more sustained impacts rather than remain in the cyclical nature of consulting, Rami transitioned to in-house roles. He joined a startup with about 150 employees, where he helped establish the security functions while operating just below the current CISO. Rami moved to Figma for some years before starting his sabbatical. During this time, he has focused on sharing his insights through his blog, sharing the expertise he has accumulated over the years.

“Curiosity, networking, and choosing the right management culture are key to thriving in the security industry.”

Rami McCarthy

Currently, Rami has taken on advisory roles with several startups, including Conducto (an ASPM) and PZero Security (cloud access governance). He engages with these companies primarily through his insights about the space, buyer personas, and research. He is also involved with Latio Tech, an initiative by James Berthoty that aims to provide practitioner-oriented insights into security products. Here, Rami’s role often includes providing counterbalancing perspectives, especially given his background in cloud provider security, product security, and application security.

In this episode, Rami starts by discussing the complexity of advising and the potential conflicts of interest that exist within the security industry, especially when CISOs have stakes in the companies they recommend. He advocates for running a proof of value rather than only a proof of concept, ensuring the security tools provide real benefits. He also emphasizes the importance of transparency and ethical behavior to maintain trust in these relationships. Due to the market’s complexity, security products are difficult to benchmark and categorize. Rami stresses the importance of honest marketing and accurate presentation of products to avoid misleading potential customers.

“Take a good manager over a good company, any day.”

Rami McCarthy

This is followed by a discussion on staff engineering positions and how to grow a security career. The trio talks about promotions and how organizations continue to push senior technical resources into management roles, often reducing their effectiveness. The health of a company's management culture can significantly impact an individual's career trajectory. In the current industry, Staff Engineer positions are not always available, especially in smaller organizations. Rami gives some hints on identifying companies that value this expertise, including investing time in building a strong network within the security industry, being active at BSides conferences, and reviewing TL;DR Sec’s Staff Security Engineer Guide. He also recommends reaching out to industry leaders; after all, “The worst that can happen is someone is too busy and doesn't answer you.”

Episode #252 was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of applications, including web, mobile, AI and traditional apps. Redpoint also offers training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

Overall, interesting insights from someone advising companies on growth, who has also produced some great content via tldrsec.com. Be sure to catch this episode on your preferred platform. Rami is also a member of the podcast Slack, so feel free to ask him questions there. And check out the new Absolute AppSec Merch at merch.absoluteappsec.com. In closing, remember Rami’s take.

“Security is a market for lemons.”

Rami McCarthy

Stay Secure,

Seth & Ken

https://youtu.be/lGSFHzkEJcI - Episode #132 - Supply Chain Attacks, What I Wish I Knew Starting in Security

https://youtu.be/l9HcKeLXVjw - Episode #179 - Starting in AppSec, Threat Modeling

https://youtu.be/4Pw_BJciR5o - Episode #52 - Serialization Vulns, Career Growth, and Hacking your Happiness with Chris Gates

Absolute AppSec Happenings

https://www.wired.com/story/priscila-queen-of-the-rideshare-mafia/ - As discussed during this episode, subversion of security controls can result from multiple motivations. This story from Wired shows bypass of rideshare KYC controls in order to work and earn money.

https://franklyspeaking.substack.com/p/assessing-the-wiz-google-deal - Google is acquiring Wiz, in case you missed it. Frank has a good analysis of where it fits and why it makes sense.

https://www.cnbc.com/2024/07/12/snowflake-shares-slip-after-att-says-hackers-accessed-data.html - When will it end? Will someone please think of the children? More fallout from the alleged Snowflake breach. This time it’s AT&T, any bets on the next revelation?