With 2013 coming to a close, I thought it pertinent to look back at the year we've had and also forward to what's promising to be an incredibly exciting 2014 for us.
2013, for SensePost, was a year of transition. With a new leadership structure in myself, Shane and Dominic, we had a chance to stamp our style and vision and also learn from Charl and Jaco. One of the first leadership choices was to expand our reach and open our first office in London, aptly in a borough called Hackney. Here, we grew our family and welcomed some amazing people into the plak. After a few short months, we had outgrown the office and needed to look for bigger premises, this time in another aptly named area: Whitechapel (think Jack the Ripper).
Back in South Africa, after moving to bigger premises down the road, we finally got a chance to make it feel like home. These two new offices have allowed us to continue to grow at a steady pace, whilst still keeping the SensePost vision and vibe alive.
On a technical level, as this is what we are really about, we've had an amazing year. As part of this new vision, we made some key appointments:
Craig Swan, who originally was part of the assessments team and left, returned home to assume the role of Training Manager. On a training front, we've had one of the busiest years to date. From Blackhat in Las Vegas, Brasil and Seattle, to 44Con in London, for our friends in the US and our courses held in Southern Africa, we've trained hundreds of students in the art of offensive security. We've also created two new courses for the Hacking by Numbers series, one concentrating on mobile assessments and the other on malware reverse engineering. However, we are not resting on our laurels and with Craig on-board, 2014 is looking like being an amazing year for education at SensePost.
Victor Tadden, an experienced technical Project Manager, joined the assessment team to help us be more efficient with our delivery of projects. He brings with him a wealth of software dev experience and has already made a significant impact in the way we work, especially managing to wrangle pen testers together daily for scrum meetings, a feat many will tell you is akin to herding cats.
Tiago Rosado joined us from Portugal to head up our Managed Vulnerability Service, a key service line that many of our clients rely on for a more holistic view of their security posture. Our MVS service line is being revamped for 2014 and Tiago will help us achieve this.
Marc Peiser became our IT Manager and with him, brought a wealth of UNIX experience, having worked for a massive global bank. Marc's aim for 2014 is to ensure that our internal networks are not only robust but also allow us to do what we do. Surprisingly enough, we are frequently attacked and having a defense-in-depth approach to IT is as important to us as it is to our clients.
Internally, we've welcomed some new family members, said goodbye to some. We value those who choose to work here very highly, we want work to be a creative environment where people can have fun, grow and most importantly enjoy coming to work. Nothing makes me more proud than seeing a plakker accepting new challenges, often defining the way the security industry works, or helping others with their security needs. As the penetration industry matures, one of my main goals for 2014 is to ensure that our proven hacker ethos remains.
2013 saw us presenting at conferences throughout the year and for the first time in our history, in a total of eight different countries over five continents. Our research included vulnerabilities in the Internet of things, distributed surveillance frameworks, security analysis of the Trustzone OS and Mobicore and finally using Spatial Statistics to detect Fast-Flux botnet Command and Control (C2) domains.
Technical prowess is still at the very heart of what we do at SensePost. We love to pwn and 2014 will see us continuing to write new tools, approach old problems with a new way of thinking and just being, well, us.
In November, after months of negotiations, came the news that we were to be acquired by SecureData Europe. This new chapter for us will usher in a new era of growth and development for us at SensePost and we are truly excited to be part of the SecureData Europe family.
Overall it was a fantastic year, especially for us, the new EXCO. I am extremely proud to stand alongside some incredibly talented people and call them colleagues and look forward to 2014 and what it brings.
From everyone at SensePost, we wish you a Merry Christmas and best wishes for the New Year.
Considering how freely i've ranted on our blog over the past few years i found it incredibly hard to write this post. SensePost has been my home for the better part of a decade and i have been firstname.lastname@example.org much more than i have been haroon meer.
In truly boring last post manner i wanted to quickly say thanks to everyone for making it such a fun ride. From the awesome people who took a chance on us when we were scarily young and foolish, to the guys (and girls) who joined us to help make SP elite. From the many customers who tolerated my sloppy dressing to Secure Data Holdings who have been awesome in every interaction we have ever had with them. From the people who have used our tools, read our work and contributed ideas to the people who read this blog (Hi Mom!).
Seriously.. thanks muchly!
It's been an awesome 10 years and with the quality of guys that remain at SensePost, it's a safe bet that the next 10 are going to be even better..
The question that everyone asks me is "what now?". The short answer still has 2 parts..
With Penetration Testing and Research over the past while I've spent a lot of time and energy trying to find new ways to break stuff, and new ways to break into stuff.. (it's been incredibly fun!)
I'm hoping now to be able to aim the same sort of bull-headedness at defending stuff, and at building solutions that give applications and networks a fighting chance.
I'll still pop in occasionally at the SensePost offices (mainly to have the coffee and lose at foosball), and my relationship with Secure Data Holdings also remains intact (Other than our historical relationship, Thinkst is doing some consulting work for SDH, making them our first customer!). Hey.. you might even still find me bending your ear on this blog..
So.. all that remains is to say thanks again.. it's been amazingly fun, incredibly rewarding and "rockingly leet"
After ten fascinating years, during which many people have contributed in so many ways to the place that is SensePost, by strange coincidence it falls on me to pen the words that mark our first decade in existence. To quote Robert Hunter: "What a long strange trip it's been". SensePost was officially founded on February 14, 2000. Of everyone who was involved at that time, I'm the only one still working here, which earns me the dubious honor of 'oldest employee'. Do I get a gold watch? I meant to think much more over the last few weeks and months about how we should celebrate this day, or what I would write in a letter like this, but in the end (business being business) I'm writing this in a rush on a Sunday evening, with another three big things to complete before I allow myself to go to bed. Then again much of our success (in so far as we've been a success) happened in a hurry on a Sunday night, so let's not write this little piece off too soon, shall we?
The vision for SensePost developed between myself and Roelof Temmingh late in 1999. To be fair, Roelof was by far the more skilled and experienced at that time, and the notion of a commercial venture rooted in computer hacking as a service was born primarily with him. But I like to think I played a small part in shaping and molding the ideas that formed during the early part of that summer. Certainly I believe it was my epiphany that as long as we waited for others to make the calls, we would never really be in charge of our own destiny, that finally convinced us to leave our jobs and set out on this new venture. It was the height of the 'dotcom' boom, we knew more about everything than anyone, and we thought we'd be rich before two years were out. Of course it wasn't that simple, but it's been a crazy happy journey nevertheless and I don't regret a minute of it.
It wasn't all about money of course. There was also a dream. We saw a small group of people, technical, hard working, passionate about computers and security, and with poor fashion sense. We had wild ideas about a grunge-style internet cafe with drinks named after shell commands, big screens and 70's pop. I also recall some discussions about a scooter with a fax machine mounted on it, but we won't go there. Basically, we had no idea what we were doing. Yup. Roelof and I had passion, idealism, energy, a whole lot of arrogance, and a little bit of skill, but not much more. We were 24 years old, had about US$ 6,000 between us, and probably barely enough collective business acumen to open a cheque account.
Help came from a very unexpected place. As it turned out the managing director of the company we were leaving, an ueber-suit, the boss of our boss, public enemy number one, prime-evil himself, had resigned the company just weeks before we did. His name is Luc de Graeve and instead of calling down the gods of corporate South Africa to punish us for our insolence, he kindly and gently offered us advice and support, which we eventually, suspiciously, accepted. And so was formed a relationship that would culminate with Luc becoming a major shareholder and our managing director for eight years until after we eventually sold to Secure Data in 2008.
In the sidelines at that time, but a secret member of our troupe right from the start, was Chris Erasmus. Chris had joined a team Roelof was starting at our previous company and we promised to invite him in the moment SensePost was on its feet. And so Chris joined us as a shareholder only a few short months after we started. Although Chris was the first of the founders to leave, he played a formative role in establishing our culture, values and identity. His sincere manner and unique style left an indelible impression on each of us and on the business itself that can still be felt today.
And then there was Jaco. Jaco van Graan had also worked with Roelof, Luc and me, but had left before the rest of us to take a security job at a major ISP. On the side, he and two friends had started an accounting and audit practice called TJC. They planned to specialize in helping small businesses like ours and approached us with a very attractive proposal. Before too long Jaco would join us as 'financial director' and BS 7799 specialist. We wondered at the time whether it wasn't too soon to require a full time financial manager, but the indisputable balance and control we've had in all our financial and commercial matters since that day testify that it was the right call.
Next to join our team was Haroon Meer. We met him online while he worked at Durban university and invited him to come visit us at the 'office' we ran out of Roelof's master bedroom. He soon went on to join the directors and eventually become our technical director and in many ways the heart and soul of our business. After I finish writing this post, I have to write some words for his farewell. His contract with Secure Data has expired and he's moving on to his next big adventure. I sincerely wish him well, but already miss him dearly.
The contract I'm referring to with Secure Data is part of the purchase agreement with them. Under that agreement three of the shareholders - myself, Haroon and Jaco - were obliged to stay for a fixed term after the purchase. That period has not yet ended, but Secure Data has allowed for him to break a little early. In this, and many other things, Secure Data has been a good partner to us. The decision to sell the business back in 2008 was not an easy one and we entered into the deal and subsequent contract period with more than a little trepidation. But Dean and Johan have understood us well and have graciously allowed us to continue being who we are. Thus, I say with confidence, that nothing has changed in our culture or values since joining Secure Data. I suspect this is unusual in such cases, and I'm extremely grateful for it. Indeed, Dean has proven to be a wise and insightful leader.
So our tenth birthday also marks the end of our journey with Haroon. Of the original people, only myself and Jaco now remain. I feel I've said goodbye to too many people over the past decade. I hate it. But I've also come to learn that the business is bigger than any individual one of us. Each time somebody leaves I dread it, and each time we somehow survive. Over the years the business has grown from strength to strength and today we boast much more skill, energy and talent than Roelof, Haroon, Chris, Luc, Jaco or I ever had.
Time doesn't allow me to tell the whole SensePost story in detail and I guess there's really not all that much to tell. But there are some players I just have to mention: My deepest love and respect to Roelof - my friend and mentor - and Luc - long our leader and the biggest set of footsteps anyone ever had to follow. @haroonmeer - I've already said how much I'll miss you. Chris - I hope to see you again soon. Kim, Gareth, Lizelle, Christoff, Herman, Jacof, Nithen, George, BradleyW, Craig, Lohan, Frank, James, Glenn - thank you all for sharing a part of your journeys with us. And to our customers: I can't mention you by name, but some of you have supported us from the very beginning, and all of you have been gracious, patient, loyal and extremely supportive. Thank you! Without you we would lack any meaning. And I must mention … Black Hat. Ping and Jeff gave us a chance when nobody had to, and opened up the door that would eventually allow us to become a truly global company with customers on all five continents. Thank you Ping and Jeff. My hope is only that we can give people the kind of leg-up that Black Hat gave us.
So how have we done over the last ten years? The other day Haroon - ever our conscience - mentioned Sun CEO Jon Schwartz's memo at the time of the acquisition by Oracle. Haroon was saying how he kept record of the memo to remind himself of the kind of company he wants to work for, so I thought it might offer a good benchmark against which we can judge ourselves…
Schwartz: "Sun's people have always stood apart as the brightest, most passionate, and most inspiring… I've always been surrounded by the best and brightest individuals I've ever come across…"
I certainly don't count myself amongst the best and the brightest, and SensePost is certainly no Sun, but I can say honestly and sincerely, in the words of Schwartz himself: It's "been an honor and privilege, for which I'm enormously thankful".
Schwartz: "[Our] Technology, alongside our employees and partners, have changed the world"
From the beginning, SensePost has had the courage to build and release technologies that make a difference to how we think and work, have made a difference to our industry and ultimately to our customers. And we're still doing it today. Sure, ours is a small galaxy, but I'm proud of the difference we've made in it.
Schwartz: "Amidst the toughest market and customer situations imaginable, I'm proud we've always acted with integrity, with a sense for what's right, and not simply what's expedient."
This is perhaps the part of our makeup of which I'm the most proud. SensePost has always been a values-driven organization and I believe I can say with all truth that we've never compromised on our values. We've been fair and honest in all our dealings with our customers, our staff, our suppliers and even our competitors. I'm proud to say that I can't think of one person in our industry, in South Africa or abroad, that I'd be ashamed to run into.
Much of what's happened over the last ten years has taken me by surprise, so it's hard to comment intelligently on what the next ten years will hold. But what I do know is this: At its heart, I believe, SensePost is about learning. Learning and teaching. We believed at the time (arrogantly I suppose) that we knew more than anyone else. Not anyone else in the whole world I mean, but more than the people and businesses we were dealing with at the time. And our heart… was to teach them.
This spirit of teaching is still at the heart of our business model, and must remain at our own hearts also. Teaching is how we add value to everyone we deal with - our staff, but most especially our customers. It's a generous spirit, for to teach is a fundamentally generous thing. Teaching is not about fame or money, it's about sincerely caring for the other and wanting to empower and enable them. The fame and money, if you're lucky, will follow.
To be a good teacher, however, one must first be a student. Thus, as the rate of technological development catapults, and as the world around us becomes ever more complex, we need to learn. We need to hunger for knowledge, insight and understanding and seek it out at every cost. We need to work harder, think deeper, push ourselves at every opportunity. The moment we stop doing this. The moment we start to make assumptions and take things for granted… that will be the moment when we start to fail.
And to end, two more quotes from Schwartz:
"We're known as self-starters, capable of ethically managing through complexity and change, for delivering when called upon, and for inventing and building the future. With the world economy stabilizing, I'm very confident you'll land on your feet. You're a talented, tenacious group, and there's always opportunity for great people."
So, to Jaco's team in finance - thank you for keeping the wheels turning and for reminding us what it is to 'serve' others. To the analysts in our assessment team - thank you for the continuous quality and passion of your work. That's how we roll. To the VMS team and developers, you hold the keys to our future. Keep it up - your moment will soon come. To Shane and Bradley, sales and presales - you are our link to our customers and the rudder that steers our ship. To Dominic in consulting - thanks for joining us at last. To Junaid ... welcome on board. May your full potentials be realized with us. To others that have already left us - thank you for sharing with us - may you have success wherever your paths have taken you.
"Thank you, again, for the privilege and honor of working together."
URL for Schwartz's memo to Sun: http://news.cnet.com/8301-1001_3-10440125-92.html