
The Secure Developer | Ep 47

Security Insights from an Integration Platform

with Tad Whitaker

About this episode:

In the age of startups, diverse employee backgrounds are increasingly important for companies to be resilient and deeply innovative. People’s prior experience helps their work in security both in expected and unexpected ways. Our guest today, Tad Whitaker, has one of the most interesting backgrounds we’ve yet to encounter. From working as a gold miner to a newspaper reporter to a private investigator, Tad’s journey to landing his role as a security engineer at CircleCI has been very colorful. He is also a core member of the Bay Area OWASP leadership that hosts bi-monthly security meetups in San Francisco. Outside of work, Tad volunteers with several different organizations, including The Wall of Sheep at DefCon, Mission Bits, Telegraph Academy and the San Francisco Youth Baseball League. In this episode, Tad shares his interesting background with us and the different ways that have overlapped with current work in security. We also gain some insights into the structure at Circle, from how his team works to their relationship with the development team. The dynamic relationship between development and security is not one we encounter often, so it is refreshing to hear. Tad also walks us through compliance and how adhering to mandated compliance standards have helped and hindered his work.

Links Mentioned in Today’s Episode:

Secure Development
Security Culture
Security Engineering

Episode Transcript

[0:01:25.0] Guy Podjarny: Hello, everybody. Thanks for tuning back in to The Secure Developer. We have another great episode for you today. We have one of the more modern dev tooling companies represented here today with Tad Whitaker, who is the Security Engineering Manager at Circle. Thanks for joining the show, Tad.

[0:01:40.7] Tad Whitaker: Hi. Thanks for having me on.

[0:01:43.1] Guy Podjarny: So, Tad, I like to ask this for every guest that comes on the show, but you’ve got an especially interesting answer to do it. Can you tell us a little bit the story of how you got into this role that you have? Then we’ll dig into what that role is, but just what was that journey that got you to security as a whole and this role specifically?

[0:02:01.0] Tad Whitaker: Sure. I’m the head of security here at Circle. I have been in that position since I more or less started at Circle three and a half years ago. I was our first formal security engineer. I came off the support desk after about six months. But I think I started at Circle when I was 40. That was my first tech job. I do have an unconventional background.

I grew up with a lot of, I would say I was steeped in bad behavior growing up, just some of my relatives and whatnot. That’s always just been the dark side of human behavior has always been something that’s just been around me growing up. When I was in college, the very first thing that I had declared as a major was computer science, because I heard Trent Reznor from nine inch nails had the same computer that I did and this was in 1994 and they said, you can study anything. I thought, “Oh, wow. That sounds pretty cool. I want to learn more about my machine.”

I dropped out after three days, because the University of Wyoming where I went, put me in senior level calculus and a couple of things like that. Literally within three days, it was obvious I was going to get straight Fs and fail out of college if I didn’t go do something else. That was the first time that I tried to get into computers back in ’94.

Then I transferred over and became a journalism major. I wanted to be an investigative reporter at The New York Times, or The Wall Street Journal; in particular those two. I finished up journalism school and moved out here to the Bay Area and was a reporter here in the Bay Area, primarily up in Marin County. I tended to cover a lot of investigative and hard-hitting things.

I covered San Quentin and I watched a couple of executions there. I did a lot of investigative work around gun ownership in Marin County, which is surprising given how liberal it is. I always like the – I guess the conflict around the job.

After about eight years of that, it was obvious that there wasn’t a lot of future in investigative reporting for somebody who had a six-month old kid at home. I left that and went to work for a short-only hedge fund manager. He liked to hire former reporters who would dig into companies and help him discover malfeasance. I did that for a couple of years.

Then the financial crisis happened. That guy made a fortune in the middle of that and then just had no more work for me. There I was with a little kid at home and everything and nowhere to get a job. I applied to the State of California to get my private investigator’s license and got that. Just started cold calling lawyers and other hedge funds and big private investigation agencies. I had to do something.

That actually led to me starting and running my own PI practice that went on for about eight years. It was great. I had a full-time lawyer working for me and an accountant. Then I really ran it like an agency with lots of contractors. We worked on big things that most people have heard about and read about in the news. But after about six years of that, I started really getting interested in the technology behind bad behavior.

It’s not that I wanted to use hacking tools in my job, but understanding how somebody could bring a website down as a 13-year-old was something I needed to know about. I started learning about just hacking tools and went to my first OWASP meetup here in the Bay Area. I remember being blown away at how accessible that little community was. I went in and the guy leading it, there were maybe 50 people there, but the guy leading the meeting was the chief information security officer at Twitter. That blew me away that that guy was just standing there with a slice of pizza and a beer in his hand and would sit there and talk to me for a half an hour.

One thing led to another and that was right when boot camps became a big thing. On a whim, I just enrolled in a Python boot camp. That started a week later and that program was actually garbage, because I didn’t really know how to teach it. As soon as I was done with that I thought, “Oh, I’m going to go back to my PI practice and I can write some scraping tools or whatever,” but I was hooked with the technology. I actually wound up shutting down my PI practice and handing everything off and going back to do a second boot camp called Hack Reactor. That one was legit. That was one of the hardest things I’ve ever gone through. That’s how I landed at CircleCI.

Then it didn’t take very long for our CTO to realize that I was the guy who sent himself to DefCon and did all this stuff. I had a hacking machine that was sitting on my desk and he said, “You know, we really need somebody like you just focused on helping customers and pointing out things that none of us are aware of.”

[0:07:37.3] Guy Podjarny: That’s how you got into the security role in there.

[0:07:39.6] Tad Whitaker: Yeah.

[0:07:40.6] Guy Podjarny: That’s an incredible story. Oftentimes in the world of startups and I guess the growth companies as a whole – the whole notion of resilience and a variety of background is touted and how to be militant. The story you just outlined is quite a broad perspective on it.

Do you feel, having gone through this journey and clearly, it’s got you to the point where you are, but how much do you feel your – the skills built during this journalism and PI type work, how much, if at all, does it manifest in your security engineering type role?

[0:08:19.8] Tad Whitaker: A lot. Even though being a newspaper reporter isn’t the same as being a penetration tester for the NCC group for 10 years before I started here. I think ultimately what I brought and what the value that I really brought to CircleCI from the very first day of being a security engineer here were solid instincts around right and wrong and what looks good and what looks bad.

I know one of the things that really helped shape that a long time ago was the very first reporter job I had. I actually covered the California energy crisis in around 2000. What was going on there with everybody missing power here in the Bay Area and everything, it literally did not make sense. Two and two did not add up to four. The regulators didn’t understand it and everything. Then about six months into it, I went to see the CEO of Enron speak at the California Commonwealth Club. Here was this master of the universe, he was the CEO, former McKinsey guy, he’s the CEO of the seventh most valuable company in the world, he had just been paid 160 million dollars in stock that year. I was looking at a literal lord of the universe.

That guy stood up at the Commonwealth Club and just lied to everyone. We know it was lying, because about six weeks later is when that whole house of cards collapsed. As soon as all that happened, for a lot of us who had been in the middle of it, there was just this forehead slapping, “Oh, my God. We were actually not wrong.” That’s always been this really big perspective-shaping –

[0:10:11.9] Guy Podjarny: Of validation of trust your instincts in that moment.

[0:10:15.7] Tad Whitaker: Good behavior and doing the right thing in understanding motivation and why people might do things is not that complicated. To this day, I still actually drink my tea out of an Enron coffee mug that I bought back then. That sits right on my desk every single day.

[0:10:32.1] Guy Podjarny: That’s awesome. As a fresh reminder for a different type of adversary, I guess, if you think of it that way.

[0:10:37.4] Tad Whitaker: Yeah, exactly. Where that comes into play here at Circle, is I have to help secure our product and I have to provide trust to our customers, so that they have faith that they can trust us with source code and the secrets to their production environments and their builds.

I also need to make sure that our company as a whole is secure inside for our employees too. I really do straddle both of those. When I first started, we didn’t have an HR person, we didn’t have an IT person and we didn’t have a lawyer. It was almost like, as soon as they sent out the e-mail naming me as the first security engineer, there were just all these Slack pings, where people heard –

[0:11:22.5] Guy Podjarny: All developed that one thing done.

[0:11:25.2] Tad Whitaker: Yes. People started reporting all these things that were inappropriate, or wrong, or whatever, or that needed to be fixed. That’s really where it started. It’s just really about trying to follow my gut.

[0:11:38.1] Guy Podjarny: Well, I could probably dig into the story a whole lot more, but let’s switch to this reality of Circle. Maybe let’s start from the end a little bit. You run the security engineering group. Tell us a little bit about what it looks like and what the structure of the team is. Roughly how many people? How do you divide responsibilities?

[0:11:57.8] Tad Whitaker: Right now, security is underneath the chief technology officer, Rob Zuber. One year ago, it was Rob and me and another security engineer named Tito. Tito is a staff security engineer. He used to be a back-end engineer. He’s very code, super technical and savvy. Lots of experience. I tended to handle a lot of the softer aspects and Tito was the technical wing of our little pair. About a year ago, we hired a VP of platform from Puppet. He is an awesome guy, named Mike Stahnke.

He had been the very first security engineer at Puppet. He helped scale security up and then SRE. He definitely was one of the people who really helped scale Puppet.

He came here and he immediately interviewed me. After that, he freed up four job reqs. We were stretched pretty thin about a year ago. At the time, he got a compliance person hired and a couple of security engineers who are coders by nature. Then he also brought over a manager from Puppet to just help gel everything.

Right now, I have four people who report to me and I report to that other manager from Puppet. Right now, we’ve got somebody who’s basically dedicated to compliance and security analysis triage. Then three people, three security engineers who right now, all wear the same hat. It’s still a little reactive. They’re primarily dedicated to product security, some incident response, and a fair amount of ops work that we have right now, around vulnerability management and intrusion detection that all came out of our SOC 2 and FedRAMP compliance.

[0:14:05.0] Guy Podjarny: Got it. Okay. So, it’s interesting. It’s good, both the title and the makeup of the team. It’s an engineering team, instead of tools providers, or technical software-oriented people in that group. How does this work? How does this group, how does your group work with development?

You mentioned for instance, vulnerability management, or intrusion detection. When do you engage with development? How do you manage responsibilities between you and the dev teams? Also, maybe give us a rough sense of size, like you told us the size of the security team, but what’s the rough size of the dev, of the engineering organization as a whole?

[0:14:45.3] Tad Whitaker: I think we have 75 engineers. As a whole, we have basically one security engineer to every 50 people at CircleCI. I know that’s a pretty good ratio. I saw a Slack thread a little while ago, where a whole bunch of CISOs were asked what their security engineer to headcount ratio was. Most people fell in the one to 100, to 150. The best one was I think one to every 25 employees, which seemed really incredible. Right now, we’re at about one to 50. As far as devs, I think we have 75 engineers.

[0:15:26.2] Guy Podjarny: Okay, cool. We’ve got, yeah and I agree, that’s a good ratio. Actually, an even better ratio when you think about how that relates to the engineering side, so to engineers. How do you work? How do you collaborate with those 75 folks?

[0:15:38.8] Tad Whitaker: I’m lucky that the concept and value of security here among our engineering department is largely something I inherited. There were maybe 20 engineers full-time when I started. Just given the nature of what CircleCI does, we are that literal last inch before your valuable, intellectual property goes into production. We have access to that IP and that code and we also have the skeleton keys to your environment.

The architecture and the way that Circle was set up, even before I got here, had to be done with security at the front of every decision. That really does come from our Chief Technology Officer down and it was largely something that I didn’t have to build. The way that I had to work it initially, I was the only security engineer for the first year and a half.

A lot of what I wound up doing was around people security and not product security, because we had done such a good job in instilling the value of secure development. A lot of the work that I did was always just distributed through management initially and that’s really the culture here. Security’s job is not to fix things, it’s to influence everybody else’s decisions.

With vulnerability management, we had to set that up with our FedRAMP authorization. Tito set up a service using Twistlock and his service generates JIRA tickets that go out and automatically assign tickets to every single dev team that uses a particular image that might have a vulnerability in it. That’s really all up to developers for patching. We don’t handle any of that. We maintain the service, but we do literally no patching.

[0:17:52.0] Guy Podjarny: I love the direct relationship. I guess, how do you handle the tracking of that? Does that still sit in your team of knowing whether developers do that? Or is even the tracking, or the monitoring a part of the dev quality metrics, if you will?

[0:18:08.2] Tad Whitaker: Tito is the one who has historically been in charge of monitoring that, just because he’s the one who’s the closest to it. He also tends to sit in the delivery meetings and that type of stuff with the tech leads for all those various development teams. So, he’s the one who’s done a lot of the hounding on that. That’s actually something that our compliance person is going to wind up taking over eventually. Because one of the things that FedRAMP is actually requiring us to do now is to upload monthly vulnerability scan results that show what we scanned and how quickly they were patched. We’ve got that automated to a point that Tito just doesn’t need to be doing that anymore.

[0:18:51.1] Guy Podjarny: Got it. Okay, so it’s being tracked automatically, but I guess the governance activity, or the collection of that data is still a security team setup, or investment? I guess, the cycles were on your team to get that done. It’s awesome to hear that the direct flow and people pick up the problem for there. Is there any activity that happens whether by you, or by the dev teams to celebrate folks that do that well, the people that have fixed the vulnerability or something?

[0:19:17.5] Tad Whitaker: We haven’t done anything. That’s actually a great suggestion. We haven’t done anything around celebrating. We have some teams who are militant about fixing their vulnerabilities and some that are slow. I guess, I would be a little hesitant to call out the ones that are so great without – I don’t want to shame anybody. But we do have some more security championship stuff.

My girlfriend is a game designer and she designed some CircleCI logo stickers, but they are made out of walnut. She uses a laser cutter to make them and they have a little pasta strainer that’s on the top of the little CircleCI to make it look like a little kid’s hard hat that they would go steal from the kitchen when they’re playing war or something. These are laser cut and they smell like burnt wood, which is really awesome. They’re designed to be laptop stickers. I hand those out to people that do a good job, showing some extra level paranoia. We’re just keeping the ship tight.

[0:20:26.5] Guy Podjarny: Yeah, that’s excellent. Actually, that’s the most artisanal security reward variant, I guess, that I’ve heard of. That’s awesome. Definitely very creative on it.

[0:20:40.1] Tad Whitaker: We did one other thing last year when we put our – this is in service of going public with security champions and making that something that people want to achieve. Last year when we had our big engineering and product off-site, we did it in Las Vegas and we hired a group called [inaudible 0:20:57.9] that has a secure code platform, like security engineering platform.

We hired those people to fly out to Las Vegas and they led a four-hour capture-the-flag. We had paired everybody in the engineering department according to their roles, where the average of two people was an E3 or an E4. We had our principal engineer with our one associate engineer. We made the middle ground even for all these pairs. Everybody was set up and did this thing live. At the end, we had prizes.

One of our engineering managers is a hobbyist lock, or a competitive lock picker. He brought a whole bunch of that gear from North Carolina and did this big workshop with lock-picking. We definitely try and make it fun, rather than a burden.

[0:21:56.3] Guy Podjarny: Yeah. No, that’s excellent as well. So good gamification, I guess in that process, but good education.

[0:22:02.8] Tad Whitaker: Exactly.

[0:22:04.1] Guy Podjarny: You mentioned before that you refer to compliance and doing some of that work that you built there. How big a role did compliance play in your agenda, or in the plans of what is it that you build, and maybe even requiring some things from the rest of the org?

[0:22:21.2] Tad Whitaker: I’ll be upfront and say it shaped almost everything that we did. The very first meeting that I had with Rob when he promoted me to first security engineer, he sat there and said, “You’re doing a great job just handling all these security questionnaires and making on-the-fly decisions as a support engineer and I want to formalize that.” He said, “Do you know what SOC 2 is?” I said, “No, I’ve never heard of that before.”

He said, “Well, I want you to go out and find out about it, because any big customer that we are going after asks about it.” He said, “I’m not sure exactly what all it entails, but you should probably use that as a roadmap for most of your decisions.”

I went to an auditing firm that I knew from my days being a PI and a certified fraud examiner and they just sent me their spreadsheet of all their controls. It was really interesting, because on the one hand, some of it was a little dry. On the other – Reading through this list was so informative, because there was not one bad thing on there that we shouldn’t do. None of it seemed like a burden. I just looked at it and I thought, “Oh, my God. If we actually did all of this, the whole place would operate so smoothly and customers would like that.”

Now I really understand why some big customer asks if we have a SOC 2 report. Because if you do all this stuff, you’ve got a lot of redundancy built in to prevent bad things from happening, where if they do happen, you know it instantly. We started it with some SOC 2 work, but then FedRAMP actually landed right in our laps, where the federal government was creating this new program called FedRAMP Tailored. They were trying to get an initial group of 10 high-flying Silicon Valley type startups in it.

They chose Slack, Zendesk, GitHub and us and a few others and they basically fast-tracked us through that process. I’ve heard that that costs a half a million dollars, if you want to go pay for it. They paid for the entire thing. That was nothing that was really planned, but it was this opportunity that we just did not pass up.

[0:24:49.5] Guy Podjarny: How much of a big leap – I mean, it sounds like a great opportunity to take advantage of, how big a leap was it from SOC 2, maybe even in relative terms from pre-SOC 2 where you just tried to do what’s right to SOC 2 FedRAMP, how are these equal size jumps? What would you say is the level of effort or change?

[0:25:10.4] Tad Whitaker: We did FedRAMP first and then SOC 2, which is usually the opposite direction most people do it.

[0:25:16.6] Guy Podjarny: Yeah, that’s basically the other way around. Yeah.

[0:25:20.0] Tad Whitaker: When the federal people were standing there saying, “We want you to be – Hey, it’s January. We want this to be completely done by September 30th and we’ll foot the bill.” Sure, we gladly accepted it. It was bumpy for sure, because they were still figuring out what this FedRAMP Tailored program really meant. The very first meeting that I had with them they said, “Okay, we need a list of all your sub-contractors and vendors and their FedRAMP number.”

I sat there quietly and I said, “AWS and Google are two of 400 that we use.” None of the other ones are FedRAMP authorized. That’s the whole point of this program is to make this more accessible.

[0:26:06.1] Guy Podjarny: Is to allow them to be.

[0:26:07.8] Tad Whitaker: Oh, yeah. They said, “Well, that’s not going to work.” I just said, “Well, I know you’re the federal government, but I’m just telling you the reality is no one has this, because the burden is so high to get into your program.” They came back a few weeks later and they said, “Okay, that’s fine. We’re going to hold our nose a little bit on this, but every one of the vendors has to be SOC 2 and ISO certified.”

I said, “I’m going to say it again. Almost none of them are going to have that.” There was all this hand-wringing. That was January of that year, then there was all this hand-wringing around, “Well, can they do this?”

I think the reality is they had to accept that, because GitHub and Slack and everybody else that they were bringing into this was in the exact same position. There was a fair amount of back-and-forth with the federal government getting up to speed on what was and wasn’t in scope. That was one of the harder parts I would say initially, but because we only had 130 people at that time, the CTO and I could make decisions and say we’re going to do something and just do it. There weren’t a lot of moving parts in the company. I think that made it relatively painless, just because we weren’t trying to do this with 900 people. SOC 2 was harder because of that.

[0:27:37.6] Guy Podjarny: SOC 2, because there were more people in the company to change their behaviors?

[0:27:41.5] Tad Whitaker: Yeah.

[0:27:43.5] Guy Podjarny: When you think about these jumps, I guess another angle, how much of the effort was software? You had to build stuff into the product and change it, versus processes and people and wavy ratios, right?

[0:27:59.5] Tad Whitaker: Yeah. There wasn’t a lot of software process, I would say for FedRAMP. Again, just given the nature of our product, we did a lot of the good behaviour right out of the gate. There was no big re-architecture situation. We didn’t have to start encrypting a whole bunch of stuff that we hadn’t been encrypting. There wasn’t anything that fundamental, but it was really more around setting up some maybe basic security practices.

We did vulnerability management with an asterisk next to it, but when the FedRAMP auditor was here, he wanted to see everything we scanned. Like how soon did we patch it? He wanted reports and he wanted it in spreadsheets. It was really more about setting up monitoring and being able to verify that and have somebody look at it and know that we were going to have an auditor in here looking at it going forward.

[0:29:03.9] Guy Podjarny: Okay. I think oftentimes for many companies, that’s an encouraging statement, because there’s this concern of the unknown. “I’m going to do SOC 2. I’m going to do FedRAMP.” Each of them, there’s the whole fear of the unknown above and beyond the practice itself. It’s a good insight to hear that it was less around the software, granted you might have had a slightly more solid foundation than some others, but it’s less around the software and code changes that you needed. It’s more around formalizing how you approach, how you access data, how you track what happened and audited. It’s a little bit less, I guess artisanal to use that word.

Maybe one more question on compliance before we move on, which is, how much of these compliance efforts, roughly what percentage of SOC 2 or FedRAMP, would you have rather not done? Today when you look at this, what percentage of the work you do is just a necessary evil because you have to suck it up to be compliant, versus things that you actually think are good security practices that you should be doing?

[0:30:08.8] Tad Whitaker: What percentage?

[0:30:10.8] Guy Podjarny: Well, just is it a lot? Is it a little?

[0:30:12.9] Tad Whitaker: Yeah. Again, I think some of the – I have to give that in two answers, I would say. For SOC 2, there’s really nothing in that framework that I find disagreeable and I actually really think it makes our product safer for customers to use. It makes CircleCI a better place to work. I think an example of that, it requires annual performance reviews for every person in the company. That wasn’t happening before.

I went two years without a performance review. I don’t really care. But I know that that’s not a great way to manage people. People perform best when they have regular and consistent and truthful feedback. If you know that they’re getting that quarterly and annually, you know that people are going to be doing a better job and they’re going to be feeling their work matters, and is on target. That just makes for a better place to work.

Now I know in HR, that’s been a lot of toil. I’m sure even though I like that, they probably view it as a real hassle. But again, to me, that’s part of building a really secure company and not just the product. And not just a function.

[0:31:28.8] Guy Podjarny: It’s a good forcing function. Yeah.

[0:31:30.3] Tad Whitaker: Some of the FedRAMP stuff is a little archaic, I would say. We have to do these quarterly inventories of all of our assets. We run our own Mac fleet and have well over 100 Mac machines that we administer and everything. That’s a very small percentage of our whole company. We basically just have this spreadsheet that has no IP addresses or anything in it, because they’re just Amazon. We have to do that every quarter. There’s a fair amount of old practices, I would say in FedRAMP that just don’t really seem that relevant, but it’s part of doing business for them.

[0:32:17.4] Guy Podjarny: Indeed. Sometimes you do need to absorb some of that cost. I think we had three topics so far and I think all three are interesting, from your journey into security, to the way you structure things in Circle, to this whole compliance narrative. I think we’re going long anyway, but I want to make sure that I touch on one thing, which is you’re actually the co-founder of Shecurity. I don’t know if I’m pronouncing it correctly. Shecurity, which is about women in security. Can you tell us a little bit about that? That sounds like a great initiative.

[0:32:45.7] Tad Whitaker: That very first meeting that I went to at OWASP, I sat down next to this big, burly guy wearing all black and he had all these DefCon patches and everything and his head was the size of a bowling ball and was all bald and he looked as menacing as they come. He was this super cuddly guy named Matt Torbin. I mean, that’s who I sat down at my very first OWASP meetup and we just became friends.

He was a front-end developer at RSA, who really wanted to get into security. He made this big leap at the same time that I did to switch over to security. He started working at a company as a security engineer. I think he was their first one and then they wanted to hire another one. All the candidates were just white men and he was frustrated by the talent pool, because diversity and inclusivity was really important to him based on his background and his history.

He was telling the head of hiring over there, I think the company is Lookout. He told him, he said, “You know, if I could just get a roomful of 10 women who came out of boot camps and teach them how to use Burp Suite over the course of about 10 hours, I would probably hire one of them. They would have enough skills to get going to handle what we need here.” They said, “Well, why don’t we just do that?”

They organized this little 10-person hacker day, where he showed about 10 women how to use, I think it was Burp Suite and they wound up hiring one of them. He was telling me about that and I was like, “Dang, why didn’t you let me know about that?” I used to do a lot of mentoring through something called Mission Day, where I would go into public high schools here in San Francisco and teach JavaScript to low-income students.

We just started talking about it and there was a recruiting company that just focuses exclusively on security engineers who had been recruiting me. I said, “Hey, I don’t want a job somewhere, but are you guys interested in trying to build out a little workshop that would just help train women into security engineers?” That turned into a full-day event with 200 or 250 attendees. We had a bunch of people from HackerOne teach a full day on Burp Suite and a whole bunch of that stuff and we’ve now had five of them: three in San Francisco, one in Boston, one in Toronto, and we’ve got a couple more scheduled this year.

[0:35:29.6] Guy Podjarny: That’s excellent. That’s a great story, creative thinking and fundamental initiative from it. Do you keep track? Do you have a Slack for all the alumni of this program?

[0:35:41.9] Tad Whitaker: We do. Yeah. We have a dedicated Slack group to it, the Day of Shecurity and anybody who’s gone and attended gets to be in there. We have a job board and we have a mentoring system in there. We’re really trying to build it into a community, more than just a workshop at this point. We’ve also started branching out into doing every other month meetups that are called Day of Shecurity presents. Those are all led by women.

I think the one that’s coming up in a couple of weeks, I just looked at that. There are four speakers and all four of them are women security engineers. This is really about giving women a platform and an opportunity to get out and become security leaders.

[0:36:26.4] Guy Podjarny: That’s excellent. Well, that’s awesome and I love the initiative of it and we’ll definitely post a link to it in the podcast notes.

[0:36:35.2] Tad Whitaker: Awesome. Thank you.

[0:36:35.8] Guy Podjarny: Encourage those women who are listening, or encourage everybody listening to tell women around them that you think might find it interesting to try those out. Sounds greatly valuable to me.

[0:36:45.5] Tad Whitaker: It’s been really valuable. It’s probably one of the most rewarding things that I’ve been involved in. The last one that we had, right down the street here from CircleCI, was at the Federal Reserve Bank of San Francisco. I think there were 400 people at it. Having gone to DefCon and some of these things, it was amazing standing there the morning of registration. Everybody’s handing out the little wrist bands and the lanyards and the bags and all the stuff and it was just 100% women walking in. It was the most unsecurity conference I’ve ever been to.

[0:37:20.9] Guy Podjarny: Yeah. Massively different experience than what you get at a security event.

[0:37:24.4] Tad Whitaker: Right?

[0:37:25.3] Guy Podjarny: Yeah. Yeah. Well, that’s amazing. Tad, this has been excellent. Before I let you go, I do like to ask every guest coming on the show one question, which is if you have one pet peeve, or one piece of advice, or something like that that you’d like to tell a team looking to level up their security foo, what would that bit of advice be?

[0:37:46.0] Tad Whitaker: Make security fun. It is fun. I think almost everybody that I’ve ever met likes to know about the bad side of behavior in one way or another. The accountant really likes to read about financial embezzlement stories, or the HR people know some incredible blow-ups that have happened. People like to talk about this. I think it’s utilizing that instinct that everybody in every team has and keeping it light and fun is I think the best thing to have.

[0:38:22.2] Guy Podjarny: Yeah. No, that’s excellent advice. I definitely follow it and I think it’s a great, great device to keep people engaged and see a bit of security, that’s not just risk management and the likes. That’s great advice.

Tad, this has been excellent. Thanks a lot for coming onto the show.

[0:38:37.2] Tad Whitaker: Thank you, Guy.

[0:38:38.4] Guy Podjarny: Thanks everybody for tuning in. I hope you join us for the next one.

[0:38:41.7] Tad Whitaker: Thanks for having me. I really appreciate it.


Tad Whitaker

Engineering Manager at CircleCI

About Tad Whitaker

Tad is an Engineering Manager at CircleCI. He has also worked as a newspaper reporter and a private investigator. Outside work, he loves being a dad and is a founder of Day of Shecurity, a technical hacking conference to bring more women into infosec. Tad also maintains a blog that explores basic security concepts.

The Secure Developer podcast with Guy Podjarny

About The Secure Developer

In early 2016 the team at Snyk founded the Secure Developer Podcast to arm developers and AppSec teams with better ways to upgrade their security posture. Four years on, and the podcast continues to share a wealth of information. Our aim is to grow this resource into a thriving ecosystem of knowledge.

Hosted by Guy Podjarny

Guy is Snyk’s Founder and President, focusing on using open source and staying secure. Guy was previously CTO at Akamai following their acquisition of his startup, and worked on the first web app firewall & security code analyzer. Guy is a frequent conference speaker & the author of O’Reilly “Securing Open Source Libraries”, “Responsive & Fast” and “High Performance Images”.
