Archive for October, 2009

Startup Lessons

Thursday, October 22nd, 2009

Interacting with academia is an important part of what I do as CTO of Cigital. Though I have been known to lecture at Stanford, CMU, Cornell, Harvard, NC State, Purdue and a bunch of other places, I have a special place in my heart for the University of Virginia (where I studied Philosophy as an undergraduate) and Indiana University (where I earned a dual Ph.D. in computer science and cognitive science).

Alf Weaver, a CS professor at UVa, recently asked me to lecture to his Electronic Commerce Technologies course. I was happy to oblige. When I asked what I should lecture about, I got back a one-word answer—startups.

Not quite sure of what to do, I decided to draw on my own experience at Cigital. In 1995 when I joined Cigital, it was known as Reliable Software Technologies (or RST) and had a grand total of seven employees. I’m proud to say that today Cigital has over 120 employees and offices in Virginia, NY, Boston, Silicon Valley, India, and Amsterdam.

Helping Cigital evolve has been both hard work and a joy. Here is a list of seven lessons I’ve learned through my own startup years, each boiled down to four words or less:

  1. Think and write.
  2. Build a network.
  3. Follow the Categorical Imperative.
  4. Achieve the Buddha calm.
  5. Develop a rhythm.
  6. Follow your passion.
  7. Build great stuff.

The original PowerPoint from the CSCS 4753 “Electronic Commerce Technologies” lecture can be found here.

An article version of the talk can be found here.

White Hat Hacker Man

Tuesday, October 13th, 2009

This is a guest post by Cigital’s resident songwriter, Paco Hope.

In an effort to go down in history as the “Weird Al Yankovic” of Software Security, I’ve released my latest single: This time it’s “White Hat Hacker Man” to the tune of Billy Joel’s “Piano Man.”

And here are the lyrics:

It’s five o’clock on a Saturday
The developers are trying again
The release manager waits in his cubicle
for the build scripts and smoke tests to run

He says how will we do this by Monday?
The security tests haven’t begun
It’s buggy and brittle
and does just a little
of what the sales guys downtown say it can

NIST 800-53, FIPS 140-2, PCI….

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

Now Bob down the hall is a friend of mine
He uses tools right off the shelf
He can do just a scan
or maybe try something canned,
but he’s better than doing it yourself.

He says “why do we need these consultants?
I can do all this stuff just the same.”
He doesn’t realize, when the hackers come,
Who the management’s going to blame.

CISSP, MSCE, SANS GIAC

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

Now Dave’s the development manager
And security’s a pain in his ass
Cause he knows first and foremost
Features get him his bonus
So security always comes last

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

Well it’s been a long day in security
The dev manager gives a sad smile
He knows this release
Despite all their pleas
Will miss their deadline by a mile

And metasploit overflows buffers
And the shell code runs on servers galore
And they burned another sprint
Instead of building security in
So assessments will go on some more

CCIE, OWASP, PMP

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

You are currently browsing the Justice League weblog archives for October, 2009.