Interview with Andy Willingham, Co-host of Southern Fried Security Podcast
Recently I had the honor of interviewing Andy Willingham, co-host of the Southern Fried Security podcast and author of the blog Andy IT Guy. Below is our interview. Thanks again, Andy, for taking the time to be interviewed.
FIS: Can you tell us a little about yourself for those that might not know you?
AW: I’m just an ordinary guy who stumbled into computers and, later on, security. Luckily I seemed to have a knack for doing security and an interest in it. I’ve never been an “elite haxor” but more on the nuts and bolts of day-to-day security and the program management of security.
FIS: You are one of a handful of people who co-host the Southern Fried Security podcast. What made you guys decide to start a podcast?
AW: I met Steve Regan when Panda Security hosted their first “Security Bloggers Conference” in Madrid, Spain, back in 2009. They had invited both of us to participate. We hit it off and kept in touch after we got back to the States. We talked about doing a podcast but never got it going; then one day Martin Fisher approached me about doing one when we were both looking for a new job and were considering starting our own consulting firm. We thought it would be a good way to let our customers know what we were all about. I then thought this would be a good time to bring Steve in, and later we decided that we needed some “young, sparkly blood,” so we invited Joseph Sokoly to join us.
FIS: I know that you have been in the information security field for a while. Are there any trends that you are seeing that people new to the field should be aware of?
AW: The biggest trends that I see are that we are behind the curve on most things because security is still a bolt-on and not built into applications. The best way to approach security is to assume that you are already compromised and figure out how to deal with it.
FIS: What are certain skills that you feel a security professional should have that would help them in their current roles or help them grow professionally in the security field?
AW: It really depends on what your career goals are. I think that having an understanding of infrastructure components and application development is important for most hands-on security professionals. If you don’t understand these things, it is hard to know how to protect them. Also, having what some call a “security mindset” is vital. You have to think about security in most things that you see. When you see a design doc you should automatically start thinking, “What is wrong with this and how can I take advantage of it to gain access?” If you look at it only from a “what you see is what you get” mindset, then you will miss lots of things that could go wrong.
FIS: There is always a lot of talk about what certifications a security professional should and shouldn’t have. What is your opinion on this?
AW: Certifications are for HR and hiring managers. I’ve known certified people who didn’t know jack, and I’ve known people who can run circles around most everyone else who don’t have any certifications. That doesn’t mean that there isn’t some value in them, but it will differ for each person. If you want/need certifications, then you need to seriously consider your career goals and how each cert can aid you in reaching your goal.
FIS: If you could give one piece of advice to those who might be looking to enter the infosec field, what would that be?
AW: Make sure you are doing it for the right reason. Don’t do it because you think it’s sexy or because you think that you will get rich. Both of those are false ideas for 99.9% of those in security. Do it because you are passionate about security and want to do something that can make a difference for the company you work for.
FIS: Where do you see the InfoSec field going in the next 5-10 years?
AW: I’m not really good at viewing the future in the crystal ball. If the last 5-10 years are any indication, then we will be where we were then. I do think that either the business will finally latch on to security being key to survival, or our continued failure will doom us to the basement and only for those critical systems that have to be almost bulletproof.
FIS: What do you think of all the breaches that we have had so far in 2011? Do you think that security isn’t being taken as seriously as it should be by some of the big-name companies that were attacked?
AW: No, I think that many of them take it seriously, but software is complex, and if you buy something that is insecure then all of your good work will be put in jeopardy. I do think it’s a shame that we are still falling to vulnerabilities that were around 7 or 8 years ago. There is no real reason for SQL Injection to still be an attack vector today.
FIS: If people would like to hear more from you, where can they find you?
AW: I blog (occasionally) at www.andyitguy.com, you can hear me on the Southern Fried Security Podcast at www.southernfriedsecurity.com, or follow my one or two tweets a week on Twitter, @andywillingham.