This month, CSO tweeterviews Dafydd Stuttard, also known as @PortSwigger on Twitter, about his security philosophy, his inspiration for his web app testing tool Burp Suite, and his affinity for a nice glass of port.

Joan Goodchild (@msjoanieg): Tell us first about your background in the industry. How did you get started in security?

Dafydd Stuttard (@PortSwigger): My first job was as an IT auditor, which was pretty dull. I got to know some much cooler people doing pen testing, who taught me.

@msjoanieg: And what first appealed to you about pen testing? As opposed to auditing, did you find it exciting?

@PortSwigger: I got to solve weird problems, and be devious, both of which appealed.

@msjoanieg: Fun! OK, so tell us how you came up with the @PortSwigger handle…

@PortSwigger: It’s a pun. When I started, most tools had “port” in the name (port scanner etc.). I was quite partial to a glass of port …

@msjoanieg: Ah, a much tamer answer than I anticipated 🙂 So being in security has not led you to be a habitual “port swigger”?

@PortSwigger: Not exactly – I pretty much only do web apps these days, and the buzzwords don’t sound as quaffable.

@msjoanieg: LOL. OK, what would you point to as one of the most major changes in security since you first started in the profession?

@PortSwigger: More attack surface, more threats, more determined attackers, more gov-sponsored attacks. Very marginally improved defenses.

@msjoanieg: What, in your opinion, could the industry do better to score higher than “marginally improved” when it comes to defenses?

@PortSwigger: Unfortunately attack/defense is too asymmetric a challenge, and defense not (currently) commercially critical – that may change.

@msjoanieg: Speaking of defenses, you’re the creator of the Burp Suite for performing security testing of web apps. What was your inspiration?

@PortSwigger: I was a lazy pen tester and wanted to automate my work. The tools at the time were primitive, so I started writing my own.
@msjoanieg: Interesting. And what about today? What’s your security philosophy? And how do you apply it to your daily work?

@PortSwigger: I can’t say I have a burning desire to secure the world. I just like writing sectools. On a personal level, I err on paranoia.

@msjoanieg: Complete this sentence: If I weren’t working in security, I would ________________

@PortSwigger: I would probably be doing something geeky, with computers, writing a lot of code, and working just as hard.

@msjoanieg: Sounds like your career is right where it should be then! OK, time to pass the bottle of port. Who should CSO tweet with next?

@PortSwigger: @stevelord would be fun – he organizes the great #44Con. And @stevelord does look exactly like his profile pic, btw.