Editor’s note: Nick Merritt is TrustedSite’s VP of Security and is the lead architect of the TrustedSite Security solution. In his rich career history spanning the last 15 years, Nick has gained many insights into the cybersecurity landscape. He wants to share what he’s learned with you.
Recently we sat down with Nick to have an in-depth conversation about everything from his career path to the future of cybersecurity. In this blog series, we’ll be sharing excerpts from his interview so you can get to know Nick and learn from his unique perspective.
In this post, we’re talking with Nick about how he got to where he is in his career today, from his beginnings as a developer to becoming TrustedSite’s Head of Security, and the lessons he’s learned along the way.
First question, how and when did you get your start in your career? What inspired you to get into this line of work?
The path to being a security engineer was not apparent to me right at the beginning of my career.
I have always been a curious person. I need to know how things work. I remember from a young age disassembling everything from our kitchen phone to my sister's walkman. I even wired our kitchen phone to a cassette tape recorder to record both sides of the conversation before speakerphones were a thing. These ridiculous tinkerings made me a pretty good troubleshooter.
Being a security practitioner means you have to be an excellent troubleshooter because you usually look at things without the source code. You're looking at things from the outside, and troubleshooting allows you to anticipate what the person thought when they built it. So, my career took a path where I got better and better at troubleshooting.
My first tech job was writing automation scripts to install Microsoft patches. The company was called Everdream, started by the now-famous Technoking, also known as Elon Musk. Microsoft would publish disruptive patches for end-users that requested multiple reboots per day. My job was to reverse engineer patches and repackage them to minimize disruption by reducing the reboots occurring during non-business hours.
Even though we were reverse-engineering security patches, we had no training on the security repercussions. We were so preoccupied with whether we could do it, and we didn't have the experience to consider whether we should do it. It is eye-opening to reflect upon this now, knowing that there were no protections to prevent a malicious actor from installing malware into our automation process.
My leap into becoming a security-focused practitioner was when my company hired a consulting company to train us on proper secure coding. They opened my eyes to the fact that hacking is not magic. That made me realize that my troubleshooting and reverse engineering experience gave me an advantage in security auditing.
Once I had that training, I started doing security research. You couldn't jump on the internet to learn about security auditing like you can today. You had to go to the bookstore and start reading, and there was no guide on where to start. There weren't security hacking classes that gave you real-world training.
How did you study? What was your approach to that?
I remember going to the bookstore and guessing what I needed to learn. I needed to know about computer networking. I needed to understand how network protocols work. I looked at every O’Reilly book and bought the ones I thought would be helpful. I took those back to my job, and after work, I would sit there with the books and study after everyone left. I had all these books in my cubicle for a while, and people would come by asking about them. That's how motivated and curious I was about learning security. Suddenly, I wanted to know how it all worked.
Building on the earlier question, how did you get to where you are in your career today?
Because I had done so much studying, I thought I knew my stuff. So then I started looking for security companies that I could transition my career to, and I found HackerSafe out in Napa. I was interviewed by Ben Tyler (now TrustedSite's CTO) and Joe Pierini back in 2006. Rich Murphy (now TrustedSite's VP of Sales) was also there. It was humbling because Joe gave me a thumbs down, but Ben gave me a thumbs up, so they gave me a chance and hired me.
They promoted me to support leader within six months, but I wanted to move into engineering. I ended up hiring someone to take my position in support. Then I moved to the engineering team to work with Ben Tyler researching efficient methods for detecting injection vulnerabilities.
Back then, no one would believe that we were finding real vulnerabilities. We had to prove that we could break in just like an attacker. My job was to exploit vulnerabilities to verify that I could access their credit cards or private customer data. For example, I would exploit injection vulnerabilities detected by the scanner, and then I would create a proof of concept to demonstrate to the customer that the problem was real.
But a year later, HackerSafe was sold to McAfee, and my job at McAfee became only about maintenance, and almost no innovation occurred. If I stayed at McAfee, I felt like I might stay there for years, but if I ever had to get a new job after that, I wouldn't have any clue what to do in the industry. I felt like I would just lose all my skills because it wasn't very challenging. So I went off on a security adventure.
During that time, I became proficient with web application penetration testing, the most challenging type of security auditing. It requires you to think and reverse engineer what the developer has created and see where they left flaws. So I taught myself to become an expert in web application security.
I went to work for a consulting company that provided all facets of security auditing services, from physical to web application security. They hired me as a senior web application pentester.
I took on a few physical security gigs when they needed an extra resource. I also did social engineering, but I didn't enjoy it. I hate that feeling when I call somebody and get them to give me their password. After several physical and social engineering engagements, I decided to look for another opportunity dedicated to web application security.
A recruiter from a large internet company contacted me asking me if I wanted to do a web application security audit. They put me on auditing the admin interface for a very well-known music platform. To make a long story short, I figured out how to bypass and become an admin without a username and password. They gave me no users or roles. They just said, here's the login page, have at it, good luck. I ended up figuring out how to break in and become the “super admin” for the platform. It was so exciting. I couldn't believe it. I presented it to the company, and they didn't want to talk about it. They just said, great job on the report, and they fixed it. They had me verify the fix. They said thank you, and then the gig was over.
Next, I joined a company that specializes in PCI compliance. They hired me as a senior web application security auditor. I conducted hundreds of security audits for banks, credit unions, and some of the largest e-commerce companies. I knew exactly where to look for security flaws, as every company seemed to make the same mistakes. I did pentest after pentest until I could do them in my sleep.
At this point, I was a bit burned out as a pentester who spent most of my time siloed, and when talking to a customer, it was to deliver bad news regarding my security findings. Then, I received a call from Tim Dowling (now TrustedSite’s CEO), who I briefly worked for at McAfee, regarding an opportunity with a startup company called OneLogin. They needed a subject matter expert on implementing single-sign-on who could talk to customers. It turns out it is tough to find authentication architects who enjoy speaking with customers. A subject matter expert who speaks to customers is equivalent to what most people know as a sales engineer.
I became the first sales engineer for OneLogin. My time at OneLogin was crucial to fine-tuning my security skills in auditing authentication. It was refreshing to work with customers where I did not start the conversation with bad news about their security findings. Also, implementing single-sign-on was enlightening for my understanding of authentication flaws. It was surprising to learn that single-sign-on implemented incorrectly is just as bad as using proprietary or homegrown authentication.
I spent several years at OneLogin, and it had grown from under ten to over a hundred employees rather quickly. I had a handful of sales engineers working for me and spent several months in Europe, training our international sales team. It was a great experience, but I was starting to get the itch for something new when I got a call from Tim Dowling, who had left OneLogin for a new startup called Kenna Security.
I became the lead sales engineer for Kenna Security shortly after being introduced by Tim Dowling. Kenna Security was a startup company that realized companies had so much security data they were effectively becoming paralyzed and had no idea where to allocate resources. They coined the question of “How do you know which vulnerabilities to fix first?”
Now to fast forward, I became the lead security architect for the sales engineers at WhiteHat Security before their acquisition by NTT Security. It was a dream opportunity for me since many consider WhiteHat Security the authority on web application security.
At WhiteHat Security, I noticed a surprising trend that customers seemed to have no idea how many web applications they have on the internet. It was not a surprise to the customer either. When I brought up the subject, the customer would acknowledge the concern and then ask for help. It was shocking since this inventory should be easy to do; just gather up your DNS records, use a few command-line tools, sprinkle in some script automation. Then voilà, you should have most of your inventory figured out.
One weekend, I created a prototype tool to find a company’s web applications. Shortly after I completed my prototype, a customer permitted me to try it on their company, and it was a wild success. The customer and our sales team were thrilled since more web applications meant the customer needed to buy more services. It quickly spiraled out of control since every salesperson wanted a discovery report for their customers. I had only created a prototype, and the process was still largely manual, especially cleaning up the data and putting it neatly into a report. The next thing I knew, the sales team was trying to sell my weekend prototype and asked me for a whitepaper explaining the technology and how much we should charge. That’s when I had to put on the brakes and remind them this is not a company product.
To make a long story short, I presented my prototype and source code to our product team and said I would be happy to help create an official product, but they did not seem interested. I found out shortly after that an acquisition by NTT Security was in process, which explained to me why they were not receptive to a change.
After the NTT Security acquisition, I realized change and innovation would only get more challenging.
What motivated you to come back and work with the team at TrustedSite?
Suddenly I realized that a security gap caused by rapid development and competitive pressure had emerged since the beginning of my career. Companies have been building and discarding online projects for years. Today, these companies have enormous attack surfaces, yet only the most recently developed web applications are being security audited.
I created a slide deck explaining this emerging gap and presented it to the executive team at TrustedSite, and here we are! I’ve now been TrustedSite’s Head of Security for the past three years.
To be continued
In the coming weeks, we’ll be sharing additional excerpts from our interview with Nick Merritt that will give you an inside look at his role in making TrustedSite Security what it is today. Stay tuned!