How Sarbanes-Oxley changed the information security profession




Melting Pot

By the time Symantec bought @stake in 2004, the talent drain was well under way. Zatko had left in 2002. The Litchfield brothers had left to start NGS Software, along with Chris Anley and a couple of other @stakers. Snyder and Swiderski took off for jobs in Microsoft's new security organization. Adrian Ludwig, an application security consultant, jumped at a chance to create the Secure Software Engineering team at Macromedia (now Adobe), and four other @stake employees later followed.

"Everybody's mindset was 'Let's break even.' We did way better than a lot of other companies that didn't make it as long as @stake did," says Christien Rioux, a former L0pht member who joined @stake at its founding. "I don't think there were any hurt feelings. Everyone was pleased that @stake had a sustainable business model. But the question was, would it ever expand or grow."

Since the acquisition, the critical mass of talent assembled at @stake has spread out across a number of industries, creating a diaspora that has served as the foundation for any number of start-ups, security teams and consulting shops.

To wit:

  • Frank Heidt, Rex Warren and Kevin Rich, all former @stake employees, founded security consultancy Leviathan Security in Seattle.

  • Aitel, another NSA and @stake veteran, started pen-test software provider Immunity Security.

  • Former @stakers Goldsmith, Dai Zovi and Snyder, along with Thomas Ptacek, founded Matasano Security in New York.

  • @stake veterans Tim Newsham, Alex Stamos and Himanshu Dwivedi founded iSEC Partners in San Francisco.

  • George Gal, a former @stake consultant, founded Virtual Security Research in Boston.

  • Of the L0pht members who joined @stake, Wysopal and Rioux, known as Weld Pond and DilDog, respectively, are at Veracode, an application security company; Brian Hassick, who went by Brian Oblivion, is working for a defense contractor; Zatko works at BBN; Grand, known as Kingpin, runs his own company, Grand Idea Studio; Karl Kasper, known as John Tan, does penetration testing in the financial services industry; and Paul Nash, known as Silicosis, remains at Symantec.

The role @stake and its people played in shaping today's security industry was significant, and it's clear its influence will be felt for many years.

"We had the biggest congregation of application security experts by far. At some point it just couldn't grow anymore because we had already amassed everyone," says Wysopal. "I'm surprised by how often we bump into an ex-@staker. We're everywhere, running security teams, doing application testing, everything. It was a great place."





This was first published in January 2008
