November 27, 2018
Calum has always been interested in figuring out how computers work through experimentation. Aged just nine he started programming basic games in Scratch for his friends in primary school. “It was just pong-type stuff to begin with but it made me realise I preferred making games to playing them"
The more he built, the more hacking became a point of interest for him and he began lurking on hacking forums to learn how to protect what he was building. “I was fascinated by the ingenious methods people had devised to manipulate systems”. The more seasoned hackers impressed upon Calum the necessity of knowing how to build first before breaking. "I was constantly told that to be a good hacker you must first be a good programmer.” So he took a step back and taught himself C in 3 months and then Python, before moving on to web application security. He put this new learning into practice by competing in ‘capture the flag’ challenges on EnigmaGroup and HackThisSite.
By the time he was 16 he was able to secure a work placement at a reputable Scottish security firm Sapphire.
As I started getting more into the practical side of security, I found the problem-solving aspect of it just clicked with me.
His boss was so impressed he wrote a letter of recommendation to Abertay University which allowed Calum to leave school and pursue a BSc (Hons) in Ethical Hacking.
While studying Calum landed an internship pen-testing for Vodafone. Despite his young age he was thrown in at the deep-end, testing a mobile banking app responsible for a over 40% of Tanzania’s mobile banking transactions.
They suspected that people were committing fraud they just didn’t know how - managed to figure it out pretty quick, which was fun.
In his final year at Abertay, Calum took PWK in 60 days obtaining OSCP aged just 20. Calum first encountered OnSecurity when a colleague at Vodafone showed him the portal. "When I saw how much hassle it would save pen-testers I figured I’d better go talk to these guys when I was finished studying and we kept in touch”. Now he’s building new features into the portal as part of our dev team in between penetration tests.
It varies, some days I’ll be performing penetration tests for clients, other days I’ll be working with the dev team to design and implement new features for our online portal.
Aside from various web application penetration tests, I have been working with Tom and Dave to design and implement our new scoping and invoice estimation tool which allows clients to get instant quotes for penetration tests. Additionally, I’ve been completely re-implementing OnSecurity’s API.
The new office opening in Bristol will be really cool hub for our pentesters and devs. I’m definitely a bit apprehensive about moving down to start a new life, but I’d say excitement is the underlying emotion there. In the short term, we have some phishing campaigns coming up which are always fun.
I make things, and I break things.
I once spent a summer fundraising door-to-door for Cancer Research. It was a real eye opener, to see how those with less tended to be the ones that gave more.
When developers are designing security controls, they should operate under the assumption that everything has been compromised. This means building in layers of security from the start.
My computer, or my guitar, depends how bad the fire is.
‘Separate ways’ by Journey – The video alone is a priceless work of 80’s art.
“Perfect is the enemy of good” - I largely agree, but too often it’s used to justify mediocrity.
Probably BGP hijacking or a botnet of Internet-of-things toasters, certainly not Kim Kardashian - sorry Kim.
Excessive worrying is counterproductive. Your experience is subjective and perspective is everything.
I can naturally perform Kechari Mudra (Google it)