Starting early

Calum has always been interested in figuring out how computers work through experimentation. Aged just nine he started programming basic games in Scratch for his friends in primary school. “It was just pong-type stuff to begin with but it made me realise I preferred making games to playing them”

First a maker then a breaker

The more he built, the more hacking became a point of interest for him and he began lurking on hacking forums to learn how to protect what he was building. “I was fascinated by the ingenious methods people had devised to manipulate systems”. The more seasoned hackers impressed upon Calum the necessity of knowing how to build first before breaking. “I was constantly told that to be a good hacker you must first be a good programmer.” So he took a step back and taught himself C in 3 months and then Python, before moving on to web application security. He put this new learning into practice by competing in ‘capture the flag’ challenges on EnigmaGroup and HackThisSite.

Real world experience

By the time he was 16 he was able to secure a work placement at a reputable Scottish security firm Sapphire.

As I started getting more into the practical side of security, I found the problem-solving aspect of it just clicked with me.

His boss was so impressed he wrote a letter of recommendation to Abertay University which allowed Calum to leave school and pursue a BSc (Hons) in Ethical Hacking.

While studying Calum landed an internship pen-testing for Vodafone. Despite his young age he was thrown in at the deep-end, testing a mobile banking app responsible for a over 40% of Tanzania’s mobile banking transactions.

They suspected that people were committing fraud they just didn’t know how - managed to figure it out pretty quick, which was fun.

In his final year at Abertay, Calum took PWK in 60 days obtaining OSCP aged just 20. Calum first encountered OnSecurity when a colleague at Vodafone showed him the portal. “When I saw how much hassle it would save pen-testers I figured I’d better go talk to these guys when I was finished studying and we kept in touch”. Now he’s building new features into the portal as part of our dev team in between penetration tests.

Quick Q&A with Calum:

What’s typical day like?

It varies, some days I’ll be performing penetration tests for clients, other days I’ll be working with the dev team to design and implement new features for our online portal.

What have you been working on mostly since joining OnSecurity?

Aside from various web application penetration tests, I have been working with Tom and Dave to design and implement our new scoping and invoice estimation tool which allows clients to get instant quotes for penetration tests. Additionally, I’ve been completely re-implementing OnSecurity’s API.

What are you most excited about in the coming months?

The new office opening in Bristol will be really cool hub for our pentesters and devs. I’m definitely a bit apprehensive about moving down to start a new life, but I’d say excitement is the underlying emotion there. In the short term, we have some phishing campaigns coming up which are always fun.

How would you describe your job to a child?

I make things, and I break things.

What’s the most unusual or interesting job you’ve ever had?

I once spent a summer fundraising door-to-door for Cancer Research. It was a real eye opener, to see how those with less tended to be the ones that gave more.

What are 3 words to describe OnSecurity?

• Innovative
• Agile
• Fun

What’s your number 1 security tip?

When developers are designing security controls, they should operate under the assumption that everything has been compromised. This means building in layers of security from the start.

If your house was burning down, what’s the one non-living thing you would save?

My computer, or my guitar, depends how bad the fire is.

What’s your guilty pleasure?

‘Separate ways’ by Journey – The video alone is a priceless work of 80’s art.

What popular quote to you hate?

“Perfect is the enemy of good” - I largely agree, but too often it’s used to justify mediocrity.

What will finally break the internet?

Probably BGP hijacking or a botnet of Internet-of-things toasters, certainly not Kim Kardashian - sorry Kim.

What’s the most important thing you have learned in the last five years?’

Excessive worrying is counterproductive. Your experience is subjective and perspective is everything.

Unexpected fact

I can naturally perform Kechari Mudra (Google it)