Tony Perez, GM of the Security Product Group at GoDaddy, formerly the Co-Founder / CEO of Sucuri, and a former US Marine, will be facilitating the Security by Default topic at HostCamp 1.0 this year. Tony is a passionate, charismatic leader who believes in a world where security should be seamless and transparent to the everyday website owner.
In his current role at GoDaddy, he oversees the strategic direction of the security portfolio across GoDaddy products. At Sucuri, Tony and the team built a website security product from a startup into a multi-national organization focused on preventing hacks and remediating compromises for hundreds of thousands of website owners around the world. Today, that number has grown into the millions.
What To Expect
Tony will start with an overview of the current state, highlighting recent trends and patterns in security across WordPress. He’ll then open a discussion on why the topic matters and what the obstacles and opportunities are to improving security by default across the Open Web.
Q&A with Tony
I asked Tony a few questions and included his answers below.
How do you explain the concept of security by default on the web to someone new to the topic?
I start by asking, “What if you didn’t have to worry about the most basic hardening tips when securing your site? Would that be something interesting to you?” At its core, this is what I believe we as an industry should work to solve. WordPress has done an amazing job leading the charge on this, from the Mark Jaquith commit years ago that generated random passwords by default, to the auto-updates being used to quickly patch vulnerabilities as they are released. It’s the idea that we should start off with the most practical, functional security settings possible when installing our applications.
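The two defaults Tony points to above, a randomly generated password on install and a policy that refuses the weakest user-chosen ones, can be shown in a few lines. The following is an added example written for this page, not code from WordPress, Sucuri, or GoDaddy; the denylist, character set and length thresholds are constructed assumptions for illustration.

```python
import math
import secrets
import string
from typing import Optional

# Constructed denylist of a few notoriously weak passwords (illustrative only,
# not a real breach corpus); a production check would use a much larger list.
COMMON_WEAK = {"password", "123456", "admin", "qwerty", "letmein", "welcome"}

SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 76 characters


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length (bits)."""
    return length * math.log2(alphabet_size)


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy applied when a user overrides the generated default.

    Rejects short passwords, known-weak strings, and anything drawing on
    fewer than three of the four character classes.
    """
    if len(password) < min_length:
        return False
    if password.lower() in COMMON_WEAK:
        return False
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(c in SYMBOLS for c in password)
    return classes >= 3


def generate_default_password(length: int = 24) -> str:
    """Return a password drawn from the OS CSPRNG (secrets), never random.random.

    Rejection-samples until the result passes the same policy users are held to,
    so the installer's default is always at least as strong as what it demands.
    """
    if length < 16:
        raise ValueError("default password must be at least 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable(candidate):
            return candidate


def choose_password(user_supplied: Optional[str] = None) -> str:
    """Secure by default: the generated password wins unless the user's choice passes policy."""
    if user_supplied is None or not is_acceptable(user_supplied):
        return generate_default_password()
    return user_supplied


if __name__ == "__main__":
    # Simulated install flow: no user input, so a strong default is generated.
    print("default:", choose_password())
    # A weak override is silently replaced rather than accepted.
    print("override 'password' ->", choose_password("password") != "password")
    print("entropy of 24-char default: %.1f bits" % entropy_bits(24))
```

The design point is that the generated value is produced by `secrets` (a CSPRNG), is checked against the same policy as a user override, and is what the flow falls back to whenever the user's choice fails that policy, which is the behaviour an installer needs for "you never had to think about it" to hold.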
Why is security by default important in the context of WordPress infrastructure?
Regardless of how much has been done as a community to improve the platform’s security posture, there is still an external narrative that renders smirks and creates undertones about the insecure nature of the platform. I blame us, the community, for this problem. For years I have said that the thing that propelled WordPress was its extensibility, but its Achilles’ heel is also its extensibility. Coincidentally, what the platform chooses not to do, I think service providers (like hosts) have the ability to do. This is especially important for the specific cohort that makes up the biggest (in quantity of sites) cohort of the platform – consumers, micro-businesses, the everyday entrepreneurs. Could there ever be a time where a WordPress user never has to worry about security?
What have been some of the highlights (or lowlights?) of your experience dealing with security over your career?
The lowlights are always talking to customers that have lost everything. Over the past year, I have had more and more engagements with everyday entrepreneurs finding themselves in their most vulnerable state – hacked. These calls and engagements are just so hard. You can feel the pain the person on the other end of the call is going through; maybe they are dependent on their business to pay bills, maybe it’s how they survive, maybe it’s an attachment that I can share when it’s something you’ve poured your soul into. Whatever it is, you can’t help but want to help and yet, sometimes, there is little you can do. These are always the toughest moments. There is an element here that also includes the personal frustrations of how the hacks are happening: I don’t understand why you didn’t use a strong password. I don’t understand why you didn’t update; there is a big button asking you to. I don’t understand why you didn’t think you had to maintain your site. If we were dealing with advanced attacks, that’d be one thing, but to see a website owner lose everything because they used “password” as their password; that’s infuriating. And the kicker is, I can’t be mad at the user; instead, I’m mad at myself, the community, the service providers for not making it easier, more transparent, more seamless.
The highlights are always fun, whether it’s seeing what we are able to do as a company – affecting so many people around the world – or the innovation the team is bringing forward with how we mitigate attacks or detect and remediate issues. These are always pretty exhilarating; there is honestly no greater feeling than being able to positively affect people’s lives. This extends well beyond our customers to our employees, and to those quiet followers that enjoy our research and contributions back to the world. That’s why we, I, do it.