
How ShadowLabs empowers Fortify

jhaddix ‎08-07-2013 08:06 AM - edited ‎09-25-2015 10:27 AM

We get stopped a lot by people asking about the ShadowLabs group here at Fortify on Demand. We use it in our recruiting, and you might have seen a few of us at Defcon this year. With this in mind, we thought it was about time we went full-disclosure.



A bit of history...


HP has many groups of security consultants, one of which was the Professional Services group known as the Application Security Center (ASC). This is really where we started, pre-Fortify. We were former members of SPI Dynamics, and we were also a mash-up of pentesters from all over working as the assessment arm of ASC. We did app assessments of all kinds: thick, binary, web, network, etc. This was a highly technical, albeit pretty normal, consultancy structure.


Then everything changed with Fortify. Upon acquisition, Fortify on Demand was really shown as the way of the future. We are convinced that the Security as a Service (SaaS) model, powered by both software and expert testers, cannot be beat. We settled on that model and began to assemble an even more technical team. 





A few things started happening very quickly:


  • Through delivery of tests we amassed a wealth of exploit/security knowledge that got fed back into our methodologies
  • Leaders on each team (web, mobile, static) started to stand out
  • Additional talent was brought on


As the team expanded, a need grew to showcase our best and brightest. This is how ShadowLabs was born.



The Requirements...


Out of the 120+ employees at FoD, only a small fraction are ShadowLabs members, with more members being inducted twice a year.


Anyone on the FoD team is eligible to become part of ShadowLabs. The goal is not to divide the team, but instead to encourage excellence through a transparent list of entrance criteria and offer recognition to those that reach that mark.



The requirements for ShadowLabs membership are divided into three equal parts:


  •  Technical: The candidate must possess deep technical ability in one or more domains of security testing (static, web, mobile, etc.), and must have demonstrated a driving passion for continuously improving their technical skills.
  •  Dedication: The candidate must be considered by peers and management to be an extremely hard worker who is willing to go above and beyond for the team.
  •  Contribution: The candidate must have contributed to the team in a tangible way. This includes but is not limited to: conducting internal or external trainings, conducting public presentations on behalf of FoD, performing key client pitches/demos, or developing tools, systems, processes, or techniques that have improved our practice.



Our Mascot and Designs…


Meet Meticon… he’s the crazy fusion of the Fortify namesake (a castle) and our love for all things Transformers:



He’s been sighted destroying iPhones on this year’s team shirt design:





He also likes to tag along with us to client sites:




The Future…


FoD will continue to give back to the community with research gained from the work we do in the web and mobile space. You’ll also see us a lot at cons and through various OWASP events and projects.


And on that note, be sure to check out a couple of our projects headed by ShadowLabs members:


  • The OWASP Mobile Top 10 (Jason Haddix and Daniel Miessler)
  • The SecLists Project (Daniel Miessler and Jason Haddix)


If you see a ShadowLabs member, make sure to say hi. Also, if you are looking for a gig with a really fun and dedicated team, contact us! We are looking for more web and mobile testers to join our elite team.


We look forward to seeing you out and about!
