Protect Your Assets

How ShadowLabs empowers Fortify

jhaddix ‎08-07-2013 08:06 AM - edited ‎09-25-2015 10:27 AM

We get stopped a lot and asked about the ShadowLabs group here at Fortify on Demand. We use it in our recruiting, and you might have seen a few of us at Defcon this year. With this in mind, we thought it was about time we went full-disclosure.



A bit of history...


HP has many groups of security consultants. One of these was the Professional Services group known as the Application Security Center (ASC). This is really where we started, pre-Fortify. We were former members of SPI Dynamics, and we were also a mash-up of pentesters from all over working as the assessment arm of ASC. We did app assessments of all kinds: thick, binary, web, network, etc. This was a highly technical, albeit pretty normal, consultancy structure.


Then everything changed with Fortify. Upon acquisition, Fortify on Demand was really shown as the way of the future. We are convinced that the Security as a Service (SaaS) model, powered by both software and expert testers, cannot be beat. We settled on that model and began to assemble an even more technical team. 





A few things started happening very quickly:


  • Through delivery of tests we amassed a wealth of exploit/security knowledge that got fed back into our methodologies
  • Leaders on each team (web, mobile, static) started to stand out
  • Additional talent was brought on


As the team expanded, a need grew to showcase our best and brightest. This is how ShadowLabs was born.



The Requirements...


Out of the 120+ employees at FoD, only a small fraction are ShadowLabs members, with more members being inducted twice a year.


Anyone on the FoD team is eligible to become part of ShadowLabs. The goal is not to divide the team, but instead to encourage excellence through a transparent list of entrance criteria and offer recognition to those that reach that mark.



The requirements for ShadowLabs membership are divided into three equal parts:


  •  Technical: The candidate must possess deep technical ability in one or more domains of security testing (static, web, mobile, etc.), and must have demonstrated a driving passion for continuously improving their technical skills.
  •  Dedication: The candidate must be considered by peers and management to be an extremely hard worker who is willing to go above and beyond for the team.
  •  Contribution: The candidate must have contributed to the team in a tangible way. This includes but is not limited to: conducting internal or external trainings, conducting public presentations on behalf of FoD, performing key client pitches/demos, or developing tools, systems, processes, or techniques that have improved our practice.



Our Mascot and Designs…


Meet Meticon… he’s the crazy fusion of the Fortify namesake (a castle) and our love for all things Transformers:



He’s been sighted destroying iPhones on this year’s team shirt design:





He also likes to tag along with us to client sites:




The Future…


FoD will continue to give back to the community with research gained from the work we do in the web and mobile space. You’ll also see us a lot at cons and through various OWASP events and projects.


And on that note, be sure to check out a couple of our projects headed by ShadowLabs members:


  • The OWASP Mobile Top 10 (Jason Haddix and Daniel Miessler)
  • The SecLists Project (Daniel Miessler and Jason Haddix)


If you see a ShadowLabs member, make sure to say hi. Also, if you are looking for a gig with a really fun and dedicated team, contact us! We are looking for more web and mobile testers to join our elite team.


We look forward to seeing you out and about!
