The Pen Testing Couple

When longtime partners Tanya Secker and Martin Murfitt began jobs in information security in the early 2000s, both figured they were taking up a career that carried a short shelf life.

"I thought that people like us are going to find the problems, and there are going to be solutions, and they won't need us anymore," Murfitt recalled. "My prediction was the whole industry would fall in on itself. That obviously hasn't happened."

But the pair, who have been dating for more than 11 years after meeting at a former company, failed to account for the biggest factor of all: People. Developers still cut corners – often in the name of deliverability over security – and users still make regrettable decisions, like clicking on rogue links, choosing weak passwords or failing to apply patches. Combined, they allow weaknesses to persist and be exploited. And, as a result, cybercriminals continue to prosper, and the need for security never dies.

"We didn't think people would keep making the same stupid mistakes," Secker said. "But a lot of the vulnerabilities we see are similar to the most prevalent bugs as when I started. It's because creativity and security don't play well together."

Murfitt spends his days managing customer accounts, performing penetration tests and mentoring QA consultants. He also leads Trustwave's "netpen think tank," which helps shape the direction of network penetration testing at Trustwave.

Secker, 36, and Murfitt, 40, haven't gone anywhere. They are still both working as penetration testers, for the past decade as part of the elite Trustwave SpiderLabs team and moving up the ranks: Secker now serving as the EMEA practice lead and Murfitt as a managing consultant.

Penetration tests, part of the Managed Security Testing service at Trustwave, are designed to go beyond a traditional vulnerability assessment by simulating a malicious individual or group trying to infiltrate an organization. Over the years, as data breaches and other security incidents have become more probable, organizations have largely deserted the won't-happen-to me, pearl-clutching attitude in favor of a more proactive strategy that accepts breaches as inevitable and places the need for detection over prevention – or at least on similar ground. Pen testing is a crucial part of this shifting mindset.

While Secker and Murfitt may describe their daily responsibilities as being roughly the same to those who are unacquainted with security, industry practitioners would understand just how distinct their specialties are. Secker concentrates on applications, whereas Murfitt focuses on networks. Their divergent fortes have developed into something of a rivalry in their Gibraltar apartment, where they share a home office.

"When it comes to applications, one of the coolest things is the logic," Secker said. "Each application is different, and the context – and what it should and shouldn't be doing – is very different as well. Network pen testing is more monotonous."

Murfitt, as one would expect, takes a slightly different stance.

"Application testing is more of an audit than a simulated attack, but Tanya doesn't agree with me," he said. "I see it as being more developer focused and concerned with deviations and discrepancies of how it functions. You're not thinking about an attacker trying to get their hands on the gold."

This playful trading of barbs gives way to shared elation anytime one of them achieves the holy grail of the penetration testing profession: gaining full "pwnage." Compromising an application or network during a pen test usually sets off in an impromptu celebration. What does it entail? "Oh, you don't want to know," Secker said, with a discernible hint of embarrassment. "We do a little 'root dance.'"

Secker, who played the primary role of growing Trustwave's EMEA application security practice, said she has excelled as a female in a male-dominated industry by compromising vulnerable apps – but never compromising who she is.

The boogie speaks to the couple's free-spirited personality, which includes a yearly sojourn to nature. Secker and Murfitt call Gibraltar home, a British overseas territory situated on a narrow peninsula of Spain's southern Mediterranean coast. But while the territory has stunning views and vistas punctuated by the iconic Rock of Gibraltar, each summer the couple and their dog, Sally, flee the densely populated metropolis for an idyllic and remote plot of land bordering the Guadiaro River, where they go minimalist – living and working in a camper trailer for a few weeks. The vehicle is equipped with a 4G antennae, allowing them to continue their pen testing, but that is where the tech ends.

"We like our simple living," Murfitt said.

The daily agenda includes yoga in the morning and a swim in the river in the evening. "We've got many fruit trees, yielding figs, oranges, persimmons and loquats" said Secker, who describes her and partner as hippies at heart. "And we have a summer allotment where we grow our own tomatoes, chilies and peppers to name a few."

Another summer tradition for the adventurous couple is a visit to the DEFCON security conference, which Secker and Murfitt have annually attended since they met. After the show, they like to rent a Mustang convertible and cruise the Western United States.

For Murfitt, who was raised in England, and Secker, who has called Gibraltar home since pretty much birth, information security was not initially on their radar – which is a similar upbringing for most people who grew up in the pre-Internet age but now work in the security field.

But in 2001, after Murfitt graduated with a degree in physics, he used some of the computer science competence he acquired in his modules and gaming development experience to land a job at a company that sold vulnerability scanning and penetration testing services. While Murfitt was getting settled in the real world, Secker was planning to do a business course at a Gibraltar community college. But a friend who was "one of the lucky ones" who owned a PC in 1999 persuaded Secker to switch to computer studies because she wanted some company. Cliché as it is, the rest is history.

"I just loved it from the beginning," Secker said. A couple of months into her coursework, she began tinkering with security, quickly sharpening her skills enough that she was able to hold her own in IRC chat rooms, as well as help a teacher contain a variant of the pernicious NetBus Trojan.

Not long after, she transferred to Solent University in the U.K. Despite being one of only three women, out of some 200 people, working toward a computer science-related degree at the Southhampton school, Secker was more concerned with piquing her curiosity and hacking systems than sweating the gender imbalance. Not long after, she realized why she loves hacking so much: because it helps enable her "flair for abusing assumptions."

"We all assume stuff in our daily lives, and it's kind of unnatural to move away from that," Secker said. "Every security vulnerability comes down to human assumption. When people see a name field, they think that's where they put their name and think nothing else of it. They're not thinking this is could be a good entry point to execute arbitrary code."

Murfitt similarly experiences a rush. "There's a bit of an addictive quality to hacking," he said.

Both he and Secker are deeply passionate and prideful in their work. They are aware of how critical penetration testing is for organizations wanting assurances before the attackers – and regulators – come knocking. And if 2017 is any indication, a year that broke the record for the most number of reported vulnerabilities, amounting to more than 20,000 according to Risk Based Security, the security industry has a far longer shelf life than Secker and Murfitt could have ever imagined.

The pair's decade-old Abbey Aventura 320 is built for extended getaways. It comes fully equipped with a refrigerator, oven, double bed (plus two singles), shower, heater and air conditioner. Plus, it's eco-friendly. "We have a compost toilet, not a yucky chemical toilet," Secker said.

As proof, look no further than the 2018 Trustwave Global Security Report, which found that 100 percent of web applications Trustwave tested displayed at least one vulnerability. The top flaws impacting applications have persisted for well over a decade, weaknesses like cross-site scripting, SQL injection, broken authentication and sensitive data exposure. "Nine times out of 10, the application is going to be internet facing, and that could be a way in to the internal customer network," Secker said, attributing these enduring bugs to the fact that "creativity and security don't play well together" – meaning many apps are rushed to market before secure development is fully considered.

On the network side, Murfitt concentrates on external and internal testing, but it is the latter which has come into greater focus. Whether it is a laptop or desktop workstation, a smartphone or point-of-sale terminal, a printer or a medical instrument, or even a server in a data center, endpoints are far and away the most preferred entry point for attackers.

While the point of origin for external pen tests is the web, internal pen tests begin on a private local area network from an appliance that simulates a compromised machine. Murfitt generally looks for common vulnerabilities that could indicate a lack of hardening and patching – weaknesses like beatable passwords and networking protocols that should have been disabled – which can be used to "expand his influence" in the network, laterally moving to more prized systems.

A prime example of an inherently insecure Windows protocol is Server Message Block version 1 (SMBv1), an approximately 30-year-old networking protocol that Microsoft has declared insecure and which it has recommended to disable, but which remains enabled by default. Last spring, SMBv1 – through a vulnerability dubbed "EternalBlue" – gave rise to the insidious WannaCry and Petya/NotPetya ransomware outbreaks.

Secker and Murfitt spend most of their time together, including sharing a dance anytime one of them acquires "root" on a system. "People said (our relationship) would make or break us," Murfitt said. "But it seems to have worked."

Murfitt and Secker prefer to remain at the pinnacle of their profession. To make his pen test engagements more streamlined and enhanced, he has created a "black bag" of some 50 bespoke utilities. The tools – with names like "fastdomaindigger" and "fastshareenum" – are helpful when attacking Windows domains, for example. Secker, meanwhile, has released various security advisories while working at Trustwave for well-known vendors such as VMware and VLC. She was also instrumental in incorporating response time limits into Trustwave SpiderLabs' vulnerability disclosure policy.

While most couples rely on their chemistry to keep the relationship strong, Secker and Murfitt have a second reason to cherish their rapport: They make an optimal tag team for engagements that require a physical presence. To hear them tell some of the stories, it becomes easy to imagine them as the Bonnie and Clyde of pen testing.

Each one knows their role: As a shrewd poet who has been known to conceptualize a complete ballad about a subject in mere minutes, Murfitt clearly has a way with words, making him appear trustworthy and likable. Secker is more systematic in her approach, making sure everything goes exactly as planned. "Martin is often called the mad professor," Secker said. "He's more of a politician. He thinks I'm more of a lawyer. I'm more analytical and precise in the way I see things. Martin is fluffier."

That combination worked like a charm to help them pull off a successful social engineering pen test at a bank in Dubai.

"I walked in pretending to be someone working for the bank, so all the attention would be turned to me, while Martin snuck in and started pen testing their network," Secker recalled. "He got in there and spoofed an email pretending to come from the CEO to all the relevant staff at the bank, saying he was authorized to work on the network. When they eventually found him, he told them to check their email."

In another engagement, Secker used her knack for meticulously constructing fake IDs, which are indistinguishable from the real thing. She equipped her partner with credentials that allowed him to walk into a U.K. retail store and walk out with credit card details that he was able to abscond thanks to a "containment breakout" vulnerability on the point-of-sale system Secker had discovered previously. Martin pretended to be an IT manager and claimed the location was having issues with its backups – with the cherry on top being, of course, that he uploaded the stolen credit card numbers to a USB stick.

While these types of escapades are mostly behind them, the couple regularly collaborate and ping ideas off one another – and they rarely become annoyed by their close quarters. "People said it would make or break us," Murfitt said. "But it seems to have worked."

In 2006, their romance began when they met at another pen testing company. "She was one of a kind," Murfitt recalled of when he first met Secker.

Quite literally she was, as the firm's only female pen tester at the time.

"Overall, I've been incredibly lucky at all the companies I have worked at because I've been treated as part of the team and not a specifically a 'girl,'" she said.

Just consider how she responds to friends when they ask for help troubleshooting a computer issue.

"I tell them, 'I don't fix things, I break them.'"

Doesn't sound like a woman you'd want to mess with anyway.