Instructor Spotlight: David Hazar, MGT516 Co-Author

David is a security consultant based in Salt Lake City, Utah focused on vulnerability management, application security, cloud security, and DevOps. David has 20+ years of broad, deep technical experience gained from a variety of hands-on roles serving the financial, healthcare, and technology industries. In his many roles, including 3 years with a top security consulting firm, he has focused on helping integrate and automate security testing and other important security controls into both on-premises and cloud environments. He has also developed and led technical security training initiatives at many of the companies he has worked for, is an instructor for and contributor to SEC540: Cloud Security and DevOps Automation, and a co-author and instructor for MGT516: Managing Security Vulnerabilities: Enterprise and Cloud. David holds a BS in information systems and a master’s of information systems management from Brigham Young University along with numerous other technical and security certifications.

SANS: What made you choose to work in tech/security?

David Hazar: I was working for a local municipality and they dragged me into the Payment Card Industry audit for the Energy Department, which was accepting credit card payments through its website. They also had me replace their firewalls and improve their network security. After I became established in the security space, I got sucked into application security because of my development background.

SANS: As an instructor, what is your teaching philosophy?

David Hazar: I have participated in a wide variety of IT functions throughout my career – everything from developer to server admin, network admin, domain admin, telephony admin, database admin/developer, security engineer, risk manager, and AppSec engineer. I have also worked in a wide variety of environments from startups to large enterprises and consulting. This broad range of experience enables me to understand technology from many different angles and to relate to my students regardless of their technology or company background.

I have a unique perspective on vulnerability management because most people only get to see the problems associated with Virtual Machines (VMs) for a handful of companies. I have worked with numerous organizations to help them understand why they are failing and what they can do to solve their VM problem. I integrate these stories and experiences throughout the courses I teach.

SANS: Why do you enjoy teaching about vulnerability management and the cloud?

David Hazar: While vulnerability management is not the sexiest security topic, it is easily one of the most important. In fact, it’s the basis for all that we do in security. Think of how much less important such areas as penetration testing, threat hunting, and war gaming would be if we could truly solve this one problem. I love digging into VM datasets to identify root cause issues for the companies I am working with so that they truly understand what needs to change in order to succeed. I also enjoy aggregating and analyzing data in order to make more meaningful, targeted reports. Finally, automating solutions to common problems with common solutions is a big part of what I like about vulnerability management. These are some of the keys to being successful in the long term.

SANS: What’s your advice for someone taking a SANS course for the first time? Attending their first event?

David Hazar: Come prepared, that is, read the course prerequisites and laptop requirements, especially if you are attending SEC540; research the event ahead of time to see what SANS@Night talks and events are available; and reach out to your network to see who you know is attending. And don’t forget to make sure you do some research on the best places to eat while you are there!

SANS: What has been the highlight of your career so far?

David Hazar: It is always rewarding to see all the people who I have trained over the years, both for companies I’ve worked for and with SANS, move on to bigger and better things. One recent highlight was seeing a company reduce its vulnerability count from over 12 million vulnerabilities to less than 5 million after overcoming some particularly challenging technical debt. It was not a short or painless process, but it was all due to drilling down to the root cause and convincing the business to make and fund a change.

SANS: How has security changed in your specific industry over the past five years? Where do you expect it to go next?

David Hazar: With respect to VM and AppSec, there has not been too much change, and that’s part of the problem. While the security side of VM and AppSec has remained relatively stagnant, the IT and development landscape has shifted many times and will continue to shift in the foreseeable future. Think agile, DevOps, virtualization, containers, cloud, serverless, etc. As we move to a world where almost everything is defined in code, the traditional infrastructure VM processes and procedures will hopefully be automated out of existence.

SANS: What are your interests or hobbies?

David Hazar: I enjoy skiing and snowboarding with my family (when they agree to be seen with me!), watching my daughter play high school basketball, and cooking/eating.

SANS: What is a quote that inspires your work and why?

David Hazar: “I don’t talk to myself because I’m crazy.”
“No?”
“I do it because I’m awesome.” – Brandon Sanderson, Words of Radiance


*** This is a Security Bloggers Network syndicated blog from SANS Blog authored by SANS Blog. Read the original post at: http://feedproxy.google.com/~r/SANSForensics/~3/e1Nx3XnMkFo/instructor-spotlight-david-hazar