CIS Benchmarks Community Volunteer Spotlight: Joseph Testa
CIS Benchmarks are the only consensus-developed security configuration recommendations both created and trusted by a global community of IT security professionals from academia, government, and industry. The community brings real-world experience and expertise to the process to ensure we are addressing the most prevalent cybersecurity risks for technologies. We value all of our volunteers and encourage you to join!
Joseph Testa is a Database Security Engineer with Database Security Consultants in Ashville, Ohio. He has been a part of the CIS Benchmarks Community for three years.
Please share a little about yourself.
I've worked as a Security Engineer for 12 years, specializing in Oracle and Cassandra Databases.
Why did you decide to join the community?
I noticed back in 2018 that CIS was looking for editors for the CIS Oracle Database Benchmark. At the company I was working for then, I had been asked to implement a security framework as we had none for Oracle. I looked at CIS and implemented the then-current CIS Oracle Benchmark.
I developed an entire Linux framework to scan all 1,500+ Oracle databases. I saved the results in an Oracle Database dedicated to housing each line item in the CIS Benchmark (compliant or violation). I then used the data to trend over time, to see if we were becoming more or less compliant.
Since CIS was looking for new editors, and I had been using the CIS Benchmark for four years, it was time for me to give back to the community.
What is your role in the community?
Volunteer editor/contributor for CIS Oracle and Cassandra Database Benchmarks.
What is your favorite part about contributing?
Amazingly, all of it, and here is why: Every aspect needs to be done to understand the CIS Benchmarks as a whole. People contribute questions/tickets that help all of us think outside the box when it comes to ideas/concepts for the Benchmarks.
It's easy to become pigeonholed into just doing the same thing in the same environment. It's great to see other people's experiences and how they use the various databases, so we can make sure to mold the CIS Benchmarks to become better as time goes on.
How did you get into cybersecurity?
It was when I was asked to build that security framework around our Oracle Databases seven years ago. I looked at NIST and CIS and was happier with how CIS was laid out and, technically, with the specifics of how to decide whether each item in the CIS Benchmark is compliant or not.
What is one thing you would tell folks about the CIS Benchmarks Community?
It's a great group of people who are always looking for consensus on how the CIS Benchmarks should evolve. If you have a passion for security and want to help design/develop the next version of a particular CIS Benchmark, then by all means become part of the community and volunteer your time. It is very rewarding.
What are your favorite cybersecurity blogs, podcasts, or books?
I usually read the latest version of the Oracle and Cassandra Database manuals for security additions/deletions/changes in each new version. I am also subscribed to various email lists, such as Cybersecurity Essentials and SearchSecurity on TechTarget.com, as well as a few others on TechTarget.com.
What impact has COVID had on the need for CIS Benchmarks?
With so many people working remotely, security has become paramount. Unfortunately, there are too many script kiddies sitting around with nothing better to do. Quite a few companies that might not have had a security posture in the past have had to do a serious paradigm shift to deal with security.
The CIS Benchmarks help these companies get at least something in place. It is always better when the company CISO asks, "How do we protect 'X'?" to be able to say, "We are protecting our data/assets by using the CIS Benchmark for 'X'," than to say "Huh?"
What advice would you give someone just starting out in cybersecurity OR starting out in the community?
Learn as much as you can, but do not try to be an expert in everything; it is not possible. Pick an area, whether it be operating systems, databases, networking, etc., and then narrow down your expertise from there. For example, mine is Oracle and Cassandra right now. Will I expand into SQL Server? Maybe. Other NOSQL databases? Maybe. Yet to be seen. Just the two are keeping me
Do you want to share anything else?
Thank you to Joseph and to all of our CIS Benchmark Community volunteers!