DevSecCon London 2018 Presentation

Here are slides for my presentation at DevSecCon London, “Building Effective DevSecOps
Teams Through Role-Playing Games.” It uses the aspect of social interaction in role-playing games as a model for working with DevOps teams to build secure apps and making sure the app’s threat models include social dimensions. Automation is critical to building, testing, and scaling […]

(ISC)2 Security Congress 2018 Presentation

Here are slides for my presentation, “DevOps Is Automation, DevSecOps Is People.” It’s about exercising communication skills, establishing empathy, and considering threat models that consider people. Communication skills are a part of inserting security into the DevOps process. Empathy is about understanding not only the engineering constraints that DevOps teams face, but also the population […]

OURSA Recap

Last week I attended the OURSA conference. I tweeted during the conference and wrote up some reasons why I enjoyed the content so much. Briefly, the format (~15 minute presentations followed by panel discussion) kept the themes well-focused. It was also impressive that the conference stayed so well on schedule. But these are more superficial […]

OWASP AppSec Cali 2018 Presentation

Here are slides for my presentation, “DevOps Is Automation, DevSecOps Is People.” For me, automation is one of the most compelling aspects of DevOps. Without automation you won’t reach scale, you’ll struggle with maintenance and patch management, and you’ll only have a foggy notion of the risk your app has. In addition to scaling, we […]

The Fourth Year of the Fourth Edition

Today is the fourth anniversary of the fourth edition of Anti-Hacker Tool Kit. Technology changes quickly, but many of the underlying principles of security remain the same. The following is an excerpt from the introductory material. Welcome to the fourth edition of the Anti-Hacker Tool Kit. This is a book about the tools that hackers use to […]

Cybercroissant Podcast Episode

While I was at DevSecCon earlier this year I had a chance to record a podcast episode with Cybercroissant. You can find it on their site. During the conversation I brought up a parallel between magic tricks and hacking. That idea is perhaps better described in the introduction to my last book, which I’ve excerpted […]

DevOps Is Automation, DevSecOps Is People

A lot of appsec boils down to DevOps ideals like feedback loops, automation, and flexibility to respond to situations quickly. DevOps has the principles to support security, it should have to knowledge and tools to apply it. Real-world appsec deals with constraints like time, budget, and resources. Navigating these trade-offs requires building skills in collaboration […]

ISC2 Security Congress, 4416 – GBU Slides

My presentation on the good, the bad, and the ugly about crowdsourced security continues to evolve. The title, of course, references Sergio Leone’s epic western. But the presentation isn’t a lazy metaphor based on a few words of the movie. The movie is far richer than that, showing conflicting motivations and shifting alliances. The presentation […]

Now One Week All Year

The annual summer conference constellation of the week of Black Hat, BSides, and DEF CON usually brings out a certain vocal concern about personal device security. Some of the concern is grounded in wry humor, using mirth to illustrate a point. Some of it floats on ignorance tainted with misapplied knowledge. That’s fine. Perform the […]