Here are slides for my presentation at DevSecCon London, “Building Effective DevSecOps Teams Through Role-Playing Games.” It uses the aspect of social interaction in role-playing games as a model for working with DevOps teams to build secure apps and making sure the app’s threat models include social dimensions. Automation is critical to building, testing, and scaling […]
Author Archives: Mike Shema
(ISC)2 Security Congress 2018 Presentation
Here are slides for my presentation, “DevOps Is Automation, DevSecOps Is People.” It’s about exercising communication skills, establishing empathy, and considering threat models that consider people. Communication skills are a part of inserting security into the DevOps process. Empathy is about understanding not only the engineering constraints that DevOps teams face, but also the population […]
OURSA Recap
Last week I attended the OURSA conference. I tweeted during the conference and wrote up some reasons why I enjoyed the content so much. Briefly, the format (~15 minute presentations followed by panel discussion) kept the themes well-focused. It was also impressive that the conference stayed so well on schedule. But these are more superficial […]
OWASP AppSec Cali 2018 Presentation
Here are slides for my presentation, “DevOps Is Automation, DevSecOps Is People.” For me, automation is one of the most compelling aspects of DevOps. Without automation you won’t reach scale, you’ll struggle with maintenance and patch management, and you’ll only have a foggy notion of the risk your app has. In addition to scaling, we […]
The Fourth Year of the Fourth Edition
Today is the fourth anniversary of the fourth edition of Anti-Hacker Tool Kit. Technology changes quickly, but many of the underlying principles of security remain the same. The following is an excerpt from the introductory material. Welcome to the fourth edition of the Anti-Hacker Tool Kit. This is a book about the tools that hackers use to […]
Cybercroissant Podcast Episode
While I was at DevSecCon earlier this year I had a chance to record a podcast episode with Cybercroissant. You can find it on their site. During the conversation I brought up a parallel between magic tricks and hacking. That idea is perhaps better described in the introduction to my last book, which I’ve excerpted […]
DevSecCon London 2017
Ah, London — the city responsible for most of my music collection. Also, the city where I recently had the fortune to present at DevSecCon. DevSecCon examines the challenges facing DevSecOps (and DevOps) practitioners. It emphasizes how to work with people to make tools and process part of the CI/CD pipeline. This resonates with me greatly because […]
DevOps Is Automation, DevSecOps Is People
A lot of appsec boils down to DevOps ideals like feedback loops, automation, and flexibility to respond to situations quickly. DevOps has the principles to support security; it should have the knowledge and tools to apply it. Real-world appsec deals with constraints like time, budget, and resources. Navigating these trade-offs requires building skills in collaboration […]
ISC2 Security Congress, 4416 – GBU Slides
My presentation on the good, the bad, and the ugly about crowdsourced security continues to evolve. The title, of course, references Sergio Leone’s epic western. But the presentation isn’t a lazy metaphor based on a few words of the movie. The movie is far richer than that, showing conflicting motivations and shifting alliances. The presentation […]
Now One Week All Year
The annual summer conference constellation of the week of Black Hat, BSides, and DEF CON usually brings out a certain vocal concern about personal device security. Some of the concern is grounded in wry humor, using mirth to illustrate a point. Some of it floats on ignorance tainted with misapplied knowledge. That’s fine. Perform the […]