DevSecCon London 2018 Presentation

Here are slides for my presentation at DevSecCon London, “Building Effective DevSecOps Teams Through Role-Playing Games.” It uses the aspect of social interaction in role-playing games as a model for working with DevOps teams to build secure apps and making sure the app’s threat models include social dimensions. Automation is critical to building, testing, and scaling […]

(ISC)2 Security Congress 2018 Presentation

Here are slides for my presentation, “DevOps Is Automation, DevSecOps Is People.” It’s about exercising communication skills, establishing empathy, and considering threat models that consider people. Communication skills are a part of inserting security into the DevOps process. Empathy is about understanding not only the engineering constraints that DevOps teams face, but also the population […]

OURSA Recap

Last week I attended the OURSA conference. I tweeted during the conference and wrote up some reasons why I enjoyed the content so much. Briefly, the format (~15 minute presentations followed by panel discussion) kept the themes well-focused. It was also impressive that the conference stayed so well on schedule. But these are more superficial […]

OWASP AppSec Cali 2018 Presentation

Here are slides for my presentation, “DevOps Is Automation, DevSecOps Is People.” For me, automation is one of the most compelling aspects of DevOps. Without automation you won’t reach scale, you’ll struggle with maintenance and patch management, and you’ll only have a foggy notion of the risk your app has. In addition to scaling, we […]

The Fourth Year of the Fourth Edition

Today is the fourth anniversary of the fourth edition of Anti-Hacker Tool Kit. Technology changes quickly, but many of the underlying principles of security remain the same. The following is an excerpt from the introductory material. Welcome to the fourth edition of the Anti-Hacker Tool Kit. This is a book about the tools that hackers use to […]

DevOps Is Automation, DevSecOps Is People

A lot of appsec boils down to DevOps ideals like feedback loops, automation, and flexibility to respond to situations quickly. DevOps has the principles to support security; it should also have the knowledge and tools to apply them. Real-world appsec deals with constraints like time, budget, and resources. Navigating these trade-offs requires building skills in collaboration […]

ISC2 Security Congress, 4416 – GBU Slides

My presentation on the good, the bad, and the ugly about crowdsourced security continues to evolve. The title, of course, references Sergio Leone’s epic western. But the presentation isn’t a lazy metaphor based on a few words of the movie. The movie is far richer than that, showing conflicting motivations and shifting alliances. The presentation […]

RVAsec 2017: Managing Crowdsourced Security Testing

This June at RVAsec 2017 I continued the discussion of metrics that reflect the effort spent on vuln discovery via crowdsourced models. The talk analyzes data from real-world bounty programs and pen tests in order to measure how time and money might both be invested wisely in finding vulns. Here are the slides for my presentation. We […]

OWASP AppSec EU 2017 Presentation

Here are the slides for my presentation at OWASP AppSec EU this year: The Flaws in Hordes, the Security in Crowds. It’s an exploration of data from bug bounty programs and pen tests that offers ways to evaluate when a vuln discovery strategy is efficient or cost-effective. OWASP records the sessions. I’ll post an update once […]