(ISC)2 Security Congress 2018 Presentation

Here are slides for my presentation, “DevOps Is Automation, DevSecOps Is People.” It’s about exercising communication skills, establishing empathy, and considering threat models that consider people. Communication skills are a part of inserting security into the DevOps process. Empathy is about understanding not only the engineering constraints that DevOps teams face, but also the population […]

OURSA Recap

Last week I attended the OURSA conference. I tweeted during the conference and wrote up some reasons why I enjoyed the content so much. Briefly, the format (~15 minute presentations followed by panel discussion) kept the themes well-focused. It was also impressive that the conference stayed so well on schedule. But these are more superficial […]

DevOps Is Automation, DevSecOps Is People

A lot of appsec boils down to DevOps ideals like feedback loops, automation, and flexibility to respond to situations quickly. DevOps has the principles to support security, it should have to knowledge and tools to apply it. Real-world appsec deals with constraints like time, budget, and resources. Navigating these trade-offs requires building skills in collaboration […]

ISC2 Security Congress, 4416 – GBU Slides

My presentation on the good, the bad, and the ugly about crowdsourced security continues to evolve. The title, of course, references Sergio Leone’s epic western. But the presentation isn’t a lazy metaphor based on a few words of the movie. The movie is far richer than that, showing conflicting motivations and shifting alliances. The presentation […]

RVAsec 2017: Managing Crowdsourced Security Testing

This June at RVAsec 2017 I continued the discussion of metrics that reflect the effort spent on vuln discovery via crowdsourced models. It analyzes data from real-world bounty programs and pen tests in order to measure how time and money might both be invested wisely in finding vulns. Here are the slides for my presentation. We […]

OWASP AppSec EU 2017 Presentation

Here are the slides for my presentation at OWASP AppSec EU this year: The Flaws in Hordes, the Security in Crowds. It’s an exploration of data from bug bounty programs and pen tests that offers ways to evaluate when a vuln discovery strategy is efficient or cost-effective. OWASP records the sessions. I’ll post an update once […]

The Harry Callahan Postulate

What kind of weight do you put in different browser defenses? Process separation? Plugin isolation and sandboxes? Tab isolation? X-Frame-Options, X-XSS-Protection? Built-in reflected XSS protection? NoScript? HSTS, HPKP? Automatic updates? Anti-virus? Safe browsing lists? Instead of creating a matrix to compare browsers, versions, and operating systems try adopting the Harry Callahan Postulate: Launch your browser. […]