March 28, 2018 | Managing AppSec
The life of a commercial software developer is a difficult one. Or at least we have to assume it is, because of how many of them half-ass it when code starts to get complicated. Okay, maybe that’s unfair. Maybe it’s not all half-assing. It’s complicated. Literally. There are many functions that are overly complex. They are so complex, with so many variables and interactions, as to be actually...
February 1, 2018
The hardest part of growing up is that everything you’re allowed to do is communicated in a general sense and everything that you’re not allowed to do is enumerated specifically and in detail AFTER you’ve gotten in trouble for doing it. So you’re told things like, “Go play in the yard.” Yet you get chewed out for very specifically flooding the yard to play mud football. Apparently the lawn, the...
May 30, 2017
Have you ever walked into a room to get something and the moment you got there you forgot what it was that you wanted? That memory glitch is caused by a refresh in your working memory that happens when you enter a new space or environment. Apparently the evolutionary algorithm at work in humans developed this way to increase your situational awareness and keep prehistoric you from becoming a...
March 30, 2017 | Secure Development
Do you know the story about the princess who saved her kingdom from a dragon? I'd be surprised if you had heard of this particular fairy tale, because I invented it to teach a lesson about secure software development. In this story, a king sacrificed poor children to appease a dragon, which is not a very nice thing for a king to do. But the important part is why he thought this was a good way to...
October 3, 2016 | Intro to AppSec
Video transcript: All this is a dam, and it's my metaphor for security. Sure, it's a bit overused and simplistic, so work with me. A dam is used for more than just pooling water or preventing flooding; it's also used to reclaim land, provide a fresh water supply, and generate electricity, just like business-level security is more than just preventing attacks or protecting assets. It...
May 9, 2016 | Intro to AppSec
Your application security is a problem. So why are you just hearing about this now? Is Big Security suppressing this information? Or could it be that nobody bothers to care unless there's a huge breach that makes the staff come in on a weekend? It's probably the second one. It's tough to give priority to something that seems not to be a problem at the moment. It's true that you...
March 24, 2016 | Intro to AppSec
According to a CERT 2015 advisory of the top 30 vulnerabilities, nearly all are application vulnerabilities. But that's not why application security is the most important part of the security ecosystem. According to Business Insider, there are approximately 1.8 billion mobile web users and 1.6 desktop web users. Mobile apps are dominating how people access the Internet; of desktop users, the...
March 22, 2016 | Managing AppSec
I'm this security guy. I have a sweet resume with lists of security stuff I did. I got security skills certifications to show I can actually do security and not just be a moderately adequate opponent in Trivial Pursuit Security Edition. So people come to me and ask me to solve their security problems like, “Our client accesses our mojingle over the doobywassy blah blah hackers.”...
October 27, 2015 | Managing AppSec
Over the last year, I've been fortunate to consult on securing some important and highly targeted networks. I know they're highly targeted because they were attacked multiple times. So they needed perfect security. I know in the cyber security business we say that perfect security is impossible and even pretty good security can be ridiculously hard to scale, even on an enormous budget. Which is...