Pete Herzog

Pete knows how to solve very complex security problems. He's co-founder of the Institute for Security and Open Methodologies (ISECOM). He created the international standard on security testing and analysis and Hacker Highschool.
Posts by Pete Herzog

It’s Complicated - Operational Security for Developers

March 28, 2018  | Managing AppSec

Application complexity and porosity

The life of a commercial software developer is a difficult one. Or at least we have to assume it is because of how many of them half-ass it when code starts to get complicated. Okay, maybe that’s unfair. Maybe it’s not all half-assing. It’s complicated. Literally. There are many functions that are overly complex. They are so complex, with so many variables and interactions, as to be actually...

What You Don’t Do for Secure Programming

February 1, 2018  | Secure Development

How to not secure your code

The hardest part of growing up is that everything you’re allowed to do is communicated in a general sense and everything that you’re not allowed to do is enumerated specifically and in detail AFTER you’ve gotten in trouble for doing it. So you’re told things like, “Go play in the yard.” Yet you get chewed out for very specifically flooding the yard to play mud football. Apparently the lawn, the...

Security Starts With a Scope: Answer These Questions Before You Code

May 30, 2017

Scoping Application Environment

Have you ever walked into a room to get something and the moment you got there you forgot what it was that you wanted? That memory glitch is caused by a refresh in your working memory that happens when you enter a new space or environment. Apparently the evolutionary algorithm at work in humans developed this way to increase your situational awareness and keep prehistoric you from becoming a...

The Princess and the Dragon: A Modern AppSec Fairy Tale

March 30, 2017  | Secure Development

Do you know the story about the princess who saved her kingdom from a dragon? I'd be surprised if you heard of this particular fairy tale, because I invented it to teach a lesson about secure software development. In this story, a king sacrificed poor children to appease a dragon, which is not a very nice thing for a king to do. But the important part is why he thought this was a good way to...

Why Data Breaches Still Happen

October 3, 2016  | Intro to AppSec

Video transcript: All this is a dam and it's my metaphor for security. Sure, it's a bit overused and simplistic, so work with me. A dam is used for more than just pooling water or preventing flooding; it's also used to reclaim land, provide a fresh water supply, and generate electricity, just like business-level security is more than just preventing attacks or protecting assets. It...

4 Quick and Painless Steps to Get an AppSec Program Going at Your Software Company

May 9, 2016  | Intro to AppSec

Painless AppSec

Your application security is a problem. So why are you just hearing about this now? Is Big Security suppressing this information? Or could it be that nobody bothers to care unless there's a huge breach that makes the staff come in on a weekend? It's probably the second one. It's tough to give priority to something that doesn't seem to be a problem at the moment. It's true that you don't have time...

Why AppSec is the Most Important Part of Your Security Ecosystem

March 24, 2016  | Intro to AppSec

applications security ecosystem

According to a CERT 2015 advisory of the top 30 vulnerabilities, nearly all are application vulnerabilities. But that's not why application security is the most important part of the security ecosystem. According to Business Insider, there are approximately 1.8 billion mobile web users and 1.6 desktop web users. Mobile apps are dominating how people access the Internet; of desktop users, the...

Why Application Security Is Better Than a Sharp Stick in the Eye

March 22, 2016  | Managing AppSec

I'm this security guy. I have a sweet resume with lists of security stuff I did. I got security skills certifications to show I can actually do security and not just be a moderately adequate opponent in Trivial Pursuit Security Edition. So people come to me and ask me to solve their security problems like, “Our client accesses our mojingle over the doobywassy blah blah hackers.”...

3 Best Practices for Perfect Security: A Story

October 27, 2015  | Managing AppSec

Over the last year, I've been fortunate to consult on securing some important and highly targeted networks. I know they're highly targeted because they were attacked multiple times. So they needed perfect security. I know in the cyber security business we say that perfect security is impossible and even pretty good security can be ridiculously hard to scale, even on an enormous budget. Which is...
