Book Review of The Phoenix Project
There is a great book out right now about devops and how it impacts your business. It is really good and you should definitely read it and buy 3 copies for your friends (or give those 3 copies to the people in your org stuck in 1997 doing waterfall and doing monthly or quarterly releases, but I digress). The Amazon.com teaser for the book reads: Bill is an IT manager at Parts Unlimited....
My presentation at AppSec USA 2012
I delivered this deck at the OWASP Austin Lightning Talks during the July 2012 meeting.
DevOpsSec by Nick Galbreath at DevOps Days Austin
#DevOpsDays Notes from Nick Galbreath’s (@ngalbreath) talk on DevOpsSec at DevOps Days Austin. Kicks off with “Trust but Verify”, which is a saying I use regularly. Nick also scopes the talk to AppSec for the audience. Ops and Security have commonalities; both have latent problems: Ops has failures that have yet to happen, Security has unexploited vulnerabilities. Also,...
How a BigCo Actually Got Some Innovation Done by...
Michael Cote (@cote) goes through the history of crowbar and how they got it done at Dell. There are two types of people in the world… those that understand DevOps and those who don’t. They had to attack the competing ideas against crowbar internally and externally and did so with metaphors (soup vs. sandwich). He also mentioned speaking through your customers and use their...
DevOps and Security talk at DevOps Days by James...
Great talk at DevOps Days Austin by James Turnbull. Here are a couple of notes that stood out to me. Teaching the auditors to read the puppet manifests gives them the power to figure out what is in the org, creating empowerment and a common language between groups. Security Ops is not that different from regular Ops; they are just focused on one specialty. Some security people are some of the...
Adversity: Good for Software, Good for the Soul
Yesterday, I spoke at Hackformers on the topic of Adversity. The premise was that adversity is ultimately good for software as it makes it stronger and as a result: rugged. I took a big bite at the apple and decided to extend that premise to the soul as well. I should step back for a second and say that @hackformers is a Christian organization of Information Security professionals. We get...
Top 5 SXSW Interactive Sessions I am most looking...
Every year I am pumped to go to SXSW Interactive as it is in my backyard and gets bigger and better every year. This year, here are the talks I am most looking forward to. The Lean Startup: The Science of Entrepreneurship - I have been following Eric (@ericries) for a while and hoping by attending this session I will get some ideas to take back to work. Our team works like a start up inside a...
Books I am reading right now
The Tangled Web: A Guide to Securing Modern Web Applications
Metaprogramming Ruby: Program Like the Ruby Pros
The Cucumber Book: Behaviour-Driven Development for Testers and Developers
Release It!: Design and Deploy Production-Ready Software
The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
Hacking: The Art of Exploitation, 2nd Edition
The last two I am...
Yes, I consider the DevOps movement to be an affront to my craft. How could I... – “DevOps is Ruining My Craft”
Pen Testing in the Cloud
Matt Tesauro (@matt_tesauro) discussed how testing in the cloud can be done and also did brief overview of OWASP WTE (Web Testing Environment) and its history. It is astounding to hear that there have been over 300,000 downloads of the project and how it evolved. The project started out—or at least Matt’s involvement started during—the OWASP Summer of Code in 2008. After ...
Rugged software is software that is going to run as intended, regardless of the... – Interview with @danielcornell on Rugged Software at the agile admin blog
Coding Secure Infrastructure in the Cloud using the PIE framework presented at LASCON 2012.
Rugged by design DevOps by culture →
These are the R’s of a Rugged DevOps implementation. Wrote this short blog post after going through some old slides from last fall.
Monitoring Sucks but Alerting is Beautiful →
The devops toolchain is not complete without an elegant way of handling alerts. I write for the agile admin blog and posted this today on my team’s use of PagerDuty and how to implement it into your devops team.
The average Software Security Group size is 1.99% of development group size – What’s in Your Program? Application Security Maturity in 2011, presented by Joel Scambray, January 31, 2012 at Austin OWASP Chapter. Taken from BSIMM data.
certifiable: a comment on infosec certs and...
There are a lot of people out there who think that security certifications are a waste of time and are just for people who value paper over experience and for certification issuing organizations to cash in. I differ in opinion, and here is why: Education. Not everyone is fortunate (or unfortunate depending on your perspective) enough to land a pure infosec job. The certs and the training and...
the history of security engineering
Just getting into ‘The Tangled Web’ by Zalewski and I highly recommend the book after getting only a few pages in. He cleverly weaves together the history of security and how security engineering appears to be a firm discipline on the outside but has limited substance on the inside. As such, the industry started to form a culture where insecure software is ‘ok’ as long as the...