Melissa: Chief Information Security Officer
Noah: Security Engineer
Amber: Head of Assurance and Compliance
Melissa: How can we get a list of all Cloud-deployed applications?
Noah: We don’t have any capability. Everything changes so fast, CI/CD and infrastructure as code makes it rather hard to track deployments across the environment.
Melissa: We have 50 vendors, and we cannot answer that question?
Noah: We can build it. It would be helpful for the Application Security teams, the Incident Response Team, and the Compliance team. DevOps and Architecture teams might find it useful too.
Amber: Would I be able to get…
Executive Strategy Meeting
Jim: VP Engineering
Tanya: Head of Security
Matt: Application Security Lead
Jim: We are two weeks away from our next product. We have kept it quiet for competitive reasons, but this is our next billion-dollar bet. It is a social media app with geolocation capabilities and is open to all ages. Market research has been highly favorable, especially in teens. We are excited.
Angela: Great Jim, I know you and your team have done a lot of work on this project. Tanya, has your team completed the review? …
Debbie: What is our Threat Modeling backlog?
Mark: We have about 30 new applications in the backlog and 90 older ones that need a review. Roughly 120 — we might add more.
Debbie: How quickly are we going through the backlog?
Mark: To be honest, not quickly enough. Between scheduling meetings with the Engineering teams, getting architecture diagrams and the actual Threat Modeling session with the Engineering team, it takes up to 2 weeks per Threat model. The team is overworked, and it just never ends. As soon as one is done, it is perhaps outdated. Engineering teams are continually updating the…
Every transformation requires energy. Creation of the Universe, a new life, carbon crystallizing into a diamond. On a tundra, where there is minimal energy, everything remains static, and even the dead do not decompose. We humans also need energy to transform into something new, something different. Usually, the impetus for that comes from a significant event in our lives. Such an event is emotionally charged. An event that shakes the current status, a powerful and charged event, with so much energy that it forces change, is usually an extreme event, something traumatic, something extraordinary. All that energy from that…
It is hard. Perhaps I had too much coffee today. Not an outlier. I drink 6 to 7 cups of coffee by noon. Black, no sugar, the best way to get the most out of those coffee beans. No shit, I am wide awake at 3:00 AM while I hear Allie, my dog, snore peacefully a few feet away.
I read all these Medium articles that fill up my feed, while on my way to work, on my way back. On the train, when everyone else is busy not paying attention to everyone else. Every one of them insightful, every one…
Chris Houlder and I have co-authored this article.
Security incident response is the cybersecurity capability that can directly prevent a company from becoming headline news. It is one of the most important and unquestionably the first cybersecurity capability that should be built and matured. When everything else has failed, and it will fail, a documented, well-rehearsed and efficiently executed incident response plan can ensure that the failure is graceful and the outcome effectively managed within the law for all those who are impacted.
Ahsan and Chris have over three decades of combined experience in building and operating security incident response capabilities…
This is the second part of the article on Asset Management; the previous article can be found here.
The Just Enough Asset Management (JEAM) design was influenced by the concepts and definition of Minimum Viable Product (MVP): what is the least amount of data, engineering and operational effort required to create and operate a viable JEAM product? The concept was applied rigorously during the conception and design of JEAM; anything that didn’t meet that criterion was thrown out or moved to a higher layer. The design can always be improved, but the MVP principle should always be front and center in…
Bob: One of our systems got compromised. We are seeing Command and Control traffic going out.
Laura: I have a few questions:
What do we know about the system?
What is the business criticality of this system and what application is it running?
What type of data is stored and who are the owners and business unit responsible for the system?
Bob: It is still early in our investigation; we are looking into it. We don’t have too many details about the asset at this time; we don't even have access. We know it is hosted in the Public Cloud…
This is the second part of the Application Security series. Here is the link to the first part, Seven common mistakes of Secure Software Development Programs. Like all other business investments, Cybersecurity investments are business investments prioritized by risk to get the most value out of the investment, and as Cybersecurity professionals most of us are aware of this fundamental principle. Yet we find ourselves taking a purist view on our investments and treating Cybersecurity as an absolute. However, as the focus on Cybersecurity increases, a more pragmatic, value-based approach is a lot more pertinent. …
Secure Software Development often comes up as a discussion topic among security and engineering leadership as quite a few organizations struggle to build programs that can show measurable success across the full portfolio.
Along with the failure to set clear, measurable goals, there is often insufficient focus on shifting the culture, resulting in overall lackluster performance in building a Secure Software Development program. Building a Secure Software practice is a strategic, multi-year initiative, and if not done right most companies see it as too disruptive. This gets a lot of focus if it is not producing tangible results. Leadership…