SLDC, SOC 2, and Other Four Letter Words

by    •   May 18, 2018
posted in Development, Op-Ed

Developers gonna develop. That’s why we’re developers. We want to set some implementation goal and then make that a reality. We like to stay heads down and focus on the immediate task at hand. Unfortunately, this can sometimes cause collateral damage. Secondary objectives can get ignored or even trampled in the race to meet the primary target. It’s also likely that other promising developments will get missed as they fall off the main path. Dealing with these issues is one of the many functions of compliance regulations.
 Read more “SLDC, SOC 2, and Other Four Letter Words”

Eyes on the Ground: Why You Need Security Agents

by    •   April 28, 2017
posted in How To Strengthen Security

A post based on the talk I just gave at SOURCE Boston 2017

If you answer Yes to one or more of the following questions, you probably have agent fatigue! Do not worry, I’m here to help and we can work through this.

  • Do you often find yourself booting into safe mode?
  • Do you regularly look for programs in the taskbar to kill?
  • Do you look for reasons why your computer seems so sluggish after IT did something to it?
  • Do you wonder why you even pay for that thing on your computer?
  • Do you have employees who complain about installed software?
  • Do you look for ways to meet compliance requirements in software?
  • Do you care about security?

Read more “Eyes on the Ground: Why You Need Security Agents”

C++ in the Linux kernel

by    •   October 28, 2016
posted in Development

I’ve seen some crazy things. I’ve also done some crazy things. I’m going to tell you about one of them.

conversation-1.pngA developer walks into a bar. He then gets completely and totally plastered before talking to his boss. That conversation then results in him accepting the task of writing a Linux kernel module in C++. I was that developer, minus the walking into a bar and getting plastered part. While I did put up a token effort to advocate doing the development in C, I got overruled. I then threw myself to the task with gusto.

Read more “C++ in the Linux kernel”

How to Educate Yourself About Cloud Security

by    •   July 29, 2016
posted in Cloud Security Planning

Given the constant changes affecting today’s security industry — whether it’s the explosion of big data, the global shift to cloud-based business models, or the hundreds of technical innovations that occur each day — keeping your security knowledge up-to-date has never been more important. Whether you’re a security professional, a security provider, or a security consumer, there’s a massive need for immediately available, ongoing education.

Read more “How to Educate Yourself About Cloud Security”

Boston SOURCE Conference 2016: I Got the T-Shirt and a Whole Lot More

by    •   May 23, 2016
posted in Op-Ed

The SOURCE Conference held in Boston last week was a terrific opportunity to meet a lot of fascinating industry folks while sharing great ideas about the intersection of business, technology, and security. I attended some outstanding presentations, which I’ve highlighted below, and also gave my own talk, “How Security Changes In the Cloud and Why You Care,” which I’ll summarize in a later post.
Read more “Boston SOURCE Conference 2016: I Got the T-Shirt and a Whole Lot More”

A Glimpse Into Boston Secure World 2016

by    •   April 1, 2016
posted in Op-Ed

I attended day two of Secure World Boston on Wednesday.  I find that taking notes during sessions helps me learn more — plus, it means I can put together a short blog post to more easily share with you what I learned about PCI compliance, cyber assurance, and using the public cloud for enterprise security. Here are some of the highlights… Read more “A Glimpse Into Boston Secure World 2016”

Whitelisting is Dead, Long Live Whitelisting!

by    •   February 3, 2016
posted in Op-Ed

I believe in application control, often called application whitelisting. A lot of FUD (fear, uncertainty, and doubt) gets spread about today’s cyber threats. Bad actors continue to break in through not-so-advanced and not-very-persistent threats (as opposed to APTs). The entire situation often gets spun horribly, with whitelisting companies claiming a panacea and non-whitelisting security companies asserting it’s too expensive. Nevertheless, I still believe that application whitelisting will take over as the defacto way to secure our digital endpoints, and NIST agrees. Read more “Whitelisting is Dead, Long Live Whitelisting!”

Highlights From Facebook’s [email protected] (@SecatScale)

by    •   November 13, 2015
posted in Op-Ed

Facebook hosted [email protected] in Boston on November 12, 2015 and I attended. It took place at a fun venue, Artists for Humanity, a nonprofit organization dedicated to enhancing the arts in Boston public schools. Facebook will post videos and notes on their Engineering blog (here are the notes from 2014), but following are my notes and highlights.
Read more “Highlights From Facebook’s [email protected] (@SecatScale)”