How Is the Water?

There are these two young fish swimming along and they happen to meet an older fish swimming the other way, who nods at them and says “Morning, boys. How’s the water?” And the two young fish swim on for a bit, and then eventually one of them looks over at the other and goes “What the hell is water?” - David Foster Wallace

One summer night as we sat down for dinner I couldn’t help but notice my 5-year-old daughter’s fixation with the salad my wife had prepared.

2019 Breach Trends - Based on Open Source Data

It’s that time of year again, time to look back on breach data from the previous year, and reflect on trends. A little history is needed before jumping in. I started cataloging breach data about 3 years ago and have tried to capture 3 critical attributes needed to understand the why and the how: How did the actor get access, why did they seek access, and what type of actor were they?

DevSecOps - Culture

Should I quit my job? It’s day one of DevSecCon Seattle and Tanya Janca has just wrapped up her Keynote “Security is everybody’s job”. Tanya asks for questions and the first question is: “I don’t feel like my company takes security seriously, should I quit my job?”. Tanya’s answer to the question was: “Yeah, quit your job. There’s plenty of job openings out there. Why stay there?” Wait, what? I thought Tanya was a DevSecOps champion.

DevSecOps - OODA Loop

How is it a single bad actor could gain access to the data of over 100 million credit applicants when that data should have been protected by a company with the resources of over 45,000 employees? What superpowers did that single bad actor have that none of those 45,000 employees possessed? It turns out that bad actor, Paige Thompson, didn’t have any superpowers. It turns out Paige could OODA Loop faster than Capital One and all of its 45,000 employees.

DevSecOps - Pull the Andon Cord

American car manufacturers found themselves caught off guard when they started to lose market share in the 80s. Americans were losing to Japanese manufacturers who could offer something they couldn’t: both price and quality. How did the Japanese do it? The Americans wanted to figure it out, so they sent analysts to Japan, where something curious happened: the Japanese welcomed them with open arms. It seems the Japanese were excited to share what they had learned.

DevSecOps - Systems Thinking

Every system is perfectly designed to get the results it gets - W. Edwards Deming

Seems most in the tech world have heard of DevOps, but never Deming - the father of quality. Deming’s ideas were the catalyst for Lean Manufacturing, and in turn DevOps to DevSecOps. While many of us have heard “Security is everyone’s job”, we don’t know it’s borrowed from Deming’s quote: “Quality is everyone’s job.” Did you know he was primarily addressing management with that quote?

You're Not the Customer

If you are not paying for it, you’re not the customer; you’re the product being sold. - @andlewis

If you asked me: What company has full access to un-hashed passwords, email accounts, social media accounts and location data, for the sole purpose of monetizing that data, on over 1 million people around the globe? Until a few days ago I’d answer: Google maybe, but don’t they hash/salt passwords? Let’s back up a bit.

Dishes in the Sink

Have you ever witnessed a broken process that was obviously broken and doomed to fail? Not because it couldn’t work. The process would never work simply because the owner of the process was blind to why it didn’t work: the human factor. I’ve seen this in security all too often. We often want to ignore how our brains work and [blame the training](https://ericalexander.org/posts/security-awareness-training-what-works/) or blame human nature. Proposed fixes are often more training or threats of termination.

Security Awareness Training - What Works?

Need to be PCI, CJIS, or NIST 800-53 compliant? If so, Security Awareness Training (SAT) isn’t optional. What if you’re not bound by those security requirements? What if you could take a pragmatic approach and do it not because you have to, but because your only motivation is to reduce risk? Let’s say you’re launching a new cryptocurrency exchange. You’re not bound by any compliance requirement, but you’re also a major target.

Make Change Happen

“Look at email, go to meetings, discuss designs, have my head explode because people are retarded, look at vuln reports on production servers, head explodes because people haven't patched shit in 2 fuckin years, send emails, write power point presentations telling management how bad their people suck, talk to some lawyers, respond to an incident then go the fuck home to do it all over again the next day.” That’s from a reddit thread on what security engineers do in a typical day.

Uptime Is the Evil of Secure

Who hates uptime? If we’re talking system uptime, then yeah, this guy hates uptime. Service uptime? Love it. Metrics? Love those also. My favorite metrics are aggregates. I love single values that can tell a story. Uptime is one of the best aggregates. Uptime tells us the obvious: How long has it been up? It also tells us the not so obvious: How good are we at patching systems and how good are we at designing resilient services?

Can They Code?

We have a coding skill set requirement for engineering candidates at The Trade Desk. It’s a requirement for everyone from our DBAs to our Information Security Engineers. I can probably guess what you may be thinking. Let’s get some common arguments out of the way. “Software Engineers should focus on writing code. Let me focus on my discipline.” “There’s a shortage of InfoSec candidates. Why further limit the talent pool?”

Infosec Hierarchy of Needs

Ever pondered the natural order of reducing risk in InfoSec or the natural order of working towards compliance? It’s something I’ve been thinking about lately. Maybe it’s related to the recurring conversation my wife and I have on the topic of Maslow’s hierarchy of needs. Maslow’s hierarchy helps us understand the essential nature of needs and why some needs are only achieved when we’ve built the right foundation by solving needs in lower tiers.

Getting the Blog Back Together

I used to have a blog. My old blog content is probably still hiding somewhere on archive.org. The death of my last blog was the culmination of a fading interest in blogging and a desire to simplify by reducing the number of things that needed my attention and time. I eventually came to the realization that I wanted to do other things and maintaining a blog wasn’t one of them.