Being an Agile Security Officer: pwn the process

This is the third part of my 'Being an Agile Security Officer series'. As mentioned in my previous blog, in the Agile world the Product Owner is the person who translates business and customer desires into work items for the teams. To do this, product owners have several techniques and means at their disposal. In this blog I will focus on the backlog and the definition of done. As a security officer it's important to understand their purpose and to learn how they can help you achieve your goals.

Read more →

Being An Agile Security Officer: Security Stakeholdership mindset

This is the second part in my blog series about 'being an agile security officer'. In this blog I will focus on the mindset of security stakeholdership in Agile and DevOps environments.

In the Agile world the Product Owner is the person who translates business and customer desires into work items (user stories) for the teams. The actual desires and requirements however are provided by stakeholders. Stakeholders are usually representatives of the business and end-users; in the new world security officers should start taking up the role of security stakeholders. The Product Owner usually has multiple stakeholders to take into consideration. As a security stakeholder you have to 'compete' with other stakeholders for the most valuable changes. It has become, more than ever, important to be able to translate your requirements into actual value.

Read more →

Being An Agile Security Officer

Whenever I give a presentation, training, or just talk to security teams, it becomes clear that over the years a gap has been created between application security and development. A gap we created consciously and with intent and that became painfully visible with the introduction of Agile and DevOps. Suddenly exhaustive information security policies with checklists and penetration tests became serious impediments. The challenge we are facing now is how to bridge this gap again.

Fortunately this challenge is easier to solve as it appears to be. The key to success is to split the security officer function more Agile minded roles with different responsibilities and duties. In the coming blogs I will dive deeper into the different aspects of these roles and the differences in the responsibilities and duties. But first we need to take a little trip down to memory lane to understand how we ended up in this situation.

Read more →

Security is dead, long live security

Last week the 7th edition of BruCON was held. For those unfamiliar with it, BruCON is a security conference where everybody with an interest in security can share their views and findings. As always it was a great mixture of technology, philosophy, personal opinions and hands-on workshops.

This year however I noticed a certain pattern in some of the talks. Chris Nickerson gave a presentation about "how to make a pentester's life hell" based on experience, Shyma Rose shared her views on risk management, Mark Hillick showed us how the security was improved at Riot Games and David Kennedy provided his opinion on the state of the information security industry nowadays. All four of them basically told pieces of the same tale from a different perspective and I will try to provide my viewpoint on the matter in this blog.

Read more →

Stuff to think about when you're going to a conference.

I go to conferences and meetings a lot and many of them are security related. Most security conferences provide tips and tricks how to make the experience as safe as possible. On non-security related conferences however this is not custom so I was asked to provide some generic guidelines what to think about when you are attending a conference or other event.Read more →