Archiv pro měsíc: Duben 2014

OWASP Top 10 Privacy Risks Project with Florian Stahl and Stefan Burgmair

The OWASP Top 10 Privacy Risks Project aims to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. I spoke with co-leads Florian Stahl and Stefan Burgmair about how the project was started, the selection process for the top 10 risks and their future plans. About Florian Stahl Florian Stahl is a German security and privacy consultant and evangelist. He achieved his master’s with honors in information systems science at the University of Regensburg in Germany and his master's in computer science at Växjö Universitet in Sweden. Florian started his professional career at the Swedish security software vendor Cryptzone in Gothenburg in 2006. He came back to Germany in 2009 and worked as consultant for Ernst & Young in Munich before moving on to msg systems where he currently holds the position as Lead Consultant. Florian has CISSP and CIPP/IT certifications and speaks fluent German, English and Swedish. His aim is to follow a holistic approach by combining technical, organisational and social measures to protect information. He is regular speaker at conferences and writes articles for magazines and on his blog securitybydesign.de. He leads the OWASP_Top_10_Privacy_Risks_Project. About Stefan Burgmair Stefan Burgmair is a German student at the Munich University of Applied Sciences. After he gained his B. Sc. title in Information Systems and Management he now writes his master thesis on the "Top 10 Privacy Risks for Web Applications" at the msg systems. Together with his advisor Florian Stahl, he is managing the OWASP Top 10 Privacy Risks Project.

OWASP Top 10 Privacy Risks Project with Florian Stahl and Stefan Burgmair

The OWASP Top 10 Privacy Risks Project aims to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. I spoke with co-leads Florian Stahl and Stefan Burgmair about how the project was started, the selection process for the top 10 risks and their future plans. About Florian Stahl Florian Stahl is a German security and privacy consultant and evangelist. He achieved his master’s with honors in information systems science at the University of Regensburg in Germany and his master's in computer science at Växjö Universitet in Sweden. Florian started his professional career at the Swedish security software vendor Cryptzone in Gothenburg in 2006. He came back to Germany in 2009 and worked as consultant for Ernst & Young in Munich before moving on to msg systems where he currently holds the position as Lead Consultant. Florian has CISSP and CIPP/IT certifications and speaks fluent German, English and Swedish. His aim is to follow a holistic approach by combining technical, organisational and social measures to protect information. He is regular speaker at conferences and writes articles for magazines and on his blog securitybydesign.de. He leads the OWASP_Top_10_Privacy_Risks_Project. About Stefan Burgmair Stefan Burgmair is a German student at the Munich University of Applied Sciences. After he gained his B. Sc. title in Information Systems and Management he now writes his master thesis on the "Top 10 Privacy Risks for Web Applications" at the msg systems. Together with his advisor Florian Stahl, he is managing the OWASP Top 10 Privacy Risks Project.

The Run Up to a Massive Cyber Security Month with Tom Brennan

In anticipation of Security Awareness Month in October, Tom Brennan is planning an event featuring a cross section of various cyber groups in New York and New Jersey. A few weeks ago, I attended a Meet Up in New York City where many of the local groups got together to talk about what they are working on and how that plays into the October event. The Meet Up was VERY loud, so the sound quality leaves a bit to be desired, but the passion and enthusiasm still comes through. The first segment of the show is an introduction with Tom Brennan as he talks about the cross-group event he put together in March and his plans for creating a large, cross-cyber group event for Security Awareness Month in October. I then spoke with Ian Amit, one of the OWASP chapter leaders for New York. He describes what he is working on for the OWASP chapter in New York. Izabela Pelszynska joins us to speak about the Women in Security group, and we end with a round table discussion of the upcoming event in October.

The Run Up to a Massive Cyber Security Month with Tom Brennan

In anticipation of Security Awareness Month in October, Tom Brennan is planning an event featuring a cross section of various cyber groups in New York and New Jersey. A few weeks ago, I attended a Meet Up in New York City where many of the local groups got together to talk about what they are working on and how that plays into the October event. The Meet Up was VERY loud, so the sound quality leaves a bit to be desired, but the passion and enthusiasm still comes through. The first segment of the show is an introduction with Tom Brennan as he talks about the cross-group event he put together in March and his plans for creating a large, cross-cyber group event for Security Awareness Month in October. I then spoke with Ian Amit, one of the OWASP chapter leaders for New York. He describes what he is working on for the OWASP chapter in New York. Izabela Pelszynska joins us to speak about the Women in Security group, and we end with a round table discussion of the upcoming event in October.

Wolfgang Goerlich on a Real World Example of The Phoenix Project in Action

At 2014 SOURCE Boston, Josh Corman told me that Wolfgang Goerlich had an interesting DevOps story to tell. I sat down and spoke with Wolfgang and was astounded to hear a tale that could have come straight out of Gene Kim's book, The Phoenix Project. Listen in as Wolfgang describes the process of taking over a project that was mired in technical debt, falling behind in deliverables to stakeholders and in need of a new way of thinking. To me, this story is one of the strongest statements for DevOps that I've heard. About Wolfgang Goerlich As Vice President of Consulting Services at VioPoint, Wolfgang supports clients by advising, identifying, and assisting in managing information security risk as well as mentoring VioPoint’s consulting team. Wolfgang, known for his outstanding leadership in the technology and information security community, is the co-founder of OWASP Detroit and an organizer of the annual BSides Detroit conferences as well as an accomplished speaker at regional and national security events.

Wolfgang Goerlich on a Real World Example of The Phoenix Project in Action

At 2014 SOURCE Boston, Josh Corman told me that Wolfgang Goerlich had an interesting DevOps story to tell. I sat down and spoke with Wolfgang and was astounded to hear a tale that could have come straight out of Gene Kim's book, The Phoenix Project. Listen in as Wolfgang describes the process of taking over a project that was mired in technical debt, falling behind in deliverables to stakeholders and in need of a new way of thinking. To me, this story is one of the strongest statements for DevOps that I've heard. About Wolfgang Goerlich As Vice President of Consulting Services at VioPoint, Wolfgang supports clients by advising, identifying, and assisting in managing information security risk as well as mentoring VioPoint’s consulting team. Wolfgang, known for his outstanding leadership in the technology and information security community, is the co-founder of OWASP Detroit and an organizer of the annual BSides Detroit conferences as well as an accomplished speaker at regional and national security events.

Dwayne Melancon – What InfoSec Can Learn from Video Games

Dwayne Melancon, CTO of Tripwire, has an interesting idea: turn your team into gamers, let them build their internal images and support that vision. This isn't the type of thing you'd expect to hear at a security conference. In this short conversation, I talk with Dwayne about how to implement employee game theory within your project team. About Dwayne Melancon I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles. As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.

Dwayne Melancon – What InfoSec Can Learn from Video Games

Dwayne Melancon, CTO of Tripwire, has an interesting idea: turn your team into gamers, let them build their internal images and support that vision. This isn't the type of thing you'd expect to hear at a security conference. In this short conversation, I talk with Dwayne about how to implement employee game theory within your project team. About Dwayne Melancon I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles. As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.

Melissa Elliot on the HeartBleed Bug at Yahoo

The HeartBleed bug is running rampant on many major sites such as Chase and Yahoo while people are scrambling madly to find solutions. At the SOURCE Boston Conference this morning, I caught up with Melissa Elliot from VeraCode as she was examining the impact of the HeartBleed on Yahoo, using software from Jared Staffer of JSPenguin.org. I asked her to describe what she was seeing. Have a listen... About Melissa Elliot I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.

Melissa Elliot on the HeartBleed Bug at Yahoo

The HeartBleed bug is running rampant on many major sites such as Chase and Yahoo while people are scrambling madly to find solutions. At the SOURCE Boston Conference this morning, I caught up with Melissa Elliot from VeraCode as she was examining the impact of the HeartBleed on Yahoo, using software from Jared Staffer of JSPenguin.org. I asked her to describe what she was seeing. Have a listen... About Melissa Elliot I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.