Cloud has transformed the nature of the technology used to build systems. It also expanded the attack surface.
In this post, our group CISOs shares 5 Security principles to help founders, builders, and security practitioners respond to emerging and novel digital threats.
The C100 list was released today and I must say that it took days to review and verify references for several hundred candidates. Here are a few reasons why I consider the C100 award special:
- Experienced CISOs review and select the winners
- All candidates must have at least five years of experience as a CISO or equivalent position
- We consider the candidates’ involvement and leadership roles in professional organizations
- Volunteering and activism are part of the selection criteria
- Last but not least, the board considers mentoring, teaching, and educating future cybersecurity professionals across business and technical functions
The criteria are super transparent, and there is no fee or financial requirement at any point associated with the C100 awards.
To all winners of the C100 2022, I salute you!
Congrats to Glilot for organizing a great event for their CISO advisors and startup leaders during RSA. There were some great discussions with the group. Time well spent!
If you are attending RSA, come join Emilio and I on this panel about Dev environments on June 7, 2:30 PM at the Mourad! Emilio is a very experienced practitioner and I look forward to talking to him about this vital topic for any company developing SaaS products.
Pantheon 2022 was an absolute success. This year the conference took place at the historic Los Angeles Coliseum. Tom Howard and Sendur Sellakumar did a superb job describing the company’s vision to propel the industry forward with technology. During this presentation, they provided some of the concrete findings the company made from mining data.
Although I wasn’t present at the conference (because I was on vacation in Mexico with my family), I was humbled by Tom Howard’s off script shout-out to InfoSec and specifically to my work around 23:45 in the video below.
It was a pleasant surprise to see my employer’s announcement about our Smart Trust Center today on LinkedIn. ServiceTitan’s “self-serve” access allows customers to gather information about the company’s security program quickly. This includes audit reports, security certifications, results from automated scores tools, whitepapers, security policies, and a plethora of information grouped into tiles.
I’m honored to join this community and serve on the 2022 CISOs Top 100 CISO (C100) Board of Judges. I appreciate the opportunity to work with this esteemed group of experienced CISOs and be part of an award with transparent criteria and is not shy to show the faces of the board of judges.
With so many outstanding podcasts out there, I feel biased to call “A Virada” my favorite Brazilian Podcast. A Virada is a podcast about innovation and the future of markets and it’s a true forward thinking podcast. In 2021, A Virada made the top of iTunes list in the business category, passing internationally acclaimed podcasts such as the Harvard Business Review (HBR). Above all, the two hosts are what make this podcast so special to me: the head of Prana Venture Capital Bruno Peroni and the co-founder of Superplayer & Co, Gustavo Goldschmidt, my younger brother.
In this episode in Portuguese of A Virada we talked about Information Security, the current threat landscape, privacy, Internet of things (IoT), and much more.
One of the biggest threats to your personal information is a lack of cybersecurity. The same rings true for organizations that need to protect their data. This course offers you a strong understanding of what you can do as an individual contributor to help keep your organization’s data safe. In this course, Cassio goes over processes for identifying data that needs to be protected, as well as classifying and sorting data most effectively. He explains data processing, including how to address some common mistakes and remove processing bias. Cassio provides a detailed look into privacy policies, training, and breaches, as well as sharing proven strategies to manage privacy risks.
I’m feeling ecstatic to receive the CISOs Top 100 CISOs award from CISO CONNECT! This recognition is truly a collective win with the help of my amazing team and executive leadership that supports our initiatives day in and day out! Without this collaborative effort, we wouldn’t be where we are.
A heartfelt shoutout to my incredible colleagues and former board members at OWASP LA and the OWASP Foundation for working tirelessly with me to give back to the security community outstanding educational opportunities and the AppSec California conference, which many consider one of the best Application security conferences in the world! I cannot thank you all enough for your support!
– Announcement: https://lnkd.in/gaKUQVW
– C100 Winners: https://lnkd.in/gMVJD6E
I’m thrilled with my alma mater’s invitation to be the keynote speaker of this year’s SE Day event. By choosing a keynote on application security for a software engineering conference, PUC-RS sends a strong message to its students that security and privacy are indeed paramount.
For the last 7 years, I’ve been a certified bitcoin professional. Because of the continuous enhancements in the field, this certification expires every two years. This is the 4th year I take the test.
A Certified Bitcoin Professional is knowledgeable about the Bitcoin blockchain, Bitcoin transactions, and how the Bitcoin network operates. CBPs are able to apply Bitcoin technology to their professional area of expertise and understand privacy aspects, double-spending, and other issues that relate to the currency.
ServiceTitan won the ISE® West Executive Forum and Awards 2020 in the “project” category, debunking a little company called T-Mobile that you may have heard about.
Winners and nominees in other regions include equally small companies such as Aflac, Cox, Southwest, Mastercard, ADP, and others.
Pantheon will be an online conference this year and ServiceTitan is maintaining its high standards of quality. The company shipped 5 large boxes of professional video equipment to my home to practice and record material for the conference. Can’t wait to see the result.
Brazil’s General Data Protection Law has officially come into effect. The new law has a lot of similarities with GDPR and CCPA/CPRA, however, LGPD’s applicability is NOT limited only to businesses and organizations above a particular size but applicable to businesses of all sizes, with the exception of journalistic, artistic, and academic purposes, or public safety and national defense.
Every company that processes data in Brazil or sells services to Brazilian consumers needs to comply. In this talk with Julio Lanes, Partner at Andrade Maia Law Firm, Julio and I chatted a bit of my personal experience with the impact of privacy laws in the US and how companies reacted to it.
I had a great conversation with AppSec thought leader Nabil Hannan on the NetSPI’s Agent Of Influence podcast. During our talk, we covered a broad range of topics, industries, and application profiles.
Some highlights of our conversation include:
- Does one size fits all in AppSec?
- How do you create a safe environment to promote open test of highly sensitive systems?
- Are open-source solutions more secure?
- The fundamental difference between security software and software security
The COVID-19 situation opens up new work from home risks and cybercriminals are taking advantage of it. One of the ways companies can prepare employees is to send out simulated phishing tests. In my article Improve Your Company’s Resilience Against Phishing Attacks By Inviting Employees To Phish I describe Phish a Phriend, a more engaging, effective, and fun way for enterprises to roll out their phishing tests.
I feel truly honored for being selected as one of the 87 extraordinary employees who was selected to go to Cabo. Founders’ Club is the highest honor awarded at ServiceTitan and recognizes you as one of the top performers in a company full of star performers.
Honored to be one of the nominees for the T.E.N Information Security Executive (ISE) Award North America 2019. T.E.N. is a technology and information security executive networking and relationship marketing firm. The award is given to top-ranking decision makers representing organizations in the academic and public sectors, commercial, financial services and health care.
I am this year’s winner of the (ISC)2 Information Security Leadership Americas and I feel deeply honored to be selected by a program created by an organization with over 140,000 members that recognizes outstanding leadership and achievements in workforce improvement of information security and management professionals throughout the private and public sectors in North, Central, and South America.
I’m traveling to Yerevan in Armenia for the first time next week and I’m really looking forward to all the upcoming events, including the opportunity to meet the OWASP Armenia community, give a talk at the American University of Armenia, attend the Hive Ventures Summit, attend the WCIT, meeting the staff and ServiceTitan, and hire our first information security team member overseas.
Yerevan , Armenia: Cascade Complex monument landmark of Yerevan capital city of Armenia
Providing growth opportunities for my team members is paramount. When HR asked all ServiceTitan interns who wanted to be featured on a LinkedIn post about the 2019 internship experience, Sid was the first person companywide to volunteer. Sid had many internship options and I’m glad he chose to join the team.
Happy 40th birthday, FACIN school of Computer Science at PUC-RS! Thankful for all I learned from you. I am honored to be part of your history and humbled to be one of the 6 selected alumni case studies (in all 40 years) featured in the 40th-anniversary commemorative book.
Leaders have a significant responsibility in personally understanding and managing cybersecurity as a key risk area. They must learn how to proactively protect their organizations and customers from the ever-increasing threat of cyberattacks. I felt honored and humbled when a chapter in Brazil of the Young Presidents Organization (YPO), a global network of young chief executives with approximately 24,000 members in more than 130 countries, invited me to fly all the way to South America to speak on the topic of roles and responsibilities to their local group of business leaders.
The Media and Entertainment (M&E) industry has many “crown jewels” that require protection from hackers and malicious insiders. These jewels include intellectual property like video content and concept art, business data like highly sensitive email conversations, and personnel records. They also include the availability of content streams to ensure consistent, accurate delivery of media assets. It’s an area where digital security, innovation, conversion, and file content management is converging to redefine the daily experiences of M&E businesses.
This month I passed the strict review and approval process to become a qualified Trusted Partner Network (TPN) assessor. The TPN is a joint venture between two major entertainment industry associations, the Motion Picture Association (MPA) and the Content Delivery & Security Association (CDSA), the worldwide leaders in third-party entertainment industry assessments.
Securing the modern attack surface is a critical challenge you must effectively address to reduce cyber exposure and protect your enterprise. The Mighty guide Reducing Cyber Exposure from Cloud to Containers provides insights and lessons from 29 industry leaders (e.g., @daveshackleford, @csima, @lady_nerd, @planetlevel, @weldpond) on this topic.
Brazil’s Superior Electoral Court (TSE) selected me to test the electronic voting machines that will be used in the 2018 presidential elections. In this interview (in Portuguese) conducted by the TSE, all security researchers who provided relevant findings described their work and explained why the test is important.
The Brazilian government selected me as one of the security researchers who will test the nation’s electronic voting system. I’m honor and excited about the opportunity to contribute to the security of this critical infrastructure component.
On August 1st Bitcoin was split into Bitcoin (BTC) and the clone coin Bitcoin Cash (BCH). The means of this split was both a source code “hard fork,” creating an incompatible and independent cryptocurrency, in conjunction with a clone of the entire blockchain. Everyone who had bitcoins (BTC) before the fork has the same number of coins in bitcoin cash (BCH). In an article for the ITSP magazine, I explained the security and risks related to this split by discussing the motives, technical differences, and the consequences to the ecosystem.
Read the full article: Bitcoin’s Fork And Its Security Implications (two-part article)
According to ITSP TV, the panel at ADP was extremely informative. Check out the video:
UNC Charlotte 17th annual Cyber Security Symposium was a sold out event. Humbled with the opportunity to take the main stage. Although this is an academia event, there were more far more professionals than students. Kudos to the organization for a great event!
So grateful for the strong attendance of over 600 people at my talk about Bitcoin. As of today, one Bitcoin is worth US$400. How far will it go?
Super excited about my upcoming talk at RSA 2016! With 33,000 attendants RSA is one of the biggest, best known, and most respected security events of the year. Here is a picture of a general session.
(ISC)2 congress was a massive success with over 20,000 attendants. Happy to be able to contribute to the show as a speaker. Below is a picture of Monday’s lunch. I always wonder how the kitchen is able to serve everyone at the same time. One day I’ll ask for a tour of the kitchen… It will make me a better man (and a better cook).
Working with Jim Manico is a joy! I hope we can present again soon.
Following the huge success of the previous event, OWASP AppSec California is promising to be one of the hottest conferences in 2015. The lineup of keynotes and speakers is top-notch and the venue is truly unique. Seating is limited so you really need to hurry up to get in!
Reviewing my talk for next week. Really excited about contributing and collaborating with FS-ISAC on critical security threats facing the global financial services sector.
The CIO series which currently operates in Europe, the Middle East, Africa, and many cities in North America is coming to Los Angeles. The event’s mission is to create a world-class platform of end-user-driven academia to help executives make the right decisions for their organizations. I’ll be speaking at the Los Angeles event along with the Coca-Cola CIO, E&Y CTO, Carefusion CIO, and LA Unified School District CIO.
Wow! The organization committee highlighted my talk as one of the exciting conference briefings! The pressure is on! Better to brush up on my Portuguese for next week!
I am thrilled to share this one: my excellent friends Tin Zaw, Richard Greenberg, Edward Bonver, Stuart Schwartz, and Kelly FitzGerald were voted the best OWASP chapter leaders in the world and will receive the WASPY Awards during the Global OWASP AppSec USA 2013! Great job people!
Speaking of OWASP AppSec USA 2013, let me take a moment to plug this excellent conference and the impressive lineup of speakers. If you have never been to a Global AppSec (USA, Europe, Latin America, or Asia) before, I highly recommend checking it out!
The Black Hat Briefings are a series of highly technical information security conferences that bring together some of the most prestigious names from the full spectrum of security thinkers. The conference organization does a superb job staying on the leading edge of new security trends as they emerge.
I was thrilled with the announcement of the first Black hat briefing in Brazil and even more thrilled when I was selected as one of the speakers! Brazil has long been reputed as the king of the banking Trojan. The few hackers who have been arrested are those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny and conspiracy. The local information security industry needs events such as BlackHat to learn and fight the ever-increasing number of new attack methods in cyberspace.
Wow! My roundtable session “Hot Topics in Security” at the Digital Insight Innovation Conference is indeed a hot session! Only a few days after the conference registration opened, the session reached maximum capacity. The organizers scheduled a second session on Tuesday for all of you who could not sign up for the first one.
SAFECode released some training material last week. Some of the main contributors are members of my former staff at Symantec.
If you are looking for this type of material, also consider Jerry Hoff’s excellent OWASP AppSec Tutorial Series
Lastly, my good friend Zully released a number of good videos about bitcoin security at Khan Academy.
This year OWASP initiated the first annual Web Application Security Person of the Year (WASPY) award and I’m truly honored to be among the finalists.
Kate Hartmann, one of the few OWASP full-time employees, once told me that babies are the number one project killer in the community, something I can now testify about… As sad as this statement may sound for a security practitioner, I believe this is the ultimate proof that the organization is indeed moved by passion. People dedicate countless hours and really love what they do. If you don’t believe my words, listen to Ivan Ristic’s interview in the OWASP podcast when he talks about OWASP!
I really cannot count how many individuals I met and I have come to admire and built a friendship with. OWASP not only made me a better professional but also a better person.
I’m sincerely touched by this nomination. Thanks, OWASP! See you in Austin!
- Bryan Sullivan – You Are Not Amy Winehouse: A New Plan for Reaching the Developer Community
- Michael Craigue – Security Development Lifecycle – A History in 3 Acts
- Chris Evans – Dosh4vulns — Google’s vulnerability reward programs
- Rob Rachwald – How Security Researchers Are Hurting the Business of Hacking
- Dinis Cruz – Making Security Invisible by Becoming the Developer’s Best Friends
- Maximiliano Soler Mantra – The Security Framework Slides
- Alexandre Braga – Como não escolher a sua senha! Será a senha gráfica o futuro das senhas?
- Rodrigo Montoro – HTTP Header Hunter: Looking for malicious behavior into your http header traffic
- Magno Logan – Segurança em Sites de Compras Coletivas: Economizando dor de cabeça!
- Wagner Elias – Automatizando análise passiva de aplicações web
David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.) Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving at a RSA Panel titled “Making Sense of Software Security Advice: Best vs. Practiced Practices“. Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.
Join me from February 27- March 2 in San Francisco for five days of learning, sharing and networking. I’ve seen the agenda and the week promises to be a busy one! As a selected speaker for 2012, I’m pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:
My personal discount registration code: ZSPDdJaIoqK
This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012. The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit: https://www.rsaconference.com/events/2012/usa/index.htm. Be sure to register using the discount registration code above to receive the $200 savings.
After listening to a number of talks at different conferences around the world, I’m convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence, organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers or adopting BSIMM as a Secure Development Lifecycle framework.
This week SAFECode released “A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives“. This brief paper addresses common questions on the differences between BSIMM’s descriptive model and SAFECode’s prescriptive guidance. If you are responsible for a large software security initiative, I highly recommend reading this paper.
Software Development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. Formal and structured software development methodology became a necessity for any organization that develops code.
Despite its known flaws, certifications are a great way to attest outsourced development can build solutions with the same level of quality practiced in large and well-established enterprises. Certifications are a good way to verify a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided a quote to (ISC)2 about the value of CSSLP. The certification has reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.
Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the (ISC)² SecureSDLC 2011 – SoCal November 1st in Anaheim, CA. This should be a great one-day event.
It took more than a year to organize OWASP AppSec LatAm 2011 but the results were worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides a world-class infrastructure. The variety and quality of PUC-RS’s main restaurant are comparable to some Buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.
Bryan Sullivan and Michael Craigue, our two keynotes, delivered more than security knowledge in their presentations, they delivered wisdom. Bryan delivered a polished presentation that mixed big picture concepts with hard-core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue’s conversational style and candidness made his presentation a must-see for everyone who wants to jump-start a security initiative at an enterprise. I highly recommend both.
The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a well done job! Argentina now has big shoes to fit for OWASP AppSec LatAm 2012!
(ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a special recognition award for community services! Wow, have you ever had the feeling you realized something about yourself just because someone told you?
There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community services is fulfilling and important: we all know there is a lot to do in application security and I believe we, the practitioners, have a social responsibility to help our communities.
Unfortunately, sometimes I see people leaving not-for-profit organizations because their bosses actively discourage this type of “distraction”. My personal experience as a manager and a practitioner is that these community services and work for an enterprise are symbiotic. In fact, all my staff at Symantec is encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s good for the individual, the business, and the community. I hope other companies start to see things this way.
The Pontifícia Universidade Católica do Rio Grande do Sul’s (the Pontificia Catholic University of Rio Grande do Sul, often abbreviated as PUCRS) magazine featured an interview with me this month. I’m an alumnus of the school of Informatica and a big fan of the university.
As of 2009, the university had 10 courses with 5 stars, computer science being one of them. There are also 21 courses with 4 stars according to the Guia do Estudante: Computing and Mathematical Sciences and Engineering and Production.
The magazine is in Portuguese. Click on the picture to download and read the article on page 40.
The organization committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving way is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early-bird registration discounts is August 31st. Check out the videos about Brazil and Porto Alegre in the conference visitor’s guide.
Sebastien Deleersnyder, Mano Paul, and I will be the keynote speakers at OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendants and this year the organization expects over 800 people coming from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities, and research institutes. Major news media will be covering the event.
There is a very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in the People’s Republic of China I respect so much their technical knowledge, work ethics, and humbleness I could only wish we were fewer time zones apart! I hope to meet a lot more people alike in November. Please don’t be shy to come and chat if you see me around the conference floor.
I’ve been selected as a finalist for the Americas Information Security Leadership Award (ISLA) 2011. The ISLAs Program is held annually by the International Information Systems Security Certification Consortium ((ISC)²) to recognize outstanding leadership and achievements in workforce improvement of information security and management professionals. The gala dinner ceremony will be one among the many great events planned for the 57th ASIS Internation 2011 conference/(ISC)² Security Congress.
If you attend the conference, don’t miss Richard Tychansky, Hart Rossman, and Symantec’s Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session here.
I just came back from the ISSA speaker dinner and I’m really excited about tomorrow’s event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. I’ll be serving at a panel with Steve Lipner (Microsoft), Gary McGraw (Cigital), and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.
Other speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).
As much as I love to manage a global team that is as passionate about Software Security as Symantec’s Product Security, I’m still a software developer at heart. Needless to say, I had a real blast presenting at Better Software. “Cosmic Truths about Software Quality” by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.
According to the official conference numbers, my presentation about secure coding had one of the top ratings from all the 65+ speakers. Who said developers don’t care about security?
One of the best things about being one of the first speakers to present at a conference is that it’s possible to actually pay attention to the other talks. 😉
While there were several good talks, I highly recommend watching two: Bryan Sullivan’s “Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era” and Tom Brennan, Ryan Barnett’s “Checkmate with Denial of Service“.