Practical Privacy For Products And Services

My online course on Privacy is now available on LinkedIn

Course Description

One of the biggest threats to your personal information is a lack of cybersecurity. The same rings true for organizations that need to protect their data. This course offers you a strong understanding of what you can do as an individual contributor to help keep your organization’s data safe. In this course, Cassio goes over processes for identifying data that needs to be protected, as well as classifying and sorting data most effectively. He explains data processing, including how to address some common mistakes and remove processing bias. Cassio provides a detailed look into privacy policies, training, and breaches, as well as sharing proven strategies to manage privacy risks.

CISOs Top 100 CISOs (C100)

I’m feeling ecstatic to receive the CISOs Top 100 CISOs award from CISO CONNECT! This recognition is truly a collective win with the help of my amazing team and executive leadership that supports our initiatives day in and day out! Without this collaborative effort, we wouldn’t be where we are.

A heartfelt shoutout to my incredible colleagues and former board members at OWASP LA and the OWASP Foundation for working tirelessly with me to give back to the security community outstanding educational opportunities and the AppSec California conference, which many consider one of the best Application security conferences in the world! I cannot thank you all enough for your support!

– Announcement:

– C100 Winners:

SE Day 2021 – 3rd Edition

I’m thrilled with my alma mater’s invitation to be the keynote speaker of this year’s SE Day event. By choosing a keynote on application security for a software engineering conference, PUC-RS sends a strong message to its students that security and privacy are indeed paramount.

Passed My Certified Bitcoin Professional Exam… Again

For the last 7 years, I’ve been a certified bitcoin professional. Because of the continuous enhancements in the field, this certification expires every two years. This is the 4th year I take the test.

A Certified Bitcoin Professional is knowledgeable about the Bitcoin blockchain, Bitcoin transactions, and how the Bitcoin network operates. CBPs are able to apply Bitcoin technology to their professional area of expertise and understand privacy aspects, double-spending, and other issues that relate to the currency.

ServiceTitan Wins At The ISE® West Digital Awards Show

ServiceTitan won the ISE® West Executive Forum and Awards 2020 in the “project” category, debunking a little company called T-Mobile that you may have heard about.

Winners and nominees in other regions include equally small companies such as Aflac, Cox, Southwest, Mastercard, ADP, and others.

Pantheon 2020

Pantheon will be an online conference this year and ServiceTitan is maintaining its high standards of quality. The company shipped 5 large boxes of professional video equipment to my home to practice and record material for the conference. Can’t wait to see the result.

A Talk About Privacy And Brazil’s LGPD

Brazil’s General Data Protection Law has officially come into effect. The new law has a lot of similarities with GDPR and CCPA/CPRA, however, LGPD’s applicability is NOT limited only to businesses and organizations above a particular size but applicable to businesses of all sizes, with the exception of journalistic, artistic, and academic purposes, or public safety and national defense.

Every company that processes data in Brazil or sells services to Brazilian consumers needs to comply. In this talk with Julio Lanes, Partner at Andrade Maia Law Firm, Julio and I chatted a bit of my personal experience with the impact of privacy laws in the US and how companies reacted to it.

Agent On Influence Podcast

I had a great conversation with AppSec thought leader Nabil Hannan on the NetSPI’s Agent Of Influence podcast. During our talk, we covered a broad range of topics, industries, and application profiles.

Some highlights of our conversation include:

  • Does one size fits all in AppSec?
  • How do you create a safe environment to promote open test of highly sensitive systems?
  • Are open-source solutions more secure?
  • The fundamental difference between security software and software security

ServiceTitan Founders Club 2020

I feel truly honored for being selected as one of the 87 extraordinary employees who was selected to go to Cabo. Founders’ Club is the highest honor awarded at ServiceTitan and recognizes you as one of the top performers in a company full of star performers.

T.E.N Information Security Executive North America Awards 2019

Honored to be one of the nominees for the T.E.N Information Security Executive (ISE) Award North America 2019. T.E.N. is a technology and information security executive networking and relationship marketing firm. The award is given to top-ranking decision makers representing organizations in the academic and public sectors, commercial, financial services and health care.

Armenia, Here I Come!

I’m traveling to Yerevan in Armenia for the first time next week and I’m really looking forward to all the upcoming events, including the opportunity to meet the OWASP Armenia community, give a talk at the American University of Armenia, attend the Hive Ventures Summit, attend the WCIT, meeting the staff and ServiceTitan, and hire our first information security team member overseas.

Yerevan , Armenia: Cascade Complex monument landmark of Yerevan capital city of Armenia

Interns At ServiceTitan

Provide growth opportunities for my team members is paramount. When HR asked all ServiceTitan interns who wanted to be featured on a LinkedIn post about the 2019 internship experience, Sid was the first person companywide to volunteer. Sid had many internship options and I’m glad he chose to join the team.

Entrepreneurship Podcast

In this podcast in Portuguese, Eduardo and I talked about the importance of information security in the development and growth of startups and companies. We touched on case studies and I gave tips on how companies can start protecting their data.

Cybersecurity At The Board Level

Leaders have a significant responsibility in personally understanding and managing cybersecurity as a key risk area. They must learn how to proactively protect their organizations and customers from the ever-increasing threat of cyberattacks. I felt honored and humbled when a chapter in Brazil of the Young Presidents Organization (YPO), a global network of young chief executives with approximately 24,000 members in more than 130 countries, invited me to fly all the way to South America to speak on the topic of roles and responsibilities to their local group of business leaders.

M&E And Secure Content Creation

The Media and Entertainment (M&E) industry has many “crown jewels” that require protection from hackers and malicious insiders. These jewels include intellectual property like video content and concept art, business data like highly sensitive email conversations, and personnel records. They also include the availability of content streams to ensure consistent, accurate delivery of media assets. It’s an area where digital security, innovation, conversion, and file content management is converging to redefine the daily experiences of M&E businesses.

This month I passed the strict review and approval process to become a qualified Trusted Partner Network (TPN) assessor. The TPN is a joint venture between two major entertainment industry associations, the Motion Picture Association (MPA) and the Content Delivery & Security Association (CDSA), the worldwide leaders in third-party entertainment industry assessments.

OWASP AppSec Cali 2018 – THE BEST EVER!!!

Great weather, great speakers, greater trainers, great organization = sold out and awesome! Hollywood quality recordings of the talk are coming out soon.

Penetration Test Of Brazil’s Electronic Voting System

The Brazilian government selected me as one of the security researchers who will test the nation’s electronic voting system. I’m honor and excited about the opportunity to contribute to the security of this critical infrastructure component.

Bitcoin Hardfork

On August 1st Bitcoin was split into Bitcoin (BTC) and the clone coin Bitcoin Cash (BCH). The means of this split was both a source code “hard fork,” creating an incompatible and independent cryptocurrency, in conjunction with a clone of the entire blockchain. Everyone who had bitcoins (BTC) before the fork has the same number of coins in bitcoin cash (BCH). In an article for the ITSP magazine, I explained the security and risks related to this split by discussing the motives, technical differences, and the consequences to the ecosystem.

Read the full article: Bitcoin’s Fork And Its Security Implications (two-part article)

Dissecting Bitcoin Security At RSA

So grateful for the strong attendance of over 600 people at my talk about Bitcoin. As of today, one Bitcoin is worth US$400. How far will it go?

RSA 2016

Super excited about my upcoming talk at RSA 2016! With 33,000 attendants RSA is one of the biggest, best known, and most respected security events of the year. Here is a picture of a general session.

(ISC)2 Congress

(ISC)2 congress was a massive success with over 20,000 attendants. Happy to be able to contribute to the show as a speaker. Below is a picture of Monday’s lunch. I always wonder how the kitchen is able to serve everyone at the same time. One day I’ll ask for a tour of the kitchen… It will make me a better man (and a better cook).

OWASP AppSec California 2015 Rocks!

Following the huge success of the previous event, OWASP AppSec California is promising to be one of the hottest conferences in 2015. The lineup of keynotes and speakers is top-notch and the venue is truly unique. Seating is limited so you really need to hurry up to get in!

FS-ISAC, Here I Come!

Reviewing my talk for next week. Really excited about contributing and collaborating with FS-ISAC on critical security threats facing the global financial services sector.

CIO Event North America

The CIO series which currently operates in Europe, the Middle East, Africa, and many cities in North America is coming to Los Angeles. The event’s mission is to create a world-class platform of end-user-driven academia to help executives make the right decisions for their organizations. I’ll be speaking at the Los Angeles event along with the Coca-Cola CIO, E&Y CTO​, Carefusion CIO, and LA Unified School District CIO.

OWASP LA Rules!!!

I am thrilled to share this one: my excellent friends Tin Zaw, Richard Greenberg, Edward Bonver, Stuart Schwartz, and Kelly FitzGerald were voted the best OWASP chapter leaders in the world and will receive the WASPY Awards during the Global OWASP AppSec USA 2013! Great job people!

Speaking of OWASP AppSec USA 2013, let me take a moment to plug this excellent conference and the impressive lineup of speakers. If you have never been to a Global AppSec (USA, Europe, Latin America, or Asia) before, I highly recommend checking it out!

Black Hat Brazil

The Black Hat Briefings are a series of highly technical information security conferences that bring together some of the most prestigious names from the full spectrum of security thinkers. The conference organization does a superb job staying on the leading edge of new security trends as they emerge.

I was thrilled with the announcement of the first Black hat briefing in Brazil and even more thrilled when I was selected as one of the speakers! Brazil has long been reputed as the king of the banking Trojan. The few hackers who have been arrested are those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny and conspiracy. The local information security industry needs events such as BlackHat to learn and fight the ever-increasing number of new attack methods in cyberspace.

Hot Topics In Security

Wow! My roundtable session “Hot Topics in Security” at the Digital Insight Innovation Conference is indeed a hot session! Only a few days after the conference registration opened, the session reached maximum capacity. The organizers scheduled a second session on Tuesday for all of you who could not sign up for the first one.

Another Pleasant Surprise!

This year OWASP initiated the first annual Web Application Security Person of the Year (WASPY) award and I’m truly honored to be among the finalists.

Kate Hartmann, one of the few OWASP full-time employees, once told me that babies are the number one project killer in the community, something I can now testify about… As sad as this statement may sound for a security practitioner, I believe this is the ultimate proof that the organization is indeed moved by passion. People dedicate countless hours and really love what they do. If you don’t believe my words, listen to Ivan Ristic’s interview in the OWASP podcast when he talks about OWASP!

I really cannot count how many individuals I met and I have come to admire and built a friendship with. OWASP not only made me a better professional but also a better person.

I’m sincerely touched by this nomination. Thanks, OWASP! See you in Austin!

Global OWASP AppSec LatAm 2011 Videos Are Out

Global OWASP AppSec LatAm 2011 videos are now available on YouTube! I had the pleasure of acting as the host from beginning to end. Here are some of my favorite presentations:

In English:

In Portuguese:

The Great Cypher, Mightier Than The Sword

David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.) Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving at a RSA Panel titled “Making Sense of Software Security Advice: Best vs. Practiced Practices“. Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.

Join me from February 27- March 2 in San Francisco for five days of learning, sharing and networking. I’ve seen the agenda and the week promises to be a busy one! As a selected speaker for 2012, I’m pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:

My personal discount registration code: ZSPDdJaIoqK

This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012. The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit: Be sure to register using the discount registration code above to receive the $200 savings.

The Right Tool For The Right Job (SAFECode And BSIMM)

After listening to a number of talks at different conferences around the world, I’m convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence, organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers or adopting BSIMM as a Secure Development Lifecycle framework.

This week SAFECode released “A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives“. This brief paper addresses common questions on the differences between BSIMM’s descriptive model and SAFECode’s prescriptive guidance. If you are responsible for a large software security initiative, I highly recommend reading this paper.

The Gold Standard

Software Development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. Formal and structured software development methodology became a necessity for any organization that develops code.

Despite its known flaws, certifications are a great way to attest outsourced development can build solutions with the same level of quality practiced in large and well-established enterprises. Certifications are a good way to verify a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided a quote to (ISC)2 about the value of CSSLP. The certification has reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.

Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the (ISC)² SecureSDLC 2011 – SoCal November 1st in Anaheim, CA. This should be a great one-day event.

OWASP AppSec LatAm 2011

It took more than a year to organize OWASP AppSec LatAm 2011 but the results were worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides a world-class infrastructure. The variety and quality of PUC-RS’s main restaurant are comparable to some Buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.

Bryan Sullivan and Michael Craigue, our two keynotes, delivered more than security knowledge in their presentations, they delivered wisdom. Bryan delivered a polished presentation that mixed big picture concepts with hard-core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue’s conversational style and candidness made his presentation a must-see for everyone who wants to jump-start a security initiative at an enterprise. I highly recommend both.

The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a well done job! Argentina now has big shoes to fit for OWASP AppSec LatAm 2012!

A Pleasant Surprise!

(ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a special recognition award for community services! Wow, have you ever had the feeling you realized something about yourself just because someone told you?

There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community services is fulfilling and important: we all know there is a lot to do in application security and I believe we, the practitioners, have a social responsibility to help our communities.

Unfortunately, sometimes I see people leaving not-for-profit organizations because their bosses actively discourage this type of “distraction”. My personal experience as a manager and a practitioner is that these community services and work for an enterprise are symbiotic. In fact, all my staff at Symantec is encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s good for the individual, the business, and the community. I hope other companies start to see things this way.

An Interview With Cassio Goldschmidt

The Pontifícia Universidade Católica do Rio Grande do Sul’s (the Pontificia Catholic University of Rio Grande do Sul, often abbreviated as PUCRS) magazine featured an interview with me this month. I’m an alumnus of the school of Informatica and a big fan of the university.

As of 2009, the university had 10 courses with 5 stars, computer science being one of them.  There are also 21 courses with 4 stars according to the Guia do Estudante: Computing and Mathematical Sciences and Engineering and Production.

The magazine is in Portuguese. Click on the picture to download and read the article on page 40.

Registrations For OWASP Global AppSec Latin America Are Now Open!

The organization committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving way is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early-bird registration discounts is August 31st. Check out the videos about Brazil and Porto Alegre in the conference visitor’s guide.

OWASP Global AppSec Asia 2011

Sebastien Deleersnyder, Mano Paul, and I will be the keynote speakers at OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendants and this year the organization expects over 800 people coming from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities, and research institutes. Major news media will be covering the event.

There is a very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in the People’s Republic of China I respect so much their technical knowledge, work ethics, and humbleness I could only wish we were fewer time zones apart! I hope to meet a lot more people alike in November. Please don’t be shy to come and chat if you see me around the conference floor.

(ISC)2 Americas Information Security Leadership Award 2011

I’ve been selected as a finalist for the Americas Information Security Leadership Award (ISLA) 2011. The ISLAs Program is held annually by the International Information Systems Security Certification Consortium ((ISC)²) to recognize outstanding leadership and achievements in workforce improvement of information security and management professionals. The gala dinner ceremony will be one among the many great events planned for the 57th ASIS Internation 2011 conference/(ISC)² Security Congress.

If you attend the conference, don’t miss Richard Tychansky, Hart Rossman, and Symantec’s Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session here.

ISSA Los Angeles 2011 Security Summit

I just came back from the ISSA speaker dinner and I’m really excited about tomorrow’s event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. I’ll be serving at a panel with Steve Lipner (Microsoft), Gary McGraw (Cigital), and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.

Other speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).

Better Software 2011

As much as I love to manage a global team that is as passionate about Software Security as Symantec’s Product Security, I’m still a software developer at heart. Needless to say, I had a real blast presenting at Better Software. “Cosmic Truths about Software Quality” by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.

According to the official conference numbers, my presentation about secure coding had one of the top ratings from all the 65+ speakers. Who said developers don’t care about security?

Valentine’s Day

Valentine’s this year will be a bit different… I’m returning to Berkeley to present a talk about my book, this time to Berkeley’s NetEcon group. Next, I’ll head to RSA Conference and finally end the day at a business dinner with my boss and a Symantec business partner.