Super excited to return to the beautiful Santa Monica beach for the much-awaited ISSA LA Summit XIII 2023 CISO forum. This year, I am grateful to have the opportunity to facilitate a roundtable discussion concerning the important role of phishing tests in our present technological scenario. See you October 4 at the Annenberg Beach House!
Check out the promotion video below if you are unsure whether you should attend this conference.
I am excited to see that the OWASP Top 10 for Large Language Models (LLM) taxonomy document has finally been released. This ambitious project brings much-needed clarity to the field of LLM applications, highlighting key vulnerabilities and providing invaluable recommendations for hardening these applications against potential attacks.
Having always been passionate about both developer security and AI for the last 4 years, the OWASP Top 10 for LLM couldn’t be more up my alley. Over 130 specialists, including myself, contributed their insights and knowledge.
Yet, it’s important to note that this breakthrough is only the beginning. LLM technology is an evolving, dynamic field. As technology advances, the security risks and associated adaptations will continuously need to be reassessed and updated.
I’m ecstatic with the news that I was listed among this year’s CISOs Connect Top 100 CISOs Award recipients, especially in light of the fact that there were over 700 applicants this year! All with at least 5 years of experience as CISOs of sizable companies!
Humbled to be listed among CISOs from companies like Walmart, Bank of America, HP, MasterCard, GE, Jack Henry, Marsh, Blackstone, Target, USAA, Freddie Mac, Unilever, and Fannie Mae.
I had the most excellent time chatting with Rich Rich Stroffoline in today’s Cyber Security Headlines podcast. Here is a summary of some of the topics we covered.
US Military Personnel Receiving Unsolicited Smartwatches
US military personnel have reported receiving smartwatches in the mail unrequested. While it’s theoretically possible these could be used as spying devices, it’s more likely a ‘brushing’ scam meant to drum up fake reviews. If you receive one, it’s best not to turn it on and report the incident.
Chinese State-Backed Hackers Infecting European Hospital
A European hospital was hit by a USB attack linked to Chinese hackers. The incident serves as a reminder that robust endpoint security is vital, showing that even notorious social engineering tricks can be effective without it.
Flight Disruptions from 5G
The upcoming 5G network may disrupt some flights due to overlapping frequencies with aircraft altimeters. Potential measures to deal with this include creating buffer zones and updating aircraft equipment.
Data Breach at Airlines Due to Third-Party Vendors
American and Southwest Airlines suffered data breaches due to a hack on a third-party vendor. The incident highlights the importance of ensuring your third-party vendors adhere to the same security standards as your company and having a response plan for breaches.
Potential US Export Bans on AI Chips
The US is considering significant export bans on AI chips, a move reminiscent of past restrictions. While it may help the US maintain its technological edge in the short run, it might also incentivize foreign competitors to develop their own technology.
Honored and humbled to be recognized in Tel Aviv by Team8 and Deloitte with the Cyber Community Development Award. Team8 has been a longtime supporter of the CISO community, promotes high-quality security papers, and assists in establishing some of the world’s most innovative security firms.
Excited to announce that I will be presenting at the ServiceTitan Pantheon once again! This year’s session is all about “The Future of GenAI and ServiceTitan”. Together with Sarah Sheehan, Group Product Manager at ServiceTitan, we’ll explore how Generative AI can solve many current challenges and discuss the opportunities it presents for ServiceTitan customers.
I am a strong proponent of #GenerativeAI and I am pleased that we were able to debunk some myths, provide guidance, and consider the risks associated with this cutting-edge technology. This paper is a good starting point for security practitioners who are being requested for guidance by their organizations and still need to catch up with the technology.
Download our full CISO guide on Generative AI here.
Looking forward to the upcoming Battery Ventures cyber readiness webinar alongside Daniel Schwalbe, CISO of DomainTools, open for all Battery Venture invested companies. In this by-invitation-only webinar, we will be discussing strategies for building a strong cybersecurity posture for organizations at any stage of their security journey.
One of the greatest joys of leading a team is providing the opportunity for the team members to grow and achieve self-realization in their professional lives.
Collaborating with colleagues you respect and admire at work is the employment equivalent of finding a golden ticket in your chocolate bar – it’s a rare treat that makes the daily grind infinitely more enjoyable.
During Levon’s employment interview, I asked him how he maintained his expertise as an incident response professional. I anticipated an answer related to reading books and the news, given that he was not yet employed full-time in his field of work. Instead, he went beyond stating that he did volunteer work to defend journalists from hacker groups. I knew instantly that Levon possessed the hunger I was seeking in a team member.
Congratulations on another well-deserved promotion, Levon. I am certain that this will not be the end.
SafeBase’s first Customer Advisory Board meeting was a resounding success, thanks to the SafeBase team’s meticulous preparation of a clear session agenda and topics. Representatives from companies such as LinkedIn, Crossbeam, ServiceTitan, Abnormal Security, Jamf, Axonius, Confluent, Split, and Sigma attended the meeting in Scottsdale, Arizona.
One of the most exciting topics we discussed was the industry trend of creating a Chief Trust Officer position. Jim Alkove’s fireside chat was especially enlightening, as he discussed the shifting role of security to a trust leader. This topic was timely and relevant, given the increasing importance of trust in today’s digital landscape.
Check out the SafeBase blog post on the topic. The tips and takeaways shared by the SafeBase team are useful and applicable to anyone hoping to hold a similar event with their advisory board or stakeholders.
What a joy to go to OWASP Orange County to present my talk, “Security for Growth Companies.”!
The turnout was amazing: the room was packed. People asked great questions, and it was exciting to see the audience’s engagement. It was also great to catch up with old friends, many of whom I hadn’t seen in a while.
What’s even more exciting is to see the next day that people found value in the talk and the way we run our security program!
Recently, I had the pleasure of being interviewed for the Future of Cyber Risk Podcast. During the episode, we discussed my role as Chief Information Security Officer at ServiceTitan, a vertical SaaS B2B company. David asked me to share what a day in the life of a CISO looks like, and I explained that security must come before compliance, but, in the end, business success should be the priority. I also shared my views on cyber risk management.
Tonight, I was once again honored to accept another set of awards on my team’s behalf. The team’s work on ServiceTitan’s Smart Trust Center (https://security.servicetitan.com) earned us a spot among the three finalists for the best project award at the 2022 TEN ISE West. The project attests to our commitment to innovation, excellence, and transparency in information security. After ServiceTitan established this portal, many of the “cool kids” many of us look to for direction, such as InstantCart, DataDog, LinkedIn, JAMF, SNYK, Postman, and Discord, jumped on the boat we took with a pre-Series A company to establish their portals using the same technology. Companies such as Blackstone, Lilly, and AT&T were competing against us. They all have a market cap that is more than ten times that of ServiceTitan and a disproportionately larger amount of resources in InfoSec.
I would also like to express my gratitude to the distinguished group of judges for nominating me for an executive award.
The greatest reward is helping a stranger on the other side of the world who you will probably never meet. Below is a LinkedIn post someone did this week about my LinkedIn Learning course.
I am honored to be among the nominees for the ISE West Executive Award. Team ServiceTitan was also put forward for the ISE West Project of the Year Award by a group of very qualified experts and industry professionals, which makes me very humble. Thank you, T.E.N., for your consideration and for consistently hosting a phenomenal event.
This may sound very strange, but after approximately 13 years of involvement with the OWASP LA chapter, I’ll be presenting a talk for the first time. The reason is simple: for the longest time I was at large the person in charge of selecting talks and I never felt comfortable selecting my own talks. I’m very thankful that the board reached out to me for this in person talk. I’m super excited with this special opportunity.
I’ll be a featured speaker at C|VISION CXO Thinktank in San Francisco on September 14, 2022. Steve Zalewski, Jared Snowm Sammuel Washington, Leda Muller, Rick Bosworth, and I will be addressing attacks on the supply chain.
Cloud has transformed the nature of the technology used to build systems. It also expanded the attack surface.
In this post, our group CISOs shares 5 Security principles to help founders, builders, and security practitioners respond to emerging and novel digital threats.
The C100 list was released today and I must say that it took days to review and verify references for several hundred candidates. Here are a few reasons why I consider the C100 award special:
- Experienced CISOs review and select the winners
- All candidates must have at least five years of experience as a CISO or equivalent position
- We consider the candidates’ involvement and leadership roles in professional organizations
- Volunteering and activism are part of the selection criteria
- Last but not least, the board considers mentoring, teaching, and educating future cybersecurity professionals across business and technical functions
The criteria are super transparent, and there is no fee or financial requirement at any point associated with the C100 awards.
To all winners of the C100 2022, I salute you!
Congrats to Glilot for organizing a great event for their CISO advisors and startup leaders during RSA. There were some great discussions with the group. Time well spent!
If you are attending RSA, come join Emilio and I on this panel about Dev environments on June 7, 2:30 PM at the Mourad! Emilio is a very experienced practitioner and I look forward to talking to him about this vital topic for any company developing SaaS products.
Pantheon 2022 was an absolute success. This year the conference took place at the historic Los Angeles Coliseum. Tom Howard and Sendur Sellakumar did a superb job describing the company’s vision to propel the industry forward with technology. During this presentation, they provided some of the concrete findings the company made from mining data.
Although I wasn’t present at the conference (because I was on vacation in Mexico with my family), I was humbled by Tom Howard’s off script shout-out to InfoSec and specifically to my work around 23:45 in the video below.
It was a pleasant surprise to see my employer’s announcement about our Smart Trust Center today on LinkedIn. ServiceTitan’s “self-serve” access allows customers to gather information about the company’s security program quickly. This includes audit reports, security certifications, results from automated scores tools, whitepapers, security policies, and a plethora of information grouped into tiles.
I’m honored to join this community and serve on the 2022 CISOs Top 100 CISO (C100) Board of Judges. I appreciate the opportunity to work with this esteemed group of experienced CISOs and be part of an award with transparent criteria and is not shy to show the faces of the board of judges.
With so many outstanding podcasts out there, I feel biased to call “A Virada” my favorite Brazilian Podcast. A Virada is a podcast about innovation and the future of markets and it’s a true forward thinking podcast. In 2021, A Virada made the top of iTunes list in the business category, passing internationally acclaimed podcasts such as the Harvard Business Review (HBR). Above all, the two hosts are what make this podcast so special to me: the head of Prana Venture Capital Bruno Peroni and the co-founder of Superplayer & Co, Gustavo Goldschmidt, my younger brother.
In this episode in Portuguese of A Virada we talked about Information Security, the current threat landscape, privacy, Internet of things (IoT), and much more.
One of the biggest threats to your personal information is a lack of cybersecurity. The same rings true for organizations that need to protect their data. This course offers you a strong understanding of what you can do as an individual contributor to help keep your organization’s data safe. In this course, Cassio goes over processes for identifying data that needs to be protected, as well as classifying and sorting data most effectively. He explains data processing, including how to address some common mistakes and remove processing bias. Cassio provides a detailed look into privacy policies, training, and breaches, as well as sharing proven strategies to manage privacy risks.
I’m feeling ecstatic to receive the CISOs Top 100 CISOs award from CISO CONNECT! This recognition is truly a collective win with the help of my amazing team and executive leadership that supports our initiatives day in and day out! Without this collaborative effort, we wouldn’t be where we are.
A heartfelt shoutout to my incredible colleagues and former board members at OWASP LA and the OWASP Foundation for working tirelessly with me to give back to the security community outstanding educational opportunities and the AppSec California conference, which many consider one of the best Application security conferences in the world! I cannot thank you all enough for your support!
– Announcement: https://lnkd.in/gaKUQVW
– C100 Winners: https://lnkd.in/gMVJD6E
I’m thrilled with my alma mater’s invitation to be the keynote speaker of this year’s SE Day event. By choosing a keynote on application security for a software engineering conference, PUC-RS sends a strong message to its students that security and privacy are indeed paramount.
For the last 7 years, I’ve been a certified bitcoin professional. Because of the continuous enhancements in the field, this certification expires every two years. This is the 4th year I take the test.
A Certified Bitcoin Professional is knowledgeable about the Bitcoin blockchain, Bitcoin transactions, and how the Bitcoin network operates. CBPs are able to apply Bitcoin technology to their professional area of expertise and understand privacy aspects, double-spending, and other issues that relate to the currency.
ServiceTitan won the ISE┬« West Executive Forum and Awards 2020 in the “project” category, debunking a little company called T-Mobile that you may have heard about.
Winners and nominees in other regions include equally small companies such as Aflac, Cox, Southwest, Mastercard, ADP, and others.
Pantheon will be an online conference this year and ServiceTitan is maintaining its high standards of quality. The company shipped 5 large boxes of professional video equipment to my home to practice and record material for the conference. Can’t wait to see the result.
BrazilΓÇÖs General Data Protection Law has officially come into effect. The new law has a lot of similarities with GDPR and CCPA/CPRA, however, LGPDΓÇÖs applicability is NOT limited only to businesses and organizations above a particular size but applicable to businesses of all sizes, with the exception of journalistic, artistic, and academic purposes, or public safety and national defense.
Every company that processes data in Brazil or sells services to Brazilian consumers needs to comply. In this talk with Julio Lanes, Partner at Andrade Maia Law Firm, Julio and I chatted a bit of my personal experience with the impact of privacy laws in the US and how companies reacted to it.
I had a great conversation with AppSec thought leader Nabil Hannan on the NetSPI’s Agent Of Influence podcast. During our talk, we covered a broad range of topics, industries, and application profiles.
Some highlights of our conversation include:
- Does one size fits all in AppSec?
- How do you create a safe environment to promote open test of highly sensitive systems?
- Are open-source solutions more secure?
- The fundamental difference between security software and software security
The COVID-19 situation opens up new work from home risks and cybercriminals are taking advantage of it. One of the ways companies can prepare employees is to send out simulated phishing tests. In my article Improve Your Company’s Resilience Against Phishing Attacks By Inviting Employees To Phish I describe Phish a Phriend, a more engaging, effective, and fun way for enterprises to roll out their phishing tests.
I feel truly honored for being selected as one of the 87 extraordinary employees who was selected to go to Cabo. Founders’ Club is the highest honor awarded at ServiceTitan and recognizes you as one of the top performers in a company full of star performers.
Honored to be one of the nominees for the T.E.N Information Security Executive (ISE) Award North America 2019. T.E.N. is a technology and information security executive networking and relationship marketing firm. The award is given to top-ranking decision makers representing organizations in the academic and public sectors, commercial, financial services and health care.
I am this year’s winner of the (ISC)2 Information Security Leadership Americas and I feel deeply honored to be selected by a program created by an organization with over 140,000 members that recognizes outstanding leadership and achievements in workforce improvement of information security and management professionals throughout the private and public sectors in North, Central, and South America.
I’m traveling to Yerevan in Armenia for the first time next week and I’m really looking forward to all the upcoming events, including the opportunity to meet the OWASP Armenia community, give a talk at the American University of Armenia, attend the Hive Ventures Summit, attend the WCIT, meeting the staff and ServiceTitan, and hire our first information security team member overseas.
Yerevan , Armenia: Cascade Complex monument landmark of Yerevan capital city of Armenia
Providing growth opportunities for my team members is paramount. When HR asked all ServiceTitan interns who wanted to be featured on a LinkedIn post about the 2019 internship experience, Sid was the first person companywide to volunteer. Sid had many internship options and I’m glad he chose to join the team.
Happy 40th birthday, FACIN school of Computer Science at PUC-RS! Thankful for all I learned from you. I am honored to be part of your history and humbled to be one of the 6 selected alumni case studies (in all 40 years) featured in the 40th-anniversary commemorative book.
Leaders have a significant responsibility in personally understanding and managing cybersecurity as a key risk area. They must learn how to proactively protect their organizations and customers from the ever-increasing threat of cyberattacks. I felt honored and humbled when a chapter in Brazil of the Young Presidents Organization (YPO), a global network of young chief executives with approximately 24,000 members in more than 130 countries, invited me to fly all the way to South America to speak on the topic of roles and responsibilities to their local group of business leaders.
The Media and Entertainment (M&E) industry has many “crown jewels” that require protection from hackers and malicious insiders. These jewels include intellectual property like video content and concept art, business data like highly sensitive email conversations, and personnel records. They also include the availability of content streams to ensure consistent, accurate delivery of media assets. It’s an area where digital security, innovation, conversion, and file content management is converging to redefine the daily experiences of M&E businesses.
This month I passed the strict review and approval process to become a qualified Trusted Partner Network (TPN) assessor. The TPN is a joint venture between two major entertainment industry associations, the Motion Picture Association (MPA) and the Content Delivery & Security Association (CDSA), the worldwide leaders in third-party entertainment industry assessments.
Securing the modern attack surface is a critical challenge you must effectively address to reduce cyber exposure and protect your enterprise. The Mighty guide Reducing Cyber Exposure from Cloud to Containers provides insights and lessons from 29 industry leaders (e.g., @daveshackleford, @csima, @lady_nerd, @planetlevel, @weldpond) on this topic.
Brazil’s Superior Electoral Court (TSE) selected me to test the electronic voting machines that will be used in the 2018 presidential elections. In this interview (in Portuguese) conducted by the TSE, all security researchers who provided relevant findings described their work and explained why the test is important.
The Brazilian government selected me as one of the security researchers who will test the nation’s electronic voting system. I’m honor and excited about the opportunity to contribute to the security of this critical infrastructure component.
On August 1st Bitcoin was split into Bitcoin (BTC) and the clone coin Bitcoin Cash (BCH). The means of this split was both a source code ΓÇ£hard fork,ΓÇ¥ creating an incompatible and independent cryptocurrency, in conjunction with a clone of the entire blockchain. Everyone who had bitcoins (BTC) before the fork has the same number of coins in bitcoin cash (BCH). In an article for the ITSP magazine, I explained the security and risks related to this split by discussing the motives, technical differences, and the consequences to the ecosystem.
Read the full article:┬áBitcoinΓÇÖs Fork And Its Security Implications (two-part article)
According to ITSP TV, the panel at ADP was extremely informative. Check out the video:
UNC Charlotte 17th annual Cyber Security Symposium┬áwas a sold out event. Humbled with the opportunity to take the main stage. Although this is an academia event, there were more far more professionals than students. Kudos to the organization for a great event!
So grateful for the strong attendance of over 600 people at my talk about Bitcoin. As of today, one Bitcoin is worth US$400. How far will it go?
Super excited about my upcoming talk at RSA 2016! With 33,000 attendants RSA is one of the biggest, best known, and most respected security events of the year. Here is a picture of a general session.
(ISC)2 congress was a massive success with over 20,000 attendants. Happy to be able to contribute to the show as a speaker. Below is a picture of Monday’s lunch. I always wonder how the kitchen is able to serve everyone at the same time. One day I’ll ask for a tour of the kitchen… It will make me a better man (and a better cook).
Working with Jim Manico is a joy! I hope we can present again soon.
Following the huge success of the previous event, OWASP AppSec California is promising to be one of the hottest conferences in 2015. The lineup of keynotes and speakers is top-notch and the venue is truly unique. Seating is limited so you really need to hurry up to get in!
Reviewing my talk for next week. Really excited about contributing and collaborating with FS-ISAC on critical security threats facing the global financial services sector.
The CIO series which currently operates in Europe, the Middle East, Africa, and many cities in North America is coming to Los Angeles. The event’s mission is to create a world-class platform of end-user-driven academia to help executives make the right decisions for their organizations. I’ll be speaking at the Los Angeles event along with the Coca-Cola CIO, E&Y CTOΓÇï, Carefusion CIO, and LA Unified School District CIO.
Wow!┬áThe organization committee highlighted my talk as one of the exciting conference briefings!┬áThe pressure is on! Better to brush up on my Portuguese for next week!
I am thrilled to share this one: my excellent friends Tin Zaw, Richard Greenberg, Edward Bonver, Stuart Schwartz, and Kelly FitzGerald were voted the best OWASP chapter leaders in the world and will receive the WASPY Awards during the Global OWASP AppSec USA 2013! Great job people!
Speaking of OWASP AppSec USA 2013, let me take a moment to plug this excellent conference and the impressive lineup of speakers. If you have never been to a Global AppSec (USA, Europe, Latin America, or Asia) before, I highly recommend checking it out!
The Black Hat Briefings are a series of highly technical information security conferences that bring together some of the most prestigious names from the full spectrum of security thinkers. The conference organization does a superb job staying on the leading edge of new security trends as they emerge.
I was thrilled with the announcement of┬áthe first Black hat briefing in Brazil┬áand even more thrilled when I was selected as one of the speakers! Brazil has long been reputed as the king of the banking Trojan. The few hackers who have been arrested are those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny and conspiracy. The local information security industry needs events such as BlackHat to learn and fight the ever-increasing number of new attack methods in cyberspace.
Wow! My roundtable session “Hot Topics in Security” at the Digital Insight Innovation Conference is indeed a hot session! Only a few days after the conference registration opened, the session reached maximum capacity. The organizers scheduled a second session on Tuesday for all of you who could not sign up for the first one.
SAFECode released some training material last week. Some of the main contributors are members of my former staff at Symantec.
If you are looking for this type of material, also consider Jerry HoffΓÇÖs excellent OWASP AppSec Tutorial Series
Lastly, my good friend Zully released a number of good videos about bitcoin security at Khan Academy.
This year OWASP initiated the first annual Web Application Security Person of the Year (WASPY) award and I’m truly honored to be among the finalists.
Kate Hartmann, one of the few OWASP full-time employees, once told me that babies are the number one project killer in the community, something I can now testify aboutΓÇª As sad as this statement may sound for a security practitioner, I believe this is the ultimate proof that the organization is indeed moved by passion. People dedicate countless hours and really love what they do. If you don’t believe my words, listen to Ivan Ristic’s interview in the OWASP podcast when he talks about OWASP!
I really cannot count how many individuals I met and I have come to admire and built a friendship with. OWASP not only made me a better professional but also a better person.
I’m sincerely touched by this nomination. Thanks, OWASP! See you in Austin!
- Bryan Sullivan – You Are Not Amy Winehouse: A New Plan for Reaching the Developer Community
- Michael Craigue – Security Development Lifecycle – A History in 3 Acts
- Chris Evans – Dosh4vulns — Google’s vulnerability reward programs
- Rob Rachwald – How Security Researchers Are Hurting the Business of Hacking
- Dinis Cruz – Making Security Invisible by Becoming the Developer’s Best Friends
- Maximiliano Soler Mantra – The Security Framework Slides
- Alexandre Braga – Como n├úo escolher a sua senha! Ser├í a senha gr├ífica o futuro das senhas?
- Rodrigo Montoro – HTTP Header Hunter: Looking for malicious behavior into your http header traffic
- Magno Logan – Seguran├ºa em Sites de Compras Coletivas: Economizando dor de cabe├ºa!
- Wagner Elias – Automatizando an├ílise passiva de aplica├º├╡es web
David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.) Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving at a RSA Panel titled “Making Sense of Software Security Advice: Best vs. Practiced Practices“. Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.
Join me from February 27- March 2 in San Francisco for five days of learning, sharing and networking. IΓÇÖve seen the agenda and the week promises to be a busy one! As a selected speaker for 2012, IΓÇÖm pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:
My personal discount registration code: ZSPDdJaIoqK
This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012. The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit: https://www.rsaconference.com/events/2012/usa/index.htm. Be sure to register using the discount registration code above to receive the $200 savings.
After listening to a number of talks at different conferences around the world, IΓÇÖm convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence, organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers or adopting BSIMM as a Secure Development Lifecycle framework.
This week SAFECode released ΓÇ£A SAFECode Perspective on Leveraging Descriptive Software Security InitiativesΓÇ£. This brief paper addresses common questions on the differences between BSIMMΓÇÖs descriptive model and SAFECodeΓÇÖs prescriptive guidance. If you are responsible for a large software security initiative, I highly recommend reading this paper.
Software Development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. Formal and structured software development methodology became a necessity for any organization that develops code.
Despite its known flaws, certifications are a great way to attest outsourced development can build solutions with the same level of quality practiced in large and well-established enterprises. Certifications are a good way to verify a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided┬áa quote to (ISC)2 about the value of CSSLP. The certification has reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.
Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the┬á(ISC)┬▓ SecureSDLC 2011 ΓÇô SoCal┬áNovember 1st in Anaheim, CA. This should be a great one-day event.
It took more than a year to organize OWASP AppSec LatAm 2011 but the results were worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides a world-class infrastructure. The variety and quality of PUC-RS’s main restaurant are comparable to some Buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.
Bryan Sullivan and Michael Craigue, our two keynotes, delivered more than security knowledge in their presentations, they delivered wisdom. Bryan delivered a polished presentation that mixed big picture concepts with hard-core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue’s conversational style and candidness made his presentation a must-see for everyone who wants to jump-start a security initiative at an enterprise. I highly recommend both.
The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a well done job! Argentina now has big shoes to fit for OWASP AppSec LatAm 2012!
(ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a special recognition award for community services! Wow, have you ever had the feeling you realized something about yourself just because someone told you?
There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community services is fulfilling and important: we all know there is a lot to do in application security and I believe we, the practitioners, have a social responsibility to help our communities.
Unfortunately, sometimes I see people leaving not-for-profit organizations because their bosses actively discourage this type of “distraction”. My personal experience as a manager and a practitioner is that these community services and work for an enterprise are symbiotic. In fact, all my staff at Symantec is encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s good for the individual, the business, and the community. I hope other companies start to see things this way.
The Pontif├¡cia Universidade Cat├│lica do Rio Grande do Sul’s (the Pontificia Catholic University of Rio Grande do Sul, often abbreviated as PUCRS) magazine featured an interview with me this month. I’m an alumnus of the school of┬áInformatica┬áand a big fan of the university.
As of 2009, the university had 10 courses with 5 stars, computer science being one of them.┬á There are also 21 courses with 4 stars┬áaccording to the Guia do Estudante: Computing and Mathematical Sciences and Engineering and Production.
The magazine is in Portuguese. Click on the picture to download and read the article on page 40.
The organization committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving way is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early-bird registration discounts is August 31st. Check out the videos about Brazil and Porto Alegre in┬áthe conference visitor’s guide.
Sebastien Deleersnyder, Mano Paul, and I will be the keynote speakers at OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendants and this year the organization expects over 800 people coming from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities, and research institutes. Major news media will be covering the event.
There is a very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in the People’s Republic of China I respect so much their technical knowledge, work ethics, and humbleness I could only wish we were fewer time zones apart! I hope to meet a lot more people alike in November. Please don’t be shy to come and chat if you see me around the conference floor.
I’ve been selected as a finalist for the Americas Information Security Leadership Award (ISLA) 2011. The ISLAs Program is held annually by the International Information Systems Security Certification Consortium ((ISC)²) to recognize outstanding leadership and achievements in workforce improvement of information security and management professionals. The gala dinner ceremony will be one among the many great events planned for the 57th ASIS Internation 2011 conference/(ISC)² Security Congress.
If you attend the conference, don’t miss Richard Tychansky, Hart Rossman, and Symantec’s Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session here.
I just came back from the ISSA speaker dinner and I’m really excited about tomorrow’s event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. IΓÇÖll be┬áserving at a panel┬áwith Steve Lipner (Microsoft), Gary McGraw (Cigital), and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.
Other speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).
As much as I love to manage a global team that is as passionate about Software Security as Symantec’s Product Security, I’m still a software developer at heart. Needless to say, I had a real blast presenting at Better Software. “Cosmic Truths about Software Quality” by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.
According to the official conference numbers, my presentation about secure coding had one of the top ratings from all the 65+ speakers. Who said developers don’t care about security?
One of the best things about being one of the first speakers to present at a conference is that it’s possible to actually pay attention to the other talks. 😉
While there were several good talks, I highly recommend watching two: Bryan Sullivan’s “Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era” and Tom Brennan, Ryan Barnett’s “Checkmate with Denial of Service“.