Blog
Friday, February 19th, 2021
Passed my Certified Bitcoin Professional Exam... again
For the last 7 years, I've been a certified bitcoin professional. Because of the continuous
enhancements in the field, this certification expires every two years.
This is the 4th time I have taken the test.
A Certified Bitcoin Professional is knowledgeable about the Bitcoin blockchain, Bitcoin transactions,
and how the Bitcoin network operates. CBPs are able to apply Bitcoin technology to their professional
area of expertise and understand privacy aspects, double-spending, and other issues
that relate to the currency.
Thursday, February 11th, 2021
Something really cool is in the works...
Just wrapped my latest course Madecraft! Looking forward to sharing the finished product soon!
Monday, December 21st, 2020
Addressing the security challenges of Shadow IT with Cassio Goldschmidt, CISO at ServiceTitan
I had a great time with Amir Bormand, Managing Director at Elevano, chatting about the risks of unapproved IT services to an organization in
The Tech Trek podcast part 1 and part 2.
Thursday, August 20th, 2020
ServiceTitan wins at the ISE® West Digital Awards Show
ServiceTitan won the ISE® West Executive Forum and Awards 2020 in the "project" category, beating out a little company called T-Mobile that
you may have heard about.
Winners and nominees in other regions include equally small companies such as Aflac, Cox, Southwest, Mastercard, ADP, and others.
Thursday, July 23rd, 2020
Pantheon 2020
Pantheon will be an online conference this year and ServiceTitan is maintaining its high standards of quality.
The company shipped 5 large boxes of professional video equipment to my home to practice and record material for the conference. Can't wait to see the result.
Wednesday, July 1st, 2020
A Virada Podcast - The future of Coding
It was a very special honor to be a guest at A Virada Podcast
for two reasons.
- One of the two hosts is my brother, Gustavo Goldschmidt.
- A Virada is the #1 podcast in Apple's overall rank in Brazil
Sunday, June 25th, 2020
A talk about Privacy and Brazil's LGPD
Brazil’s General Data Protection Law (LGPD) has officially come into effect. The new law has many similarities with GDPR and CCPA/CPRA; however,
LGPD’s applicability is NOT limited to businesses and organizations above a particular size but extends to businesses of all sizes, with
the exception of journalistic, artistic and academic purposes, or public safety and national defense.
Every company that processes data in Brazil or sells services to Brazilian consumers needs to comply.
Wednesday, June 24th, 2020
Agent on Influence Podcast
I had a great conversation with AppSec thought leader Nabil Hannan on NetSPI's Agent Of Influence podcast.
During our talk, we covered a broad range of topics, industries, and application profiles.
Some highlights of our conversation include:
- Does one size fit all in AppSec?
- How do you create a safe environment to promote open testing of highly sensitive systems?
- Are open-source solutions more secure?
- The fundamental difference between security software and software security
Tuesday, May 5th, 2020
Phish a Phriend
The COVID-19 situation opens up new work-from-home risks and cybercriminals are taking advantage of it.
One of the ways companies can prepare employees is to send out simulated phishing tests. In my article
Improve Your Company's Resilience Against Phishing
Attacks By Inviting Employees To Phish I describe Phish a Phriend, a more engaging, effective, and fun way for
enterprises to roll out their phishing tests.
Friday, November 22nd, 2019
T.E.N Information Security Executive North America Awards 2019
Honored to be one of the nominees for the T.E.N Information Security Executive (ISE) Award North America 2019. T.E.N.
is a technology and information security executive networking and relationship-marketing firm. The award is given to
top-ranking decision makers representing organizations in the academic and public sectors, commercial, financial
services and health care.
Saturday, November 2nd, 2019
(ISC)2 Information Security Leadership Americas Awards 2019
I am this year's winner of the (ISC)2 Information Security Leadership Americas and I feel deeply honored to be
selected by a program created by an organization with over 140,000 members that recognizes outstanding leadership and achievements in workforce
improvement of information security and management professionals throughout the private and public sectors in North, Central, and
South America.
Thursday, September 26, 2019
Armenia, here I come!
I'm traveling to Yerevan in Armenia for the first time next week and I'm really looking forward to all the upcoming events, including
the opportunity to meet the OWASP Armenia community, give a talk at the American University of Armenia,
attend the Hive Ventures Summit, attend the WCIT, meet the
staff at ServiceTitan, and hire our first information security team member overseas.
Monday, July 15, 2019
Interns at ServiceTitan
Providing growth opportunities for my team members is paramount. When HR asked all ServiceTitan interns
who wanted to be featured in a LinkedIn post about the 2019 internship experience, Sid was the first
person companywide to volunteer. Sid had many internship options and I’m glad he chose to join the team.
Sunday, May 5, 2019
FACIN is now 40 years old!
Happy 40th birthday, FACIN school of Computer Science at PUC-RS!
Thankful for all I learned from you. I am honored to be part of your history and humbled
to be one of the 6 selected alumni case studies (in all 40 years) featured in the 40th-anniversary commemorative book.
Sunday, February 3, 2019
Pantheon
In ancient Greece, it was said that all-powerful
Titans would gather at the Pantheon to make plans for the humans they protected.
During the Pantheon session "Security & Your Business: Best Practices", Sean Valdez and I will demonstrate effective solutions
to better secure your business.
Saturday, December 1, 2018
Entrepreneurship podcast
In this podcast in Portuguese, Eduardo and I talked about the importance of information security
in the development and growth of startups and companies. We touched on case studies and I gave
tips on how companies can start protecting their data.
Saturday, November 17, 2018
Cybersecurity at the board level
Leaders have a significant responsibility in personally understanding and managing
cybersecurity as a key risk area. They must learn how to proactively protect their
organizations and customers from the ever-increasing threat of cyberattacks.
I felt honored and humbled when a chapter in Brazil of the Young Presidents
Organization (YPO), a global network of young chief executives with approximately
24,000 members in more than 130 countries, invited me to fly all the way to South
America to speak on the topic of roles and responsibilities to their local group of business
leaders.
Thursday, July 26, 2018
M&E and Secure Content Creation
The Media and Entertainment (M&E) industry has many “crown jewels” that require
protection from hackers and malicious insiders. These jewels include intellectual
property like video content and concept art, business data like highly sensitive
email conversations and personnel records. They also include the availability of
content streams to ensure consistent, accurate delivery of media assets. It’s an
area where digital security, innovation, conversion and file content management is
converging to redefine the daily experiences of M&E businesses.
This month I passed the strict review and approval process to become a qualified
Trusted Partner Network (TPN) assessor. The TPN is a joint venture between two major
entertainment industry associations, the Motion Picture Association of America
(MPAA) and the Content Delivery & Security Association (CDSA), the worldwide leaders
in third-party entertainment industry assessments.
Friday, February 2, 2018
Reducing Cyber Exposure from Cloud to Containers Mighty Guide
Securing the modern attack surface is a critical challenge you must effectively address to
reduce cyber exposure and protect your enterprise. The Mighty guide
Reducing Cyber Exposure from Cloud to Containers
provides insights and lessons from 29 industry leaders
(e.g., @daveshackleford, @csima, @lady_nerd, @planetlevel, @weldpond) on this topic.
Wednesday, January 31, 2018
OWASP AppSec Cali 2018 - THE BEST EVER!!!
Great weather, great speakers, greater trainers, great organization = sold out and awesome!
Hollywood quality recordings of the talk are coming out soon.
Friday, December 22, 2017
Security Test of the 2018 presidential elections voting machines: experience and results
Brazil's Superior Electoral Court (TSE) selected me to test the electronic voting machines that will be used in the 2018
presidential elections. In this interview (in Portuguese) conducted by the TSE, all security researchers who provided relevant findings described their work and explained why the test is important.
Friday, December 15, 2017
Forbes Technology Council
Feeling grateful for being hand-selected to become part of Forbes Technology Council and having the opportunity to submit
thought leadership articles on industry-related topics for publishing on Forbes.com.
Tuesday, December 5, 2017
Bug bounty Webinar
I'm presenting a 30-minute webinar on Bug Bounty. Learn how to get started in implementing a
successful program and avoid common pitfalls. Click here to register.
Monday, November 27, 2017
Penetration test of Brazil's Electronic Voting System
The Brazilian government selected me as one of the security researchers who will test the nation's
electronic voting system. I'm honored and excited about the opportunity to contribute to
the security of this critical infrastructure component.
Wednesday, October 11, 2017
Bug bounty panel at AppSec USA 2017
The video is out! Check it out.
Sunday, October 01, 2017
Bitcoin Hardfork
On August 1st Bitcoin was split into Bitcoin (BTC) and the clonecoin Bitcoin Cash (BCH).
The means of this split was both a source code “hard fork,” creating an incompatible and independent
crypto currency, in conjunction with a clone of the entire blockchain.
Everyone who had bitcoins (BTC) before the fork has the same number of coins in bitcoin cash (BCH).
In an article for the ITSP magazine, I explained the security and risks related to this split by discussing the motives,
technical differences, and the consequences to the eco-system.
Read the full article: Bitcoin’s Fork And Its Security Implications (two part article)
Sunday, July 09, 2017
AppSec USA 2017
The AppSec USA 2017 lineup is looking promising. I look forward to some of the keynotes too.
This year I'll be discussing bug bounty with a great team of panelists from companies such as GDS, PayPal, ITSP Magazine, and Baker McKenzie.
Will I see you there?
Wednesday, April 19, 2017
Innovate Pasadena CyberSecurity
According to ITSP TV, the panel at ADP was extremely informative. Check out the video: Passwords, Password Management, and Two-Factor / Multi-Factor Authentication
Monday, March 27, 2017
Stroz Friedberg Blog
A short and yet informative blog post on Bug Bounty: Bug Bounty Programs: Good Preparation is Key to Success
Monday, February 27, 2017
ITSP Magazine
Honored to be listed as an Expert on ITSPmagazine.
My first blog contribution is the article:
Dodging SHA-1’s Collision Course
Thursday, December 15, 2016
AppSec Cali 2017
4th Annual AppSec California to Open the Year With a Must-Attend Powerhouse Application and Web Security Conference Full Agenda and Expert Speaking Panel Announced
Full article
Wednesday, October 26, 2016
How to protect yourself online
With so many breaches out there, computer users often ask me how to protect their passwords. Here
is a short blog article I wrote for Stroz Friedberg about the topic:
Passwords: You think you know. But do you?
Tuesday, October 4, 2016
17th annual Cyber Security Symposium
UNC Charlotte 17th annual Cyber Security Symposium was a sold out event. Humbled with the
opportunity to take the main stage. Although this is an academic event, there were
far more professionals than students. Kudos to the organization for a great event!
Friday, March 4, 2016
Dissecting Bitcoin Security at RSA
So grateful for the strong attendance of over 600 people at my talk about Bitcoin. As of today, one Bitcoin is
worth US$400. How far will it go?
Monday, February 29, 2016
RSA Conference 2016 is starting today
Very excited to be speaking at RSA this year! The title of my talk is "Dissecting Bitcoin security".
Bitcoin is a game changer invention and can be applied in various different systems. Unfortunately the
media put a very bad spin on the crypto currency and made people shy away from the technology. I hope
my talk helps people understand what the technology is about and why it's so relevant for security pros.
Wednesday, January 20, 2016
OWASP Top 10 Proactive Controls 2016
Happy New year! OWASP Top 10 Proactive Controls 2016 is out. Enjoy!
Saturday, December 19, 2015
RSA 2016
Super excited about my upcoming talk at RSA 2016! With 33,000 attendees, RSA is one of the biggest, best known and most respected security events of the year.
Monday, December 7, 2015
OWASP Top 10 proactive controls
Jim Manico is leading the upcoming release of OWASP Top 10 proactive controls. His approach this time was to make the document world editable on Google docs.
I applaud Jim for leading this project in such an open manner. It’s both a pleasure and an honor to work with him again!
I look forward to sharing the end result with the rest of the world.
Monday, September 28, 2015
(ISC)2 Congress
(ISC)2 Congress was a massive success with over 20,000 attendees. Happy to be able to contribute to the show as a speaker. Below is a picture of Monday's lunch.
I always wonder how the kitchen is able to serve everyone at the same time. One day I'll ask for a tour at the kitchen... It will make me a better man (and a better cook).
Tuesday, May 5, 2015
OWASP AppSec California 2015 videos are out!
Working with Jim Manico is a joy! I hope we can present again soon.
Saturday, December 7, 2014
OWASP AppSec California 2015 Rocks!
Following the huge success of the previous event, OWASP AppSec California is promising to be one of the hottest conferences in 2015. The lineup of keynotes and speakers is top notch and the venue is truly unique. Seating is limited so you really need to hurry up to get in!
Saturday, October 4, 2014
FS-ISAC, here I come!
Reviewing my talk for next week. Really excited about contributing and collaborating with FS-ISAC on critical security
threats facing the global financial services sector.
Monday, September 22, 2014
A good reason to upgrade to iOS 8
An integer overflow exists in the handling of PDF files that leads to arbitrary code execution. The vulnerability affects iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later and can be exploited remotely by simply viewing a malicious PDF file.
Technical Details:
CVE Name: CVE-2014-4378
Apple CoreGraphics library fails to validate numerical input bounds when parsing the colorspace specification of a PDF XObject, resulting in a
heap overflow condition. Exploitation is performed by corrupting data in specific ways to cause the application to overwrite the dynamic memory
allocation linkage, using the resulting pointer exchange to overwrite a program function pointer.
Thanks to the unpatched vulnerability CVE-2014-4377, which leaks valuable information about memory layout to the browser's JavaScript interpreter, the combined use of both flaws allows attackers to bypass Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and code signing. Fortunately Apple corrected CVE-2014-4377 in Apple OS X with Security Update 2014-004. The recommended solution for iPhone users is to upgrade to iOS 8.
Moral of the story for developers:
DEP, ASLR and code signing are great defense in depth mechanisms that should be turned on when compiling C/C++ code but given the right conditions they can be bypassed.
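As an added illustration of the missing bounds validation this class of bug comes down to (my own example, not Apple's code and not the CoreGraphics parser; the record layout, the count field and the limit of 32 components are all constructed for the demo), here is a small C parser for a hypothetical length-prefixed record. The unchecked size computation wraps on a large count, which is how a tiny heap allocation ends up being overrun by a copy of "count" elements; the checked version rejects the count before any allocation happens.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical record layout (constructed for this example, not a PDF or
   CoreGraphics structure): a 4-byte little-endian component count followed
   by that many 4-byte little-endian component values. */
typedef struct {
    uint32_t value;
} component_t;

/* Assumed format-specific ceiling on the number of components. */
#define MAX_COMPONENTS 32u

/* Vulnerable shape: the count is taken from the file and multiplied with no
   overflow check. Computed in 32-bit arithmetic so the wrap is visible on any
   platform: 0x40000001 * 4 wraps to 4, a tiny allocation that a later copy of
   "count" elements would overrun on the heap. */
static uint32_t unchecked_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(component_t);
}

/* Hardened shape: reject out-of-range counts, then check the multiplication
   against SIZE_MAX before computing the allocation size. Returns 0 on success. */
static int checked_alloc_size(uint32_t count, size_t *out) {
    if (count == 0 || count > MAX_COMPONENTS)
        return -1;
    if (count > SIZE_MAX / sizeof(component_t))
        return -1;
    *out = (size_t)count * sizeof(component_t);
    return 0;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the record with the hardened size check. The declared payload must
   also fit inside the input buffer. Caller frees *out on success. */
static int parse_components(const uint8_t *buf, size_t len,
                            component_t **out, uint32_t *count_out) {
    if (len < 4)
        return -1;
    uint32_t count = read_le32(buf);
    size_t bytes;
    if (checked_alloc_size(count, &bytes) != 0)
        return -1;
    if (bytes > len - 4)
        return -1;
    component_t *items = malloc(bytes);
    if (items == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        items[i].value = read_le32(buf + 4 + (size_t)i * 4);
    *out = items;
    *count_out = count;
    return 0;
}

/* Constructed well-formed input: count 2, values 1 and 255. Returns the
   second value (255), or 0 if parsing fails. */
static uint32_t demo_parse_valid(void) {
    static const uint8_t sample[] = {2, 0, 0, 0,  1, 0, 0, 0,  0xff, 0, 0, 0};
    component_t *items = NULL;
    uint32_t n = 0;
    if (parse_components(sample, sizeof sample, &items, &n) != 0 || n != 2)
        return 0;
    uint32_t second = items[1].value;
    free(items);
    return second;
}

/* Constructed hostile input: count 0x40000001 with only 8 bytes of payload.
   The unchecked size wraps to 4; the checked parser returns -1. */
static int demo_parse_hostile(void) {
    static const uint8_t sample[] = {0x01, 0x00, 0x00, 0x40,  0, 0, 0, 0,  0, 0, 0, 0};
    component_t *items = NULL;
    uint32_t n = 0;
    return parse_components(sample, sizeof sample, &items, &n);
}

int main(void) {
    printf("unchecked size for 0x40000001 elements: %u\n", unchecked_alloc_size(0x40000001u));
    printf("valid sample, second value: %u\n", demo_parse_valid());
    printf("hostile sample, parse result: %d\n", demo_parse_hostile());
    return 0;
}
```

The design point is that the "payload fits in the buffer" check alone is not enough: with the wrapped size of 4 it would pass, and the element loop would then write far past the allocation. The count has to be validated against a format-defined maximum and the multiplication checked before the size is ever used.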
Monday, September 15, 2014
The best time of DI year!
Really excited about today's talk at the Digital Insight Innovation Conference! Why? Because it's a departure from the talks I often give, which target highly technical professionals. My DI talk
covers how to deal with many of the issues financial institutions requested our assistance with during the last year, and it's based on a collection of free tools and best practices that users
(and your customers or members) can adopt to improve their banking security.
Saturday, June 1, 2014
Ransom attacks against Macs and iOS devices
Ransomware attacks are on the rise, and some emerging attacks are going beyond PCs to target mobile devices used by banking customers.
Ransomware is a kind of malware (malicious software) that criminals install on the victim's computer, usually through a malicious email
attachment or webpage link, and then demand a ransom paid to the creator of the malware in order for the restriction to be removed.
A new type of ransom attack against Apple devices was reported in Australia and recently spread to the United States. This
attack differs from previous ransomware attacks because it is based on Apple’s Find My iPhone feature, so no software needs to
be installed on the device. Victims reported finding their phones suddenly locked, with a message from Find My iPhone saying that the
device had been "hacked by Oleg Pliss." The hackers then directed owners to pay up to $100 for a device unlock via PayPal.
It’s not immediately clear how attackers are gaining access to the Apple IDs to take over the devices. One possible explanation is that
criminals have obtained access to a leaked list of email addresses and passwords, exploiting the fact that many individuals will reuse
the same account details for their Apple ID.
This attack can be proactively avoided by following some security best practices:
Saturday, May 24, 2014
CIO Event North America
The CIO series which currently operates in Europe, the Middle East, Africa, and many cities in North America is coming to Los
Angeles. The event's mission is to create a world-class platform of end-user driven academia to help executives make the right decisions
for their organization. I'll be speaking at the Los Angeles event along with the Coca-Cola CIO, E&Y CTO, Carefusion CIO and LA Unified
School District CIO.
Sunday, November 17, 2013
Black Hat Brazil - part II
Wow! The organization committee
highlighted my talk as one of the exciting conference briefings! Pressure is on! Better to brush up my Portuguese
for next week!
Tuesday, October 29, 2013
OWASP LA Rules!!!
I am thrilled to share this one: my excellent friends Tin Zaw, Richard Greenberg, Edward Bonver, Stuart Schwartz
and Kelly FitzGerald were voted the
best OWASP chapter leaders in the world and will receive the WASPY Awards during
the Global OWASP AppSec USA 2013! Great job people!
Speaking of OWASP AppSec USA 2013, let me take a moment to plug this excellent conference and the impressive line
up of speakers. If you have never been to a Global AppSec (USA, Europe, Latin America or Asia) before, I highly recommend
checking it out!
Friday, September 20, 2013
Black Hat Brazil
The Black Hat Briefings are a
series of highly technical information security conferences that bring together some of the most prestigious names from the
full spectrum of security thinkers. The conference organization does a superb job staying on the leading edge of new security
trends as they emerge.
I was thrilled with the announcement of
the first Black Hat briefing in Brazil and even more thrilled when I was selected as
one of the speakers! Brazil has long been reputed as the king of the banking Trojan. The few hackers who have been arrested are
those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny
and conspiracy. The local information security industry needs events such as Black Hat to learn and fight the ever-increasing
number of new attack methods in cyberspace.
Saturday, August 24, 2013
Hot Topics in Security

Wow! My roundtable session "Hot Topics in Security" at the
Digital Insight Innovation Conference is indeed a hot session!
Only a few days after the conference registration opened, the session reached maximum capacity. The organizers scheduled a
second session on Tuesday for all of you who could not sign up for the first one.
Monday, August 5, 2013
Android Master Key Attack explained
The Bluebox research team recently pre-announced an Android vulnerability that allows an attacker
to inject malicious code into an application. Depending on the type of application, a hacker can exploit the vulnerability
for anything from data theft to creation of a mobile botnet.
The Android application package file (APK) is the file format used to distribute and install application software and middleware
onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems
like Ubuntu. Simply put, APK files are zip files, and a zip file can contain entries with duplicate filenames. Unfortunately, when duplicate
names exist, the entry whose signature is verified is the second one inside the APK, while the entry that ends up being installed is the
first one inside the APK: the injected one, which can contain the malicious payload and is never checked against the signature at all.
The solution to this issue requires the device manufacturer to provide an OS patch that checks APK files for duplicate file names.
Reputable app stores are already doing the same to ensure no malicious code is available for download. End users should avoid downloading applications
from questionable sites. Users who wonder whether their devices were compromised should download and run the
Bluebox Security Scanner.
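As an added example of the duplicate-name check described above (my own illustration, not Google's patch and not Bluebox's scanner): a C routine that walks the central directory of a zip archive, which is what an APK is, and reports the first entry whose name repeats an earlier one. The central directory bytes are constructed inline by a helper. A real scanner would first locate the directory through the archive's end-of-central-directory record and would also cross-check the local file headers, which this block does not do.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CEN_SIG     0x02014b50u  /* central directory file header signature "PK\1\2" */
#define CEN_FIXED   46u          /* size of the fixed part of that header */
#define MAX_ENTRIES 256          /* constructed cap for this demo's name table */

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the central directory in cd[0..len). Returns the index of the first
   entry whose name repeats an earlier entry's name, -1 if all names are
   unique, or -2 if the directory is malformed or has more than MAX_ENTRIES. */
static int find_duplicate_name(const uint8_t *cd, size_t len) {
    const uint8_t *names[MAX_ENTRIES];
    uint16_t nlens[MAX_ENTRIES];
    size_t off = 0;
    int idx = 0;
    while (off < len) {
        if (len - off < CEN_FIXED || rd32(cd + off) != CEN_SIG)
            return -2;
        uint16_t nlen = rd16(cd + off + 28);   /* file name length    */
        uint16_t xlen = rd16(cd + off + 30);   /* extra field length  */
        uint16_t clen = rd16(cd + off + 32);   /* file comment length */
        size_t total = (size_t)CEN_FIXED + nlen + xlen + clen;
        if (total > len - off)
            return -2;                         /* entry runs past the buffer */
        const uint8_t *name = cd + off + CEN_FIXED;
        for (int i = 0; i < idx; i++)
            if (nlens[i] == nlen && memcmp(names[i], name, nlen) == 0)
                return idx;                    /* same name seen before */
        if (idx >= MAX_ENTRIES)
            return -2;
        names[idx] = name;
        nlens[idx] = nlen;
        idx++;
        off += total;
    }
    return -1;
}

/* Append a constructed central directory header for "name" to buf and
   return the new length. Only the signature and the name length matter to
   the check above; every other field is left zero. */
static size_t add_entry(uint8_t *buf, size_t len, const char *name) {
    uint8_t *h = buf + len;
    uint16_t nlen = (uint16_t)strlen(name);
    memset(h, 0, CEN_FIXED);
    h[0] = 0x50; h[1] = 0x4b; h[2] = 0x01; h[3] = 0x02;
    h[28] = (uint8_t)(nlen & 0xff);
    h[29] = (uint8_t)(nlen >> 8);
    memcpy(h + CEN_FIXED, name, nlen);
    return len + CEN_FIXED + nlen;
}

/* Constructed directory with unique names: expected -1. */
static int demo_clean_apk(void) {
    uint8_t cd[512];
    size_t len = 0;
    len = add_entry(cd, len, "AndroidManifest.xml");
    len = add_entry(cd, len, "classes.dex");
    len = add_entry(cd, len, "META-INF/MANIFEST.MF");
    return find_duplicate_name(cd, len);
}

/* Constructed directory with classes.dex listed twice: expected 2, the
   index of the second classes.dex entry. */
static int demo_duplicate_apk(void) {
    uint8_t cd[512];
    size_t len = 0;
    len = add_entry(cd, len, "AndroidManifest.xml");
    len = add_entry(cd, len, "classes.dex");
    len = add_entry(cd, len, "classes.dex");
    return find_duplicate_name(cd, len);
}

int main(void) {
    printf("clean directory: %d\n", demo_clean_apk());
    printf("duplicate directory: %d\n", demo_duplicate_apk());
    return 0;
}
```

The comparison is byte-exact on purpose: two entries that differ only in case or normalization are different names to the zip format, and any looser matching belongs in a separate policy layer rather than in the structural check.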
Sunday, May 19, 2013
Free online training
SAFECode released some training material last week. Some of the main contributors are members of my former staff at Symantec.
If you are looking for this type of material, also consider
Jerry Hoff’s excellent OWASP AppSec Tutorial Series.
Lastly, my good friend Zully released a number of
good videos about bitcoin security at Khan Academy.
Thursday, October 10, 2012
Another Pleasant Surprise!
This year OWASP initiated the first annual Web Application Security Person of the Year (WASPY) award and I'm truly honored to be among the finalists.
Kate Hartmann, one of the few OWASP full time employees, once told me that babies are the number one project killer in the community, something I can now testify to...
As sad as this statement may sound for a security practitioner, I believe this is the ultimate proof that the organization is indeed moved by passion. People dedicate countless
hours and really love what they do. If you don't believe my words, listen to
Ivan Ristic's interview in the OWASP podcast when he talks about OWASP!
I really cannot count how many individuals I have met, come to admire and built friendships with. OWASP not only made me a better professional but
also a better person.
I'm sincerely touched with this nomination. Thanks OWASP! See you in Austin!
Tuesday, June 12, 2012
Can you Spot the Flaw?
Here is a function with a single line of code:
char check_scramble(const char *scramble_arg, const char *message, const uint8 *hash_stage2)
{
…
return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}
memcmp returns an integer, which is implicitly cast to
char.
If memcmp happens to return a non-zero number whose low byte is zero, check_scramble
will return 0 (password was OK), despite the fact that the password was incorrect.
One line of incorrect code resulted in this:
CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL
This is extremely hard for someone doing code reviews of thousands of lines of code to spot, or to find during a pen test.
On the other hand it’s trivial for a static source code analysis tool (or even a good compiler) to find.
Moral of the story:
- Check your compiler warnings. In Visual Studio set your compiler warning level to 4.
- Use a static source code analysis tool. If you have Visual Studio Team Edition, enable the code analysis option.
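As an added example (my own code, not MySQL's; the halfword comparison routine is a constructed stand-in for an optimized memcmp so that an out-of-range return value is reproducible on any platform), here is the narrowing above side by side with a fixed version that compares every byte in constant time and returns an int normalized to 0 or 1.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20

/* Constructed stand-in for an optimized memcmp: compares 16-bit big-endian
   halfwords and returns the arithmetic difference of the first pair that
   differs (an odd tail byte is compared on its own). Vendor-optimized memcmp
   implementations may likewise return values outside -255..255; this one
   does so deterministically. */
static int word_memcmp(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i = 0;
    for (; i + 2 <= n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    if (i < n && a[i] != b[i])
        return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable shape, the same narrowing as check_scramble above: the int
   result is returned through a char, so 256 becomes 0 and the caller reads
   "password OK". */
static char check_scramble_vuln(const uint8_t *stored, const uint8_t *computed) {
    return word_memcmp(stored, computed, SHA1_HASH_SIZE);
}

/* Fixed shape: look at every byte (no early exit, so timing does not leak
   the position of the first mismatch), fold the differences into one byte,
   and return an int normalized to 0 (match) or 1 (mismatch). */
static int check_scramble_fixed(const uint8_t *stored, const uint8_t *computed) {
    uint8_t diff = 0;
    for (size_t i = 0; i < SHA1_HASH_SIZE; i++)
        diff |= (uint8_t)(stored[i] ^ computed[i]);
    return diff != 0;
}

/* Constructed hashes that differ in the first byte only: the halfword
   difference is 0x0100 - 0x0000 = 256, whose low byte is zero. */
static const uint8_t STORED_HASH[SHA1_HASH_SIZE] = {0x01};
static const uint8_t WRONG_HASH[SHA1_HASH_SIZE]  = {0x00};

static int demo_raw_compare(void) {
    return word_memcmp(STORED_HASH, WRONG_HASH, SHA1_HASH_SIZE);  /* 256 */
}
static int demo_vuln_accepts_wrong_password(void) {
    return check_scramble_vuln(STORED_HASH, WRONG_HASH);          /* 0: accepted */
}
static int demo_fixed_rejects_wrong_password(void) {
    return check_scramble_fixed(STORED_HASH, WRONG_HASH);         /* 1: rejected */
}
static int demo_fixed_accepts_right_password(void) {
    return check_scramble_fixed(STORED_HASH, STORED_HASH);        /* 0: match */
}

int main(void) {
    printf("memcmp stand-in result: %d\n", demo_raw_compare());
    printf("vulnerable check, wrong password: %d\n", demo_vuln_accepts_wrong_password());
    printf("fixed check, wrong password: %d\n", demo_fixed_rejects_wrong_password());
    printf("fixed check, right password: %d\n", demo_fixed_accepts_right_password());
    return 0;
}
```

Two things close the hole: the return type is int, so nothing is narrowed, and the result is normalized with `!= 0` rather than passed through raw, so the caller's "is it zero?" test no longer depends on what memcmp happened to return. Compiling with -Wconversion (GCC/Clang) or warning level 4 (Visual Studio) flags the int-to-char return in the vulnerable version.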
Saturday, April 29, 2012
Global OWASP AppSec LatAm 2011 videos are out
Global OWASP AppSec LatAm 2011 videos are now available on YouTube! I had the pleasure of acting as the host from
beginning to
end. Here are some of my favorite presentations:
In English:
In Portuguese:
The Great Cypher, Mightier than the Sword
David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.)
Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving on an RSA panel titled "Making Sense of Software Security
Advice: Best vs. Practiced Practices". Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.
Join me from February 27- March 2 in San Francisco for five days of learning, sharing and networking. I’ve seen the agenda and the
week promises to be a busy one! As a selected speaker for 2012, I’m pleased to be able to extend a discount of $200 off the current
registration rate when you use my personal discount registration code. Simply enter the following code when you register online:
My personal discount registration code: ZSPDdJaIoqK
This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012.
The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit:
https://www.rsaconference.com/events/2012/usa/index.htm. Be sure to
register using the discount registration code above to receive the $200 savings.
Saturday, December 3, 2011
Secure Software Programming: One of the Three Best Security Career Bets
SC Magazine published a really nice article about the need for security last month. According to the latest edition of Foote Partners,
developers who possess security certifications can earn pay premiums averaging eight to 12 percent of base pay and even more with
additional experience.
Secure coding (and security testing) are hard to do, and market demand far exceeds the available talent supply. It takes
years of hands-on practice, as well as training, to develop the skills.
Sunday, November 13, 2011
The right tool for the right job (SAFECode and BSIMM)
After listening to a number of talks at different conferences around the world, I’m convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers or adopting BSIMM
as a Secure Development Lifecycle framework.
This week SAFECode released “A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives“. This
brief paper addresses common questions on the differences between BSIMM’s descriptive model and SAFECode’s prescriptive guidance.
If you are responsible for a large software security initiative, I highly recommend reading
this paper.
Thursday, October 20, 2011
The Gold Standard
Software Development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. Formal and structured software development methodology became a necessity for any organization that develops code.
Despite their known flaws, certifications are a great way to attest that outsourced development can build solutions with the same level of quality practiced in large and well established enterprises. Certifications are a good way to verify that a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided
a quote to (ISC)2 about the value of CSSLP. The certification has reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.
Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the
(ISC)² SecureSDLC 2011 – SoCal November 1st in Anaheim, CA. This should be a great one day event.
Monday, October 10, 2011
OWASP AppSec LatAm 2011
It took more than a year to organize OWASP AppSec LatAm 2011 but the results were worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides a world class infrastructure. The variety and quality of PUC-RS’s main restaurant is comparable to some buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.
Bryan Sullivan and Michael Craigue, our two keynotes, delivered more than security knowledge in their presentations; they delivered wisdom. Bryan delivered a polished presentation that mixed big picture concepts with hard core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue's conversational style and candidness made his presentation a must see for everyone who wants to jump start a security initiative at an enterprise. I highly recommend both.
The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a job well done! Argentina now has big shoes to fill for OWASP AppSec LatAm 2012!
Thursday, September 29, 2011
BSIMM 3 is out
Every craftsman needs a set of tools to
perform their duties and security practitioners are no different.
Released this past Tuesday, the Building Security In Maturity
Model (BSIMM, pronounced “bee simm”) is one of the essential
tools security professionals need to know about. BSIMM is an
inventory of existing security practices from over forty
large-scale, IT dependent organizations across seven business
vertical categories.
Reviewing BSIMM data over the years is a
great way to compare and contrast how the industry is evolving.
In addition, BSIMM provides a considerable list of activities
organizations with an established security initiative should
consider to adopt next.
Thursday, September 22, 2011
A Pleasant Surprise!
(ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a
special recognition award for community services! Wow, have
you ever had the feeling you realized something about yourself just because someone told you?
There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community
services is fulfilling and important: we all know there is a lot to do in application security and I believe we, the practitioners, have a
social responsibility to help our communities.
Unfortunately sometimes I see people leaving not for profit organizations because their bosses actively discourage this type of “distraction”.
My personal experience as a manager and a practitioner is that community service and work for an enterprise are symbiotic. In fact all
my staff at Symantec are encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s
good for the individual, the business and the community. I hope other companies start to see things this way.
Saturday, September 10, 2011
Symantec released
Norton Internet Security 2012
(NIS 2012) this
week. According to independent research, the product is both the
fastest antivirus solution and the product with the highest
detection rate on the market.
Be sure to check the new product advertisement campaign
titled "Protect The Stuff That Matters".
In my opinion this is hands down the best marketing campaign the
company ever did.
Tuesday, September 6, 2011
An Interview with Cassio Goldschmidt
The Pontifícia Universidade Católica do Rio Grande do Sul's (Pontifical Catholic University of Rio Grande do Sul, often abbreviated as PUCRS)
magazine featured an interview with me this month. I'm an alumnus of the Faculdade de Informática and a big fan of the university.
As of 2009 the university had 10 five-star courses,
computer science being one of them, and 21
four-star courses according to the Guia do Estudante, in the Computing and Mathematical Sciences and the Engineering and Production categories.
The magazine is in Portuguese. Click on the picture to download and read the article on page 40.
Monday, August 22, 2011
Registrations for OWASP Global AppSec Latin America are now open!
The organizing committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving away is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early bird registration discounts is August 31st.
Check out the videos about Brazil and Porto Alegre in
the conference visitor's guide.
Saturday, July 23, 2011
(ISC)2
Americas Information Security Leadership Award 2011
I’ve been selected as a finalist for the
Americas Information Security Leadership Award (ISLA) 2011. The ISLA program is held annually by the International Information Systems Security Certification Consortium ((ISC)²) to recognize outstanding leadership and achievements in workforce improvement by information security and management professionals.
The gala dinner ceremony will be one among the many great events planned for the
57th ASIS International 2011 conference/(ISC)² Security Congress.
If you attend the conference, don't miss Richard Tychansky, Hart Rossman and Symantec's Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session
here.
Saturday, July 16, 2011
OWASP Global AppSec Asia 2011
Sebastien Deleersnyder, Mano Paul and I will be the keynote speakers at
OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendees and this year the organizers expect over 800 people from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities and research institutes. Major news media will be covering the event.
There is a very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in the People's Republic of China whose technical knowledge, work ethic and humility I respect so much that I could only wish we were fewer time zones apart! I hope to meet a lot more people like them in November. Please don't be shy to come and chat if you see me around the conference floor.
Wednesday, June 29, 2011
SANS and MITRE released today the "CWE/SANS Top 25 Most Dangerous Software Errors". This list ranks the most widespread and critical errors that can lead to serious vulnerabilities in software
and is a great educational tool to help programmers prevent the kinds of vulnerabilities that plague the software industry.
I've been a
contributor to this list since the first release in 2009. It
amazes me to see weaknesses such as CWE-120 ('Classic
Buffer Overflow') still at the top of the list, for the following
reasons:
- Programmers really have to go out of their way to create
classic buffer overflows in modern languages such as C# and
Java. These languages, not C/C++, are the languages of choice
for many developers creating new systems nowadays.
- Static code analysis tools do an excellent job finding
instances of buffer overflows.
- Modern compilers offer several ways to prevent
exploitation of this type of flaw without changing a single
line of code.
- Some companies did an outstanding job bringing awareness
to this issue and providing great security training to their
development teams, including QA.
Without necessarily producing better software, the industry
in general found a way to innovate itself out of a widespread
problem. Buffer overflow flaws are still prevalent out there
because we use a lot of legacy systems. I just don't find a lot
of new instances being discovered, at least in our tests. If
anything, this type of flaw is identified and fixed during the
development phase using static source code analysis tools that
are integrated into build systems.
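To make the CWE-120 pattern concrete, here is an added example (written for this page, not code from the original post or from the Top 25 project): the classic unchecked strcpy() into a fixed stack buffer next to a bounded copy that refuses input it cannot hold. The function names and the 16-byte buffer size are my choices for illustration. The comment on compiler flags describes GCC/Clang hardening options that, as the post says, mitigate exploitation without touching the source; the bounded version is what actually removes the bug.

```c
#include <stdio.h>
#include <string.h>

/* CWE-120 "before" picture (hypothetical function, kept here only for
 * comparison): a 16-byte stack buffer filled with strcpy() and no check
 * on the length of name. Any name of 16 bytes or more writes past buf
 * into whatever the compiler placed after it (saved registers, canary,
 * return address). Static analyzers flag this call site immediately.
 * main() below deliberately never calls it with an oversized input. */
int greet_classic_overflow(const char *name)
{
    char buf[16];
    strcpy(buf, name);          /* no bound: the classic overflow */
    return (int)strlen(buf);
}

/* Hardened copy: explicit bound, explicit failure, always NUL-terminated.
 * Returns 0 on success, -1 if src (plus terminator) does not fit in dst
 * or an argument is invalid. Truncating silently would hide the problem
 * from the caller, so this version refuses instead. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstlen)            /* leave room for the terminator */
        return -1;
    memcpy(dst, src, n + 1);    /* n bytes plus the NUL */
    return 0;
}

/* Same contract as greet_classic_overflow, built on copy_bounded. */
int greet_bounded(const char *name)
{
    char buf[16];
    if (copy_bounded(buf, sizeof buf, name) != 0)
        return -1;              /* reject rather than overflow */
    return (int)strlen(buf);
}

/* Compiler-side mitigations the post alludes to (no source change needed):
 *   gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie \
 *       -Wl,-z,relro,-z,now overflow.c
 * -fstack-protector-strong places a canary before the return address;
 * _FORTIFY_SOURCE rewrites strcpy() into a checked variant when the
 * destination size is known at compile time; PIE and full RELRO make
 * the remaining write harder to turn into control-flow hijack. They
 * turn a silent overwrite into a crash; they do not fix the bug. */
int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_name = "alice";
    const char *long_name  = "this name is far longer than sixteen bytes";

    printf("bounded(short) = %d\n", greet_bounded(short_name)); /* 5 */
    printf("bounded(long)  = %d\n", greet_bounded(long_name));  /* -1 */
    /* greet_classic_overflow(long_name) would corrupt the stack. */
    return 0;
}
```

The test of record for a fix like this is not "does it still work on good input" but "what does it do on the 16th byte": the bounded version must fail cleanly exactly where the classic one starts overwriting the stack.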
Tuesday, June 14, 2011
I just came back from the ISSA speaker dinner and I'm really excited about tomorrow's event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. I'll be
serving on a panel with Steve Lipner (Microsoft), Gary McGraw (Cigital) and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.
Other
speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).
Thursday, June 9, 2011
As much as I love to manage a global team that is as passionate about Software Security as Symantec's Product Security, I'm still a software developer at heart. Needless to say, I had a real blast
presenting at Better Software. "Cosmic Truths about Software Quality" by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.
According to the official conference numbers, my presentation about secure coding had one of the top ratings among all 65+ speakers. Who said developers don't care about security?
Monday, February 14, 2011
Valentine's day
Valentine's this year will be a bit different... I'm returning to Berkeley to present a talk about
my book, this time to the NetEcon group. Next, I'll head to RSA Conference and finally end the day at a business dinner with my boss and
a Symantec business partner.
Thursday, January 20, 2011
Black Hat
One of the best things about being
one of the first speakers to present at a conference is that it's possible to actually pay attention to the other talks. ;-)
While there were several good talks, I highly recommend watching two: Bryan Sullivan's "Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era" and Tom Brennan and Ryan Barnett's "Checkmate with Denial of Service".