Active Deception as a Methodology for Cybersecurity w/ Lawrence Pingree from Gartner



Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven’t heard many people talking about this subject, but it’s intriguing to think about… more than honeypots, true deception. Have a listen.

About Lawrence Pingree

Lawrence Pingree has been an active member of the Information Security industry for many years. He has consulted for large financial institutions, corporations and government entities on technologies ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and Forensics.

He has served as a Chief Security Architect at both Peoplesoft and Netscreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two books.

Lawrence is a founding board member of the Digital Forensics Association, where he is serving as Vice President. In his spare time he enjoys trading on the foreign currency market, hiking, nature and performance cars.

Security War Games with Sam Guckenheimer at Rugged DevOps RSAC 2016



You just have to accept it. The hackers are going to get in. The question is, what are you going to do once they are in? In preparation for Sam Guckenheimer’s session at Rugged DevOps, RSA Conference 2016, I spoke with Sam about his work at Microsoft and how his team is working on Security War Games to keep things in check.

About Sam Guckenheimer

Sam Guckenheimer is Product Owner for the Microsoft Visual Studio Cloud Services, including VS Team Services and Team Foundation Server. He focuses on DevOps, Agile and Application LifeCycle Management (ALM). His most recent talk: From Box to Cloud at Gartner AADI 2015 is available at…4ee49887b5f81d.

Sam is the author of three books, most recently Visual Studio Team Foundation Server 2012: Adopting Agile Software Practices: From Backlog to Continuous Feedback. Prior to joining Microsoft in 2003, Sam was Director of Product Line Strategy at Rational Software Corporation, now the Rational Division of IBM.

Sam lives in the Seattle area with his wife and three children in a sustainable house they built that has been described in articles in Metropolitan Home and Pacific Northwest magazine.

DevOps, Security and Engineering at Slack



Leigh Honeywell and Ari Rubenstein are Senior Staff Security Engineers at Slack. I saw Leigh on Wendy Nather’s panel during RSA Conference 2016 and was interested in getting some insight into what’s going on at Slack when it comes to DevOps. As luck would have it, Ari was in the audience, so we were able to step outside into the hallway and talk about how DevOps, security and engineering work together at Slack.

About Leigh Honeywell

Leigh reboots computers and makes hackerspaces.

Leigh is a Security Engineer at Slack. Prior to Slack, she worked at Microsoft, Symantec, and Bell Canada. Her career has included everything from stringing cable and building phone systems to responding to some of the most serious computer security incidents in industry history, shipping software to a billion people, and protecting infrastructure running companies’ critical business communications.

Her community work includes founding the HackLabTO hackerspace in Toronto, Canada, and the first feminist hackerspace, the Seattle Attic Community Workshop, as well as advising countless others and speaking about hackerspace cultures, collaboration, and open source software. She is Chief Security Officer of Double Union, a women’s hackerspace in San Francisco. She is a former administrator of the Geek Feminism wiki and blog, and current adviser to the Ada Initiative, the SECTor security conference, and the Magic Vibes Corporation. Leigh has a Bachelor of Science from the University of Toronto, where she majored in Computer Science and Equity Studies.

About Ari Rubenstein

Senior Staff Security Engineer
- Developed tooling for Security Automation, Detection, and Response
- Implemented multiple open-source technologies to gain visibility on a company-wide level
- Led feature reviews and architecture critiques
- Discovered multiple vulnerabilities in Open Source Software, and committed fixes upstream
- Performed code audits and static analysis
- Collaborated cross-organization on Security topics with Sales, Accounts, Engineering, and Executive teams
- Managed public-facing bug bounty program for product security issues
- Provided guidance for customer questions and support tickets

Guns, Germs and Steel at RSAC 2016 with John Willis




After John Willis delivers the keynote session next week at Rugged DevOps during RSA Conference 2016, he says he’s going to grab a front row seat because he’s so excited about the lineup.

In this interview, I talk with John about his relationship with Josh Corman and how they started working together. We talk about security as part of the software supply chain, the part Docker plays in the reference architecture picture for enterprise DevOps and how the developer world has changed in the past 5 years.

About John Willis

John Willis has worked in the IT management industry for more than 35 years. Currently he is an Evangelist at Docker Inc. Prior to Docker, Willis was the VP of Solutions for Socketplane (sold to Docker) and Enstratius (sold to Dell).

Prior to Socketplane and Enstratius, Willis was the VP of Training & Services at Opscode, where he formalized the training, evangelism, and professional services functions at the firm. Willis also founded Gulf Breeze Software, an award-winning IBM business partner which specializes in deploying Tivoli technology for the enterprise.

John has authored six IBM Redbooks for IBM on enterprise systems management and was the founder and chief architect at Chain Bridge Systems.

Assemble with DevOps Heroes at Rugged DevOps RSAC 2016


Equal Respect: Women in Technology with Chenxi Wang [Audio]



Editor’s note: We have passes available to the full DevOps track at RSA Conference 2016 in San Francisco. Use the code 1U6DEVXPO when registering for RSA, and select Expo Hall Pass as the ticket type. All fees will be waived.

Chenxi Wang has had a diverse career in the technology industry. Before her current position as Chief Strategy Officer at Twistlock, she was Vice President, Cloud Security & Strategy at CipherCloud, Vice President, Strategy and Market Intelligence at Intel Security, and Vice President at Forrester Research. Along the way, she has worked on technology education initiatives and is currently at work on Equal Respect, a movement to stop the objectification of women in technology.

In this interview, I spoke with Chenxi about her upcoming sessions at RSA Conference 2016, her work on the Equal Respect initiative, and her passion for software security education.

About Chenxi Wang

Dr. Chenxi Wang is a security industry veteran and a respected thought leader. She held a variety of strategy leadership positions from Intel and Ciphercloud, following a stint as a highly respected industry analyst at Forrester Research. Chenxi held a faculty position at Carnegie Mellon University earlier on in her career. She has a Ph.D. in Computer Science from University of Virginia.


DevOps: Politics, People and Process with Paula Thrasher [Audio]



Editor’s note: We have passes available to the full DevOps track at RSA Conference 2016 in San Francisco. Use the code 1U6DEVXPO when registering for RSA, and select Expo Hall Pass as the ticket type. All fees will be waived.

I first met Paula Thrasher at DevOps Summit 2016 in San Francisco. Her message about people at the core of software supply chain processes resonated with me enough that I invited her to participate on a panel at RSA Conference 2016 in San Francisco on February 29.

In the run up to the conference, I recorded this call with Paula about what it takes to facilitate a large scale DevOps project for the US Government. Her main concentration is in change management and how to deal with the intricacy of various personalities when working with developers, the security team and operations.

About Paula Thrasher

Paula is an Application Delivery Lead at CSRA, formed from the merger of CSC’s government services unit and SRA International. CSRA is the leading provider of next-generation IT and professional services to the US Government. Paula leads digital transformations for customers across the federal government. She has 20 years of experience in information technology and works in the federal market leading agencies and teams towards Agile and DevOps.

Paula’s first Agile project was in 2001; since then she has led over 15 programs and projects as an Agile developer, technical lead, Scrum master, or Agile coach. Her teams have helped three separate federal agencies migrate applications to Amazon AWS GovCloud, and done some other amazing DevOps ninja work along the way.

Paula, a Carnegie Mellon University alumna with a B.S. in Statistics, is a Certified Scrum Master (CSM) and a Project Management Professional (PMP), but prefers learning new things through experience and working with smart people.

OWASP Top 10 Proactive Controls Project with Jim Manico and Katy Anton



The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community to decide the criteria for building the list of controls.

The OWASP WebGoat Project, version 7.0, with Bruce Mayhew [AUDIO]



The OWASP WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught up with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project.

Resource: The OWASP WebGoat Project

Johanna Curiel on the Growing Pains of OWASP and Management of Project Reviews



Several months ago Johanna Curiel figured she’d had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Reviews initiative. I talked with Johanna about why she left, what has changed to make it enticing enough for her to return, and what her vision is for the Project Review team in the coming year.

Resources for this Broadcast

OWASP Portfolio Project Reviews



Kim Zetter to Speak at DevOps Connect: Rugged DevOps at RSAC



Kim Zetter - DevOps Connect

The sessions for DevOps Connect: Rugged DevOps at RSAC on February 29 are starting to be announced. I’m excited to confirm Kim Zetter from Wired will be doing a session on the epic security and privacy fails of 2015. All attendees of RSAC have access to the full day of DevOps sessions.

Here’s the abstract from Kim. Hope to see you there.

2015 in Review: Major Failures in Public Safety and Privacy

In 2015, Kim Zetter, Senior Reporter at Wired, covered major cyber security and privacy failures including “The US Office of Personnel Management’s Struggle to… Manage”, “Ashley Madison Cheaters Were Cheated Out of Their Privacy”, “Gemalto’s Rapid Response to Hack Was a Little Too Rapid”, “Hillary Clinton’s Server”, “Everything We Know About Ukraine’s Power Plant Hack” and “Secret Code Found in Juniper’s Firewalls Shows Risk of Government Backdoors”.

This session will look at the people, companies, and events having the most epic security and privacy fails in 2015—and what we can expect to see in 2016.

Kim’s talk will lay the groundwork for the afternoon track, where we’ll talk about the need for better, more secure software and development practices through Rugged DevOps and automation of the Software Supply Chain.

About Kim Zetter

Kim Zetter is an award-winning investigative journalist and author who covers cybersecurity, cybercrime, cyber warfare, privacy and civil liberties. She has been covering computer security and the hacking underground since 1999, first for PC World magazine, and now for WIRED, where she has been reporting since 2003 and is currently a senior staff writer. She has broken numerous stories over the years and has three times been voted one of the top 10 security reporters in the nation by her journalism peers and security industry professionals.

Kim recently completed a book about Stuxnet, a sophisticated digital weapon that was launched by the U.S. and Israel to sabotage Iran’s uranium enrichment program. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon was published by Crown/Random House in November 2014.