Documenting an As-Is Security Architecture, part one

This is the first of a two-part post; part two is available here.

The following list is a set of activities that need to be completed at least once to document the As-Is security architecture view of an existing business architecture, and then maintained over time through repeat reviews.

Security and Systems Engineering

In my experience, when a business brings security people into their systems engineering process they are trying to solve a problem. Usually there has either been a painful security incident, or some security testing has pushed them over the edge and they feel exposed. Sometimes they are undertaking a big enough change, or the security implications of a change are so obvious, that they realise they need to ensure security is covered off.

However, while the senior management of the business is looking to solve the security problem, there is commonly confusion amongst the system engineering teams, the new security team and the middle management of the business about what it is they are asking for and what it is they are getting.

Protected: Black Swan Security Dinner


Security defect triage in delivery projects

The guys at Recx asked me to look at a draft of their recent blog post, The Business v Security Bugs – Risk Management of Software Security Vulnerabilities by ISVs, in which they describe some of the business constraints and influences on security defect triage for independent software vendors (ISVs) and make the case that, ultimately, the triage decision is a business decision, not a technical security decision.

I was happy to do it as I’ve known the guys at Recx for a long time and they are a great little British security company with some seriously deep technical security skills. They have a lot of experience working through ISV security defect triage processes both as external security researchers and as internal product security managers.

44con and Uncon

It’s been a busy week again.

I helped out a few weeks ago on the panel choosing speakers for the Infosec track at 44con, and subsequently got roped in (or volunteered) to run that track during the days of the con. A week before 44con happened, one of the speakers failed to get a visa and I volunteered to fill the gap, speaking on ‘Intelligence-Led Cybersecurity’. It was an interesting process working out what I could talk about, how I could squeeze it into a 45-minute slot (with questions), and then convincing my employers to let me talk publicly.
