Two years ago:

I’ve been staying with my Mom while she recovers from surgery, and she’s been watching the news. It is 99% propaganda, vapid, or irrelevant. Makes me want to go into news.

πŸ”’ Still true! If you are doing something in journalism and need cybersecurity help, please let me know!

πŸŽ™οΈπŸ”’ Tomorrow I’m recording for the eXecutive Security Podcast.

My bar for podcasts:

β€œIs this a better use of my time than an audiobook?”

So I take this pretty seriously. Hopefully we’ll make it worth your listening time.

πŸ”’ The 2024 edition of CWE Top 25 is published:

Most Dangerous Software Weaknesses

“But what about the OWASP Top 10?” Think of the OWASP list as more of an engagement and learning tool.

The CWE 25 can more effectively be used as a target list to build your evaluation, mitigation, and prevention.

πŸ”’ Big improvements to calls in Signal: call links

πŸ”’ Look ma, I clean up okay!

πŸ”’πŸ₯ƒ Hey, you know how security teams are the worst and nobody wants to work with them?

Anyway, this is a signed going away present from the engineering platform and architecture leaders.

Definitely a keeper, even after it’s empty.

GlenDronach port wood bottle. β€œThanks for everything. Good luck!” signed by 10 people in silver marker.

πŸ”’ I’m at the CSO Conferencece and Awards.

Tomorrow, my team will be accepting a CSO50 award for our security automation platform that supports 4000 engineers and 7000 applications.

I’ve since left the company, but am here supporting my previous team. Proud of them!

πŸ”’ Banks: practice internet safety!

Also banks: we won’t let you login if you are blocking junk in your browser or using a VPN

πŸ”’ The opportunity: application threat modeling & secure design review is one of the highest value appsec/prodsec activities, but is hard to implement efficiently and at scale.

A bad solution: provide a long list of controls that need to be checked each time

A better solution: generate relevant security requirements automatically based on what’s being built

Met with primesec yesterday, and this is what they are trying to do! They are using LLM to read what’s in your user stories (etc.), summarizing the work for the security team, and injecting specific security control requirements.

If this catches even a small portion of the real requirements, it would be a major uplift for teams both from a security and efficiency perspective. Looking forward to checking it out.

πŸ”’ Met with the folks from Pangea yesterday.

Looks like it could be an interesting solution for:

  • small developer orgs that don’t have time or expertise to deal with common security needs
  • large developer orgs that need consistency, scale, and governance of their security capabilities