Wolfgang Goerlich on a Real World Example of The Phoenix Project in Action



At SOURCE Boston 2014, Josh Corman told me that Wolfgang Goerlich had an interesting DevOps story to tell. I sat down with Wolfgang and was astounded to hear a tale that could have come straight out of Gene Kim's book, The Phoenix Project. Listen in as Wolfgang describes taking over a project that was mired in technical debt, falling behind on deliverables to stakeholders and in need of a new way of thinking. To me, this story is one of the strongest cases for DevOps that I've heard.

Listen to the entire interview with Wolfgang Goerlich


About Wolfgang Goerlich
As Vice President of Consulting Services at VioPoint, Wolfgang supports clients by advising, identifying, and assisting in managing information security risk as well as mentoring VioPoint’s consulting team. Wolfgang, known for his outstanding leadership in the technology and information security community, is the co-founder of OWASP Detroit and an organizer of the annual BSides Detroit conferences as well as an accomplished speaker at regional and national security events.

Allison Miller and the Society of Information Risk Analysts [AUDIO INTERVIEW]



Allison Miller caught my attention at the end of her session at SOURCE Boston 2014 when she "Risk Rolled" the audience and had them sing along with a talking head embedded in her presentation. I knew immediately this was someone I wanted to talk with and get to know.

Allison is the President of the Society of Information Risk Analysts, a relatively new organization that serves as an interest group for practitioners of information risk management. We talked about the mission of the group and why people would want to participate in a risk-based approach to solving problems. Have a listen…

Listen to the full interview with Allison Miller

About Allison Miller
Allison Miller (@selenakyle) is Senior Director of Operations at Electronic Arts, where she oversees the business operations of EA's cross-company digital platform. Allison has over 10 years of experience in designing, building and deploying real-time threat detection and prevention systems. Miller is active in the security community and regularly presents research on fraud prevention and account security issues to both industry and government audiences, including the ITWeb Security Summit, Black Hat Briefings, SOURCE Conferences (Boston, Barcelona, Seattle, Dublin), Nordic Security Conference, BruCon, USENIX/Metricon, and RSA. Prior to joining EA, Miller led Tagged's Security & Risk Management team, managed PayPal's Account Risk & Security team and was Director of Product / Technology Risk at Visa International.

She is currently the president of the Society of Information Risk Analysts (SIRA).

Ryan Berg on Post-Heartbleed Password Management



As many of you are already well aware, there has been a serious flaw in OpenSSL, a foundational open source library used for SSL encryption. There are plenty of places to get more information, but if you haven't at least read http://heartbleed.com/, you can start there.

We all have accounts at a lot of different places, some more critical than others (Salesforce, Expensify, home banking, etc.). I would highly recommend that you take the time today to take measure of the passwords you use and where you use them. If you have a Yahoo password that is shared among many accounts, it is safer to assume it has been breached.

I for one have been systematically changing my passwords and recommending that friends and family do the same. The unfortunate thing about this attack is that it has been around for years, and there is already evidence that it was active in the underground before the public release. With this in hand, I would highly recommend you change your passwords today (and for the truly paranoid, it is always a good idea to rotate passwords; I rotate mine for critical sites every 90 days).

There are plenty of password locker applications available for those of you who don't have a scheme for remembering passwords (and I am sure nobody uses the same password at multiple sites). If you are using a Mac, Keychain works great, but I also use pwSafe for my iPhone and iPad.

– Ryan Berg

Dwayne Melancon: What InfoSec Can Learn from Video Games



Dwayne Melancon, CTO of Tripwire, has an interesting idea: turn your team into gamers, let them build their internal images and support that vision. This isn't the type of thing you'd expect to hear at a security conference. In this short conversation, I talk with Dwayne about how to apply game mechanics to your project team.

About Dwayne Melancon
I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles.

As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.

Info Sec and Gaming

2014 SOURCE Boston Conference: Melissa Elliott on the Heartbleed Bug at Yahoo



The Heartbleed bug is running rampant on many major sites such as Chase and Yahoo while people are scrambling madly to find solutions. At the SOURCE Boston Conference this morning, I caught up with Melissa Elliott from Veracode as she was examining the impact of Heartbleed on Yahoo, using software from Jared Stafford of jspenguin.org. I asked her to describe what she was seeing. Have a listen…
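For readers who want to see why a checker like the one mentioned above gets data back at all, here is an added example in Python. It is not code from this page, from Veracode, or from the jspenguin.org tool; it models the server side of the TLS heartbeat extension (RFC 6520) rather than the network probe, so it runs offline. The vulnerable handler trusts the length field in the request and copies that many bytes from wherever the record sits in memory, which is the defect the OpenSSL 1.0.1g patch closed by adding the two bounds checks shown in the fixed handler. The process-memory layout and the neighbouring secret string are constructed for the demo and are assumptions, not captured data.

```python
import struct

# Heartbeat message layout from RFC 6520 (the extension Heartbleed lives in):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(claimed_length, payload):
    """Encode a heartbeat request. `claimed_length` is written into the length
    field as-is, so a caller can lie about how much payload actually follows,
    which is exactly what a Heartbleed probe does."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_handler(record, process_memory):
    """Models the heartbeat handler in OpenSSL before 1.0.1g.
    `process_memory` stands in for the heap (an assumption for the demo): the
    record sits at its start and whatever the process allocated next follows
    it. The handler trusts the length field and copies that many bytes from
    the payload offset, so a lying length reads past the received record."""
    msg_type, claimed_length = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    payload_offset = 3
    echoed = process_memory[payload_offset:payload_offset + claimed_length]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed))
            + echoed + b"\x00" * MIN_PADDING)


def fixed_handler(record, process_memory):
    """Same logic with the bounds checks added in OpenSSL 1.0.1g: the record
    must be long enough to hold a header plus padding, and the claimed payload
    plus padding must fit inside the record that was actually received.
    Malformed requests are silently discarded, as the patch does."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    msg_type, claimed_length = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed_length + MIN_PADDING > len(record):
        return None
    payload_offset = 3
    echoed = process_memory[payload_offset:payload_offset + claimed_length]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed))
            + echoed + b"\x00" * MIN_PADDING)


def response_payload(response):
    """Return the echoed payload from a heartbeat response, or None if the
    request was discarded."""
    if response is None:
        return None
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


# Constructed demo data: a secret that happens to sit right after the receive buffer.
NEIGHBOURING_SECRET = b"session=abc123; password=hunter2"


def demo(claimed_length, payload=b"hello"):
    """Run one probe through both handlers and return
    (payload echoed by the vulnerable handler, payload echoed by the fixed handler)."""
    record = build_heartbeat(claimed_length, payload)
    heap = record + NEIGHBOURING_SECRET
    return (response_payload(vulnerable_handler(record, heap)),
            response_payload(fixed_handler(record, heap)))


if __name__ == "__main__":
    print("honest request (length 5) ->", demo(5))
    print("lying request (length 64) ->", demo(64))
```

An honest request is echoed identically by both handlers. A request that claims 64 bytes while carrying 5 gets the 5 bytes plus everything stored after them from the vulnerable handler, secret included, and nothing at all from the fixed one. The real bug is worse than the model because `process_memory` here is finite, whereas OpenSSL would read up to 64 KB of live heap per request.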

Listen to the full interview with Melissa Elliott

About Melissa Elliott
I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.

2014 SOURCE Boston Conference: Introduction



For three days this week I am at the SOURCE Conference in Boston covering the sessions, meeting with the vendors and, most importantly, talking with people in the hallways about what they are working on.

I just had an interesting discussion with Melissa Elliott, who is tracking how much data is leaking out of Yahoo on the open WiFi here at the conference. She's agreed to an audio interview later today, so you'll want to listen in on that one.

Keynotes at the conference include:

  • Bruce Schneier
  • Justine Aitel
  • Dr. Andrea M. Matwyshyn

Of special interest to me is the "Wait wait, don't pwn me!" session moderated by boB Rudis (and yes, before you ask, that's boB, with a lower-case 'b'). I'm sure there's much more to come.

UPDATE: I just spoke with Melissa Elliott, @0xabad1dea, from Veracode, on the Heartbleed attack on Yahoo. The audio interview will be up within the hour.

4th Annual Open Source Development Survey



It's only been a week, but preliminary results of the 4th Annual Open Source Development Survey, sponsored by NEA, Rugged, Sonatype, Contrast Security and the Trusted Software Alliance, show some interesting findings from the first 1500+ responses:

  • 84% of respondents use Maven/JAR open source component packages, followed by 22% using RPM/YUM
  • 34% state open source components are more secure than COTS
  • 62% don’t actively monitor for changes in open source vulnerabilities

With over 3500 participants last year, this is one of the largest ongoing industry studies. The survey is open until April 30th, so give your input and let's see what happens.

2014 Open Source Survey

2014 AppSec APAC – Post Mortem (English)



In March 2014, Rio Okada and his team in Japan organized the first AppSec APAC event held in Japan. I called Rio to ask how the event went. Joining the conversation with me and Rio are Robert Dracea, Tobias Gondrom and Jerry Hoff. During our call we talked about what made the event so successful and how that success might be carried into future AppSec events. Have a listen.

Listen to the AppSec APAC post-mortem with Rio Okada, Robert Dracea, Tobias Gondrom and Jerry Hoff


The OWASP Hacky Easter Challenge with Ivan Bütler



Ivan Bütler and his team at the Hacking-Lab have whipped up a fun challenge for the Easter season. The Hacky Easter Challenge is a white-hat hacking competition for fun and education. Sign up and start your quest for easter eggs! No need to be a "1337 h4xor"; there are challenges of different difficulty levels.

Listen to Ivan describe the challenge and how it works

About Ivan Bütler
Ivan Bütler is the co-founder and CEO of Compass Security, a Swiss ethical hacking and penetration testing company with offices in Switzerland and Germany. Besides his own business, he is also a tutor at both the University of Applied Sciences in Rapperswil and the Lucerne University of Applied Sciences and Arts. Ivan is a regular speaker at international conferences (Black Hat USA, IT Underground Warsaw, OWASP AppSec).

Ivan is on the board of the Swiss Cyber Storm 4 Conference Committee and, as such, is responsible for the CTF and hacking platform for the European Cyber Security Challenge 2014/2015, a cyber talent competition between Austria, Switzerland, Germany and many other countries from the European Union.

He is the founder of Hacking-Lab, a remote security lab used world-wide by security enthusiasts and security professionals to build hands-on experience. Hacking-Lab partners with OWASP and provides free OWASP Top 10, OWASP Hackademic and OWASP WebGoat challenges.