Wednesday, 25 May 2016

Intro to O2 Plartform

(here is an intro to the O2 Platform email that I wrote, which was bouncing of the recipient email's server due to '554 rejected due to spam URL in content')

The O2 Platform is all about automating and scripting. It's a platform/framework which means that it helps to have a 'hard question' to start with.

Here are a good place to start with the O2 Platform:

Wednesday, 18 May 2016

Threat Modeling Template and Concepts v0.6

Here is an updated version of Threat Model Template v0.5  and a new Threat Model Concepts page.

You can download the pdfs and files from this GitHub repo

Tuesday, 17 May 2016

The BBC should open source most (if not all) of its developed technology

Following on the Recipe for disaster post on the topic of BBC to close recipes website as part of £15m savings, I wanted to put down this idea, which in my view, goes to the heart of the value that public entities (like the BBC, but also the NHS, public services, Non-profit orgs, charities, etc... ) should provide to society:

The BBC should open source most (if not all) of its developed technology 

The BBC hires a large number of software/application teams (from Devs, to QA, to Designers, to Architects), which create a large body of code, that is in most cases behind closed doors and not available to the general public (namely other public or private organisations that would benefit from that code)

Thursday, 12 May 2016

Looking for AppSec jobs? Here are some opportunities for you

The AppSec market is definitely getting hotter, and I'm getting more and more calls from recruiters.

The problem is that I'm too senior or expensive for most of them, so there is not much I can do to help. I also do a lot of AppSec training where I get asked a lot the question 'How do I get into AppSec?'

I've decided to try to connect these two worlds and see if we can get more AppSec roles filled up (specially by devs who want to move into AppSec).

I'm starting with job opportunities, but it would be interesting to also list professionals looking for a job.

You can find the page at (starting with two roles from The Hut Group)

Threat Model Template v0.5

Here is a an improved simple Threat Model template which contains info about STRIDE and DFD Elements (which is based on the diagram shown at Threat Model WebServices v0.2)

You can download both PDFs from here

Sunday, 8 May 2016

Threat Model WebServices v0.2

Here is an experiment in trying to create an Threat Model (A3 size) that can be easily consumed during the Threat Model session(s).

This diagram was created using which is pretty amazing (and allows team collaboration):

Friday, 6 May 2016

AppSec and Software Quality - Presentation v0.5

Here is a slimmed down version of the presentation I delivered in Italy last March.

This version does not contain the part that talks about the problem (i.e. the attacks and why you need to do Application Security)

The key idea that I defend is that we can use Application Security to define and measure Software Quality

Let me know what you think