Credit: Photo by Eric Prouzet
This post is a collaboration between me, Joe Basirico, and one of the best tech recruiters in the industry, Ellen McGarrity. You can learn more about Joe on this website. Throughout you can read Ellen’s take, in her own words in blue text Ellen has spent her 18-year career focused on recruiting in the software tech industry at both large (Microsoft, Amazon, Salesforce) and small (Tableau, Highspot) companies. She has recruited candidates at all levels, domestically and internationally. Originally based out of Seattle, she now lives in the Bay Area with her husband and 2 daughters. A hiring manager and a recruiter’s guide to getting hired.
Read more >>
Credit: Asanan Aphisitworachorch @ Unsplash
This is a multi-part blog series. If you haven’t already I encourage you to read the first two installments: Part 1 - My First 100 Days in ProdSec at a Series E Startup Part 2 - From gates to responsibilities As mentioned in my previous posts, one of the key takeaways from The First 90 days was to understand that past performance and solutions will not necessarily help you in the future. I found this to be strikingly true at Highspot. As a consultant it’s easy to swoop in, find flaws, deliver a report, and move onto the next customer. When you don’t have to sit with your long term decisions or to maintain the day to day relationships, and when you don’t have time to fully understand the reasons and history for current decisions things are a lot simpler.
Read more >>
Credit: unknown
This is part of a multi-part blog series, if you haven’t already, please check out the first post: Part 1 - My First 100 Days in ProdSec at a Series E Startup In my first blog post I discussed how I found Highspot and what attracted me to this company. I discussed the immediate challenges I faced as I scaled up my own knowledge and tried to rapidly snap to the new culture and demands of my role. If you haven’t read that already I recommend starting there and coming back.
Read more >>
Credit: Daniel Cheung @ Unsplash
After working in the application security consulting industry for nearly two decades and helping to solve my clients’ most difficult challenges, it was time to put what I used to tell others into practice. These are my lessons from the first 100 days. I’ve created security teams, bug bounty programs, set up tooling strategies, hiring plans, and more. I thought I’d hit the ground running and start making an impact on day 1, or at least day 99, while I made some impact early I had a lot to learn. As I passed my 100th day I learned so much about what makes a successful product and a successful product security team. In this article I’ll walk you through the successes, challenges, and failures I’ve faced in my transition from seasoned security vendor to Senior Director of Product Security at Highspot .
Read more >>
Credit: Patrick Tomasso @ Unsplash
The purpose of this document is to outline an application security strategy and roadmap for AWS Cloud SaaS applications, covering both application security concerns as well as AWS specific infrastructure. This is a checklist style article to help start conversations and give you information to perform further research. I’ve referenced other white papers and further reading available for more information throughout. An effective application security program will reduce security risk associated with code development while keeping disruption to the normal SDLC processes to a minimum. Ideally, this is done in an environment that fosters cooperation and transparency between AppSec professionals and the development team as a whole. If the entirety of the team is on the same page in regard to application security goals, and the maturity journey to get there, then the security team can operate as a service organization whose goal is enablement, rather than as a policing organization whose goal is governance.Purpose
Application Security
Read more >>
Credit: Daniel McCullough @ Unsplash
My background is as a developer and a security professional, so when I had to learn system design I approached it from that perspective. While I was familiar with many of these concepts, I decided that I had to learn it in depth and in earnest. Now that I know more, I’m convinced that every developer and every security professional should understand these concepts. For all of you who are like me and want to learn more, here’s an overview to help you think about system design, coming at it from a mindset of application security.
Read more >>
Credit: Barry Weatherall @ Unsplash
There are a number of places online where you can find details about application security vulnerabilities, but it is surprisingly hard to find a single location that provides a summary of all the most important vulnerabilities to be aware of. While any high-risk vulnerability is worth fixing, It’s worth adding a layer of prioritization around the most common vulnerabilities that are being used in attacks and exploits. The following statistics were reported by Contrast Security. While this is based primarily on what they are seeing with their customers, I think it is generally useful:
Read more >>
Credit: Joe Basirico
Last week I published a post introducing three important phases of AppSec Engineering: Awareness, Enablement, and Enforcement. Over the next three posts I will dive into each of these topics to share best practices and guidelines you can roll out to optimize your security engineering practice. In my experience, the best AppSec programs start with AppSec awareness training. The goal is to provide your product team with enough information to know when they need security involvement. That’s a broad statement, so let’s break it down.This is part of a series
Read more >>
Credit: Joe Basirico
In order for an AppSec team to collaborate effectively with development teams they should think in three phases: Awareness, Enablement, and Enforcement. This month I’ll be dedicating an article to each. The focus of these articles will be on the critically important area of application security, focused on the roles involved in building software: developers (DevOps), testers, and architects.This is part of a series
Read more >>
Credit: Alan Bishop @ unsplash
There are two sides to preventing a successful phishing attack. The first side is focusing on the user; trying to train users to identify phishing attacks and to protect themselves from these types of attacks. Training is important, but there’s a responsibility on the company to act in a way that does not emulate common phishing techniques and set your users up for failure. The second side of the successful phishing attack is the software and technology side. There are many techniques that companies can employ to make it easier for their users to identify fraudulent emails and there are some great security features that can be developed in your application and website to help protect users from the damaging effects if they do mistake a phishing email for a real one.
Read more >>
