Archive for the ‘DevOps’ Category

There’s been quite a bit of drama with regards to whether or not to boycott the RSA conference over a deal that the RSA security vendor had made with the NSA. I will not be rehashing it here.

What I will say is that I can respect individual decisions for principled reasons.

My own choice is also based on a calculus of my principles; I hope those who made a different choice can respect that.

I will be speaking at RSA – for a number of very nuanced reasons.

Of these, the clearest in my mind was simply this…

I research security to help people better defend themselves and things that matter.

Love or hate the RSA Conference, it is the annual heartbeat of the security industry and for many mainstream security professionals, this is their best chance to learn, challenge themselves and interact with the industry’s leading minds. I thought long and hard about all of the sides of this issue and decided that those most likely to be hurt by me boycotting were the very people I do this for.

Trust has been damaged on many fronts over the last year. I believe these issues cut to the core of the industry and our “community”. They will need hard discussion and debate – and I will be there to make sure that happens.

My Speaking Slots:

Both Sunday and Monday, February 23/24, 2:00 – 6:00 PM — BsidesSF at DNA Lounge

“I am The Cavalry” @ #BSidesSF DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103

Our dependence on technology is growing faster than our ability to defend it. The Cavalry isn’t coming. It falls to us… While its roots come from many places, a key moment for the @iamthecavalry movement was my #BSidesSF closing keynote last year. One year later, we have a large and growing movement of security professionals focused on having impact on security of consequence. As our focus converges on technologies with the potential to impact human life and public safety, come hear what we’re doing regarding Auto, Medical, Home Electronics, and Public Infrastructure. The full agenda for our 2 days of working sessions is posted at the BSidesSF Website.

I am The Cavalry

Tuesday, February 25, 8:00 AM – RSA USA – South “Viewing Point” in Gateway Halls – Keynote Commentary

“Expert” Commentary for Day 1 Keynotes

RSA is always experimenting. This year in the “Viewing Point” in Moscone South, folks can watch the Tuesday keynotes with some running commentary and play by play analysis. I’ll be joined by Hugh Thompson and Wendy Nather for what should be a bit of fun and analysis, but will hopefully help to frame the discussions and the rest of the week.

Tuesday, February 25, 3:00 – 3:30 PM – RSA USA – North Room 134 – Speaker

Call in the Cavalry – WHY We Need The Cavalry and Why It Falls to Us

Our dependence on IT has grown faster than our ability to protect it. What was once our hobby became our profession, and now permeates every aspect of our lives. In this swarming internet of things, vulnerable, connected technologies now permeate every aspect of our lives. While our best and brightest struggle to defend our enterprises, no one is even thinking about our growing dependence and exposure. The sad news is… the cavalry isn’t coming – it falls to us. We must be the adults in the room. We must ready ourselves to be ambassadors of technical literacy and the voice of reason. We have to be better… and we will be… starting now.

Much of RSA Conference is about protecting your enterprise. We are very pleased that RSA acknowledged the need to also focus our best and brightest on security for the internet of things. My Tuesday “WHY the Cavalry” talk is the first of three 30 minute Cavalry talks at RSA. On Wednesday, Nicholas Percoco will explain WHAT the Cavalry must lead. On Thursday Katie Moussouris will outline HOW the Cavalry will effect change. All three #RSAC Cavalry talks are listed here. Also, come talk about the mission at our booth in the Sandbox:

  • Tuesday 1:00 – 5:00pm
  • Wednesday 8:30am – 1:00pm
  • Thursday 8:30am – 1:00pm

Wednesday, February 26, 10:40 – 11:40 AM – RSA USA – West Room 2014 – Panelist

ASEC-W03 – DevOps/Security Myths Debunked

As DevOps has become more popular a lot of myths have arisen with regards to security and many opponents claiming that you can’t do security in a DevOps environment. This panel will address a number of those myths and demonstrate how you can embrace DevOps and maintain the appropriate security profile for your organization.

Dwayne Melancon will once again moderate myself and fellow Rugged DevOps trailblazers: Gene Kim, David Mortman, and Nick Galbreath. The great news is that the ranks of security/DevOps boundary spanners are growing to include folks like Neil MacDonald, Rich Mogull, Dan Kaminsky and others. If this is a new or threatening subject, my 30m RSA Europe 2013 Keynote was a good introduction:

Thursday, February 27, 8:00 – 9:00 AM – RSA USA – West Room 2020 – Co-Presenter

STR-R01 – Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome

Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s now time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization.

I’ll ride once more with David Etue for Part 3 of our “Modern Security Strategy Trilogy” based on work we’ve done together over several years.

NOTE: The slides and visuals came out WELL BEYOND my expectations. You do not want to miss this.

Friday, February 28, 9:00 – 10:00 AM – RSA USA – West Room 2014 – Co-Presenter

ASEC-F01 – Software Liability?: The Worst Possible Idea (Except for all Others)

While many had hoped that market competition would influence security improvements, customers are forced to accept software as is with no alternatives. Software is responsible for our critical infrastructure, cars, medical devices and is a part of our daily lives including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?

I’ve not worked with Jake before, but we have had spirited exchanges in the past. We have come into the topic of Software Liability from very different paths, but it has been a good complement and I really hope this advances what is often a thought-terminating debate. Jake knows a ton about how the Insurance industry has been looking at the issues. He also has an interesting vantage point through his work with the Open Source Vulnerability Database (OSVDB).

I hope to meet new people and new teammates.

Q: Are you going to RSA?

A: Of course. RSA is mandatory punishment for people like me.

Like I said just before RSA USA 2012, each year at RSA I want to quit security.

At the end of the day, like with most things…

…it is what you make of it. Make it matter this year. Demand better. I will be.

My suggestions on are worth re-reading:

  • People Value
  • Non-RSA Venue
  • The Bizarre Bazaar of the Exhibit Floor

Anticipated Buzz-Words:

Remember: Just because a buzzword is abused and/or nauseating doesn’t mean all uses or the ideas/facts behind them are nonsense. The trick is to ask people to define their use, defend their use, and provide specifics.

  • Big Data: This will be the least clear and most abused. It isn’t just having a Hadoop cluster or *B or *flops of useless data.
  • Actionable Intelligence: Done right, this is becoming table stakes. Done wrong, this is a marketing retread. Ask for specifics. Most are offering a data feed. Good programs are combining and enriching from OSINT, HUMINT, SIGINT, pay-for feeds of various types, information sharing communities/pilots. This topic is worth sifting out Signal from Noise.
  • Offensive Security: For some, the term itself is “offensive”. This is often heard as “Hack Back”, which is, for most, a really, really bad idea. Aside from the legal or attribution debates… if you can’t consistently change default passwords or basic access control, why do you think you’ll win an escalating fisticuffs with your attacker? My Wed 1pm panel (END-W25) will try to clarify this.
  • Active Defense: This is a less offensive spin on “Offense”, but definitions vary tremendously. It often means beginning to use deception, deterrence, increased work effort/work factor, increasing the entropy of the attack/er, etc. Again, my Wed 1pm panel (END-W25) will try to clarify this.
  • APT or APT1: Yes folks. The Kitten-Killing, Thought-Terminating Cliché is back. Given the one-two punch of the Executive Order and the hotly debated APT1 materials put out by Mandiant, China, China, China will be discussed. Not all espionage is out of China. Lots is. Get past the groaning and try to get to substance.
  • Adversary: This is a good one I am pleased to see entering the lexicon. While many “thought leaders” dogmatically fight the inclusion of adversary analysis, they are wrong 😉 . The programs that are modernizing are trying to weave in the chaining of Adversaries -> Motivation Structures -> Preferred Assets Types -> Their Common/Range of TTPs (Tactics, Techniques & Procedures). Much like this artifact from our Adversary talk from RSA last year (slideshare here).
My Speaking Slots:

Monday, February 25, 3:30 PM – RSA USA – Innovators Sandbox – Room 134 – Facilitator

ISB-001 – Do You Know Your Enemy Enemies?: WHO & WHY do matter…

Much of RSA Conference will focus on WHAT & HOW; at Innovation Sandbox we will focus on WHO & WHY. From script kiddies to nation states (or chaotic actor/hacktivists to citizen soldier militias)… gone are the days where our adversaries are only financially driven. We now face a pantheon of adversaries – each with varying motivational structures, preferred asset type(s), capabilities and levels of skill/determination. This facilitated white boarding session will discuss the characteristics of modern adversaries and hopefully raise questions (and answers) on their implications to our risk management priorities.

This White Boarding session should be both fun and challenging – given the innovative crowd.

Monday, February 25, 4:00 – 5:30 PM — BsidesSF at DNA Lounge

Closing Keynote: Joshua Corman

DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103

I will be “taking the gloves off” in this audience of fellow digerati. We are not getting better (enough), fast enough. We are part of the problem. We need to level-up and we need to entertain some uncomfortable ideas. The pot will be stirred. If there is anything you’ve wished you could say to them, you have a few more days to load me up… It will be followed immediately by: “We Quit” – A Roast of the Infosec Business hosted by Jack Daniel, JadedSecurity, and Javvad Malik.

Tuesday, February 26, 3:50 – 4:50 PM – RSA USA – Room 132 – Panelist

ASEC-T19 – Making Rugged DevOps and Infosec Work

Because of widespread cloud adoption and the DevOps movement, information security has never been at more risk of being completely marginalized by development and the business. This panel will discuss how information security can integrate into these value streams, where agile businesses routinely conjure thousands of compute instances doing over 1000 deploys per day.

Dwayne Melancon will moderate myself and fellow Rugged DevOps trailblazers: Gene Kim, David Mortman, and Nick Galbreath.

Wednesday, February 27, 1:00 – 2:00 PM – RSA USA – Room 309 – Moderator

END-W25 – Offensive Security: Hope or Hype?

With the threat environment dramatically changing, there is a new consensus that it is almost impossible to keep targeted attackers out of any large-scale network. This panel will discuss new thinking around “Active Defense,” or what some would term “Offensive Activities.” We will explore the pros/cons of enacting an offensive security position in defending a company’s networks.

This one is going to be feisty. Born out of some hot offline debates, this clash of the titans needed to happen. I will have my hands full moderating, but I am up for the challenge – and for challenging them. Come watch George Kurtz (CEO of CrowdStrike), Chris Hoff (Juniper), Adam O’Donnell (Sourcefire) and Andrew Woods (Stanford) duke it out. Got anything you want asked?

Thursday, February 28, 8:00 – 9:00 AM – RSA USA – Room 135 – Panelist

HT-R31 – Mayans, Mayhem and Malware

This panel focuses on the persistent gaps and perennial conditions confronting organizations today, notably in areas of compliance and governance related to threat mitigation, education and awareness. Also, we examine the resurgence of advanced, malicious code & content intelligent enough to obfuscate, assess, re-assess and execute against a programmatic strategy.

Will Gragido, Brian Honan and I tried this at RSA Europe and it was surprisingly good – realistic and gritty and honest… This time we’re adding two other dynamic characters.

Friday, March 01, 9:00 – 10:00 AM – RSA USA – Room 133 – Co-Presenter

GRC-F41 – Control Quotient: Adaptive Strategies for Gracefully Losing Control

Cloud, virtualization, mobility and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.

I’m teaming up again with David Etue and we’ve been maturing this idea/approach over several years. A lot of my best concepts/models are born near the end of final content creation. This happened again this year with this talk. One of our new models has been sanity checked with a few of you and we’re excited that it will pack a real punch.

I regret this is so early on the last day but this is not one to miss.

The 6 minute RSA Podcast pre-interview of our talk is posted here.

The security challenges have REALLY stepped it up… it’s time we do.

This is not a book review.

This is a fork in the road for every IT security professional – and the clock is ticking:

We can make excuses; or we can make changes.

Security is hard – increasingly so. At times it feels as if we’re pre-ordained to failure. In our bones we know it doesn’t have to be this way. Yet year after year, we remain marginalized and at odds with the business. Thus far, we’ve struggled to find anything resembling a game changer.

Here is your game changer:

The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win

While we hate to admit it, we know our security “Best practices” aren’t – that “Good enough” isn’t. Our dependence on IT is growing faster than our ability to secure it. Moreover, the consequences of our failures have grown more severe.

There has to be a better way. For those of you who know me, I am convinced our current approaches cannot scale and have dedicated myself to help get the security community un-stuck – to reframe the issues – to experiment – to find a better way.

In 2007, a mentor told me if I truly want to transform the way security is done, I must read The Goal. What the HECK could a novel about the failing US manufacturing industry have to do with security?! But Eli Goldratt’s Theory of Constraints and continuous process improvement fundamentally transformed and rescued manufacturing, as we know it.

As “The Goal’s” spiritual successor for IT, Gene’s “Phoenix Project” outlines our fundamental transformation. This sorely needed narrative meets us in our compliance-distracted, security-debt-saddled despair but credibly paints our journey of redemption through the “3 ways” – grounded in fact and real world successes.

While we focus upon (and wallow in) failure, Gene has been seeking and studying achievement. While we remain isolated within the security echo chamber, Gene has studied high performers outside of it. Gene’s seminal research in Visible Ops on high performers in IT was just the beginning. For the last few years, Gene has been a force of nature within the DevOps revolution. It has been my honor and privilege to collaborate with him.

Gene Kim is our quintessential boundary spanner. His novel puts our security struggle into the broader context of the conflict between IT and the Business. It is cathartic and uncomfortable, but also instructive and inspiring. IT is undergoing a transformation with DevOps; where Development and Operations have figured out how to work together in ways that not only eliminate conflict, but allow organizations to drive value and do things they didn’t think possible. It is their philosophy and attitude that are most essential and can serve as a blueprint for any of us – in any type or size of organization.

This IT revolution is the moment security has been waiting for; the likes of which we may not see again for 30 years. We have a singular opportunity to change with it. What’s more, the DevOps pioneers are embracing Rugged DevOps with open arms. Are we ready to evolve and be embraced? If not now, when? If not us, who? This revolution has started without us, but it is not too late. We can break out of this death spiral.

To this end, Gene has made the first half of the book free for security professionals to read and share.
Download link HERE.

Read this book, now. Give it to your boss, your CIO, your CEO, and your peers.
Don’t be surprised if you can’t put it down. You will not look at your role the same way again.

There is a better way. Join the tribe.

Joshua Corman