LocoMocoSec and QCon: Vulnerability Inbox Zero (2022)

Co-authored with Jake Mertz. You have a vulnerability problem. You run a scanner. Now you have two problems - vulnerabilities and a mess of scanner results to process. Keeping up with vulnerability scanners is a struggle. Modern software services can have vulnerabilities in each of their layers. Scanners at each of these layers can produce results that require time to understand and process. False positives and overblown risk ratings can exhaust engineering team capacities.

LocoMocoSec: Building effective security OKRs (2020)

Security objectives and key results (OKRs) make it clear whether your team is on the right track. Effective security OKRs drive trust outside of the team and focus within it. Ineffective security OKRs are drafted with good intentions, but recede into the background soon after. I've discovered some principles that I think help define security objectives that matter.

Enigma: The Kids Aren't Alright — Security and Privacy in the K–12 Classroom (2019)

Many of the security and privacy mechanisms we build - permission prompts, security warnings, privacy policies - make one critical assumption: the end-user is an adult with agency to make their own decisions. Children, and especially children in schools, operate in a different security and privacy context than the general-purpose online tools they use. Young students can't evaluate security risks or consent to data sharing, but we give them the same security warnings and privacy controls that confuse adults.

Absolute AppSec Podcast: Alex Smolen (2018)

Alex Smolen (@alsmola) will join us to discuss his latest work, insights, and also tell us a little bit about his background. Alex currently works at Clever and previously was at Twitter & Foundstone.

LocoMocoSec: Identity and Access Management: Judgment Day (2018)

When you design identity and access management (IAM) systems, consider psychology and sociology in addition to computer security. The goal of this talk is to describe the human-computer interaction problems presented by IAM and three real-world patterns with open-source implementations for managing AWS IAM in an organization.

LASCON: Application Security & User Experience (2016)

You might think application security and usability are a zero-sum game. Strong password policies, tight access controls, and cycle-burning cryptography improve system security but hamper the user experience. From a security advocate's perspective, it's important to minimize risk, even if it makes a system hard to use. But what if introducing strict security mechanisms actually increases risk? When do security and usability complement, rather than detract from, each other?

OWASP AppSecUSA: Put Your Robots to Work: Security Automation at Twitter (2012)

With daily code releases and a growing infrastructure, manually reviewing code changes and protecting against security regressions quickly becomes impractical. Even when using security tools, whether commercial or open source, the difficult work of integrating them into the development and security cycles remains. We need to use an automated approach to push these tools as close to when the code is written as possible, allowing us to prevent potential vulnerabilities before they are shipped.