You’re probably not doing DevSecOps so stop saying you are

I was a security consultant for 6 years, and I’ve been working in security for 10 years and if there’s one thing I’ve learned its this: IT and the rest of the business really doesn’t like or even understand security. We get in their way and we demand things of them that only help us, and the business never sees…

Moving away from Gitlab

A few years ago I switched my “business” code from Github to Gitlab. The reason for this was… well, I was bootstrapping a business. Every dollar counts, and Github’s private repos were $5/mo while Gitlab was free. Unfortunately almost immediately after I switched everything, Microsoft bought Github and started offering free private repos. I should have switched back immediately. But…

Do we still need dedicated security teams?

Dating back for decades now, most major companies and enterprises have had “security” teams. Sometimes called “IT Security” or “infrastructure security” or something along those lines. This group was responsible for everything from security policies to risk reviews to approving firewall changes. Sometimes they’d own things like IDS/IPS, anti-virus, and often strictly security tools like a SIEM, a WAF, or…

Are you defending the Maginot Line?

The Maginot Line in World War II was the French defense against invading German forces. It covered almost the entire perimeter of the country, was impervious to attacks from the air or ground, and had backup supply lines on the inside of the perimeter. It was well staffed with trained and experienced soldiers. It was hugely expensive, state-of-the-art, and considered…