In this series we are discussing how to get your technical training approved at work. This is not the first article, and you may want to go back and read it from the start.

In the previous article, we talked about how we need to explain to our boss not only which training we want, but we must overcome any objections, if we are going to get it approved. Let’s look at the second objection in our list.

Back in the day I requested approval to take a web-app hacking course, and I recall my boss saying, “You don’t need…

Welcome to the Black Lives Matter Edition of Book Club, where we will talk about a couple of books that Tanya read recently, and what she thinks about them. The previous article in this series was about Communication and Metrics.

All of the books listed are available in audiobook; my preferred reading format.

We are covering this topic for several reasons, but the one that makes it relevant to this membership is that when Tanya, the founder of this company, used her social media accounts to share her support for those fighting oppression and system violence and racism in America…

The Second Way of DevOps is fast feedback. In security, when we see this we should all be thinking the same thing: Pushing Left. We want to start security at the beginning of the system development life cycle (SDLC) and ensure we are there (providing feedback) the whole way through!

The previous post in this series is here.

Fast feedback loops means getting important information to the right people, quickly and regularly. …

The previous article in this series is here. If you are lost reading this article, read the whole series from the start. :-D This is a long post, sit tight!

The first “Way” of DevOps is emphasizing the efficiency of the entire system. Many of us tend to focus only on our part of a giant system, and get bogged down improving only our own contributions to the larger process. It’s rare that we stand back, look at the entire thing, and realize that if we helped another team or if changed something small within our part, that it could…

The previous article in this series is here.

In this post we will explore The 3 Ways of DevOps. But first, a definition.

DevSecOps is Application Security, adjusted for a DevOps environment.

-Imran A Mohammed

DevSecOps is the security activities that application security professionals perform, in order to ensure the systems created by DevOps practices are secure. It’s the same thing we (AppSec professionals) have always done, with a new twist. Thanks Imran!

Refresher on The Three Ways:

1. Emphasize the efficiency of the entire system, not just your part.
2. Fast feedback loops.
3. Continuous learning, risk taking and experimentation (failing fast)

…

Link to the previous post in this series.

There are many definitions of DevOps, too many, some might say. Some people say it’s “People, Processes, and Products”, and that sounds great, but I don’t know what I’m supposed to do with that. When I did waterfall I also had people, processes, and products, and that was not great. I thought DevOps was supposed to be a huge improvement?

I’ve heard other people say that it’s paying one person to do two jobs (Dev and Ops), which can’t be right… Can it? I’ve also been told once by a CEO that…

In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’. The linked video is approximately 2 minutes.

• Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
• The question included “How can we learn by doing, not just reading?”
• Play the game “Escalation of Privilege”, create by Adam Shostack
• You can actually play online, for free! It just came online last week. Play online here.
• She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play…

In a recent ‘Ask Me Anything’ live stream, Tanya Janca of We Hack Purple discusses ‘DevSecOps versus Secure SDLC’. This video is approximately 2.5 minutes.

• DevSecOps is you as an AppSec professional, doing your job, in a DevOps environment.
• A secure SDLC is when you add security activities to your system development lifecycle. Preferably in every phase of the SDLC, and formalized (devs cannot avoid it).
• Examples of secure SDLC

-Threat modelling during design

-Adding security requirements & review during requirements gathering

-Reviewing your design for security flaws and to ensure secure deign concepts are applied

• Then Tanya gets off topic and talks about We Hack Purple.

For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

I have a mailing list, please subscribe, it’s free!