Thursday, May 30, 2013

Security Thoughts for Start-ups

Last night I spoke at the SFNewTech event "How To Avoid Online Security Headaches" along with a great group of speakers:
  • Joe Sullivan, Chief Security Officer of Facebook
  • Michael Coates, Director of Security Assurance at Mozilla
  • Mark Risher, CEO/Founder, of Impermium
  • Deron McElroy, Director of Regional Partnerships, Cybersecurity and Communications (CS&C) at U.S. Department of Homeland Security (Invited)
  • Dan Goodin, IT Security Editor at Ars Technica (Moderating)
The format included a brief 10 minute introductory presentation from each person. My slides are available on SlideShare and embedded below. This is clearly not the entirety of what you should consider about security. Instead, the intention was to provide a 10 minute crash course to raise awareness of key items that deserve consideration.
-Michael Coates - @_mwc

Tuesday, May 7, 2013

Avoiding the Security Gate

The worst place for a security program is to be a gate at the end.

What happens in organizations where security is seen as the final hurdle before launching a new service or feature? Security becomes the enemy. The development team has toiled for months to design and build the new code. They're over budget, overworked, behind schedule, and all they want to do now is launch. But one thing stands between them and launch - the nod from the security team.

In this scenario the developers stop caring about security. They have no interest in best practices, least privilege or layers of defense. All they want is the green check that means their code is shipped to the world.

This is not to say that developers don't care about security - in fact, I'd argue they very much do care. Instead, this behavior is a reflection of a poorly built system that places one team in a position of superior control and produces a predictable level of frustration and animosity.

If this sounds like your organization then you've done something wrong.

Over the next several posts I'll talk about avoiding the security gate and building an effective security program. We'll explore the following topics, and maybe more.
  • Team structures for security
  • Pushing security left
  • Inverting the scanning model
  • Operating at scale

Stay tuned for more...

-Michael Coates - @_mwc