This statement might be a slight bit of hyperbole, but there are a certain number of parallels that can be drawn between the processes that go into distilling this wondrous amber liquid and a security industry that is just starting to reach a level of maturity where it's becoming an integral part of business. While not a perfect analogy, we'll be exploring the steps that go into making whiskey, from the process of making the mash through the aging process and finally to how it's consumed. Whether it's your personal career or where security is going, there's something to be learned from the process.
And some days you just need a little whiskey to help you recover after a long day of fighting cyber warfare.
With over a decade of experience in the IT and security field, Martin is a well seasoned professional dedicated to spreading awareness about security and privacy. As a recovering QSA, he’s well aware of the pain many companies feel when dealing with compliance. He is the host and author of a pair of the longest running podcasts and blogs in the security industry, the Network Security Podcast and the Network Security Blog. He’s also just a pretty nice guy in general, with a wicked sense of humor and a finely honed blade of sarcasm.
Paco Hope, Principal Consultant, Cigital
"Lessons from the Dojo: The Karate of Software Security"
We can both learn and teach software security the way we learn and teach martial arts. Shotokan Karate, like many others, divides its art into "kihon", "kata", and "kumite": basics, repeated forms, and sparring. Software security maps well into this same arrangement. Paco applies the form of Karate to the martial art of software security to reveal the "kihon", "kata", and "kumite" that we should both learn and teach. Our basics are our language and platform practices, our kata are security design patterns, and our kumite is sparring through adversarial security testing. Just as kata are built from basics, our secure design patterns are built from fundamental capabilities. Sparring puts them into practice in a safe space for learning. We learn through repeatedly doing the right thing until doing it right is easier than doing it wrong. We teach through repetition, clarity, and safe practice spaces. Place your shoes neatly by the door of the dojo and attend a master's lesson.
Paco Hope is a Principal Consultant for Cigital with deep experience in the securing of software and systems. His experience covers mobile applications, web applications, online retail, and financial systems. He worked with small startups and large enterprises in architecture risk analysis, secure code review, penetration testing and other consulting. Paco serves on (ISC)2’s European Advisory Council and authors questions for the CISSP and CSSLP certifications. He is active in the OWASP Mobile Top Ten Risks project. Paco co-authored the Web Security Testing Cookbook, Mastering FreeBSD and OpenBSD Security.