It appears the Equifax breach hinged on an unupdated Apache Struts vulnerability. Lots of security people are talking about lots of different dimensions of this breach but one portion is the (in)secure use of 3rd party code. …

Much ink has been spilled in defining, or refuting, the concept of the 10x engineer. A concept sometimes used in Silicon Valley to describe an engineer that is 10x more productive than an average engineer although the 10x metric is figurative. 10x or not there are definitely patterns in how…

I’ve worked in three big areas in my career: building software, securing software and leadership. Each area has a different sized feedback loop. Building software has a very tight and immediate feedback loop. Get an idea, try to build the idea, fix/tweak/improve then finally ship. At the micro level its…

A reasonable mission for an application security team is to find and fix security bugs in a codebase. I held this view at one point and I now think this is subtly wrong and instead we actually care about outcomes, not bugs. A bug is a discrete flaw in software. …

A while back I changed from an engineer to a manager. With that came a whole new set of manager-y words that I had previously nodded along with but not deeply understood. This article is my definition of these concepts in a way engineer-Collin would understand. Preamble Engineers build¹ a $thing…

There are these two young fish swimming along and they happen to meet an older fish swimming the other way who nods at them and says “morning boys, hows the water?” And the two young fish swim on for a bit and eventually one of them looks over at the…

Because software has inherent vulnerabilities, smart security teams build protections inside and outside their code to help prevent exploits. The goal is not only to limit the impact of an unknown vulnerability, but to prevent future vulnerabilities from ever being written into code. To do this effectively, security must be…

Working in software security for a while I’ve recognized a few core ideas that have helped guide the efforts of a product security team. I want to share these primitives and the opinions built upon them as essentially how I think about product security. All of these ideas are seen…

When software security flaws can fetch over a million dollars it is useful to examine why building secure software is so difficult. All our work in security rests on these difficulties and this article aims to collect the specifics inherent in application security so followup articles can offer solutions. …