It was late 2018. I was attending (ISC)2’s annual Security Congress, listening to a talk titled “Enterprise Security Program that Works” by Theresa Frommel. Now in our third year since achieving PCI-DSS compliance as a level 1 merchant, I was feeling pretty confident in my abilities to help my company…

In my posts so far, I’ve talked about how I see security best rolling into existing software development lifecycles as another dimension of quality and good problem-solving. However, even the best solutions will at times face the unexpected. When you can engross a team in a story about a scenario…

In my last post, I talked about how security in software development is fundamentally a creative exercise, albeit one with strong rules like in graphic design. While that post focused on ways to identify high-level risks early during software’s design phase, it was light on ways to collaborate with developers…

In my previous post, I talked about how I see the majority of security-related issues in software development not requiring sophisticated detection tools, but the mindset of your existing QA teams in order to identify risks. This process of risk mitigation before writing code is intrinsically a creative problem-solving exercise…

In the cybersecurity industry, the term “DevSecOps” is touted as the best way to integrate security best-practices into your company’s software development pipeline. The term seems to get interpreted literally, however, since discussions around its implementation focus on ways to bring in new people and tools to identify specific vulnerabilities…

I’m new here. This blog will be a snapshot of my brain in a point in time where I’m between jobs. While I’ve been found to be a prolific writer in places where I’ve worked, I’ve never shared thoughts more publicly. I’ve got an intent to combine my lessons learned…