January 27, 2018

An introduction to good security practices, with Sam Bisbee, Chief Security Officer of Threat Stack

I was nervous starting my position at a cloud-based security firm. It's been a while since I was a security tester testing against the OWASP Top Ten. How would I get trained in good security practices? Luckily, newbies like myself aren't just thrown into the deep end. They have Sam Bisbee (@sbisbee), Chief Security Officer of Threat Stack, to guide them.
"As the Chief Technology Officer at Threat Stack, Sam is responsible for leading the Company's strategic technology roadmap for its continuous security monitoring service, purpose-built for cloud environments. Sam brings highly-relevant experience in distributed systems in public, private, and hybrid cloud environments, as well as proven success scaling SaaS startups. Sam was most recently the CXO at Cloudant (acquired by IBM in Feb. 2014), a leader in the Database-as-a-Service space, where he played a senior technical and product role." - Threat Stack / Author: Sam Bisbee
What were the first introductory security sessions like? Take a look at the talk that Sam Bisbee gave at AWS re:Invent in November 2017:

"Stop Wasting Your Time: Focusing on Security Practices That Actually Matter"
Sam Bisbee, Nov 2017
https://youtu.be/d4XXmZi32tg

What is AWS re:Invent?

From the AWS re:Invent site: "AWS re:Invent is a learning conference hosted by Amazon Web Services for the global cloud computing community. The event features keynote announcements, training and certification opportunities. At the conference, you’ll have access to more than 1,000 technical sessions, a partner expo, after-hours events, and so much more".

What Makes Sam Bisbee's Talk Different?

What is interesting in this talk is that instead of simply giving a product demo, Sam shares his philosophy about creating a good company-wide security policy at your company.

"The State of Security is the Absence of Unmitigatable Surprise." - Dan Geer, CISO, IN-Q-TEL

For those (like me) who are new to these updated terms: when Sam mentions a "See-So", he means a CISO, a Chief Information Security Officer.

Some examples:

  • Don't just come up with a security policy, threaten people's jobs if they make a mistake, and leave it at that. Know what is happening. Look around. Close that feedback loop and adjust the security policy. 
  • Identify the top risks, and work with the organization to mitigate those risks, putting in controls to monitor that the mitigation is working. 
Security is about identifying a risk (a vulnerability in our product, a process, an unlocked laptop) and then:
  • Using data to understand the risk
  • Attempting to control the risk
  • Removing it
  • Compensating for it

... And, yes, I am already trying to recruit Sam as a speaker for the Ministry of Testing - Boston Meetup.


Happy Testing!

-T.J. Maher
Sr. QA Engineer, Software Engineer in Test
Meetup Organizer, Ministry of Testing - Boston
