#bsidessf

Doyensec<p>📜Hear ye, hear ye! 📜 We're proud to announce our ongoing sponsorship of <span class="h-card" translate="no"><a href="https://infosec.exchange/@bsidessf" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bsidessf</span></a></span> ! Doyensec ⚔️ will be onsite 🏰 and we hope to see you there April 26-27th (details: <a href="https://bsidessf.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">bsidessf.org/</span><span class="invisible"></span></a>)! 🐉<br><a href="https://infosec.exchange/tags/BsidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BsidesSF</span></a> <a href="https://infosec.exchange/tags/Doyensec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Doyensec</span></a> <a href="https://infosec.exchange/tags/BSides" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSides</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a></p>
phildini @ 👥❗<p>What <a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a> talk do folks want me to watch-along next?</p>
phildini @ 👥❗<p>This talk had good advice, but all the advice requires a _lot_ of political air cover, I feel?</p><p>Maybe I've only worked at dysfunctional orgs previously 😅</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Final idea:</p><p>"Scale security automatically"</p><p>Determine a ratio of sec hires, either on overall headcount or per program, etc.</p><p>Try to avoid only net-new work being funded</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Related idea in this talk that I love:</p><p>Vendor evaluation and integration should be a key skill and criteria for Senior / Staff Security Engineer promotion.</p><p>(Yesss! Across the industry, "evaluating technology well" should be a promotion criteria)</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Ok, now we're diving into funding security programs smarter!</p><p>The core idea: Whoever owns, maintains, builds, operates, or otherwise is responsible for a system is implicitly responsible for all security, unless the sec org provides explicit support</p><p>(I think this is objectively the right idea, subjectively "nice to want things". It's a great place to aim, it requires a lot of political capital and will in the org)</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>It's important to remember: these are supposed to build on each other.</p><p>ie, having a bug bounty program before you've done dependency tracking and developer security training is (probably) cart before the horse.</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Oooh, pyramid of security needs, like Maslow's hierarchy of needs.</p><p>Maybe not the levels I would have chosen, but fun to think about.</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>So this talk is going to try and answer two questions:</p><p>1. How to assess an org's effectiveness/prioritization</p><p>2. How to overcome tight funding</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>The problem:</p><p>Security budgets are _perceived_ as tight, and this is matched with tech downturn and increased regulations</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Ok, it's time for another <a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a> live-watch! This time: "Effective Security on a Tight Budget" by Felix Mantenaar</p><p><a href="https://www.youtube.com/watch?v=H6G5fIrGh7E" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">youtube.com/watch?v=H6G5fIrGh7</span><span class="invisible">E</span></a></p>
phildini @ 👥❗<p>That's the talk, pre-questions! I love when security talks have collective action and anti-capitalist undertones ✨</p><p>This was a fun one, and worth a watch.</p><p>Stay tuned here for the next talk I live-toot 🙇‍♂️</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Here's a takeaway:</p><p>Pirates were technically competent experts whose operational models are recognizable today in everything from SRE to hacker culture as "the better, more desirable, more practical, more open" way to work.</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Ok, so how / why were Atlantic Pirates successful?</p><p>- It took the imperial powers 35 YEARS to end Piracy's Golden Age.<br>- Piracy is inherently parasitic, requires functioning economy to work<br>- Caribbean pirates became so vital to local economy that authorities often looked the other way</p><p>Security isn't parasitic, but does depend on someone else's productivity, perception, and tolerance.</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>A brief digression on toil:</p><p>- toil is manual, repetitive work you have to do<br>- it can be enjoyable! the idea that it's unenjoyable might not be true!<br>- toil hurts the _org_ more than the _individual_</p><p>Pirate ships focused on reducing toil and increasing slack</p><p>- overabundance of crew allowed them to overwhelm larger ships<br>- redundancy as a resilience strategy: shorter shifts, violence became less necessary<br>- manual operations are a bug, excess capacity is a feature for moving fast</p><p>How do we apply this to Security? Think of work in terms of projects to reduce future toil, not tickets!</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>The benefits of generative culture are backed up by the DORA 2023 findings</p><p><a href="https://cloud.google.com/devops/state-of-devops" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cloud.google.com/devops/state-</span><span class="invisible">of-devops</span></a></p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>Generative culture:</p><p>- Performance-oriented<br>- good info flow<br>- high levels of trust / collaboration</p><p>(We should be aiming for this!)</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini @ 👥❗<p>"What made up pirate culture?"</p><p>- good culture is inspiring, not mandated<br>- pirates knew the risks and planned ahead for them<br>- pirate ships had articles! basically a constitution, which outlined reimbursement for incidents<br>- on merchant ships, sick/disabled sailors would be disabled -- on a pirate ship, often taken care of because of the shared culture<br>- a sense of shared fate!</p><p>(If this sounds like a good culture for software teams, welcome to this talk! ✨)</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>
phildini<p>On the other side of my brain, I'm doing a watch-along of some <a href="https://wandering.shop/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a> talks, come join me: <a href="https://infosec.exchange/@SecOpsCeo/112764033850640923" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@SecOpsCeo/11</span><span class="invisible">2764033850640923</span></a></p>
phildini @ 👥❗<p>"Working at Google in <a href="https://infosec.exchange/tags/DevSecOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DevSecOps</span></a> had a lot of similarity to what I was reading about 18th-Century Pirates"</p><p><a href="https://infosec.exchange/tags/BSidesSF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSidesSF</span></a></p>