Some thoughts on infosec and social media

I posted the thought above on Twitter a couple nights ago.

Rereading it, I feel I need to expand upon my idea, because there are a couple motivators for the tweet. First, the tweet was not worded very well. It comes off as saying that people on Twitter are not as good as those not on Twitter. This wasn’t my intention. I think there are really good people both on and off Twitter. The idea is more about myself and evaluating whether or not I’d be a better infosec person if I were to stay off Twitter.

A majority of the people I work with on the security team are not on Twitter. All of them are really good at what they do. I know there are more of those types of people, because I’ve worked with others who are really good at what they do. Twitter is a very small subset of the people within the infosec field. I think it’s important that what is said and done on Twitter doesn’t necessarily reflect on the entire industry. I was also watching a YouTube video at the time of a buddy of mine who has a Twitter account, but doesn’t tweet a lot. He’s really smart and is doing some pretty amazing things in the field. I’ve wondered if I need to be spending more time being productive and less time on Twitter.

Twitter being just a small part of Twitter is also why I was a bit disappointed to hear that this year is DerbyCon’s last. I like to go to DerbyCon. I have a good time and I catch up with friends and make new ones. There’s a lot of positives to the conference. Unfortunately, there is also some drama, which gets amplified by Twitter. It’s draining on the conference organizers. I get it and I don’t have any ill feelings towards their decision. It’s their conference.

What I think it highlights to me is that sometimes we need to step out of our own little bubble and look around. Twitter, and social media, is our own little world. We create it and curate it to our beliefs and preferences. It can certainly be a useful tool for information, but it can also create our own bubble that consumes and drowns us.

Things that get our attention the most are on social media are controversial. It’s frustrating and depressing. I take solace in the fact that there’s a larger world with the those things but also a lot more good.



ShowMeCon wrap-up and what's ahead

I know. I know. It's been two weeks since ShowMeCon. I've been busy! Within hours the neighbors wanted to hang out (I brought the St. Louis beer). The next day, I had a big case of the don't give a shits. I didn't get a podcast ready for that night's release.

I went to work Monday expecting to head home and work on some stuff (like get a podcast out). Instead I was informed the development team I work with was heading to Nashville Sounds game, because some people were in from out of town and I was invited. I went. Tuesday, I played soccer for two and half hours, because I like pain (I didn't regain full functionality of my legs until Saturday). Wednesday was a social night, because those same people were in town (yay!). I got home and got the podcast out, three days late. Thursday, I wrote about suicide. Friday, I wrote about password policy. Both very serious topics.

Things sort of got normal after that. I took the weekend to kind of dink around on stuff I wanted to do. Monday I got two of the four podcasts edited I needed to. I was invited over the neighbors Tuesday for beer and baseball. Finally, last night I got four podcasts scheduled. I'm heading to Asheville tomorrow for BSides Asheville (still looking for a ticket). Much beer (and maybe a podcast) will be involved. Tonight is the night for me to write something and hopefully get a little Overwatch in. Damn I've been busy. Didn't really realize that until writing it down.

Back to ShowMeCon. This was my third year and fantastic as always. It's the ideal security conference. The hackers think it's too businessy. The business people think it's two hackery. There are more women at this conference than any other security conference, I've been to combined. I love it!

I did my first ever podcast panel, which went really well for being the first time. They had a personal trainer there to talk about health and fitness. There were a lot of questions at the end. This might be something I need to write about. I do work at a wellness company after all!

During the conference I managed to get two interviews for the podcast recorded. I really like the idea of recording interviews at conferences. It's a much better vibe when the two people are in person. It flows better. There's the low rumble of the crowd. The low thud of doors smacking closed. It's fantastic. Those will be releasing over the next two weeks.

Now that ShowMeCon is over, I've been re-evaluating my desire and need for submitting to conferences. I've been speaking since 2015. It's a great challenge and a good career booster. Now that I'm at a company that I adore and in a role that continues to expand, I'm starting to wonder the value I'm getting out of submitting to conferences. I love sharing ideas and challenging myself to become a better speaker. The downside to speaking is that it takes time away from my family.

I have two kids still in the single digits. I'd like to spend more time with them. At one point I was slated to be at 12 conferences this year. With other obligations, conflicts, and one conference not happening this year, I'm down to eight. That's still quite a bit. I've presented at all five I've gone to this year. It's not just going to the conference that takes time. It's also the preparation leading up to the conference. I spend several hours putting the talk together. Then I spend the week leading up to the conference practicing the talk. This is on top of the weekly podcast I produce.

I spend a lot of time in the field. Because of my expanding role I'm spending more time at work now too. I'm trying to find that balance. I'd like to spend more time with my kids. I think that will be at the cost of the conferences I attend. If I do submit a talk, it'll be for a podcast panel. The preparation for that is much easier than a full blown talk. I'd like to say I'm cutting back on conferences, but I don't think it'll take much for me to go to a conference (someone asks). We'll see.

 This blog post first appear on Exploring Information Security

Converge and BSides Detroit wrap-up

IMG_5368.jpg

Last week, I headed to Detroit for a wonderful conference called Converge. It was quickly followed on Saturday by BSides. This is one of staple conferences every year. The crowd is great. The venue is top notch. The other speakers are fantastic. The organizers are awesome! And of course dueling coney dog restaurants. 

This year I got the opportunity to both speak and put on a workshop. The topic is the one I've been peddling all year, Social Engineering for the Blue Team. The talk went well enough. I had to transfer slides to our new company template and I missed some notes. The workshop went really well. I got some great feedback and found some refinements that need to be made. I only had six people in the workshop. Which worked out well, because I had a lot of back and forth and contributions from the crowd. I look forward to doing it again in the future.

I recorded one podcast interview and then did another conference interview that will come out this week. I'm going to try and do more podcast interviews while I'm conferences. Before I wanted to enjoy the conference and not worry about audio equipment and recording. That's a bit selfish, because I think I can record in-person with people. This would ideally lead to some better quality interviews and content. Shout out to Jesse who told me that he liked the new format. Thanks Jesse!

I'm playing with the format a bit so, I think this can slide in nicely. I plan to record some impromptu interviews where I just hit the record button and go. I think for the over-the-internet interviews I'll use my old format. I'll tweak it a bit. Ditch the old opening where I have the interviewee listen in. Instead I'll record an intro for each episode. This will allow me to give impressions of the interview and any promotional things. Still experimenting.

The conference went really well. I caught up with some friends and made some new ones in the process. If you missed it this year, I highly encourage you to check it out next year.

My first developer focused talk on security at Nodevember

On Monday, I had the opportunity to speak at Nodevember. The title of the talk is, "How to embed security into your process." I've wanted to get out and speak at a developer conference since the beginning of the year. Nodevember was the first conference to accept my talk (CodeMash next month is the second).

My talk

I believe developers have a lot of say in regards to the security of an application. I believe that we have a lot to say in regards to application security. I've been speaking on application security for the past couple years at security conferences and local meetups. That's great and it helps teach others in the field about application security. Where I can also make an impact (and potentially more so) is at developer conferences.

Developers have a lot of interest in security. There is proof of that from today. The talk before mine, "The State of Node Core" (good talk) had about a third of the seats filled. By the time my talk started just about all the seats were filled and a couple people were standing in the back. I was both happy and terrified.

My assessment of my talk was okay. I checked the schedule of the talks when I got to the conference. The 40 minutes I thought I had, was actually 30 minutes (my goof). I tried not to freak out. I'm usually quick on practice and I could cut out some things I needed to. By the end of it, I had discussed everything I felt was necessary and still had three minutes to spare.

I missed a couple elaboration points and a rant. I could have gotten those on my final thoughts slide, but my mind was blank. I was doing the talks with just slides and not presenter notes. This was due to me not wanting to waste time switching displays for the demos I was doing. Speaking of demos, I had one fail on me because I didn't practice my talk using my phone hot spot. My VM network settings was set to use Wifi.

Overall, it was okay. I got positive feedback from several people, plus some suggestions on what I could add to the talk (I asked for that specifically and was not disappointed). It was expressed to me that developers would love more security talks at developer conferences. There was some frustration around getting fellow developers to take security more seriously. Something I can sympathize with.

Here's some of the specific feedback and suggestions I got (thank you to those that gave feedback):

  • They really liked the OWASP ZAP demo

  • securityheaders.io (I did a content security policy demo before my talk)

  • Docker Hub Images - static analysis (I need to research this)

  • HTTPS - Cloudflare and Lets Encyrpt

  • Lateral movements

I don't think all the feedback is in the scope for this talk. It certainly gives me ideas for future talks.

Other talks at Nodevember

I also really like attending developer conferences, because I still have a lot to learn from the development community. I have the same feeling of wonder and inadequacy as I did when I first started going to security conferences. All three talks I attended were great and taught me something new.

Unlocking the Mysteries of Unfamiliar Codebase by Randy Cox touched on diving into an unfamiliar codebase. This is a big thing for application security professionals who need to do code analysis. My confidence was boosted by Randy, because I was already doing a lot of the things he recommends. He also gave me some new ideas for looking at unfamiliar code.

My notes:

  • Document

  • It's like an investigation

  • Make sure everything is in source control

  • Where is all the code?

  • Git blame

  • Document startup sequence and system architecture

  • Use "code analysis" instead of "documentation" if management wants you to only code.

  • Don't fix things - document and write bug tickets

Using npm scripts as your build tool by Elijah Manor. This talk was a little over my head. The scripts he covered were for automating some of the builds you can do in Node. Lot of cool scripts and ascii art.

The State of Node Core by Colin Ihrig. This talk gave an over view of the Long Term Support (LTS) schedule. Talked about some of the statistics on Node version use. Talked about new features and some other items I hadn't heard of before. Colin also talked about some of the security improvements on the way.

The closing keynote, Welcome to the new npm by Laurie Voss was very entertaining and enlightening. He covered the past of npm, as well as looked at the future of npm and Javascript development.

Final thoughts

More security people need to get out to non-security conferences to learn, gain an understanding, and contribute.