While I’m looking for the right fit for my next role, I’ve started a consulting practice. If you need an independent voice for infosec—especially for #appsec or #prodsec programs—drop me a line! I’ve been working with software teams in QA, SDET, engineering, and R&D for over 20 years. I’ve been an AppSec practitioner, researcher, and manager for 15. I’ve built and accelerated AppSec programs from startup to Fortune 50.

If you think you or someone you know could use me, please let me know!

@JessTheUnstill @hacks4pancakes If there’s anyone hiring for #infosec jobs that pays reasonably and gives annual cost-of-living increases at least close to inflation, I would be very much interested in learning more about what open positions they have available. Or even someone that just pays well.

I focus on client security, but I can also talk about infrastructure #security and #ProdSec. 🙂

@SheHacksPurple @wilander @manicode I deliver training through @manicode as well as through my employer but I also see a variety of environments through consulting.

I think that the scope of potential #AppSec/ #ProdSec risks is so large now that it is hard for anyone to get a real handle on it.

Secure coding is one small part of it which I think training helps with a lot but consider the fact that there is no one place where you can find secure coding guidance for a variety of languages other than maybe a @owasp cheatsheets.

However, I think there are a bunch of more organizational level concerns related to how organizations normalize and get buy-in for software security activities and keep these processes going long-term without everyone hating security.

I also think that many of the loudest AppSec voices right now (in mainstream information security spaces) are vendors or breakers who have a specific perspective on things and are mostly talking about tools, automation and testing.

I would argue that the focus on those topics distracts organizations from more fundamental issues of scaling the processes and activities which cannot be automated away such as training, developer engagement, threat modelling and vulnerability triage.

I am not sure we will see significant improvement until these things are addressed at a strategic level within organizations...

Kas shares their journey into #AppSec & #ProdSec from a non-technical background at #ComfyConAU2022Too @ComfyConAU

Lots of good lessons
https://www.youtube.com/watch?v=cyoIisr8mLA

Microsoft contributes S2C2F to OpenSSF to improve supply chain security

https://www.microsoft.com/en-us/security/blog/2022/11/16/microsoft-contributes-s2c2f-to-openssf-to-improve-supply-chain-security/

#appsec #prodsec #supplychain #openssf #s2c2f

Microsoft contributes S2C2F to OpenSSF to improve supply chain security

https://www.microsoft.com/en-us/security/blog/2022/11/16/microsoft-contributes-s2c2f-to-openssf-to-improve-supply-chain-security/

#appsec #prodsec #supplychain #openssf #s2c2f

Woke up this morning and jumped on my soapbox. Started the day blogging, spent most of it writing some code to gather data, totally forgot that #Ragnarok was waiting (sorry Kratos!). PTO days are great when python is involved. https://annvix.com/blog/risk-based-vulnerability-management #prodsec #risks

Do all vulnerabilities REALLY matter? Sometimes we determine the answer based on feelings rather than facts. If it sounds scary maybe it is! But then again, maybe it isn't. I take a look at some facts that inform RedHat's approach. https://redhat.com/en/blog/do-all-vulnerabilities-really-matter #prodsec #infosec