Wednesday 12 December 2018

Creating Wardley Maps using Lambda Functions

One of the biggest limitations I had when trying to use/create Wardley Maps was my inability to programmatically create the maps (ideally via a DSL or something like the DOT language).

What I really wanted was to be able to create maps from a serverless environment, namely from a Lambda function.

After some research, I found a nice way to do just that :) (all the code is available on this GitHub repo)

After playing with a number of scenarios and techniques I zoomed in on the following tech stack:

  • AWS API Gateway exposes a URL that calls a
  • Lambda function, which saves the supplied data (CoffeeScript) in a file that will be loaded by an HTML page
  • the HTML page loads visjs, which renders the graph (in the browser)
  • start a local Python web server, that
  • uses pyppeteer to open a headless version of Chrome, and
  • opens the page served by the web server in the headless browser, and
  • takes a screenshot of the page, and
  • returns the PNG value (to the browser or Lambda caller)
  • Hugo was also used locally during development
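As an added illustration of that pipeline (this is example code written for this page, not the code in the GitHub repo), the module below takes a map definition through the same stages: parse the caller's data, write the vis.js page, serve it locally, screenshot it with pyppeteer in headless Chrome, and hand the PNG back from a Lambda handler. Everything about the input format is an assumption: the repo accepts CoffeeScript, whereas this example accepts a small data-only DSL (`node name [visibility, evolution]` and `a -> b` lines) and embeds it as JSON, so nothing the API Gateway caller sends is executed as script inside the browser. The sample map, the `vis-network.min.js` file assumed to sit beside the generated HTML, and the function names are all constructed for the example.

```python
"""Added example of the API Gateway -> Lambda -> vis.js -> headless Chrome
pipeline. Not the repo's code; DSL, layout rules and names are assumptions."""
import base64
import json
import os
import re

# Constructed sample input in the hypothetical DSL:
#   node <name> [<visibility>, <evolution>]   both values in 0..1
#   <name> -> <name>                          dependency edge
SAMPLE_MAP = """
node Customer [0.95, 0.6]
node Website [0.8, 0.7]
node Rendering [0.5, 0.4]
node Compute [0.2, 0.9]
Customer -> Website
Website -> Rendering
Rendering -> Compute
"""

_NODE_RE = re.compile(r"^node\s+(\w+)\s*\[\s*([0-9.]+)\s*,\s*([0-9.]+)\s*\]$")
_EDGE_RE = re.compile(r"^(\w+)\s*->\s*(\w+)$")


def parse_map(text):
    """Turn the DSL into vis.js 'nodes'/'edges' records.
    Unknown lines and dangling edges raise ValueError here, so bad input
    is rejected before anything is written to disk or opened in Chrome."""
    nodes, edges = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NODE_RE.match(line)
        if m:
            name, vis, evo = m.group(1), float(m.group(2)), float(m.group(3))
            if not (0 <= vis <= 1 and 0 <= evo <= 1):
                raise ValueError("coordinates out of range: " + line)
            # vis.js uses screen coordinates: x grows with evolution (left to
            # right), y grows downwards, so high visibility means a small y.
            nodes[name] = {"id": name, "label": name,
                           "x": round(evo * 800), "y": round((1 - vis) * 600)}
            continue
        m = _EDGE_RE.match(line)
        if m:
            edges.append({"from": m.group(1), "to": m.group(2), "arrows": "to"})
            continue
        raise ValueError("cannot parse line: " + line)
    for e in edges:
        if e["from"] not in nodes or e["to"] not in nodes:
            raise ValueError("edge references unknown node: %r" % (e,))
    return {"nodes": list(nodes.values()), "edges": edges}


HTML_TEMPLATE = """<!doctype html>
<html><head><meta charset="utf-8">
<script src="vis-network.min.js"></script>
<style>#map{width:800px;height:600px;border:1px solid #ccc}</style>
</head><body><div id="map"></div>
<script>
// The map is a JSON literal: the page parses it, it never evaluates it.
var data = %s;
var options = {physics: false, nodes: {shape: "dot", size: 8, fixed: true}};
new vis.Network(document.getElementById("map"), data, options);
</script></body></html>
"""


def render_html(map_text):
    """Return the page that visjs renders in the headless browser."""
    payload = json.dumps(parse_map(map_text))
    # Escaping '<' keeps a '</script>' inside any string from closing the tag.
    return HTML_TEMPLATE % payload.replace("<", "\\u003c")


async def screenshot_png(html_path, port=8000):
    """Serve html_path's directory on localhost, open it with pyppeteer in
    headless Chrome and return the PNG bytes (needs pyppeteer + Chromium)."""
    import functools
    import threading
    from http.server import HTTPServer, SimpleHTTPRequestHandler
    from pyppeteer import launch
    handler = functools.partial(SimpleHTTPRequestHandler,
                                directory=os.path.dirname(html_path))
    server = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        browser = await launch()
        page = await browser.newPage()
        await page.goto("http://127.0.0.1:%d/%s" % (port, os.path.basename(html_path)))
        png = await page.screenshot({"type": "png"})
        await browser.close()
    finally:
        server.shutdown()
    return png


def lambda_handler(event, context=None):
    """API Gateway entry point (assumed shape): the request body is the map
    DSL, the response is the PNG, base64-encoded as API Gateway expects."""
    import asyncio
    import tempfile
    html_path = os.path.join(tempfile.mkdtemp(dir="/tmp"), "map.html")
    with open(html_path, "w", encoding="utf-8") as f:
        f.write(render_html(event.get("body") or ""))
    png = asyncio.get_event_loop().run_until_complete(screenshot_png(html_path))
    return {"statusCode": 200, "isBase64Encoded": True,
            "headers": {"Content-Type": "image/png"},
            "body": base64.b64encode(png).decode()}
```

`parse_map` and `render_html` run anywhere; `screenshot_png` and `lambda_handler` need pyppeteer with a Chromium it can launch (on Lambda that usually means a bundled headless Chromium layer), which is why their imports are kept inside the functions.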

3 Wardley Maps Templates I’m using to talk to Generation Z Developers

Hi, as part of the content I'm writing for my "Generation Z Developers" book, I have created the following 3 templates to help engage Gen Zs (kids and young adults born after 1996) in mapping their life.

A key objective with these maps is to dispel a number of myths that a lot of amazing, talented people have about development / programming (namely that learning how to program in multiple languages is the MOST important skill set, and that they are not good at technology or development).

The 1st one is an empty map that can be used as a template.

Tuesday 11 December 2018

Please take a look at my new website (and maybe get some Christmas shopping done)

In order to help with the "Generation Z Developers" book I'm writing, I created the website to centralise all content and products I created based on the book.

It would be great if you could take a look and share it with your friends :)

Sunday 7 October 2018

Just published new version of "Generation Z Developers" book (v0.60)

I've been working on a new book called "Generation Z Developers" and I really would like your feedback (you can get it for free from Leanpub at

In this version:

 - Content fixes and contributions by: Mike Eriksson, Michael Chadwick and Claudio Camerino
 - New book cover
 - New chapters:
    - DOT Language
    - AST (Abstract Syntax Tree)
    - Being criticized is a privilege

Here is the diff with the previous version: v0.50...v0.60

Published 3 new chapters from the Generation Z Developers book

I just published the following 3 posts on medium with the content of the respective chapters on the "Generation Z Developers" book I'm currently writing:

Check out these posts and let me know what you think of them (all content is at this GitHub repo and you can use GitHub issues and Pull Requests to send your feedback)

Thursday 4 October 2018

My comments on the "Open Letter to the OWASP Board from the OWASP Chapters"

Thanks Josh (and others who put this Open Letter together) for the effort and passion for Owasp and for continuing to try to find solutions to improve the current situation.

Although I don't agree 100% with the solutions presented in this document (see some of my ideas below), I'm happy to sign it, since this is the kind of fact-based discussion and conversation that we must have as a community (one request: can we put this letter in a GitHub repo, so that we can send comments using git and sign it using Pull Requests?).

Note that I have not been that involved lately in Owasp foundation threads (including reading all my email), but the key themes of decentralisation and openness are key for Owasp's future and require creative solutions.

My view on situations like this Open Letter, is that this is a great example of the passion that our community has for Owasp (which is a very positive thing). It is not good that they needed to resort to an Open Letter to raise the issue, but what is important is how we all react to the challenge and help to improve Owasp's future and organisation

Monday 4 June 2018

Looking for your next challenge, join the Photobox Group Security Team

Last year I took on the role of Photobox Group Security CISO and was given a strong mandate to transform the Group's security activities and build a modern security function

After building a great team and creating a strong foundation, we are looking for 3 senior security leaders to take us to the next level:

If you are looking for an environment where you will make a big difference, where you will learn constantly and will work in an empowered environment, then Photobox Group Security is for you :)

If you know me from my open source contributions, event speaking and leadership roles (past member of the Owasp Board and creator of the Owasp Summits), you know that I'm a very strong believer in Openness, Trust, Quality, doing the 'right thing' and building highly effective teams.

For more details on how we approach security, see this post I wrote on the Photobox Group Security website, "Why join Photobox Group Security", and this post from the Group's CTO, "How we think about Security".

If you are interested in these roles, and are around London this week (4th to 8th of June), the best place to meet the team is at the Open Security Summit ( This is where you will meet most of the team and we will be able to see you in action. As a sponsor for this event we still have some day tickets available, so let us know if you need one

Monday 19 March 2018

GDPR Patterns - Working Session tomorrow

(From this GDPR Patterns Working Sessions page)

You can participate online (London) or remotely. Get your ticket here

What are GDPR Patterns?

They are reusable mappings of data journeys across specific threat modeling scenarios.
The idea is to take the diagram below and map specific scenarios to it.

Monday 5 March 2018

PDF of 'Generation Z Developer' book (v0.31)

I just pushed an update to the book I'm currently writing. You can read this version below (via the embedded pdf) or directly at this GitHub release

Change log for this version:
  • Added initial section which shows issues from GitHub
  • New/Improved chapters
    • "The future needs you"
    • "Backup your life"
  • A couple of content fixes

Monday 26 February 2018

"Generation Z Developers" - new Leanpub Book

In the last couple of weeks I have been working on a book called "Generation Z Developers", which you can now get for free from Leanpub

As with all my books, the content is released under a Creative Commons license and hosted on this GitHub repo

One difference with this book, is that I'm using Hugo for the static site generation of the book and the leanpub content generation (and it is helping a lot)

I'm including below the current introduction to the book which provides a good explanation of why I wrote it.

Let me know what you think of it, and what other topics or ideas should be included.

Monday 18 December 2017

We're hiring at PhotoBox Group Security (5x Senior Security positions)

As some of you might have noticed, earlier this year I became the CISO of the PhotoBox Group :)

Part of the strategy agreed with the Board, is the recruitment of 5x new senior security positions to create the Group Security leadership team.

If you want to join me in this amazing experience, and execute the vision/ideas that you have read many times on this blog, please visit the PhotoBox Group Security website, where you will find details about the following roles:

We also have a couple of Contract positions available

Big favour!!!!

If you know of good candidates for these roles, please share the PhotoBox Group Security link with them :)

Finally, we are going to share a lot of what we are doing at PhotoBox Group Security in that site's blog (not only how we are approaching the recruitment of these roles, but also how we use JIRA, like I showed in the Creating a Graph Based Security Organisation - DevSecCon keynote), so keep an eye on it

Tuesday 3 October 2017

RFP for Security Consulting Services

Hi, I was asked to post this RFP; if you are interested, DM me on Twitter and I'll put you in touch with the relevant party

Project brief:
Company X is performing a number of Security Projects that require specialised security skills and experience.

Friday 23 June 2017

Owasp Summit 2017 debrief (v1.0) and 'We are the Crazy ones' Video

Here is the first pass at mapping the Owasp Summit 2017 outcomes (there is still quite a bit missing, but as you will see, the Participants created a massive amount of work and deliverables)

See the Outcomes pages for the full mapping (and latest developments).

Tuesday 20 June 2017

(Owasp Summit 2017) Thanks for creating an amazing event, now we need to focus on the Outcomes :)

(email sent to all Summit Participants)

Hi Summit Participant, on behalf of the entire Summit organisation team and Owasp, I want to thank you for all the energy and hard work you put in at the Owasp Summit last week.

We received really good feedback, and we hope to see you all there next year for the Owasp Summit 2018, which will happen on 23-27 of April 2018  (same place, same team).

Now that you had a couple days to relax, it is really important that we make sure that we capture the outcomes created during the Summit.

Wednesday 7 June 2017

5 days to the Owasp Summit, it's time to sort out your personalised Summit schedule!

(email sent to all Summit Participants)

Hi Summit Participant :)

With 5 days to go, and with a new version of the Summit's site that supports a dynamic schedule mapping, it is time for you to take a really good look at the current Working Sessions schedule and make sure that you have at least 4 mapped to you per day.

If you go to the full schedule page you will see the mapping of the 126 Working Sessions currently scheduled to occur (see the end of the Tracks page for the list of the 45 Working Sessions that are currently not scheduled).

Tuesday 23 May 2017

You can still create new Working Sessions and the Owasp Summit Schedule is not final !

(email sent to all Summit participants)

Hi Summit Participant, I had a couple emails about the Summit schedule which seem to imply that it was the final version, and that changes would be hard to make.

Just to be very clear. The final schedule will most likely only be published a couple days before the Summit (if not the day before). This is by design, and is a key factor in the Summit's success (to give you an idea of how much better we are this time around, at the last Summit (2011), we only had the first draft of the schedule about 4 days before the Summit started)

Our objective with the schedule is to maximise participants' time and their need to be part of specific Working Sessions. From a practical point of view, what this means is that we map out first the key players and organisers of a particular Working Session, and then make sure (as much as we can) that there are no conflicts.

Monday 22 May 2017

Owasp Summit Working Session 'Definition of Done'

(email sent to all Summit Participants)

Hi Summit Participant. As you can see by the Summit Schedule, one of the nice problems that Participants will have is going to be: how to select which Working Sessions to attend.

The Summit will create a highly focused and energized environment where each Participant is donating their most valuable assets: Time and Knowledge

The Working Sessions organizers have the privilege of the Participant's time, which is a massive gift. Their responsibility is to create the most effective and productive environments for them.

Owasp Summit 2017 - 20 days to go (summit presentation)

Hi, please see this presentation for a nice overview of where we are with 20 days to go to the Owasp Summit 2017 in London.

We now have a (draft) schedule and an amazing pool of talent participating onsite and remotely.

Please share this slide-deck with your network + blog + tweet, and if you have an Owasp chapter meeting coming up, please present it (it only takes 5 minutes)

Friday 19 May 2017

Please help to Promote the Summit

(Email sent to all Owasp Summit Participants)

Summit Participants, the success of the Summit depends on the amount of talent that we are able to bring together.

Although the current list of Participants is already quite impressive, I'm sure we can do better, and bring even more talent to the Summit.

First Summit Schedule and Working Sessions Registration

(email sent to all Owasp Summit Participants)

Summit Participants, now that we have a first pass at the Summit Schedule, we really need you to update your Participant page with the Working Sessions that you want to be involved in.

Here are the individual Track's schedule

Here is the consolidated Summit Schedule

What is also really useful is that, after you add those Working Sessions mappings, you will be able to see your personalized schedule on your Participant's page.

Sunday 14 May 2017

Security message on recent Ransomware attacks (WannaCry worm)

(In case it helps, here is an email I sent today to all of PhotoBox Group Technology team)

Hi all Tech (TL;DR: high risk of Ransomware, see list of recommendations below)

As you probably have seen in the news, there has been a widespread Ransomware attack which affected a large number of companies worldwide, and is bound to cause more damage next week.

The attack is called Ransomware (a play on Ransom + Software) and has the business model of encrypting all files the affected computer has access to, and then asking for a ransom (i.e. payment) to decrypt the files.

Owasp Top 10 2017 Track at Owasp Summit 2017

The Owasp Summit now has a full track dedicated to the Owasp Top 10 2017 with the following Working Sessions:

Security Playbooks Track and request for anonymised data

After a conversation with Ante Gulam about Security Playbooks, I had the real-world experience of needing them in multiple occasions this week.

Since I was not able to find good resources online that I could easily use, I realised that the Summit presented a great opportunity to create a set of Security Playbooks in standard formats that could be used by the Owasp/Security community.

After some research, I created the Security Playbooks Track with these Working Sessions:

At the moment none of these Working Sessions have an organiser, so for the ones that you are interested in, please become one (or at least register as an onsite or remote participant).

If you already have Security Playbooks at your company (or similar documents/diagrams/workflows) please submit them in an anonymised format with an OpenSource/CC license (so that it can be used by the Working Sessions)

Remember that significant work and collaboration should occur before the Summit (i.e. between now and the 12th of June). It would be amazing if some of the Working Sessions listed above had their tasks completed before the Summit!

For example, we can start working and collaborating asap on the Security Playbooks Diagrams.

Do you have Playbook Diagrams that you can share? (pictures of whiteboard-based diagrams will be a great place to start)

Thanks for your help

Friday 12 May 2017

30 days to go for the Owasp Summit 2017

In 30 days (12 June) Owasp will host its 2017 Global Summit in London where hundreds of participants will join forces in Working Sessions focused on solving hard Application and Cyber Security problems.

This is not a conference with unidirectional presentations. Using the same model as the past two OWASP Summits in Portugal, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Every thoroughly prepared working session is geared towards a specific application security challenge and will be focused on actionable outcomes.