Monday 18 December 2017

We're hiring at PhotoBox Group Security (5x Senior Security positions)

As some of you might have noticed, earlier this year I became the CISO of the PhotoBox Group :)

Part of the strategy agreed with the Board, is the recruitment of 5x new senior security positions to create the Group Security leadership team.

If you want to join me in this amazing experience, and execute the vision/ideas that you have read many times on this blog, please visit the PhotoBox Group Security website, where you will find details about the following roles:

We also have a couple of Contract positions available

Big favour!!!!

If you know of good candidates for these roles, please share the PhotoBox Group Security link with them :)

Finally, we are going to share a lot of what we are doing at PhotoBox Group Security in that site's blog (not only how we are approaching the recruitment of these roles, but also how we use JIRA, like I showed in the Creating a Graph Based Security Organisation - DevSecCon keynote), so keep an eye on it

Tuesday 3 October 2017

RFP for Security Consulting Services

Hi, I was asked to post this RFP. If you are interested, DM me on Twitter and I'll put you in touch with the relevant party.

Project brief:
Company X is performing a number of Security Projects that require specialised security skills and experience.

Friday 23 June 2017

Owasp Summit 2017 debrief (v1.0) and 'We are the Crazy ones' Video

Here is the first pass at mapping the Owasp Summit 2017 outcomes (there is still quite a bit missing, but as you will see, the Participants created a massive amount of work and deliverables)

See the Outcomes pages for the full mapping (and latest developments).

Tuesday 20 June 2017

(Owasp Summit 2017) Thanks for creating an amazing event, now we need to focus on the Outcomes :)

(email sent to all Summit Participants)

Hi Summit Participant, on behalf of the entire Summit organisation team and Owasp, I want to thank you for all the energy and hard work you put in at the Owasp Summit last week.

We received really good feedback, and we hope to see you all there next year for the Owasp Summit 2018, which will happen on 23-27 of April 2018 (same place, same team).

Now that you have had a couple of days to relax, it is really important that we make sure we capture the outcomes created during the Summit.

Wednesday 7 June 2017

5 days to the Owasp Summit, it's time to sort out your personalised Summit schedule!

(email sent to all Summit Participants)

Hi Summit Participant :)

With 5 days to go, and with a new version of the Summit's site that supports a dynamic schedule mapping, it is time for you to take a really good look at the current Working Sessions schedule and make sure that you have at least 4 mapped to you per day.

If you go to the full schedule page you will see the mapping of the 126 Working Sessions currently scheduled to occur (see the end of the Tracks page for the list of the 45 Working Sessions that are currently not scheduled).

Tuesday 23 May 2017

You can still create new Working Sessions and the Owasp Summit Schedule is not final!

(email sent to all Summit participants)

Hi Summit Participant, I had a couple of emails about the Summit schedule which seem to imply that it was the final version, and that changes would be hard to make.

Just to be very clear: the final schedule will most likely only be published a couple of days before the Summit (if not the day before). This is by design, and is a key factor in the Summit's success (to give you an idea of how much better we are this time around, at the last Summit (2011) we only had the first draft of the schedule about 4 days before the Summit started).

Our objective with the schedule is to maximise participants' time and their need to be part of specific Working Sessions. From a practical point of view, this means that we first map out the key players and organisers of a particular Working Session, and then make sure (as much as we can) that there are no conflicts.

Monday 22 May 2017

Owasp Summit Working Session 'Definition of Done'

(email sent to all Summit Participants)

Hi Summit Participant. As you can see from the Summit Schedule, one of the nice problems that Participants will have is how to select which Working Sessions to attend.

The Summit will create a highly focused and energized environment where each Participant is donating their most valuable assets: Time and Knowledge.

The Working Sessions organizers have the privilege of the Participants' time, which is a massive gift. Their responsibility is to create the most effective and productive environments for them.

Owasp Summit 2017 - 20 days to go (summit presentation)

Hi, please see this presentation for a nice overview of where we are with 20 days to go to the Owasp Summit 2017 in London.

We now have a (draft) schedule and an amazing pool of talent participating onsite and remotely.

Please share this slide-deck with your network + blog + tweet, and if you have an Owasp chapter meeting coming up, please present it (it only takes 5 minutes)

Friday 19 May 2017

Please help to Promote the Summit

(Email sent to all Owasp Summit Participants)

Summit Participants, the success of the Summit depends on the amount of talent that we are able to bring together.

Although the current list of Participants is already quite impressive, I'm sure we can do better, and bring even more talent to the Summit.

First Summit Schedule and Working Sessions Registration

(email sent to all Owasp Summit Participants)

Summit Participants, now that we have a first pass at the Summit Schedule, we really need you to update your Participant page with the Working Sessions that you want to be involved in.

Here are the individual Tracks' schedules

Here is the consolidated Summit Schedule

What is also really useful is that, after you add those Working Session mappings, you will be able to see your personalized schedule on your Participant's page.

Sunday 14 May 2017

Security message on recent Ransomware attacks (WannaCry worm)

(In case it helps, here is an email I sent today to all of PhotoBox Group Technology team)

Hi all Tech (TL;DR: high risk of Ransomware, see list of recommendations below)

As you probably have seen in the news, there has been a widespread Ransomware attack which affected a large number of companies worldwide, and is bound to cause more damage next week.

The attack is called Ransomware (a play on Ransom + Software) and its business model is to encrypt all files the affected computer has access to, and then ask for a ransom (i.e. payment) to decrypt the files.

Owasp Top 10 2017 Track at Owasp Summit 2017

The Owasp Summit now has a full track dedicated to the Owasp Top 10 2017 with the following Working Sessions:

Security Playbooks Track and request for anonymised data

After a conversation with Ante Gulam about Security Playbooks, I had the real-world experience of needing them on multiple occasions this week.

Since I was not able to find good resources online that I could easily use, I realised that the Summit presented a great opportunity to create a set of Security Playbooks in standard formats that could be used by the Owasp/Security community.

After some research, I created the Security Playbooks Track with these Working Sessions:

At the moment none of these Working Sessions have an organiser, so for the ones that you are interested in, please become one (or at least register as an onsite or remote participant).

If you already have Security Playbooks at your company (or similar documents/diagrams/workflows), please submit them in an anonymised format with an OpenSource/CC license (so that they can be used by the Working Sessions).

Remember that significant work and collaboration should occur before the Summit (i.e. between now and the 12th of June). It would be amazing if some of the Working Sessions listed above had their tasks completed before the Summit!

For example, we can start working and collaborating asap on the Security Playbooks Diagrams.

Do you have Playbook Diagrams that you can share? (pictures of whiteboard-based diagrams will be a great place to start)

Thanks for your help


Friday 12 May 2017

30 days to go for the Owasp Summit 2017

In 30 days (12 June) Owasp will host its 2017 Global Summit in London where hundreds of participants will join forces in Working Sessions focused on solving hard Application and Cyber Security problems.

This is not a conference with unidirectional presentations. Using the same model as the past two OWASP Summits in Portugal, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Every thoroughly prepared working session is geared towards a specific application security challenge and will be focused on actionable outcomes.

"The Best Real-Life InfoSec Problem Solving Event in the World" (and new Owasp Summit blog)

I just added a blog feature to the Owasp Summit site (which wasn't very hard since Jekyll is a blogging engine) which you can see at

The first 3 posts are:

Monday 8 May 2017

FAQ on attendees count, working session format and how to contribute (as a vendor)

(email sent to all Owasp Summit participants)

Hi Summit Participants, please see below an email sent today in response to a couple of questions we received from one of the companies in the Security Crowdsourcing space. See if you can guess which one :)

I'm sure some of you have similar questions, especially around the participation of vendors of security products/services in the Summit's Working Sessions.

Btw, if you have questions that you think we have not provided good answers for, please reach out, and we will do our best to answer them.

The Woodstock of AppSec and more Owasp Summit Working Sessions

(email sent to all onsite and remote Owasp Summit Participants)

Hi Summit Participants, I hope you had a great weekend. Here in London I met with Ante Gulam for a BBQ and we had a very productive Sunday (as you can see below).

Before I go into the details, I have a question for you: what do you think of this tag line for the Summit: "The Woodstock of AppSec"?

Seba came up with it when we met for lunch on Friday, when we were talking about the Summit's gravitational pull (as in 'the place to be', 'the place where the most interesting AppSec conversations will occur', 'the place where the best minds in XYZ topic will be together', 'the place where participants are trying to solve hard problems that I have today').

Sunday 7 May 2017

Help with OWASP Summit 2017 Outreach

(email I just sent to the owasp-leaders list)

Hi Owasp Leaders, I would like to ask you for some help in promoting the Owasp Summit 2017.

We are now at the phase of the Summit's journey where we have reached critical mass, and we really need your energy, collaboration and involvement.

About the Summit:

Owasp Summits are not a normal conference where attendees go to watch presentations. This is a highly collaborative environment made of Working Sessions, which are created by the participants around areas they are passionate about or real-world problems they need solutions for.

How the Summit's Working Sessions will work and Summit's Schedule

(email sent to all Summit registered participants)

Hi Summit Participants (BCCed). I have been receiving a number of questions about how the Working Sessions will be organised at the Summit, so here is an explanation of how they will be set up.

At the moment it might look a bit weird that we have more Working Sessions (106) than participants (81). This is actually quite normal (at this stage), since we still have a large number of participants who will be registering in the next month, and a significant number of Working Sessions that will not have enough energy, content, focus or registrations to justify their inclusion in the final schedule.

Saturday 6 May 2017

19 new Owasp Summit 2017 Working Sessions

(email I just sent to all onsite and remote Owasp Summit 2017 participants)

Hi Summit Participant (BCCed)

I hope you are having a good weekend and have some energy for some Summit related GitHub Pull Request activities :)

Thursday 4 May 2017

39 Working Sessions with no organizers, two new Gold Sponsors (CapitalOne and PhotoBox)

Thanks to the Owasp Summit Participants who added themselves as an organiser to 6 Working Sessions.

It's a great start, but we need more :)

In fact we now have 39 Working Sessions that need organisers (two more than yesterday), because we added the following 8 new Working Sessions (most with no organiser and very little content):

Wednesday 3 May 2017

Summit Working Sessions with NO organizer (please help)

(Here is the email I just sent to all registered Owasp Summit 2017 participants, which also applies to you, reader of my blog :) Please take a good look at those 37 'Working Sessions with no organizer' and pick one to help with.)

Hi Owasp Summit Participants (onsite and remote)

As you can see from the latest list of 76 Working Sessions, we have quite a good number of very interesting/important topics to collaborate/work on at the Summit (with more sessions being added daily).

We have grouped them into the following tracks and technologies:

Wednesday 26 April 2017

Owasp top 10 2017 Working Session at next OWASP Summit

Given the recent debates about the changes made on this new version of the OWASP Top 10 (which you can download from here), the next OWASP Summit 2017 will host a Working Session to allow for further collaboration and debate.

Please take a look at it and add/change it accordingly (btw, you can now register as a participant, and if you want to help organise it, please do: we need an organiser for this Working Session).

Here is a first pass at the topics to cover:

Monday 10 April 2017

RfP for Owasp SAMM assessment (£10k budget)

Here is a project brief I have been asked to share by a company that operates across Europe, USA and Australia.

Seems to me like a great opportunity for an active member of the OWASP/SAMM community :)

Ping me if you (or your company) want to respond, and I'll put you in touch with them.

Project brief:

Our e-commerce security maturity is of critical importance to us and our valued customers.

Through this RfP process, we are approaching the App/InfoSec community to invite responses from Europe-based AppSec consultants and businesses who are interested in engaging with our Group Security team to deliver an acute assessment of our individual teams' security maturity.

We welcome responses from those well versed in the OWASP SAMM methodology who have full-stack technical experience of auditing complex e-commerce environments and practices. Experience in producing board-level written reports and visualisations of data collected is highly desired. The data is to be collected using the Owasp Maturity Model tool.

Presentation: Building AppSec Teams

Here is the presentation I delivered recently at an online SC Conference on Web Application Security.

This is the consolidation of my recent research (and practical experience) of creating AppSec teams.

I think this structure and focus would make a massive difference (if implemented) at a large number of companies (especially the AppSec Squad concept).

The video is available on demand here

Presentation: OWASP Summit 2017 (Jan and Feb updates)

Here are two presentations I delivered recently (at the OWASP London Chapter) about the forthcoming OWASP Summit 2017.

Presentation: Security champions

Here is a presentation I delivered recently to a newly created Security Champions team.

The objective was to present to them what Security Champions are, and to motivate them into wanting to become one.

Let me know what you think of it, and if there is anything missing from this initial 'motivational' slide deck.

Presentation: Legacy-SecDevOps (AppSec Management Debrief)

Here is a presentation I created last year as a debrief to C-Level execs.

It is quite strong, but they took it quite well and agreed with most of it :)

Let me know what you think of it (I'm sure you've seen many similar projects and organisations).

Friday 7 April 2017