What I’ve been up to

I keep missing blogging days, but not because things aren’t busy. Here’s a roundup of places where I’ve been talking in the press and other stuff for the past few months: On the Veracode blog: Regulations like FS-ISAC and PCI are now looking at the security of open source components, are you ready? Plus a …

Recent writing elsewhere

I’ve written a series of blog posts on the Veracode blog about application security. Check them out, if that sort of thing floats your boat, or if you just want to see what’s up in my professional life. Note that I don’t generally write my own headlines, so I don’t claim responsibility for clickbaityness or …

What is free?

My company, Veracode, published our most recent State of Software Security Report yesterday (disclaimer: I’m one of the authors). The report mines data from hundreds of thousands of application scans to paint a picture of the risk profile of software. This year we included data on risk from open source components. The idea is that it’s …

Two views of cybersecurity cost and return

Two different reports came out in the last 24 hours about the costs and investments required for cybersecurity. The first, a paper from the RAND Institute’s Sasha Romanosky, claims that, on average, breaches only have a modest financial impact to organizations—but also notes that the real costs are mostly not borne directly by the corporation: while …

The myth of fingerprints

InfoWorld (Chris Wysopal): Election system hacks: we’re focused on the wrong things. Chris (who cofounded my company Veracode) says that we should stop worrying about attribution: Most of the headlines about these stories were quick to blame the Russians by name, but few mentioned the “SQL injection” vulnerability. And that’s a problem. Training the spotlight …

Smart thermostats, dumb market

One of the things I’ve been theoretically excited about for a while in iOS land is the coming of HomeKit, the infrastructure for an Internet of Things platform for the home that includes standard controller UI and orchestration of things like smart thermostats, light bulbs, garage door openers, blinds, and other stuff. I’ve been personally …

The spicy is life

There are very few sentences of five words or less that will make me drop what I’m doing and read something closely. “Sichuan Cuisine, Imperiled by Success” happens to be one of those sentences. The New York Times does a review of how the demand of extreme eaters for more and more spicy foods is imperiling authentic Sichuan cuisine. …

Never too late to have a happy childhood

It seems I’m falling into a pattern where at least one day a week, I will end up posting for two days’ worth of material. This is one of those days. At least I have a good excuse for not posting. It was Veracode’s Hackathon IX this week, and that means craziness. Monday’s activity? Live-action Pac-Man. What …

Today in my blogging history

I sometimes forget to take a look back at things I’ve written—forgivable if you ignore the almost fifteen years of blog history here. For all that, my beats have remained relatively steady, as a look back at March 30 in my blog’s history reveals. Going backward, we have: One year (and a few days) ago: An …

“Has a Bacon number of 3”

I added a line to my Twitter bio recently that probably bears some explanation. Here’s my current bio: Grammy Award winning product guy for Veracode, building the most powerful application security platform in the world. Has a Bacon Number of 3. Most of this is self explanatory, as I’ve written about the Grammy and my employer …

Democracy inaction: review of the Lessig presidential race

Larry Lessig in the New Yorker: Why I Dropped Out. This was the second part of a two-part essay about Lessig’s presidential bid. The first part, Why I Ran for President, reads like the first page of a thesis of political science. Sadly, the second part is much shorter and details Lessig’s major misstep—his distracting promise to …