Jason Taylor
Bio
Jason Taylor is an application security expert and published author, responsible for application security for Arc XP - the Washington Post’s publishing platform.
As the Chief Technology Officer for Security Innovation he was responsible for the strategic direction of the company’s technology initiatives. He has spent his career focused on application development and testing with a primary focus on application security. Prior to joining Security Innovation, he served as a Test Architect, Development Manager, and Security Lead at Microsoft. He was on the Internet Explorer team starting with Internet Explorer 3 through Internet Explorer 6. He was also involved in various releases of Windows and worked on the precursor to the Windows Presentation Framework, code-named Avalon.
At Security Innovation he had the privilege of leading development teams, penetration test teams, and consulting teams working to improve the security practices and processes of customers ranging from small startups to Fortune 100 companies. In addition, he has worked with the patterns & practices team at Microsoft as an external reviewer, contributor, and primary author for MSDN content and Microsoft Press published books. He has been a Microsoft patterns & practices Champion as well as a Microsoft Developer Security MVP.
Jason Taylor has also written two science fiction novels, Ganymede and End of the Wild, focused on the impact of technology on our shared future.
Credit: Patrick Tomasso @ Unsplash
AppSec Strategy for AWS Cloud SaaS
Purpose The purpose of this document is to outline an application security strategy and roadmap for AWS Cloud SaaS applications, covering both application security concerns as well as AWS specific infrastructure. This is a checklist style article to help start conversations and give you information to perform further research. I’ve referenced other white papers and further reading available for more information throughout.
Application Security An effective application security program will reduce security risk associated with code development while keeping disruption to the normal SDLC processes to a minimum.
Read more >>
Credit: Daniel McCullough @ Unsplash
System Design for Security
My background is as a developer and a security professional, so when I had to learn system design I approached it from that perspective. While I was familiar with many of these concepts, I decided that I had to learn it in depth and in earnest. Now that I know more, I’m convinced that every developer and every security professional should understand these concepts. For all of you who are like me and want to learn more, here’s an overview to help you think about system design, coming at it from a mindset of application security.
Read more >>
Credit: Barry Weatherall @ Unsplash
AppSec Vulnerability Cheatsheet
There are a number of places online where you can find details about application security vulnerabilities, but it is surprisingly hard to find a single location that provides a summary of all the most important vulnerabilities to be aware of.
While any high-risk vulnerability is worth fixing, It’s worth adding a layer of prioritization around the most common vulnerabilities that are being used in attacks and exploits.
The following statistics were reported by Contrast Security.
Read more >>
Credit: Pexels
How to Scale an Application Security Program - Part Two
In my last blog post, I wrote about what an application security program is and why it matters. In this post, I’ll cover what it takes to build and scale an effective application security program. I’ve seen many different ways that a well-intentioned program can fail to meet its objectives. While there may be many ways to fail, there are just a few key characteristics that lead to success.
The program must be:
Read more >>
Credit: Pexels
How to Scale an Application Security Program - Part One
In the late 1990s I worked on the security team for Internet Explorer. In fact, I was the first hire that Microsoft made in response to an influx of browser-based security vulnerabilities. I got to see what it looks like when a development team is bombarded by security problems that are serious enough to require a response and yet there’s no process to handle it. In the early days we would get at least one new vulnerability each week.
Read more >>
Credit: Dane Deaner on Unsplash
It's Always About People
It seems like everyone is struggling to build a scalable application security program these days. Budgets are small, internal politics and bureaucratic inertia are a real problem, and in the meantime the threat landscape isn’t waiting while your business figures things out.
I would love it if my conversations with customers could be focused on a holistic, risk-centered approache that combines improvements to people, process, and tools in order to reduce risk to manageable levels.
Read more >>
A Conversation With the Father of Public Key Infrastructure
In today's post, I'd like to introduce you to Loren Kohnfelder, an old friend of mine. I met Loren at Microsoft in the late 90's when we were tasked with the herculean task of improving the security of Internet Explorer.
It was an exciting and harrowing time, and while it is amazing to think about how far we've all come, it is also surprising to realize how many of the security challenges we struggled with twenty years ago are still with us today.
Read more >>
I'm Thankful for CISOs
I used to think I’d like to be a CISO. Now that I’ve spent the past few years speaking with CISOs, I’m not so sure I’d want the job. CISOs have targets on their backs, they hold our data in their hands and I, for one, am thankful for what they do.
I’m convinced that the CISO job is one of the hardest, most thankless, and most stressful jobs on the planet.
Read more >>
Security Takes Commitment
In my last post , I talked about the fact that none of us knows how to solve the problem of cybersecurity. It’s a tautology, so it shouldn’t be surprising. If we knew how to solve the problem, the problem would be solved. Therefore we don’t know how to solve the problem. But it is surprising, and so it feels like a ‘hard truth’ rather than ‘the truth’.
When confronted with a long-standing problem (like cybersecurity), it is typical to assume that if we had more will, more resources, more intelligence, or perhaps more of all of the above, we could solve the problem.
Read more >>
None of Us Knows What We Are Doing
I want to let you in on a little secret. Nobody in the security profession, especially those of us in the software security profession, truly knows what we are doing. You’d never know it talking to security vendors. If you attend a security conference you can walk the booths and talk to hundreds of security professionals selling solutions that cost tens or hundreds of thousands of dollars, each promising that they will solve your security problems with their technology platform, their professional services, and most importantly with their new deep learning, AI algorithms.
Read more >>
Anonymous Is Better at SysAdmin Than You
Earlier this year I listened to Sabu talk. Sabu the hacker. The same guy who was the brains behind Anonymous, who knocked down email servers in Iran, who attacked DNS servers in China, who participated in the cyber fight during the Arab Spring. The same Sabu who turned on his fellow hackers, putting them behind bars in order to reduce his own prison sentence.
This is a guy who has been on the dark side and come out to tell us about it.
Read more >>
Getting to Yes
In this post I want to try something new. Rather than writing an article, I’ll capture a dialog between Joe and I as we discuss a topic that interests us both.
On Joe’s recommendation, I recently read Getting to Yes , written by Roger Fisher, William Ury, and Bruce Patton for the Harvard Negotiation Project. The book is nearly thirty years old, but it has been continuously updated and it still contains lessons worth learning.
Read more >>
What About AI in Security?
I was recently asked to give a talk about the state of AI in the field of Cyber Security. As I put together my comments, I found myself wondering, as I often do when on this subject, why AI hasn’t made a bigger impact on my field. I’ve been thinking about how to use AI techniques to improve security results for nearly two decades, and while the tooling and platform have gotten bigger and better, the impact I have been expecting has not yet materialized.
Read more >>
Can Security Training Change Lives?
I had the opportunity to spend a few days at a security conference last month, in which I talked with hundreds of people in the information security community about their fears, concerns, hopes, and plans. One thing that stood out to me was the sheer optimism and joy that most of the conference attendees brought with them. They were not there (only) for the swag or the cocktail hour or the chance to be away from their day jobs for a few days.
Read more >>
Welcome!
Joe and I created this website and newsletter to help you do your job better, and in so doing, make the world a better place for all of us to live in. We want to share with you what we see in the security industry, and in the world at large, through the lens of two security professionals who have been at this for a very long time. We have been thinking about security, finding and exploiting vulnerabilities, writing interesting code, managing teams of engineers, and helping our customers (large and small) up their game for over twenty years each.
Read more >>