Joe Basirico
Bio
Joe Basirico has worked in the Software Security Industry for nearly two decades. During this time he has helped companies from startups to Fortune 500 reduce their overall application risk by understanding and balancing business drivers and deep technical concepts.
He has built and led a team of some of the best application security experts and developers in the country, helping to grow his team from an eight-person startup to a leading cybersecurity business. Under his lead the engineering team regularly delivers high value security services, research, and products.
Joe regularly posts here, at ReThink Security, to help share his insights and guidance with leaders in the software security space as well as his personal blog at whoisjoe.com. He speaks at security conferences and has been guests on podcasts. Please reach out to learn more.
Credit: Photo by Eric Prouzet
100,000 People Have Been Laid Off, What’s Next
A hiring manager and a recruiter’s guide to getting hired. This post is a collaboration between me, Joe Basirico, and one of the best tech recruiters in the industry, Ellen McGarrity. You can learn more about Joe on this website. Throughout you can read Ellen’s take, in her own words in blue text
Ellen has spent her 18-year career focused on recruiting in the software tech industry at both large (Microsoft, Amazon, Salesforce) and small (Tableau, Highspot) companies.
Read more >>
Credit: Asanan Aphisitworachorch @ Unsplash
Part 3 — Vetting Past Assumptions
This is a multi-part blog series. If you haven’t already I encourage you to read the first two installments:
Part 1 - My First 100 Days in ProdSec at a Series E Startup
Part 2 - From gates to responsibilities
As mentioned in my previous posts, one of the key takeaways from The First 90 days was to understand that past performance and solutions will not necessarily help you in the future.
Read more >>
Credit: unknown
Part 2 - From Gates to Responsibilities
This is part of a multi-part blog series, if you haven’t already, please check out the first post:
Part 1 - My First 100 Days in ProdSec at a Series E Startup
In my first blog post I discussed how I found Highspot and what attracted me to this company. I discussed the immediate challenges I faced as I scaled up my own knowledge and tried to rapidly snap to the new culture and demands of my role.
Read more >>
Credit: Daniel Cheung @ Unsplash
Part 1 - My First 100 Days in ProdSec at a Series E Startup
After working in the application security consulting industry for nearly two decades and helping to solve my clients’ most difficult challenges, it was time to put what I used to tell others into practice. These are my lessons from the first 100 days. I’ve created security teams, bug bounty programs, set up tooling strategies, hiring plans, and more. I thought I’d hit the ground running and start making an impact on day 1, or at least day 99, while I made some impact early I had a lot to learn.
Read more >>
Credit: Joe Basirico
Phase One of Appsec Engineering: Awareness
This is part of a series Introduction Awareness (you are here) Enablement (coming soon) Enforcement (coming soon) Last week I published a post introducing three important phases of AppSec Engineering: Awareness, Enablement, and Enforcement. Over the next three posts I will dive into each of these topics to share best practices and guidelines you can roll out to optimize your security engineering practice.
In my experience, the best AppSec programs start with AppSec awareness training.
Read more >>
Credit: Joe Basirico
The Three Phases of Appsec Engineering
This is part of a series Introduction (you are here) Awareness Enablement (coming soon) Enforcement (coming soon) In order for an AppSec team to collaborate effectively with development teams they should think in three phases: Awareness, Enablement, and Enforcement. This month I’ll be dedicating an article to each. The focus of these articles will be on the critically important area of application security, focused on the roles involved in building software: developers (DevOps), testers, and architects.
Read more >>
Credit: Joe Basirico
October 2020 Newsletter - Three Phases of AppSec Engineering
This month I’ve been thinking a lot about how security engineering teams collaborate effectively with development teams. In my experience, it comes down to these three phases: Awareness, Enablement, and Enforcement. This month I’ll be dedicating an article to each, but as a subscriber to this newsletter, I want to give you a sneak peek. The focus of these articles will be on the critically important area of application security, focused on the roles involved in building software: developers (DevOps), testers, and architects.
Read more >>
Credit: Joe Basirico
1 Year Anniversary! - October 2020
It’s hard to believe, but we’ve been writing these newsletters for more than a year now! Our last newsletter had an amazing open rate (about 50%) in our last newsletter, 2-4 times the national average!
When we started this newsletter and blog our goal was to give you the best security insights out there without a hint of sales or marketing spin. No BS, just good information to help you be successful.
Read more >>
Credit: Joe Basirico
August 2020 Newsletter
Instead of a full fledged long-form article or two I decided to write a couple of mini-articles, these are small ideas that I’ve been kicking around for a while, but haven’t made into full fledged articles yet. I’ve included these here and will publish them on the blog as well. Of course, I’ve also included lots of security articles from around the web as usual.
ReThink Mini-Articles Reducing vulnerability classes to near zero through secure defaults and good choices.
Read more >>
Credit: Alan Bishop @ unsplash
Mini-Post: Stop Acting Like Phishers
There are two sides to preventing a successful phishing attack. The first side is focusing on the user; trying to train users to identify phishing attacks and to protect themselves from these types of attacks. Training is important, but there’s a responsibility on the company to act in a way that does not emulate common phishing techniques and set your users up for failure.
The second side of the successful phishing attack is the software and technology side.
Read more >>
Credit: Joe Basirico
Mini-Post: Reducing Vulnerability Classes to Near Zero Through Secure Defaults and Good Choices
“If you could wave a magic wand and do anything to reduce vulnerabilities, what would you do?”
Some common answers are things like training and education, forcing penetration testing, better tools, and smarter users, but none of these things really strike at the core of the issue. Where is the vulnerability garden? Where are those vulnerabilities planted? Can we make that soil hostile to vulnerabilities and rich for good coding practices?
Read more >>
Credit: Joe Basirico
July 2020 Newsletter
Since COVID started I’ve been having a hard time keeping track of time. It feels like it’s been somewhere between 2 weeks and 2 years since this all began. After a bit of a hiatus I’m excited to start back on a regular cadence, sending out the ReThink Security Newsletter each month. Barring another global catastrophe, I’m happy to focus on bringing you security insights and interesting security related news.
Read more >>
Credit: Visual Cinnamon & NY Times
You Have an Obligation to Fight for Privacy
Note: The header image was created by Visual Cinnamon for The New York Times on an opinion piece on digital trackers.
By now everyone is familiar and desensitized to cookie popups that bombard us on our first visit to almost every. These cookie consent alerts are there for a reason, they are required by new legislation such as GDPR and the California CPA. This legislation has been introduced to try to protect consumers from boundless data collection policies , which is a laudable goal.
Read more >>
Credit: Joe Basirico & Rob Curran
Building a Security Team of 500
I recently talked with a CISO friend of mine who was struggling to scale his security team. He has fewer than 10 security people on his team to support an organization with over 500 developers and 2000 employees. Responding to all of the requests which include: development best practices, legal and compliance, security awareness, IT security, trying to organize his team to perform the scanning, testing, reviews and more left him under water and stressed out!
Read more >>
Credit: Joe Basirico
May 2020 Newsletter
I’m excited to announce that we’ve launched a twitter account. If you’re on twitter, please follow us: @ReThinkSec . I’d like to use twitter to send out interesting articles and insights that may not make it into the newsletter or for topics that are more timely and can’t wait a month to get out. It’s also a good way for you to send interesting topics to me, if there’s something you think would be good for an upcoming article or a piece of news that should be in an upcoming newsletter just @mention us or DM it to us and we’ll help get the word out.
Read more >>
Credit: Kroll Historical Maps
A Traveler's Method of Learning Technology
My favorite thing about my career in security consulting has been the constant opportunity to learn new topics. Security weaves itself through every aspect of software, and software is everywhere. The phone in your pocket, the bluetooth chip in your headphones, your automobile, and the SCADA systems you rely upon every day execute millions of lines of code on your behalf. The idea that each of those systems gives me the opportunity to gain new knowledge is truly exciting.
Read more >>
Credit: Joe Basirico (cc attribution)
Every Application Fails in Unique but Predictable Ways: A Study in Zoom
Zoom is an interesting case study in the various ways that software can fail. The Zoom team has had to learn a lot of lessons quickly, including the pitfalls of reusing components, figuring out how to make security engineering improvements to their SDLC and DevOps processes, and the need for a CISO leadership team.
In this article I want to walk you through some of the issues that were recently publicized.
Read more >>
Credit: Jay Heike @ Unsplash
April 2020 Newsletter
A month later and the world has shifted underneath us all. Most of us are working from home and adjusting to the new normal of having drinks with friends over video chat and conducting work from slack only. If you’re like me you’ve probably found yourself becoming an amateur virologist and epidemiologist very quickly. While I usually read dozens of security articles each month to curate a nice list of articles that are critical for security leaders, like yourself, to be aware of, this month I’ve found myself grappling with COVID and the fastest financial slide in history.
Read more >>
Credit: Jay Heike @ Unsplash
Are You a Firefighter or a Building Inspector
Firefighters are heroes. They rush into burning buildings to save our families and heirlooms from disaster. They are there in the middle of the storm to help.
Building Inspectors are bureaucrats. They tell us how to safely build and remodel while mitigating unforeseen threats that may never come.
But who has saved more lives and property?
It’s difficult to determine how many disasters have been averted by building codes or by the recommendations and requirements from building inspectors, but I suspect a lot more disasters are averted through their careful building plans, processes, and procedures than by firefighters responding to a fire.
Read more >>
Credit: Smithsonian American Art Museum and its Renwick Gallery
March 2020 Newsletter
Don’t forget to subscribe to the newsletter to receive this in your inbox as soon as we write them! While everybody has been discussing the Coronavirus and the elections we have been focused on providing you with the best application security guidance and news out there. The March edition of this newsletter brings two new ReThink articles and a variety of interesting articles that I’ve found this month. The threat landscape is evolving.
Read more >>
Credit: Smithsonian American Art Museum and its Renwick Gallery
Exploring the Darkweb
The best way to understand attacker tools, data breaches, and the underground marketplaces is to go to the source and learn what we can. Join me on a tour of the Darkweb.
Warning: the following action should be performed by trained professionals only. Do not attempt this at home.
One of the great benefits of large scale network connected computers is that it allows likeminded people to build communities in order to share ideas, techniques, tools, and software.
Read more >>
February 2020 Newsletter
Don’t forget to subscribe to the newsletter to receive this in your inbox as soon as we write them! This edition of the ReThink Newsletter includes two new ReThink articles, both of which cover important topics for our industry. It also includes five articles we think are the most interesting or important security news from the industry.
Recent ReThink Articles Jason published an interview with Loren Kohnfelder, the father of Public Key Infrastructure.
Read more >>
Defending Against a Potential for Iranian Cyber Response
I recently had the opportunity to sit in on a conference call with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and got a chance to hear how they’re thinking about protecting against cyber threats after escalating tensions between the US and Iran.
I’d like to summarize what I heard and reference a few useful supporting cybersecurity guidelines.
On the call CISA made it clear that although they’ve prepared a National Cyber Awareness System Alert and a CISA Insights document specific to the increased geopolitical tensions and threats, they have yet not seen an increase in attacks from Iran.
Read more >>
Defense in Depth, What I Should Have Done to Save Myself From Dire Injury
I caught three of my fingers in a tablesaw this last weekend, which caused a severe hand injury, mangling my fingers, tearing off my fingernails, and breaking the bones. It was pretty terrible, but luckily the hand surgeon says I should have a complete recovery in a few months.
Me being me, this got me thinking about some of the things that I could’ve done to mitigate the injury before it happened.
Read more >>
December 2019 Newsletter
Please be sure to subscribe Don’t forget to subscribe to the newsletter to receive this in your inbox as soon as we write them!
Our last newsletter of the year brings quite a few great new articles from the end of November and the beginning of December. There was a lot going on this month.
We have four new articles and a brand new website. We got a lot of feedback that the old website was slow, difficult to view on mobile, and included an unnecessary amount of JavaScript.
Read more >>
It Will Go Wrong. What Will You Do When It Does?
A friend of mine just left the world of consulting. I asked him for the biggest change in his thinking, he said:
Something is going to go wrong. It’s not a matter of if, it’s when. When that bad thing goes wrong everything hinges on how you detect and respond to it.
As consultants so much of our job is focused on reducing risk for our clients, but that’s all we can do.
Read more >>
A Hacker’s Manifesto and 2TB Data Breach From Cayman National Bank and Trust
On Saturday a transparency collective named “Distributed Denial of Secrets” tweeted that they have released a massive data set from a recent breach. Over 2 terabytes of data has been released and is hosted by DDoS and on Torrents. In addition to the data that was released the hacker published a manifesto and hacking guide called “HackBack - A DIY Guide to rob banks" alongside the data dump. The hacker, who goes by Phineas Fisher, originally wrote the HackBack guide in Spanish, however, this morning I found a translated copy.
Read more >>
Deconstructing a Sexploitation Attack
The Next Wave of Cyber Attack Imagine receiving an email with your username and password as the subject line. Inside the email there is a PDF that has been encrypted with a password provided in the body of the email. What do you do? Whoever sent the email has already proven they know who you are, and you probably want to know what else they have and what they’re asking for, right?
Read more >>
You Are Spending Too Much on Security
… or not enough, but you certainly don’t have it right.
Security takes commitment, but it’s not as simple as all or nothing. Knowing how much to commit for your level of risk tolerance is critical. The first thing you need to do when improving your security program is set honest goals about what you want to achieve.
Ideal security investment means, do what is necessary and nothing more. Every dollar you spend to secure something that isn’t going to be attacked is a dollar that isn’t used to lead the market, build new features, or sell and market your solutions.
Read more >>
Follow the Money
Back in the day hackers hacked to see what was possible. Why did they do it?
Because it was there.
I’m pretty sure Robert Morris said that. A lot of the most interesting and epic hacks in the early days of software were about pushing boundaries or learning systems for the simple joy of understanding how they worked. There are still a couple of areas like that left: the incredible checkm8 research comes to mind.
Read more >>
We Are in the Midst of a Cyber Cold War
As tensions ratchet up between the US, Russia, North Korea, Iran, and China the Cyberwarfare landscape is changing. Our critical infrastructure that we rely on every day is brittle and critically out of date. Industrial Control and SCADA systems touch on almost every aspect of your daily life from clean water, energy, to transportation. The pieces are falling into place for a very scary outcome.
If news headlines, global trends, and tech reports tell us anything about cyber security in Industrial Control and SCADA systems in the past few years, it’s that we are currently in cyber cold war, and a full on cyber war could follow in short order.
Read more >>
Why the Apple Card Is a Gorgeous Piece of Garbage
I certainly love Apple products, and I own most of them. But Apple really missed the mark with the physical Apple Card.
I love the perfectly white surface, as well as the beveled etching of the Apple and MasterCard logos. Even the chip connector is remade to be symmetric and balanced. It is gorgeous. It is a failure of engineering.
Apple struggles with form over function with almost every product it releases.
Read more >>
Do Cloud Sync Products Protect You From Ransomware?
Since my last post Protecting Yourself and Enterprise from Ransomware Attacks on the history and impact of ransomware I’ve gotten a few questions about whether Cloud Sync products like Dropbox, Box, iCloud, and OneDrive protect you from a ransomware attack. Cloud Sync products are different than Cloud Backup solutions like Mozy, Backblaze, or Carbonite. Backup solutions take a snapshot of your whole hard drive at certain points in time, because of this even if ransomware does encrypt your hard drive and your backup syncs the encrypted files to the cloud you will still have your pre-infection files available to you.
Read more >>
Protecting Yourself and Enterprise From Ransomware Attacks
I’ve had more than half a dozen friends and colleagues ask for my help in restoring encrypted files after a ransomware attack in as many months. Unfortunately, when ransomware is done “right” there’s little you can do other than restore from a backup and start again. You do have good backups, don’t you?
Ransomware (like Cryptowall, Wannacry or Petya) is a type of malware that works by encrypting each personal document it finds and then deleting the original.
Read more >>
Inspiring Your Teams in Security
Security enforcement is the traditional way of thinking about security, in which security teams are set as a gate to pass before software is allowed to be released. Because of this, development teams see security requirements as hurdles to pass instead of valuable insights. This isn’t unreasonable, most security teams have set themselves up this way, standing as the last bastion of security. I’ve heard security colleagues even say things like “every vulnerability must be fixed before ship!
Read more >>
Getting to Yes
In this post I want to try something new. Rather than writing an article, I’ll capture a dialog between Joe and I as we discuss a topic that interests us both.
On Joe’s recommendation, I recently read Getting to Yes , written by Roger Fisher, William Ury, and Bruce Patton for the Harvard Negotiation Project. The book is nearly thirty years old, but it has been continuously updated and it still contains lessons worth learning.
Read more >>
Defcon - There Has Never Been a Better Time to Get Into Security
I just returned from the 27th Defcon security conference. I’ve been attending for the last 12 or so years and it has been interesting and fun to see the conference grow and mature. Once intimidating due to the homogenous attendees, lewd contests, and a “Try Harder” mantra, it has now evolved into a great place to learn and meet new people.
Each year I speak at, or attend, a handful of security conferences.
Read more >>
Google’s Global Adaptive Authentication
Passwords are the scourge of application security. Password reuse is rampant, data breaches compromising poorly stored passwords are common, passwords are difficult to remember and easy to crack, password guidance is inconsistent.
Against all these odds we put the responsibility of account security squarely on the shoulders of our users. We give them tools that will make them more secure, but are difficult to use like Multi-Factor Authentication and Password Managers.
Read more >>
Privacy as a Differentiator
I really appreciate the efforts that Apple has made to protect the privacy of their users. In my mind this does two things. First, it offers a model of competition where other companies can see Apple’s success in protecting data while providing competing features. Second, it gives customers an option to “un-subsidize” the common advertising and data-as-currency model for cheap devices.
The problematic component of this means that we could end up with a two tier privacy model whereby an individual can maintain the privacy of their data and self only if they are able to pay for it.
Read more >>
Where to Begin
“Where to begin” is a common question we hear in security. Our clients will come to us and ask what they should do next in terms of security. What’s their next step. What will make the biggest impact, or what’s the best value for their investment.
As we kickoff this new newsletter and website I find myself asking the same question. Where to begin.
When I work with our clients my first questions we gravitate toward is to understand their goals.
Read more >>