https://securedelivery.io/practitioners/toby-irvine/Recent content on Secure DeliveryHugo -- gohugo.ioen-usMon, 04 Jan 2021 21:53:43 +0000https://securedelivery.io/articles/play-owasp-cornucopia-mobile-online/Tue, 11 Jun 2024 14:13:11 +0100https://securedelivery.io/articles/play-owasp-cornucopia-mobile-online/This week, the OWASP Cornucopia project announced some significant updates, and I’m proud to have contributed one. I like to tell a story, though, so first a bit of history. At Secure Delivery, we’ve always used the card games Cornucopia and Elevation of Privilege and love the agile approach to threat modelling that puts development teams at the heart of uncovering security issues in their systems. Three years ago, in May 2021, a global pandemic was making it pretty damn hard to sit in a room together and play cards.https://securedelivery.io/articles/the-lost-art-of-keeping-a-secret/Mon, 18 Apr 2022 14:38:14 +0000https://securedelivery.io/articles/the-lost-art-of-keeping-a-secret/When we’re working with product development teams, one of our foundational principles is that product security isn’t just a quality of what’s being delivered, it’s in the quality of your ways of working, too. There are many ways that how you’re delivering products can cause security issues. One of these ways is how you’re handling the secrets that are part of your product development (credentials, API keys, private certificates, etc.). A screw-up here can very quickly cause a Very Bad Day™, so what should we be doing to keep our secrets, well, secret?https://securedelivery.io/articles/what-is-devsecops/Thu, 31 Mar 2022 12:58:14 +0000https://securedelivery.io/articles/what-is-devsecops/Is it too on the nose to use an image of a waterfall for this article? Sure, it’s the classic example of a one-way process but it’s also continuous delivery of water. Keep reading for more incredible insights! In the Beginning Some of us have been around for a very long time. We remember dial-up internet, BBSs and Webrings and we’ll bore you senseless with repeated stories of how nothing’s changed in tech, really, but somehow and at the same time everything’s changed and completely for the worse.https://securedelivery.io/articles/securing-the-digital-factory-part-1/Tue, 22 Mar 2022 11:30:08 +0100https://securedelivery.io/articles/securing-the-digital-factory-part-1/I’m not sure what’s the best hero image for an article talking about “digital factories”, maybe it’s a “Minority Report but in a hardhat” kind of vibe? Let’s go with that. To business! If you know me you know I’m not a big fan of analogies. They’re generally used to poorly convey a reasonably complex topic in an overly-simplistic way, by people who have a poor understanding of the subject matter to start with.https://securedelivery.io/articles/chestertons-fence-and-monkeys/Mon, 12 Apr 2021 08:14:42 +0100https://securedelivery.io/articles/chestertons-fence-and-monkeys/Chesterton’s Fence, and Monkeys G. K. Chesterton—writer; modernist philosopher; friend to George Bernard Shaw, H. G. Wells and Bertrand Russell but, most importantly, author of a piece I can torture into an article on security. Chesterton’s fence In the matter of reforming things, as distinct from deforming them, there is one plain and simple principle; a principle which will probably be called a paradox. There exists in such a case a certain institution or law; let us say, for the sake of simplicity, a fence or gate erected across a road.https://securedelivery.io/articles/how-to-scale-product-security/Mon, 15 Mar 2021 13:29:08 +0100https://securedelivery.io/articles/how-to-scale-product-security/The Ratio In our work with large organisations we’ve developed a “rule of thumb” that quite usefully predicts the proportion of development and cybersecurity staff in the workforce. For companies whose primary business isn’t software development but have internal, established application delivery capability (banks, telcos, etc.) around 10% of the workforce are software developers. At the scale these organisations operate at, typically an architecture function has split off from engineering and is around 10% of the developer total.https://securedelivery.io/articles/what-is-the-cloud-its-zero-trust/Mon, 20 Jul 2020 11:37:42 +0100https://securedelivery.io/articles/what-is-the-cloud-its-zero-trust/Is this guy really going to do a “What is the cloud?” article in 2020? Yes, he is. I mean, I am. Because I want to talk about the cloud. No, not cloud computing. No, not a series of tubes. Not “just someone else’s computer”. This cloud: This actual cloud. We’ve all seen it thousands of times, and you’ve probably used it a lot if you’re reading this article. You might have seen it in use like:https://securedelivery.io/articles/the-chaos-butterfly-of-security-standards/Tue, 14 Jul 2020 09:32:42 +0100https://securedelivery.io/articles/the-chaos-butterfly-of-security-standards/The mathematician and meteorologist, Edward Lorenz, made the Butterfly Effect famous with his talk in 1972, “Does the Flap of a Butterfly’s Wings in Brazil Set Off a Tornado in Texas?” and it’s stuck in the popular conscious ever since. The notion that small events in a chaotic system can build to large changes over time and space. In large companies I frequently see a hope that a similar mechanism will occur when a security standard is published to the company SharePoint.https://securedelivery.io/articles/biggest-misconception-in-appsec/Wed, 01 Jul 2020 09:41:00 +0100https://securedelivery.io/articles/biggest-misconception-in-appsec/I’ve touched on this in previous articles, but it’s worth dedicating a little time to this misconception as it’s at the root of so many of the problems that organisations have with security and delivery. A common way to think about maintaining security while delivering software systems at pace is this. Where rapid delivery of changes into production is one end of a scale, being secure is at the other end and, as an organisation, you pick where along the scale you’re comfortable according to your risk appetite.https://securedelivery.io/articles/building-a-culture-of-quality-not-just-security/Mon, 29 Jun 2020 08:30:08 +0100https://securedelivery.io/articles/building-a-culture-of-quality-not-just-security/In my previous article I covered how security is just one aspect of the quality of the applications you’re building. Today I’d like to focus on the process of building high quality systems and, in a startling break with tradition, actually define what culture is so that we can talk meaningfully about culture change. Let’s remind ourselves of the standard for software quality from ISO 25010: It never makes sense to talk about “building a culture of security”.https://securedelivery.io/articles/number-of-data-breaches-is-not-a-good-security-metric/Thu, 18 Jun 2020 11:30:08 +0100https://securedelivery.io/articles/number-of-data-breaches-is-not-a-good-security-metric/Ok, of course it’s not. Does this feel familiar though? Budget gets allocated to cybersecurity Cybersecurity activities happen Everyone is reasonably happy, except the application delivery teams having cybersecurity activities done to them Terrible news - a data breach! PANIC Budget gets substantially increased for cybersecurity Substantially more cybersecurity activities happen Everyone is reasonably happy, except the application delivery teams having substantially more cybersecurity activities done to them Terrible news - a data breach!