BACK TO BASICS
Architecture as a Service, or vArchitect
- We keep it simple - What is the problem we are trying to solve? And how are we going to solve it? Designs should never be full of theory. If the justifications for design decisions are important, they can be included in an appendix.
- SABSA based design without the endless theory of SABSA.
- Security capabilities covered: Threat and Vulnerability Management, SIEM, Trust (firewalls, trust boundary controls), Business Resilience Management (BRM), Identity Management, and Cryptography and Key Management (CKM).
Cloud Migration - Engineering and Architecture
- Architecture - see above.
- Engineering - TVM, SIEM, IDAM.
- Platforms: AWS, Google Cloud Platform, Azure.
- Integration of security capabilities with existing devops processes and technologies.
- Splunk, Alienvault, open source architectures with Rsyslog.
- We only work with clients who are interested in development of use cases for the purpose of alerting - i.e. seeing some benefit for their investment.
- Strategic and tactical Development of Security Operations functions, and incident response.
Threat and Vulnerability Management
- Infrastructure Penetration Testing.
- Application Security - "blind" OWASP testing.
- Designing capabilities for TVM - people, process, and technology - how does the organisation respond to an identified vulnerability?
Oracle Database Security Health Check
- 10g, 11g, 12c.
- Automated scanning using Musang.
- Follow up on vulnerability assessment with remediation advice.
- Splunk apps.
- Python, Django, BASH, Ruby.
- Types of engagement:
- Bridging gaps between product functionality and required functionality.
- Development of scripts for automation.
- Debugging existing automation.
Ian Tibble graduated from City University (London) in 1991 with a BEng in Computer Systems Engineering, and then went overseas in Oil & Gas exploration ("Seismic") in Algeria, Turkey, Yemen (twice), and UAE, with an accidental crossing into Libya in the deep south of the Sahara.
Ian then used his degree to get into IT at the age of 25, with first Sun Microsystems, then IBM Global Services.
In 1998 Ian joined Trusecure's testing and research lab in Asia Pacific (now Verizon Business), serving clients in banking and telcos, in Thailand, Malaysia, Indonesia, Hong Kong, Taiwan, and Australia. These first 5 years in red team/unrestricted penetration testing laid the foundation for Ian's career and gave him an attack mindset, to be followed by 2 years in DHL's ITSC in Prague, where "the other side of the fence" (defence) was the priority.
After a spell with PwC, the next 8 years up to 2015 saw Ian engaged in multiple sectors: Insurance, Telecommunications, Legal, Banking, and Trading (London Stock Exchange Group).
More recently (since 2015) Ian has been engaged as a architectural/engineering resource on cloud migration and devops projects for HSBC and HM Government (multiple departments).
Latest Blog Post
On Hiring For DevSecOps
Oct. 14, 2019, 9:29 p.m.
Based on personal experience, and second hand reports, there's still some confusion out there that results in lots of wasted time for job seekers, hiring organisations, and recruitment agents.
There is a want or a need to blame recruiters for any hiring difficulties, but we need to stop that. There are some who try to do the right thing but are limited by a lack of any sector experience. Others have been inspired by Wolf Of Wall Street while trying to sound like Simon Cowell.
It's on the hiring organisation? Well, it is, but let's take responsibility for the problem as a sector for a change. Infosec likes to shift responsibility and not take ownership of the problem. We blame CEOs, users, vendors, recruiters, dogs, cats, "Russia", "China" - anyone but ourselves. Could it be we failed as a sector to raise awareness, both internally and externally?
Security De-engineering, published by Taylor Francis, covers ubiquitous problems in information security and offers a solution in the final chapter
Areas covered: Penetration testing, Hackers, CASEs (Checklists and Standards Evangelists), IDS, Cloud Security, jobs in security, Identity Management, and organisational elements.