Matt Konda’s Post

I am headed back to Defcon for the first time in a while. If you are there, come find me - I'd love to connect. I'm excited to be plugging back in to this community and I think I'm ready to start volunteering again after a little post OWASP burnout. Check out Quantum Village, I will probably be posted up there for a bunch of Friday and Saturday.

Justin is awesome. Recommend meeting him whether you are job seeking or not! :)

Chase is great and I bet this role would be fun!

The other day a forward thinking client pointed me to James Lewis talks about Flow, Microservices and Scale. It talks about how organizations scale, age, and die and is based on complexity theory and science that applies to all sorts of examples outside of software (cities, mammals). I was fascinated by the topic in and of itself, but it really got me thinking about security and especially what his conclusions meant for those of us that work at the point where security overlaps with development. That lead me to put together this blog post (https://lnkd.in/g4P9-YbU) which represents my first pass at thinking about this more thoroughly. It also has my juices flowing again about tools that fit into a decentralized paradigm and really focus on not just "security" but "security within the context of improving and maintaining organizational health". If you are interested to explore this with me, prototypes are starting, requirements documents are being written and conversations are happening. Reach out here or anywhere you find me. Big thanks to James Lewis who also graciously engaged with me when I reached out and provided some interesting insights as well. #security #flow #developer #development #appsec

Security != Compliance (And InfoQ says so too!) Early in my career in security (eg. 2008-2012), there was a widespread toxic attitude about compliance (at that time PCI). The hard core security folks I worked around basically thought compliance was bull. Since then, I think the pendulum has swung to the other extreme where there is a cadre of $1B valuation companies capitalizing on a compliance culture - primarily around SOC2. Although I like to remind my team security isn't the same as compliance and that behind every breached company was a compliance regime, the reality is that I am very middle of the road on this topic. My philosophy is to work on strong security, and be assured that compliance will be a natural byproduct. It isn't meaningless, it just shouldn't be the part to focus on. So with this background, it was so great to see an article in InfoQ advocating for a culture shift to a risk based instead of compliance focused (https://lnkd.in/gFSX3A7a)! That is twice in a two week period I am referring to articles on InfoQ that are targeting developers and that hit the nail on the head. Kudos! The whole philosophy behind our securityprogram.io tool was to build a system that would allow companies to get great security and then map out compliance where they needed it. Security first. Even when it is unsexy and can't be automated. Cool to see this angle validated in a developer focused platform.

If you're in security, you've heard of PoC | GTFO. At Jemurai, we're more of a PR | GTFO type of company. https://lnkd.in/g6DJxihd We're all about helping and the fix. Who needs help?