
Author Archives: Jim Bird

Jim Bird
Jim is an experienced CTO, software development manager and project manager, who has worked on high-performance, high-reliability mission-critical systems for many years, as well as building software development tools. His current interests include scaling Lean and Agile software development methodologies, software security and software assurance.

Application Security – Can you Rely on the Honeymoon Effect?


I learned about some interesting research from Dave Mortman at this year’s RSA conference in San Francisco which supports the Devops and Agile arguments that continuous, incremental, iterative changes can be made safely: a study by the MIT Lincoln lab (Milk or Wine: Does Software Security Improve with Age?) and The Honeymoon Effect, by Sandy Clark at the University ...


Implementing Static Analysis isn’t that easy


Static Analysis Testing (SAST) for software bugs and vulnerabilities should be part of your application security – and software quality – program. All that you need to do is run a tool and it will find bugs in the code, early in development when they are cheaper and easier to fix. Sounds easy. But it takes more than just buying ...


Can you Learn and Improve without Agile Retrospectives? Of course you can…


Retrospectives – bringing the team together on a regular basis to examine how they are working and identify where and how they can improve – are an important part of Agile development. Scrum and “Inspect and Adapt” So important that Schwaber and Sutherland burned retrospectives into Scrum at the end of every Sprint, to make sure that teams will continuously ...


How much can Testers help in Appsec?


It’s not clear how much of a role QA – which in most organizations means black box testers who do manual functional testing or write automated functional acceptance tests – can or should play in an Application Security program. Train QA, not Developers, on Security At RSA 2011, Caleb Sima asserted that training developers in Appsec is mostly a waste ...


Stop Telling Stories


There are beautiful, simple ideas in today’s Agile development methods that work really well. And some that don’t. Like defining all of your requirements as User Stories. I don’t like the name. Stories are what you tell children before putting them to bed, not valuable information that you use to build complex systems. I don’t like the format that most ...


Appsec’s Agile Problem


Agile development has a serious Appsec problem. Most Agile development teams suck at building secure software. But one of the reasons for this is that Appsec has a serious Agile problem. Most security experts don’t understand Agile development and haven’t come to terms with the way that Agile teams design and build software; with the way that Agile ...


Applying the 80:20 Rule in Software Development


Managers don’t want to think harder than they have to. They like simple rules of thumb, quick and straightforward ways of looking at problems and getting pointed in the right direction. The simpler, the better. One of the most useful rules of thumb is the 80:20 rule: 80% of effects come from 20% of causes and 80% of results come ...


Adding Appsec to Agile: Security Stories, Evil User Stories and Abuse(r) Stories


Because Agile development teams work from a backlog of stories, one way to inject application security into software development is by writing up application security risks and activities as stories, making them explicit and adding them to the backlog so that application security work can be managed, estimated, prioritized and done like everything else that the team has to do. ...


Making Devops work outside of Webops


I’ve spent the last 3 years or so learning more about devops. I went to Velocity and Devopsdays and a bunch of other conferences that included devops stuff (like the last couple of OWASP USA conferences and this year’s Agile conference). I’ve been following the devops forums and news and reading devops books and trying out devops tools and Continuous ...
