This is an updated re-post of an article I wrote on the PKC Blog in June 2018. There’s always a reason to rebuild. Perhaps you’re a CEO of a startup that has had some success and your engineers are clamoring to re-platform and do a rewrite from scratch. Perhaps you’re an executive or IT lead […] The post 5 Red Flags Signaling Your Rebuild Will Fail appeared first on Ken Kantzer's Blog.| Ken Kantzer's Blog
SANS Control 6—“Maintenance, Monitoring and Analysis of Audit Logs” The Core Principle The core principle is this: fish nets over fishing lines. In the case of security monitoring, fish nets are alerting on anomalies, where anomalies are defined as universal constants that have been broken. Fishing lines are manual search procedures. Phrase this principle like […] The post Core Control #6: Log Everything appeared first on Ken Kantzer's Blog.
SANS Control 5—“Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers” The Core Principle Let’s sum it up in three words: Secure by default. The more systems that are secure by default, the less twiddling your IT team has to do for each deployment. Less twiddling means fewer chances to make […] The post Core Control #5: Secure by Default appeared first on Ken Kantzer's Blog.
SANS Control 4—“Controlled Use of Administrative Privileges” The Core Principle This core principle can be summed up by the famous Reagan Cold War quote: trust but verify. Transcendent CISOs trust their people with privileged access, but are simultaneously very stringent about authenticating them. This approach is akin to Postel’s Law, which was the core principle […] The post Core Principle #4: Managing Privileged Access appeared first on Ken Kantzer's Blog.
SANS Control 3—“Continuous Vulnerability Management” The Core Principle That first word—continuous—is the core of this control. “Continuous” has seen a bit of hype in tech circles in other contexts. In particular, I’m thinking of continuous integration and continuous delivery from the world of DevOps and continuous improvement from the world of Digital Transformation. Why not […] The post Core Principle #3: Continuous Security appeared first on Ken Kantzer's Blog.
SANS Control 2—“Inventory and Control of Software Assets” The Core Principle The same Golden Rule that applies to hardware applies to software: know what you have. No user on your systems should be able to install an executable onto a company device without the approval of security. This may seem like a draconian policy (and […] The post Core Principle #2: Know Your Software appeared first on Ken Kantzer's Blog.
SANS Control 1—“Inventory and Control of Hardware Assets” The Core Principle There are only six controls in the Top 20 list that are designated “Basic,” and an inventory of your hardware is number one. I actually would like to rephrase this control slightly, so it better fits the core principle I wanted to highlight: if […] The post Core Principle #1: Know Your Hardware appeared first on Ken Kantzer's Blog.
CISOs have an impossible job. When it comes to developing a roadmap for my company’s security program, where is the best place to start? That’s what this series is about.
I read a comment on HN that sparked this article: GPT is kind of like DevOps from the early 2000s. Here’s the hot take: I don’t see the primary value of GPT being in its ability to help me develop novel use cases or features – at least not right now. The primary value is […] The post GPT is the Heroku of AI appeared first on Ken Kantzer's Blog.
One day, while The Teacher was walking back from a morning coffee run, a group of engineers came near and spake unto him, saying: “Teacher, we are unable to hire Talent - and many of our candidates refuse to take our coding challenges.”
My startup Truss (gettruss.io) released a few LLM-heavy features in the last six months, and the narrative around LLMs that I read on Hacker News is now starting to diverge from my reality, so I thought I’d share some of the more “surprising” lessons after churning through just north of 500 million tokens, by my […]
While I was leading PKC’s security practice, we did probably 20-30 code security audits, almost all of them for startups that were just around their Series A or B (that was usually when they had cash and realized that it’d be good to take a deeper look at their security, after the do-or-die focus on product market fit).
This post is on how technical leaders should think about the value of technology and especially technology innovation. This is not a trivial task—and the point of this post is that the commonly used method of Return on Investment (ROI) is deeply flawed.
I thought I'd take a break this week, and write about some bad engineering habits that I've found the absolute hardest to quit.
A few years ago, I was in one of my ruts. Everything I was working on seemed to be bogged down or low-leverage. What was so frustrating was that this had come on the heels of a few amazingly productive months, where I had gotten a lot done. Worse yet, this seemed to happen cyclically: […]
Hiring experienced engineers is one of the most difficult and important things that managers have to pull off. Here are some tips on things I've found.
We did several code audits for companies that rapidly scaled their engineering orgs relatively early on (we’re talking 50-100 engineers, maybe 10-35M revenue, series A/B). None of them are doing well right now, and some are out of business.
Creating the “pit of success” as a way to discourage the most severe security practices has by and large been an enormous success. We started doing code audits in 2014. React had come out in March of the previous year, and AWS Lambda came out that November.
I've been thinking recently about how to discover and hire great engineers in the hottest job market in decades. One of the biggest hurdles to hiring good engineers, and especially experienced engineers, is that they're so. unbelievably. expensive.