I started Transvasive Security in 2008 and offered consulting services until taking a full time job in 2012. This site is an archive of my work prior to 2015; I currently blog at information-safety.org and provide security consulting through my new company, Security Differently.
This week I’ve been looking through and cataloging my past presentations, and found a few older ones that were never posted here or at https://information-safety.org.
Here are brief notes and slides from these past talks:
University of MN
I presented a version of my Behavioral Information Security talk, tailored for an information security class at the Carlson School of Management, on February 13, 2012.
ISSA SEAG
On April 16, 2013, I presented a version of my Information Safety talk that I originally gave at SIRAcon to the ISSA Security Education and Awareness Group, along with the Information Safety Basics slides I’d developed.
Secure360 2013
In May 2013, I gave an updated version of the Behavioral Threat Modeling talk I originally gave at the ISC2 Security Congress in 2012.
Secure360 2017
Finally, I spoke at Secure360 2017 on “Practical Identity Access Management”, originally given at CyberSecureGov. I was later invited to present the talk again at the first (and last) Secure360 conference in Milwaukee, WI in 2018. (slides)
Over the past few days, I have been working on an overhaul of transvasive.com. I’ve started using GitHub Pages for my safety-related blog, information-safety.org, and have found that I prefer that workflow to the more traditional approach of using a CMS, like WordPress, so I decided to migrate transvasive.com to GitHub. Today, I completed that migration by adding a custom domain and redirecting traffic to GitHub Pages.
From the GitHub Repository, here is the journey of transvasive.com so far:
As part of the migration, I edited all of the historical posts, fixing a few typos and restoring broken links. In some cases, the sites referenced are no longer active – those have been replaced with the page stored in the Internet Archive when available.
While I haven’t been posting to transvasive for a few years, I wanted to maintain the site as a historical record (mainly for myself) of my writings. It’s been interesting to read through the posts during the migration and see how ideas I had years ago have evolved and influenced my contemporary work. Although my focus has shifted to safety and resilience, I do have a couple of past presentations to post here, and will post any security-focused content here.
One final note: for a single-person blog, a static site generator is easy to use and much easier to secure. I’d recommend it both for the improved security and for the benefits of being able to manage your content using version control.
Last month I gave a talk at SIRAcon 2016, “STPA-Sec: stealing from safety engineering to improve threat modeling.” The talk was well received, and I want to thank both the organizers and attendees for an excellent conference.
The talk was the result of my attendance at the 2016 STAMP workshop. STAMP includes a couple of frameworks that are used within the safety profession, both for hazard analysis (STPA) and accident analysis (CAST). There are a handful of security researchers involved with the group (mainly from MIT Lincoln Labs) and they have developed a version that can be applied to security, STPA-Sec.
STPA has been shown to identify hazards more efficiently and effectively than traditional safety methods such as fault tree analysis, identifying more hazards in a shorter period of time, and I believe STPA-Sec can do the same for information risk analysis, by more effectively identifying and communicating risks than existing threat modeling techniques. Even so, STPA-Sec is still a work in progress, and I found gaps in the model when applying it to a simple banking application: it does not directly address confidentiality, as that isn’t generally a safety concern.