The Secure Developer

Today we have a great guest who brings battle tested perspectives on security from both inside and out, Ian Amit! Ian is Chief Security Officer at Cimpress and founder of the Penetration Testing Execution Standard as well as Tel Aviv DEFCON group (DC9723). Ian has worked on everything from pen testing to red teaming, risk management, research, and national security too. We kick things off hearing about Ian’s journey in the field starting out tinkering with computers in his early teens and working on application security in its nascent phase, before he moved into consulting and then went full circle from the vendor to customer side in his current position. Ian moves on to talk about his approach to vetting vendors in light of being one himself once, and the experiences he had working at Amazon of the difficulty of drawing the line as far as shared responsibility for security between cloud providers and clients goes. We then move to hear more about the mass customization services Cimpress provides before digging into their practices for offering custom security to their clients. Ian sheds light on the minimum standards Cimpress’s clients need to meet in regards to their secure software development practices and more. He talks about how Cimpress guides their clients in this manner using a secure SDLC framework and the ‘paved road’ approach, weighing in on how this is also expanding their best practices further afield. We wrap things up hearing about the challenge of finding metrics to measure their evolving systems, and Ian talks about their use the NIST Cyber Security and FAIR frameworks in this regard. Tune in for some brilliant insights from a man who has done it all!