
Is Your AI Philosophy Broken?
AI-Generated Code: Productivity Gains, Security Pains, and the...
Brett is a seasoned application security engineer and thought leader with a proven track record in software engineering and security best practices.
Brett has over 10 years of application security experience and 25 years in software engineering. He holds (ISC)² certifications including CISSP, CSSLP, and CCSP. As the author of Threat Modeling Gameplay with EoP and the project lead for the OWASP Application Security Awareness Campaigns, Brett actively contributes to the security community. He also maintains the Ostering.com blog, where he shares insights on security practices.
Brett has successfully collaborated with teams to define security best practices and integrate security by design into their software development lifecycle (SDLC). His training initiatives in threat modeling have led to significant improvements in design quality and security awareness within organizations.
In his spare time, Brett enjoys sports, gardening, cooking, and photography. He is fluent in both English and Italian and holds dual citizenship.
Key Skills: Secure by Design, Privacy by Design, Threat Modeling (STRIDE, EoP, Privacy, LinddunGO, Plot4AI), Secure Coding, Vulnerability Management, and more.
Brett welcomes connections and opportunities to collaborate on innovative security solutions.
There are lots of ways we can optimise what we do through a data-driven approach, but we need to be careful and apply critical and creative thinking as well.
Why are so many people diving straight into the code, with a bare minimum of requirements and design? Perhaps even a threat model first?
We need to fix the culture of the software engineering industry, from top to bottom. Here are just some of the issues as I see them and what we should be doing about them.
Coming soon to a bookshelf near you, Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture
Some interesting security and creativity games plus a few more
Threat modeling with teams is a process that requires visuals, interaction between team members and discussion, and so lends itself to everyone being in a room together. This has been quite hard for the last two years. It also doesn’t look to be getting any easier, so we should probably get used to it. Here’s how I’ve been doing it with several teams.
So often organizations believe that application security stops at penetration testing and fixing vulnerabilities, but it is more than that. Penetration testing is the reactive side; you also need the proactive aspects of application security to reduce the flow of vulnerabilities in the first place.
Mapping between MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC) and the STRIDE categories used in threat modeling.
I’ve just launched the first OWASP Application Security Awareness Campaign with 11 Posters of the OWASP Top Ten 2021 project.
Prioritising remediation of vulnerabilities based on effective impact and risk using PageRank.
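As an added illustration of PageRank-based prioritisation (example code written for this page, not the article’s own method or data), the block below ranks vulnerable hosts by how much downstream impact fixing them would remove. The model is an assumption made here: a directed "reach" graph where an edge A -> B means that compromising A gives an attacker network reach to B, and a per-host asset value used as the PageRank personalisation vector. PageRank is run on the reversed graph so that importance flows from high-value targets back to the hosts that are the pivots into them. The host names, edges and values are constructed sample data.

```python
"""Rank vulnerable hosts by effective impact using personalised PageRank.

Added example (not from the original article). Assumed model:
  REACH[a] = hosts an attacker can reach once host `a` is compromised
  ASSET_VALUE[h] = business impact if `h` is compromised (personalisation)
Running PageRank on the reversed reach graph makes rank flow from valuable
targets back to the entry points that lead to them, so the top of the list is
the host whose remediation cuts off the most high-value attack paths.
"""

# Constructed sample reach graph: host -> hosts reachable from it.
REACH = {
    "web-01": ["app-01", "app-02"],
    "app-01": ["db-01"],
    "app-02": ["db-01", "cache-01"],
    "db-01": [],
    "cache-01": [],
    "jump-01": ["db-01"],
}

# Constructed asset values (any positive scale; normalised internally).
ASSET_VALUE = {
    "web-01": 2, "app-01": 3, "app-02": 3,
    "db-01": 10, "cache-01": 1, "jump-01": 2,
}


def reverse(graph):
    """Return the graph with every edge src -> dst turned into dst -> src."""
    rev = {n: [] for n in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def pagerank(graph, weights, damping=0.85, iters=200, tol=1e-12):
    """Personalised PageRank by power iteration.

    Dangling nodes (no out-edges) redistribute their mass according to the
    personalisation vector, so the ranks always sum to 1.
    """
    nodes = list(graph)
    total = float(sum(weights.get(n, 1.0) for n in nodes))
    pers = {n: weights.get(n, 1.0) / total for n in nodes}
    rank = dict(pers)
    for _ in range(iters):
        dangling = sum(rank[n] for n in nodes if not graph[n])
        new = {n: (1 - damping) * pers[n] + damping * dangling * pers[n]
               for n in nodes}
        for src, dsts in graph.items():
            if dsts:
                share = damping * rank[src] / len(dsts)
                for dst in dsts:
                    new[dst] += share
        delta = sum(abs(new[n] - rank[n]) for n in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def prioritise(reach, asset_value, damping=0.85):
    """Return [(host, score), ...] sorted with the host to fix first at index 0."""
    scores = pagerank(reverse(reach), asset_value, damping)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for host, score in prioritise(REACH, ASSET_VALUE):
        print(f"{host:10s} {score:.3f}")
```

In the sample data the internet-facing web-01 comes out on top even though its own asset value is low, because every path to the database runs through it; db-01 is second on its own value, and cache-01, which leads nowhere valuable, is last. Swapping in a real reach graph (from network ACLs or an attack-path tool) and real asset values is the part that turns this from a toy into a prioritisation input.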
This is just a collection of notes I’ve made over a period of time to remind me of certain commands or syntax. I will continue adding to this over time. I’m also going to add my Natural Language Processing notes and Machine Learning Notes in a couple of other articles.