Subscribe and get email updates
We won’t share, sell or spam you.
About Gene Kim

I'm the multiple award-winning CTO, Tripwire founder, Visible Ops co-author, IT Ops/Security Researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."


7/30 - BSides Las Vegas- Las Vegas, NV
Mobilizing the PCI Resistance: Lessons Learned from Fighting Prior Wars (SOX-404)

9/20 - itSMF USA Fusion 2010 - Louisville, KY
Avoiding Audit Fatigue: Achieving Compliance In A Multi-Compliance World

9/24 - PCI SSC North American Community Meeting - Orlando, FL
Scoping SIG Update

9/24 - Interop New York - New York, NY
Creating Effective Security Controls: A Ten Year Study of High Performing Security Organizations

10/24 - NACD Corporate Governance Conference - Washington, DC
How IT Can Help (And Hinder) Boards


Talk Notes: "Why Does Bad Software Happen To Good People?", Matt Tesauro: LASCON Keynote

LASCON 2011: October 27, 2011

Matt Tesauro was the project lead for the LiveCD OWASP Project and is on the OWASP board. My notes are below...

Click to read more ...


Talk Notes: A Statistical Journey through the Web Application Security Landscape: Jeremiah Grossman: LASCON 2011

LASCON 2011: October 27, 2011

Jeremiah Grossman is the founder of White Hat Security, where my good friend Stephanie Fohn is currently CEO (she helped us with our first initiatives and product launches at Tripwire over a decade ago, for which I'll be forever grateful). Jeremiah is also very well-known for his work on metrics and benchmarking all aspects of vulnerabilities.

Here are my notes/tweets from Jeremiah's presentation:

Click to read more ...


Talk Notes: The Infosec Perspective of DevOps: James Wickett: LASCON 2011

LASCON 2011: October 27, 2011

James Wickett and his ex-boss @ernestmueller are both a very special breed of people. James is well-known for his experience as an information security practitioner and his leadership in the OWASP community (he is the conference chair for the upcoming 2012 OWASP USA conference). But what makes him so interesting to me is that a boundary spanner. Beyond just infosec, he has experience doing IT Operations, as well as Development and DevOps practices.

(Incidentally, I believe his presentation on "The Rugged Way in the Cloud--Building Reliability and Security into Software" as one of the seminal works on how to information security integrates into DevOps-style practices. It is shown below, even though that isn't the topic of this talk note:)

At LASCON, he presented with Peco Karayanev on the PIE tool they built to integrate security practices into daily development and IT operations work. It will look very similar to a DevOps presentation, but hints at how organizations can integrate and deliver the non-functional requirements from the Rugged Computing initiative (e.g., scalable, available, survivable, securable, supportable, etc..).

Here's how they describe PIE, which is a tool they developed at National Instruments to support developing applications that are served up in the cloud:

Click to read more ...


Talk Notes: Gamification: Gabe Zichermann: ISEPP Lecture Series

IESSP Lecture Series: November 17, 2011

This was a fantastic talk. Gabe Zichermann helped codify the gamification, writing a number of books on the topic, including "Game Based Marketing: Inspire Customer Loyalty Through Rewards, Challenges and Contests" and also the O'Reilly book "Gamification On Design".

My tweeted out notes are below:

Click to read more ...


My First Three Weeks With The BSides Board

I’m writing this blog post to explain briefly why I chose to accept the BSides board position, what my goals are, and provide a brief status report.

Why I joined the BSides board

Over the years, I’ve come to respect the work of everyone in the BSides community.  I’m amazed and continually reminded of how many people BSides has positively influenced and the vibrant community they’ve created.  I’ve been to three events, and during my tenure at Tripwire, we became one of the first global sponsors.  I’ve always loved the people who congregate there, and I’m grateful for how it's reconnected me with old colleagues and friends.  I proudly consider myself a part of the BSides community.

In mid-December, I was asked by Mike Dahn and Jack Daniel to join them on the BSides board.  I first admitted to them that I’ve primarily been a beneficiary of everyone’s hard work, and that there are countless people who have contributed far more than me.  But after talking with them, I told them that it was a privilege to be asked and that I would be happy to serve for a one-year term and help in any way I could.  

My goals

My goal is to help ensure that BSides succeeds in its mission: to continue to help more information security practitioners achieve their fullest potential, both now and in the future.

Clearly there have been some growing pains. To paraphrase Bill Brenner, this is really an opportunity to "make a better BSides." Our goal as a board is to help BSides grow, become more effective and accountable, as well as more transparent.

A brief status report

Mike, Jack and I started having nearly daily, now weekly, phone calls. The top issues we're working on are the following:

  • Create a timeline to complete all the filings necessary for BSides to become officially a 501c3 not for profit corporation
  • Create a timeline to retain an outside bookkeeper and release audited financials, going all the way back to the first events, to show that all account balances and values are exactly as they should be, and that all the money went where it was supposed to
  • Create a communication calendar so that we regularly release information on what we’ve promised and how we’re doing on those promises, in order to earn back any lost trust with the community

On the 501c3 front, the team continues to move towards the official filing. BSides remains a California public benefit S corporation. As such, there is no official board, but we’ve started to organize and adopt all the structures and processes required for when we have official 501c3 status.

Part of this is getting regular financial reports released that are audited by an independent third party. The team has spent two weeks interviewing firms to take over the daily bookkeeping operations, as well as a CPA firm who can attest to the accuracy of the financials.   I’m particularly pleased that as soon as BSides completes the transition to a 501c3, the CPA firm that opines on the financials of the widely-revered Electronic Frontier Foundation (EFF) will do the same for BSides.  

While I've studied the SecurityErrata post, based on my analysis, I believe that any financial reporting errors found will be small. My biggest concern is that volunteers sometimes paid event suppliers out of their own pockets, due to BSides cash flow issues -- these transactions may not have been recorded or repaid properly. Of course, we will fix any issues we find.

And finally, on the communications front, this will be the first of many communications you’ll see from the team to make you aware of what we’re focused on, and how we’re doing on the commitments we’ve made.

Some last thoughts

Mike and Jack have been terrific to work with, and I’m confident that we’ll have more positive information to share throughout January and February.  From there, the focus of the board will be to discuss the structure that will best serve the BSides mission and community.  

I want to thank the many people who took the time to give me advice, provide recommendations on trusted bookkeepers and accountants, and much more. I particularly want to acknowledge Branden Williams, Brian Costello, Matt Hixson, Todd Butson and Bob McCarthy and countless others for their help, for which I’m very grateful.