Rafe Hart

Thoughts on security, privacy, and building software.

Security in Agile

20 July 2017

At least once a fortnight I find myself filling out a Request for Proposal (RFP) describing my team’s development approach, and how we secure our Systems Development Life Cycle (SDLC). We have a formal security framework; they’re great for filling out RFPs. When you are trying to build products in an agile format they are less so. The traditional process looks something like this.


Windows 10 Privacy

27 March 2017

Last week in the US the FCC privacy regulations were repealed, which, amongst other things, allows ISPs to track your internet usage and sell it to third parties. It's a good time to think about privacy.


Hardening Windows 10

03 January 2017

Security 'hardening' is the process of raising the baseline security of a device. I harden every device I use. It's not my intention to provide a hardening guide here (I've linked several good ones at the end), but I did want to go through some of the resources available if you need to do this for a group of computers (your organisation, for example).


PCI DSS from scratch

13 December 2016

PCI DSS is the Payment Card Industry Data Security Standard, and it is required for any merchant, payment processor, or service provider that interacts with cardholder data. I recently went through the process of implementing this standard, and I thought I would share some of my observations on the process.


Ruxcon 12

23 October 2016

I've spent the last weekend attending Ruxcon 12, which is a technical security conference in Melbourne. For the benefit of those who weren't there, and because it helps me consolidate my own thoughts, I'd give the following review.


Due Diligence

27 May 2016

Checking things as part of due diligence is rarely the most fun activity in the world, but it does have a habit of turning up some surprising things. I've been doing some compliance checking for PCI DSS recently, and it turns out a lot of the providers I thought were PCI DSS compliant (and claimed to be) aren't.
