Timo Pagel has been in the IT industry for over fifteen years. After a career as a system administrator and web developer, he advises customers as a DevSecOps consultant and trainer. His focus is on security test automation for software and infrastructure and assessment of complex applications in the cloud. In his spare time, he teaches “Web and Application Security” at various universities of applied sciences.
Security should be part of the whole development and operations process. Security-related strategic, design and implementation decisions have to be made along the way. As a DevSecOps consultant, I help you introduce security into your organizational culture and keep it there.
Strategic Planning / Introduction of a Security Culture
Introducing security into the development lifecycle is a journey, and strategic decisions have to be made on the way. I help you make the best strategic cloud and security decisions. This includes the following programs to scale security:
- Security Champions
- Threat Modeling
- Motivating employees at all organizational levels to care about security
Continuous measurement with OWASP SAMM or my own project, the OWASP DevSecOps Maturity Model, provides the basis for planning the next steps.
Threat Modeling Program
Threat modeling is an important part of this process and should be performed as early as possible, because security issues found at design time are far cheaper to fix than those found in production. Depending on the type of project, different methodologies are used, such as STRIDE or the Cyber Kill Chain.
In addition to running threat modeling workshops, I develop threat modeling programs together with my clients.
Training / Workshops
Most security frameworks require security-related training for IT personnel. Security-aware developers and operators keep security in mind during their regular work, which leads to far fewer security issues.
At some clients, I conduct a bi-weekly security training of up to one and a half hours. During this time, we discuss security-related organizational issues or innovations, and security-related training is provided.
IT systems can become very complex, especially in cloud environments. Reviewing the concept and the implementation, e.g. the code, is a good way to verify that the security-related requirements are actually met.