I am excited to announce the release of my book, [Building An Agile Security Program](https://leanpub.com/buildingasecurityprogram)! I started this book in 2019 and worked on it with the Jemurai team through 2020. I never quite got it over the finish line - until now.

This book came from hard-earned experience helping small and medium-sized high-tech software companies reason about security. It breaks the problem down and explains how to think about it in an agile way. The book is really for CTOs or VPs of Engineering who get tagged with security responsibilities before their company even has a security team. It is also intended to be useful for relatively junior security folks who want to keep the big picture in mind.

The book is grounded in the NIST 800-53 standard, and explains why and how to leverage it for various commercial audits. It also covers adversaries, AI, data protection and essentially every topic you need to build a responsible security program.

In early versions of the book, I was trying to direct readers to easily track the information in our securityprogram.io tool. In this version, I deliberately abstracted the tool away so that the book is detached from any particular product. Having said that, our good friends at Crux have shiny updates to the SPIO tool we built, and it really is an easy button for tracking security initiatives at smaller companies.

I’m just so excited to have this project in a place where it can be useful to more people. Check it out!

Table of Contents

  • Introduction
  • Security Standards
  • Organizational Readiness
  • Agile Security
  • Adversaries
  • Risk Management
  • Policies, Privacy and User Management
  • Asset and Configuration Management
  • Network and Infrastructure Security
  • Vendor and Supply Chain Management
  • Security Budgets
  • Data Protection
  • System Hardening and Vulnerability Management
  • Application Security
  • Monitoring and Audit
  • Incident Response
  • Business Continuity
  • Physical Security
  • Security Tooling
  • Frontier Technologies
  • Maturity, Metrics and Ongoing Work
  • Policy Authoring with Markdown and AI
  • Security Automation in Practice
  • Quantitative Risk Modeling
  • Standards Reference
  • Glossary
  • NIST 800-53 Control Mapping