Thursday, June 30, 2022

The Zen of Python by Tim Peters... Applied to standards.

Not all regulations, standards, and security practices are the same. Some have too little detail, and some have too much detail. Some have great clarity and focus, and others are all over the place. 

See how beautifully this applies to the standards community. This should be read before every standards meeting...! 

The Zen of Python, by Tim Peters

Beautiful is better than ugly.

Explicit is better than implicit.

Simple is better than complex.

Complex is better than complicated.

Flat is better than nested.

Sparse is better than dense.

Readability counts.

Special cases aren't special enough to break the rules.

Although practicality beats purity.

Errors should never pass silently.

Unless explicitly silenced.

In the face of ambiguity, refuse the temptation to guess.

There should be one-- and preferably only one --obvious way to do it.

Although that way may not be obvious at first unless you're Dutch.

Now is better than never.

Although never is often better than *right* now.

If the implementation is hard to explain, it's a bad idea.

If the implementation is easy to explain, it may be a good idea.

Namespaces are one honking great idea -- let's do more of those!

Thursday, June 23, 2022

PCI DSSv4 Spreadsheet Format

PCI DSSv4 Spreadsheet Format!

Source: Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards

Available hereBlog Downloads ( 

Direct Link: here


It can be helpful to have the PCI Data Security Standard content in a spreadsheet format to facilitate learning and the creation of related artifacts and mappings. I've provided this for other versions and now have an updated PCI DSS version 4 in a similar format to facilitate learning about the standard's content. This format helps me absorb and structure (yes - an active verb) a large amount of information quickly. I've learned that I'm wired differently than others - and this is what works for me. 

I'm a fan of what the PCI Standards Security Council has created with the DSS. They have had a significant impact on the overall security posture of many organizations because of their output.


The tabs in the spreadsheet contain: 

  • Original Content: Keeps tables in the same organization as the original. All text is retained. 
  • Nested Content: Recognizes the intentional nesting of content. All text is retained. 

Example given:                                 

  • X.Y is used as a top-level control descriptor for the items under it and never has a testing procedure.  
  • X.Y.Z is used as the primary control descriptor which always has a testing procedure

Nested Content is therefore: 

Gartner’s Top Cybersecurity Predictions 2022-23

 Tags: Gartner; Risk Management; Predictions

Source: Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23

Relevance: Cyber security risk management runs as a central theme throughout each of these predictions.

  • Formal risk management critical thinking and processes have been central to peer conversations for more than 10 years. It’s now time to bring quantitative and qualitative measurement and evaluation into business decisions regarding controls that protect critical assets. We do this to protect our business.
  • Just as importantly, perhaps more so, risk management must be part of product security decision making. We do this to protect our customers… which protects our business.

Gartner recommends that cybersecurity leaders build the following strategic planning assumptions into their security strategies for the next two years.

  1. Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP.

As of 2021, almost 3 billion individuals had access to consumer privacy rights across 50 countries, and privacy regulation continues to expand. Gartner recommends that organizations track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.

  1. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform.

With a hybrid workforce and data everywhere accessible by everything, vendors are offering an integrated security service edge (SSE) solution to deliver consistent and simple web, private access and SaaS application security. Single-vendor solutions provide significant operational efficiency and security effectiveness compared with best-of-breed solutions, including tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.

  1. 60% of organizations will embrace Zero Trust as a starting point for security by 2025. More than half will fail to realize the benefits

The term zero trust is now prevalent in security vendor marketing and in security guidance from governments. As a mindset — replacing implicit trust with identity- and context-based risk appropriate trust — it is extremely powerful. However, as zero trust is both a security principle and an organizational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits.

  1. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.

Cyberattacks related to third parties are increasing. However, only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure, according to Gartner data. As a result of consumer concerns and interest from regulators, Gartner believes organizations will start to mandate cybersecurity risk as a significant determinant when conducting business with third parties, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.

  1. Through 2025, 30% of nation states will pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1% in 2021.

Modern ransomware gangs now steal data as well as encrypt it. The decision to pay the ransom or not is a business-level decision, not a security one. Gartner recommends engaging a professional incident response team as well as law enforcement and any regulatory body before negotiating.

  1. By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.

Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common and more disruptive. In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft, according to Gartner.

  1. By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.

The COVID-19 pandemic has exposed the inability of traditional business continuity management planning to support the organization’s response to a large-scale disruption. With continued disruption likely, Gartner recommends that risk leaders recognize organizational resilience as a strategic imperative and build an organization-wide resilience strategy that also engages staff, stakeholders, customers and suppliers.

  1. By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts

Most boards now regard cybersecurity as a business risk rather than solely a technical IT problem, according to a recent Gartner survey. As a result, Gartner expects to see a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders.

Monday, May 9, 2022

Coding Resources

This isn't for everyone, but for those with the intelligence, work ethic, proclivity...

There's a LOT of money to be made here. 

There's a fascinating website,, which has a list of coding problems you can explore. Consistently hitting medium problems successfully? Let me know if you'd like a job. This is where really good money starts. 

Specific to cloud computing, a slightly different route that is also profitable, is

Specific to *learning* how to code, and what programming language to learn... C, C#, python, JavaScript, Java, SQL, no SQL. Right now I hear a lot about “R” for statistical modeling and graphical programming. It’s used a lot in data analysis. I know that there’s a huge shortage of people with this expertise because it’s hard, but reach out if you excel at solving these kinds of problems!  

There are a ton of free and low-cost resources online! Two really popular websites for learning how to code include and

Choose to become a mentor. Pass along your experiences.

It's important that we all do our best to share our experiences, and perhaps, help others make solid decisions that impact their careers and growth. These stories make up the tapestry of our experiences, but sometimes, it's a gift to someone else. 

So let's say that you have made the decision to become a mentor. Here is an example of how to break the ice. Purposefully, with intent, enter into that initial dialogue so that you can make it the best possible experience for both you and the mentee.


Here are some ideas to start a dialogue with your mentee:
  • Share personal details like your role at VMware, any hobbies, interests, or other fun facts about yourself. Ask your mentee to share the same with you.
    • [Chris] Industry Standards Technical Manager, Office of the CTO; kids, family, friends, learning, church; Texas, US Navy submarines, Nuclear Engineering, McCombs MBA, 20 years information security with concurrent 10 years graduate teaching and 13 books. I've learned how little I know and how to ask others for help.
    • You can find out more about me here: Chris Davis | LinkedIn | Cloud Audit Controls
  • Get to know your mentee by asking questions about their career and how they got started at VMware.
    • [Chris] I came to VMware by way of VCE, left for Amazon, Oracle, startup, came back.
  • Share your career goals and aspirations with your mentee, and the steps you’ve been taking to achieve them.
    • [Chris] I’ve achieved far more than I ever set out to achieve. Why? It's not because I'm the smartest. 100% believe in yourself. Determination. Extreme ownership. Accept imperfection. Accept failure. We will discuss these. 
  • If relevant, ask your mentee for insight into their current work projects. They may have questions and an outside opinion may be helpful.
    • [Chris] I have several opinions. Not all of them will be helpful! 20% will be wrong. 60% will be solid. 20% will be nuggets. You’ll have to have the discernment to determine which opinions follow into which category for you. We will discuss this as well.
  • Share about recent books or podcasts you’ve enjoyed. If they also read or listen, set up a meeting to exchange thoughts (like an informal book club!).
    • [Chris] I regularly read and listen to podcasts. I have several current favorites.
  • Discuss tips and tricks for working from home. Your new hire may not be used to working in a virtual environment. Openly discuss any pain points and if relevant, provide recommendations.
    • [Chris] Choose to arrive at the beginning of the day with intent and a plan. Otherwise, by default, you choose to invite failure as an option and you choose to accept that.
Desired Outcomes


Plan of Actions and Milestones

Wednesday, April 20, 2022

Highlight Reel: CISA Database of Known Exploited Vulnerabilities

Tags: CISA, known exploited vulnerabilities, US National Cybersecurity Infrastructure Security Agency, VMware, penetration testing, vulnerability testing


  • The list is continuously updated with vulnerabilities if they have known, and actively used exploits.  
  • One of many indicators of priority importance - as a function of risk.
  • Listing contains excellent metadata.
  • There are 644 entries for all vulnerabilities.
OK, so why does this matter? Because every company seems to struggle with how to prioritize. Sure, there's a lot to get done. But how do I prioritize what to fix? What to build? Where to focus? Perhaps you have an interesting project to track vulnerabilities. Another dimension that can be added to provide intelligence or meaningful input into priority ranking includes indicators of whether an exploit is being used by a population of attackers.

Sources & Links:

Tuesday, February 8, 2022

Discussion on XDR and the SOC

 Tags: SOC, XDR, Gartner, Ponemon Institute


Relevance: What is XDR going to be when it matures? EDR… XDR… It's not quite the same thing. XDR is starting to gain traction as a beloved moniker. How do we shape the industry and VMware's story? The following is a representative, but not exhaustive, list of potential future XDR vendors from Gartner’s Innovation Insight: Cisco, Fortinet, Fidelis Cybersecurity, McAfee, Microsoft, Palo Alto Networks, Symantec, Trend Micro, FireEye, Rapid7, and Sophos. How does VMware fit into this narrative?

Pushing this further – welcome to the intersection of XDR and the SOC.

From Gartner Innovation Insight report:

The three primary requirements of an XDR system are:

1.      Centralization of normalized data, but primarily focusing on the XDR vendors’ ecosystem only.

2.      Correlation of security data and alerts into incidents.

3.      A centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting.

Extended Detection and Response Conceptual Architecture:

This was insightful from the Ponemon Institute research report on SOCs:

Systems Security Engineering: A Primer

 Tags: advanced persistent threat; assurance; controls; cyber resiliency; cyber resiliency approaches; cyber resiliency design principles; cyber resiliency engineering framework; cyber resiliency goals; cyber resiliency objectives; cyber resiliency techniques; risk management strategy; system life cycle; systems security engineering; trustworthiness


Discussion: Where can you go to learn how to engineer and develop secure systems?

Take a look at the newly released SP 800-160 Vol. 2 Rev. 1 to learn more about cyber-resilience. Specifically, cyber resiliency engineering “intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources.”

Know a smart architect or developer interested in strengthening their knowledge of security principles?

Have them read each of the sections below one week apart and test them over the content.

  • D.3 CYBER RESILIENCY TECHNIQUES....................................................................................................... 89
    • Basic concepts… e.g. ANALYTIC MONITORING
  • D.4 CYBER RESILIENCY IMPLEMENTATION APPROACHES....................................................................... 92
  • D.5 CYBER RESILIENCY DESIGN PRINCIPLES .......................................................................................... 109
    • Covers specific strategic design principles

Monday, August 23, 2021

Resume Help! 185 Action Verbs

Phenomenal job whoever put this together. I found this here:

185 Action Verbs That'll Make Your Resume Shine | The Muse

Here's the list so that I can refer others to this... How often are you asked for help? Here's a great way to spruce up the old resume. Express yourself well. Tell the story. Don't bore me. There's a balance of too little and too much. Grammar-check and spell-check everything. Check your spacing, fonts, and use of bolding/italics/color to make sure you are consistent everywhere.

Your resume has to stand by itself without you there to explain away easy to fix mistakes. The last position we had for our team had 450 resumes submitted within days. I'm ruthless with reviews. You have time to work on your resume. It should be awesome. You can tell a difference between someone who cares and someone who doesn't.

Action Verbs 1-12: You Led a Project
If you were in charge of a project or initiative from start to finish, skip “led” and instead try:
1. Chaired
2. Controlled
3. Coordinated
4. Executed
5. Headed
6. Operated
7. Orchestrated
8. Organized
9. Oversaw
10. Planned
11. Produced
12. Programmed

Action Verbs 13-33: You Envisioned and Brought a Project to Life
And if you actually developed, created, or introduced that project into your company? Try:
13. Administered
14. Built
15. Charted
16. Created
17. Designed
18. Developed
19. Devised
20. Founded
21. Engineered
22. Established
23. Formalized
24. Formed
25. Formulated
26. Implemented
27. Incorporated
28. Initiated
29. Instituted
30. Introduced
31. Launched
32. Pioneered
33. Spearheaded

Action Verbs 34-42: You Saved the Company Time or Money
Hiring managers love candidates who’ve helped a team operate more efficiently or cost-effectively. To show just how much you saved, try:
34. Conserved
35. Consolidated
36. Decreased
37. Deducted
38. Diagnosed
39. Lessened
40. Reconciled
41. Reduced
42. Yielded

Action Verbs 43-61: You Increased Efficiency, Sales, Revenue, or Customer Satisfaction
Along similar lines, if you can show that your work boosted the company’s numbers in some way, you’re bound to impress. In these cases, consider:
43. Accelerated
44. Achieved
45. Advanced
46. Amplified
47. Boosted
48. Capitalized
49. Delivered
50. Enhanced
51. Expanded
52. Expedited
53. Furthered
54. Gained
55. Generated
56. Improved
57. Lifted
58. Maximized
59. Outpaced
60. Stimulated
61. Sustained

Action Verbs 62-87: You Changed or Improved Something
So, you brought your department’s invoicing system out of the Stone Age and onto the interwebs? Talk about the amazing changes you made at your office with these words:
62. Centralized
63. Clarified
64. Converted
65. Customized
66. Influenced
67. Integrated
68. Merged
69. Modified
70. Overhauled
71. Redesigned
72. Refined
73. Refocused
74. Rehabilitated
75. Remodeled
76. Reorganized
77. Replaced
78. Restructured
79. Revamped
80. Revitalized
81. Simplified
82. Standardized
83. Streamlined
84. Strengthened
85. Updated
86. Upgraded
87. Transformed

Action Verbs 88-107: You Managed a Team
Instead of reciting your management duties, like “Led a team…” or “Managed employees…” show what an inspirational leader you were with terms like:
88. Aligned
89. Cultivated
90. Directed
91. Enabled
92. Facilitated
93. Fostered
94. Guided
95. Hired
96. Inspired
97. Mentored
98. Mobilized
99. Motivated
100. Recruited
101. Regulated
102. Shaped
103. Supervised
104. Taught
105. Trained
106. Unified
107. United

Action Verbs 108-113: You Brought in Partners, Funding, or Resources
Were you “responsible for” a great new partner, sponsor, or source of funding? Try:
108. Acquired
109. Forged
110. Navigated
111. Negotiated
112. Partnered
113. Secured

Action Verbs 114-122: You Supported Customers
Because manning the phones or answering questions really means you’re advising customers and meeting their needs, use:
114. Advised
115. Advocated
116. Arbitrated
117. Coached
118. Consulted
119. Educated
120. Fielded
121. Informed
122. Resolved

Action Verbs 123-142: You Were a Research Machine
Did your job include research, analysis, or fact-finding? Mix up your verbiage with these words:
123. Analyzed
124. Assembled
125. Assessed
126. Audited
127. Calculated
128. Discovered
129. Evaluated
130. Examined
131. Explored
132. Forecasted
133. Identified
134. Interpreted
135. Investigated
136. Mapped
137. Measured
138. Qualified
139. Quantified
140. Surveyed
141. Tested
142. Tracked

Action Verbs 143-161: You Wrote or Communicated
Was writing, speaking, lobbying, or otherwise communicating part of your gig? You can explain just how compelling you were with words like:
143. Authored
144. Briefed
145. Campaigned
146. Co-authored
147. Composed
148. Conveyed
149. Convinced
150. Corresponded
151. Counseled
152. Critiqued
153. Defined
154. Documented
155. Edited
156. Illustrated
157. Lobbied
158. Persuaded
159. Promoted
160. Publicized
161. Reviewed

Action Verbs 162-173: You Oversaw or Regulated
Whether you enforced protocol or managed your department’s requests, describe what you really did, better, with these words:
162. Authorized
163. Blocked
164. Delegated
165. Dispatched
166. Enforced
167. Ensured
168. Inspected
169. Itemized
170. Monitored
171. Screened
172. Scrutinized
173. Verified

Action Verbs 174-185: You Achieved Something
Did you hit your goals? Win a coveted department award? Don’t forget to include that on your resume, with words like:
174. Attained
175. Awarded
176. Completed
177. Demonstrated
178. Earned
179. Exceeded
180. Outperformed
181. Reached
182. Showcased
183. Succeeded
184. Surpassed
185. Targeted

Wednesday, August 4, 2021

[Comment Period] Draft SP 800-53A Revision 5

 Tags: NIST, Draft SP 800-53A Revision 5, Comment Period, assessment objectives, determination statements, assessment methods, assessment objects

Source: SP 800-53A Rev. 5 (Draft), Assessing Security and Privacy Controls in Info Sys and Orgs | CSRC (

Control assessments are not about checklists, simple pass/fail results, or generating paperwork to pass inspections or audits. The testing and evaluation of controls in a system or organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome are critical to managing and measuring risk. Additionally, control assessment results serve as an indication of the quality of the risk management processes, help identify security and privacy strengths and weaknesses within systems, and provide a road map to identifying, prioritizing, and correcting identified deficiencies. 


Draft NIST Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, provides organizations with a flexible, scalable, and repeatable assessment methodology and assessment procedures that correspond with the controls in NIST SP 800-53, Revision 5. Like previous revisions of SP 800-53A, the generalized assessment procedures provide a framework and starting point to assess the enhanced security requirements and can be tailored to the needs of organizations and assessors. The assessment procedures can be employed in self-assessments or independent third-party assessments.

In addition to the update of the assessment procedures to correspond with the controls in SP 800-53, Revision 5, a new format for assessment procedures in this revision to SP 800-53A is introduced to:

  • Improve the efficiency of conducting control assessments,
  • Provide better traceability between assessment procedures and controls, and
  • Better support the use of automated tools, continuous monitoring, and ongoing authorization programs.

NIST is seeking feedback on the assessment procedures in this publication and in electronic versions (OSCAL, CSV, and plain text), including the assessment objectives, determination statements, and potential assessment methods and objects. We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives. To facilitate their review and use by a broad range of stakeholders, the assessment procedures are available for comment and use in PDF format, as well as comma-separated value (CSV), plain text, and Open Security Controls Assessment Language (OSCAL) formats.


The comment period is open through October 1, 2021. See the publication details for a copy of the draft and associated files, and instructions for submitting comments. We encourage you to submit comments using the comment template provided.


Please submit inquiries and comments to


NOTE: A call for patent claims is included on page vii of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.


Publication details:  

ITL Patent Policy: