NetSPI Blog

Ryan Wakeham

Ryan leads NetSPI’s Assessment Team, which performs network and application penetration tests, code reviews, and infrastructure assessments. He also consults directly with clients on IT risk management and security program development projects. He brings to his work sound insight into security issues and the communication skills to effectively and thoroughly convey risks and recommended remedies to clients. Ryan has over ten years of computer security experience, seven of them with NetSPI. He holds a BA in Computer Science from Carleton College and an MS degree in Information Security from the Georgia Institute of Technology.

Ryan Wakeham
September 22nd, 2013

The Value of Detective Controls

For as long as I can remember, security professionals have spent the majority of their time focusing on preventative controls. Things like patching processes, configuration management, and vulnerability testing all fall into this category. The attention is sensible, of course; what better way to mitigate risk than to prevent successful attacks in the first place? […]

Ryan Wakeham
December 12th, 2012

2013 Cyber Threat Forecast Released

The Georgia Tech Information Security Center and Georgia Tech Research Institute recently released their 2013 report on emerging cyber threats. Some of these threats are fairly predictable, such as cloud-based botnets, vulnerabilities in mobile browsers and mobile wallets, and obfuscation of malware in order to avoid detection. However, some areas of focus were a bit […]

Ryan Wakeham
October 15th, 2012

Thoughts on Web Application Firewalls

I recently attended a talk given by an engineer from a top security product company and, while the talk was quite interesting, something that the engineer said has been bugging me a bit. He basically stated that, as a control, deploying a web application firewall was preferable to actually fixing vulnerable code. Web application firewalls […]

Ryan Wakeham
June 22nd, 2012

Web Application Testing: What is the right amount?

It is becoming more common these days (though still not common enough) for organizations to have regular vulnerability scans conducted against Internet-facing, and sometimes internal, systems and devices. This is certainly a step in the right direction, as monthly scans against the network and service layer are an important control that can be used to […]

Ryan Wakeham
May 24th, 2012

Enterprise Vulnerability Management

Earlier this month, at the Secure360 conference in St. Paul, Seth Peter (NetSPI’s CTO) and I gave a presentation on enterprise vulnerability management. This talk came out of a number of discussions about formal vulnerability management programs that we have had both internally at NetSPI and with outside individuals and organizations. While many companies have […]

Ryan Wakeham
March 19th, 2012

Pentesting the Cloud

Several months ago, I attended an industry conference where there was much buzz about “The Cloud.” A couple of the talks purportedly addressed penetration testing in the Cloud and the difficulties that could be encountered in this unique environment; I attended enthusiastically, hoping to glean some insight that I could bring back to NetSPI and […]

Ryan Wakeham
February 7th, 2012

The Annual Struggle with Assessing Risk

In my experience, one of the security management processes that causes the most confusion among security stakeholders is the periodic risk assessment. Most major information security frameworks, such as ISO/IEC 27002:2005, the PCI Data Security Standard, and HIPAA, include annual or periodic risk assessments, and yet a surprising number of organizations struggle with putting together […]

Ryan Wakeham
October 26th, 2011

Why I Hate The Cloud

The Cloud is one of the “new big things” in IT and security and I hate it. To be clear, I don’t actually hate the concept of The Cloud (I’ll get to that in a minute) but, rather, I hate the term. According to Wikipedia, cloud computing is “the delivery of computing as a service […]

Ryan Wakeham
October 12th, 2011

Mobile Devices in Corporate Environments

Mobile computing technology is hardly a recent phenomenon but, with the influx of mobile devices such as smartphones and tablet computers into the workplace, the specter of malicious activity being initiated by or through these devices looms large. However, generally speaking, an information security toolkit that includes appropriate controls for addressing threats presented by corporate […]