Brendan Francis O'Connor


Hi. I'm Brendan Francis O'Connor.

I'm a technologist, and I work to build information security programs focused on everyday excellence. I'm an attorney. My work blends both areas.

If you'd like to talk to me, my email: My GPG key is public, though very rarely used at this point.

Below, I've compiled my talks, experience, and a few other useful bits of information. If you'd like this as a full-length CV, just hit print; if you'd like a formal resume, click here for HTML or click here for a PDF.

Master of Science in Engineering in Computer Science
September 2005 - May 2009
The Johns Hopkins University
  • Thesis: 'Mnikr: Reputation Construction Through Human Trading of Distributed Social Identities'
  • President, Upsilon Pi Epsilon (Computer Science Honor Society)
Bachelor of Science in Computer Science
September 2004 - May 2008
The Johns Hopkins University
  • Departmental Honors
Staff Security Engineer
2022 -
Cedar
As a Staff Security Engineer, I am responsible for engaging in high-leverage work to improve security across Cedar to protect patients, medical providers, and our employees; I also help educate our engineers on secure programming practices, perform code reviews, and guide technical implementations of key client-required security features. My recent large-scale work has included rebuilding the corporate IAM and secrets management systems, compiling the first complete set of technical client contract requirements, and creating a trusted baseline and deployment tracker for our container build systems.
Senior Security Advisor
2014 - 2016, 2019 - 2022
Leviathan Security Group
I worked as a Senior Security Advisor in Leviathan's Risk and Advisory Services group, where I built security programs, advised teams on how best to meet compliance goals, and conducted large-scale architecture and security ecosystem assessments on codebases with more than ten years' engineering effort, more than 20 million end users, or both. I built SOC 2 Type II-compliant security programs and defended them during audits, and advised management at dozens of companies on HIPAA, FERPA, HITRUST, CMS ARS, ISO 27001/2/18, and PCI compliance. I also co-wrote four whitepapers on forced data localization as it affects security, and more recently, one on Kubernetes and container security.
Enterprise Security Platform Lead
2018 - 2019
RealSelf
As the head of the information security program at RealSelf, I directed the company's overall security, risk and compliance efforts. This involved close coordination with the RealSelf executive and engineering teams to align security priorities with our business goals and overall risk posture; I reported to the CTO and General Counsel. My work included developing and delivering security training, working with developers and SREs to design and implement security at all levels of our systems, building our ISO 27000-aligned information security management program, communicating with customers regarding security issues, leading security incident response efforts, working with our legal and privacy teams on vendor management, and managing our bug bounty program. I also worked on HIPAA, PCI, GDPR, and other regulatory issues to ensure that we were able to meet evolving obligations, and ultimately, that the trust our users placed in us was well-earned.
Chief Technical Officer / DSS
2010 -
Malice Afterthought, Inc.
Malice Afterthought provides information security consulting services. Some highlights of past work: I led an international nonprofit's security efforts, including both building a multi-regulated compliance program (FERPA, HIPAA, and FedRAMP) and implementing technical defensive tools; I taught at a Department of Defense information and network warfare (CNO) school; and I won and completed two DARPA Cyber Fast Track (CFT) contracts. Languages and tech stacks have included Ruby, Python, Perl, D3JS, UnityScript, Hadoop, Spark, and AWS, among many others.
Security Engineering Lead
2017 - 2017
Nuna Inc.
Nuna provides healthcare data analytics and warehousing to Medicare/Medicaid, insurance networks, and self-insured employers. I led the Security Engineering team, which was responsible for broadly-defined security throughout Nuna (from code, to architecture, to cross-cutting initiatives). I joined Nuna as a Senior Security Engineer, and became Security Engineering Lead in March 2017. Languages and tech stacks included AWS, R, Python, Bash, and Java; compliance stacks included SOC 2, HIPAA, and CMS ARS.
Senior Research Associate
2009 - 2010
SET Corporation
I worked as a technical lead on software projects in a variety of areas, including natural language processing and user modeling, and a project to create an augmented reality application that added real-time data and intelligence analysis to a multi-viewpoint 3D holographic display, using the iPhone 3GS as a controller. SET worked primarily for the defense and intelligence communities. Languages included Objective-C, Java, Ruby, Python, and others.
Open Platforms Group Graduate Intern
2008 - 2008
Six Apart
I worked as an engineer on the Open Platforms team, dealing with furthering the goals of data portability across technologies and corporate boundaries while maintaining a focus on user control of data. I worked as an intern full-time during the summer of 2008, and then part-time through the remainder of the year.
Solaris Security Technologies Group Graduate Intern
2007 - 2007
Sun Microsystems
I ported and integrated software to SunOS (Solaris) allowing users to authenticate using true PKCS#11 interfaces, then worked with a variety of teams and people across Sun (despite my status as an intern) to move these smartcard services into Solaris. I also had the opportunity to work with DTrace on Solaris Kerberos.
VeriSign Security Services Undergraduate Intern
2006 - 2006
I worked primarily with the Unified Authentication group, specifically with One-Time Passwords. I also did some work for VeriSign Labs (the Advanced Projects Research Group) on VeriSign's OpenID implementation, the Personal Identity Provider. Over the course of 12 weeks, I was responsible for major projects in C#, Ruby, and Java, as well as JSP/Struts/Spring web applications, JNI, C/C++, and various related technologies. I won the VeriSign Labs 'PIP Challenge' for integrating one-time password technology with the VeriSign Personal Identity Provider (later Apache Heraldry).
Stuffing your Cloud into your SOCs
June 15, 2020
DevSecCon 24 - The Cloud
How to use DevSecOps to do a SOC 2 audit easily---and how to use a SOC 2 to get more time to focus on infrastructure investment.
Your company is trying to sell to large enterprises and wants a SOC 2 audit. You're running a DevOps team that's 'also responsible for security' and have no time, no budget, no headcount, and no interest in redoing all your infrastructure just to please an auditor. This isn't an impasse---it's an opportunity for you to promote DevOps best practices throughout your company, using the extremely effective carrot of 'this is how we can sell more!' We'll cover what a SOC 2 audit is, what you get to decide when getting one, and the happy path for cloudy companies to pass audits using modern DevOps practices. The tools you already use provide a robust compliance framework; it just requires you to tell the story to the auditors. You'll also get a useful list of things to start asking other teams (like IT and HR) to handle, and a cheat sheet for translating DevOps to Auditor. In 25 minutes, you'll have the knowledge you need to prepare for a SOC (or many other kinds of compliance) audit, and be ready to sell your team's hard work to an auditor (even if they ask you where your tape library is).
You Can Do The Thing!
January 13, 2017
ShmooCon FireTalks - Washington, DC
Given tiny starchy vegetables, a call to action for the information security community: if you don't like where the world is going, change the world.
Security by Consent; or, Peel's Principles of Security Operations
October 18, 2016
SecTor - Toronto, ON, Canada
November 2, 2016
O'Reilly Security New York - New York, NY
November 10, 2016
O'Reilly Security Amsterdam - Amsterdam, Netherlands
How to create and maintain a security operation within a larger organization that focuses on cooperation and consent, rather than coercion, based upon the 'policing by consent' model created in 1820s England.
Are you tired of knowing everything, having people ignore 'the security person' because 'reasons,' and then having 'I told you so' as your only comfort? Sick of the hostile relationship between security and development, security and operations, security and HR, and/or security and everyone not wearing a black t-shirt? There’s a better way. Faced with the challenge of building a security function into a society that wasn’t sure it wanted one (but which nonetheless needed it), Charles Rowan and Richard Mayne set out what became known as the Peelian Principles of Policing, or Policing by Consent. They provide an effective model for running a security group that stands with its organization, rather than against it. We are, after all, 'only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the intent of the community welfare.' Join us to become a security Bobby—where a commitment to service is non-optional, but the silly hat’s only needed if you like it.
Don't Be a Hero
October 31, 2016
Ignite O'Reilly Security - New York, NY
October 29, 2016
PumpCon - Philadelphia, PA
Ignite format; presentation on the value of compliance for small and mid-sized businesses. The talk was designed to lay out the motivational case, rather than the step-by-step implementation of compliance in an organization.
Swinging swords, slaying beasts, drinking Red Bull, and coding through a weekend: the life of a startup is exciting and free from rules. When you get your first security audit and have to establish policies and compliance, you may find your sword hand itchy; are the good times over? No--something even better comes next. Stop being a hero-based organization, and build things that will outlive you.
Endrun—Secure Digital Communications For Our Modern Dystopia
October 17, 2014
Black Hat Europe - Amsterdam, Netherlands
With Grant Dobbe. Censorship-resistant communications based on the Delay-Tolerant Networking concept.
The Internet is no longer trustworthy, having been compromised by bad actors across the globe. Current proposals to work around a compromised Internet rely upon encrypted transport links, mesh networks, or harassing users for being unable to use GPG safely. Each of these strategies fails in different ways that inevitably lead to information leakage or -- in the extreme case -- death. Endrun, by contrast, takes NASA's Disruption-Tolerant Networking project from a laboratory experiment to a functional system that supports user-friendly encryption in hostile environments. Endrun embraces the nearly-unlimited throughput of a disk-laden station wagon and creates a reliable, eventually-consistent communications system ideal for activists, refugees, and trolls.
The Perfectly Legitimate Project
April 25, 2014
ThotCon - Chicago, IL
With Grant Dobbe. Cryptographically-sound user-friendly darknet designs.
When we can't use the Internet anymore---either because it's gone, or because we can't trust it---how can we share our cat GIFs, tear gas remedies, or recipes for Roasted Rodent Ratatouille? The Perfectly Legitimate Project creates a decentralized, Internet-optional system of sharing data among a group of nodes without relying on easy-to-locate mesh networks. PLP uses whatever’s available to move heavily-encrypted payloads around, including short-range wireless communications (on license-free VHF, UHF, ZigBee, or WiFi), sneakernet, or tasty (and nutritious!) carrier pigeons. PLP has four components: NATASHA and MOOSE provide user-friendly services (such as email, wikis, and blogs) to any end-user without a need for specialized hardware or customized software, while BORIS and SQUIRREL let couriers use any means necessary to ship data with a derivative of the interplanetary Disruption-Tolerant Networking protocol. The end result is a system that's OPSEC-capable, easy to use, and can be deployed when zombies attack---or when you're just tired of having your adversaries listen through the fillings in your teeth.
Tyvlytting På Lufta (Voyeurism in the Air)
March 27, 2014
Paranoia - Oslo, Norway
July 10, 2014
Lockdown - Madison, WI
New updates to the CreepyDOL system, including a large-scale deployment in Montezuma, NM with 755 devices.
War Crimes as a Service
October 26, 2013
PumpCon - Philadelphia, PA
With Dr. John Linwood Griffin. Introduction for non-lawyers to the Tallinn Manual, why security experts should care, and a modest proposal for how to stop unlawful digital warfare.
Three years of international negotiations and deliberations by eleven lawyers, two academics, a bunch of editors, and an Estonian dog named Terry gave us the 'Tallinn Manual'---a.k.a., cover for the world’s militaries to blow up the Internet. This talk will explain why international law matters, why it’s important that a bunch of non-hackers defined 'attack' to only mean dead bodies, and how we can prevent certain nations from clogging the tubes with the blood of the innocent. The international law of war isn’t dead---it’s just sleeping. Come help wake it up.
Stalking a City for Fun and Frivolity
August 3, 2013
DEF CON - Las Vegas, NV
October 24, 2013
LASCON - Austin, TX
Distributed sensor network data acquisition, filtering, and visualization, with several security applications. This presentation addressed the architecture and collection aspects of the CreepyDOL system, as well as the implications for global surveillance states and engineering as a profession.
Tired of the government being the only entity around that can keep tabs on a whole city at once? Frustrated by dictators du jour knowing more about you than you know about them? Fed up with agents provocateur slipping into your protests, rallies, or golf outings? Suffer no more, because CreepyDOL is here to help! With open-source software, off-the-shelf sensors, several layers of encryption, and a deployment methodology of 'pull pin, point toward privacy insurance claimant,' it allows anyone to track everyone in a neighborhood, suburb, or city from the comfort of their sofa. For just four easy hardware purchases of $131.95, you, too, can move up from small-time weirding out to the big leagues of total information awareness: deploy CreepyDOL today!
CreepyDOL: Cheap, Distributed Stalking
August 1, 2013
Black Hat USA - Las Vegas, NV
Distributed sensor network data acquisition, filtering, and visualization, with several security applications. This presentation addressed the architecture and collection aspects of the CreepyDOL system.
Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors who is fed up with the hard work of tracking your target's every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.
Reticle: Dropping an Intelligent F-BOMB
July 26, 2012
Security BSides Las Vegas - Las Vegas, NV
Software to control ad-hoc networks of disposable computers.
F-BOMB is a disposable computing project, and Reticle is its software brain: a distributed, leaderless system for transferring data and commands to and from the tiny, distributed, dirt-cheap little boxes. Together, these two systems form a botnet-styled sensor network that can be deployed the same way as a smoke grenade by a field agent, but with intelligent encryption, plausible deniability, and a peer-to-peer command network to ensure that an enemy can't compromise your goals--whether you're providing Internet access to an Occupy group, or playing distributed hide and seek for cell phones. We discuss the design and implementation of Reticle, which was intended to take some of the networking ideas from modern botnets and apply them in a more useful context. Reticle was created with support from DARPA Cyber Fast Track, and the code, utilities, and documentation created under that project will be released with the talk.
Sacrificial Computing for Land and Sky
January 27, 2012
ShmooCon - Washington, DC
Hardware design for very-low-cost sensor nodes.
Projects such as the incredible Wireless Aerial Surveillance Platform give you the ability to monitor or attack networks far from accessible areas, but are limited by their deployment characteristics: $6000+ buys you just 10-30 minutes on target, and you have to simultaneously do your work and defend the physical plane from Bad Men With Projectile Weapons, lest they take exception to your plans. Disposable computing designed for just one use can provide massive reductions in cost and time to deployment without sacrificing flexibility; we show how $50-$75 can give you upwards of 24 hours to work on a task, while using only off-the-shelf hardware, and leaving no data onsite for an adversary to analyze after the operation. These computers can then be planted manually, or even dropped from unspecialized UAVs (such as the Parrot Drone) to allow your expensive plane to return to safety while you do your work.
Mnikr: Reputation Construction Through Human Trading of Distributed Social Identities
November 13, 2009
5th ACM Workshop on Digital Identity Management - Chicago, IL
With Dr. John Linwood Griffin. Stock-market-like construction of computer-readable human-mediated reputation scores. Selected as the best paper at the workshop.
Reputation forms an important part of how we come to trust people in face-to-face interactions, and thus situations involving trust online have come to realize that reputation is an important characteristic in the digital age. We propose a new holistic and context-free approach to quantifying reputation on the Internet, based upon a stock exchange where users can trade reputation shares of other users and obtain goodwill dividends, including new algorithms for identifying and creating digital identities not inherently tied to a user’s personally identifiable information. We developed such a system, named Mnikr, and deployed our system on the Internet for a month to demonstrate and evaluate this approach. Our results suggest that existing public data sources can indeed be used to create an overarching social network whose utility is greater than its number of users would indicate, and in which reputation measurements are generated that are actually indicative of each user’s standing in society.
Kubernetes and Containerized Security
Leviathan Security Group
An overview of what 'securing Kubernetes,' a common client request, really entails: not just security of the control plane, but more critically, of the containerized software, and how to achieve that.
Quantifying the Cost of Forced Localization
Leviathan Security Group
With James Arlen. Focused on the direct costs to companies of forced localization laws--the actual economic disadvantage inflicted by a country on its businesses when it chooses to require that all data be stored within its borders.
Value of Cloud Security: Vulnerability
Leviathan Security Group
With James Arlen and Lee Brotherston. A discussion of the challenges around setting up local data storage, for small, medium, and large enterprises, and a comparison of price data between major local and cloud storage vendors.
Analysis of Cloud vs. Local Storage: Capabilities, Opportunities, Challenges
Leviathan Security Group
With James Arlen and Lee Brotherston. A discussion of the challenges of hiring sufficient cybersecurity expertise given the current talent pool and educational programs available.
Comparison of Availability Between Local and Cloud Storage
Leviathan Security Group
With James Arlen and Lee Brotherston. A discussion of the challenges of securing the integrity and availability of data stored in datacenters and the cloud in the face of disasters and other large-scale events.
Mnikr: Reputation Construction Through Human Trading of Distributed Social Identities
5th ACM Workshop on Digital Identity Management
With Dr. John Linwood Griffin. Stock-market-like construction of computer-readable human-mediated reputation scores. Selected as the best paper at the workshop.
State Bar of Montana, Washington State Bar Association
International Association of Privacy Professionals
Information Systems Audit and Control Association
Cloud Security Alliance
International Information Systems Security Certification Consortium (ISC(2))
FEMA Professional Development Certificate, IS-{1, 100, 120, 130, 139, 200, 230, 235, 240, 241, 242, 244, 250, 288, 700, 800, 802}
January 7, 2011
United States Federal Emergency Management Agency
Public Service and Emergency Communications Management for Radio Amateurs
May 1, 2011
American Radio Relay League (ARRL)