Brian A. McHenry

BrianAs a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and the F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms. Follow him on twitter @bamchenry

Articles by Brian A. McHenry

The WAF Is Not Enough

Application security is difficult. Much of network security can be addressed by segmentation, best practice default-deny firewall polices, and well-placed sensors. That’s an over-simplification of network security practice, but it covers the high-level areas most infosec teams can apply to an effective practice. Application security, on the other hand, seems to require not only a …


Top 5 InfoSec Things I Think For 2018

That time of year again, when people like me with a little space on the Internet try to predict what goodies CyberSecurity Santa will bring for the New Year. Past predictions1 2 3 by your intrepid security guide have been uneven (blame the IETF), but I will do my best to once again prepare you …


The Internet of Thingbots

If you follow technology news, then it’s almost impossible to avoid some mention of “the Internet of Things” or IoT, for short. With the proliferation of smart home devices ranging from lighting to garage door openers to thermostats to cameras and the use of other smart devices in enterprises, the challenges and growth in IoT …


Black Hat USA 2017: Bigger and Better (?)

The 20th edition of Black Hat USA (BHUSA) did not disappoint, if your expectations were the largest exhibit floor, the most lasers, and the biggest attendance ever. Black Hat USA has become one of the most anticipated infosec conferences of the year, and anchors a week that has become affectionately known as Infosec Summer Camp, …


What’s New In The OWASP Top 10 And How TO Use It

As a student of web application security over the last decade, a constant touchstone has been all of the educational tools and projects available from the Open Web Application Security Project (OWASP). OWASP does a phenomenal job of publishing tools, promoting and funding projects, and fostering a community of students and professionals passionate about application …


Balancing Simplicity in Security

Complexity is the enemy of security. I first heard this truism from an interview with Bruce Schneier way back in 2001. In the years since, infrastructures have only grown more complex. Virtualization in its many forms is a chief contributor to complexity. Containers within hypervisors within clouds within data centers. As we’ve seen the barriers …


Keep The Security Light On Without Burning Out

At BC Aware Day in Vancouver this past February, I was lucky enough to attend Jack Daniel’s InfoSec Survival Skills talk. Check out the recording or find Jack at a local security conference near you. Jack’s talk focuses a lot on the stresses and triggers we deal with as security practitioners and the coping mechanisms …


To The Cloud, But Securely

By now, you’ve seen some breakdown of SaaS vs. PaaS vs IaaS, with respect to security. You’ve also probably seen the most common piece of security advice, which is “patch your (stuff)”. For Software-aaS, the service provider handles patching and system maintenance. Your security concerns are going to be negotiated in all sorts of legal …


Perfect Forward Secrecy

Perfect Forward Secrecy. The term sounds like something out of the latest Bond film. When I first checked how to configure PFS ciphers several years ago, I couldn’t find much documentation because I didn’t realize that that PFS described a class of ciphers, which included Diffie Hellman Ephemeral (DHE) and Elliptic Curve DHE (ECDHE). Further …

UK Plc to Take Security Seriously

F5 Releases 2017 State Of Application Delivery Report

Today F5 Networks released its third annual State of Application Delivery report. Data comes from a customer survey of over 2,000 IT professionals across the networking, application, and security realms, and examines the vital role application services play in enabling enterprises to deploy applications faster, smarter, and safer. Survey responses came from around the globe, …