Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Let me start this list with the Absolute Greatest Hits of 2015 and then we'll move on to stuff that is only kindawesome.

Cloud and the Security Skills Gap - DarkReading Video

Video: Using Cloud to Fill the Security Gap - DarkReading [2:23]

In an astonishingly short amount of time, I throw down three different ways an organization can use cloud to remediate its security skills shortage.

DarkReading: How the Security Skills Shortage Killed Defense-in-Depth

One of my best pieces discusses how the shortage of qualified security professionals is changing the way security is sold. It struck home with a lot of people as it got lots of discussion on the site and on Twitter. Some of it bizarre. I learned to ignore the weirdos after this one.


Security Week: The Real Story Behind the Kate Upton Nude DDoS Attack

The story of how the Kate Upton Nude photos were blamed for an ISP outage in New Zealand is my all-time Greatest Hit. Probably still gets more clicks than anything else I wrote.

Blog: The 5 David Holmeses More Famous Than Me

Help me choose my new first name. Because there are too many guys named David Holmes who are more famous than this one.

SSL Recommended Practices

My colleague Marty Scholes and I slaved over this 53-page magnum opus during the fall of 2015. Everything you want to know about SSL and F5.

Blog: Implementing Light-Weight East-West Firewalls with F5

East-west data center traffic needs to be secured. Here's the easy way to do it with the load balancers you already have. 

Blog: How much of my traffic is still SSLv3?

Here's an iRule that counts how many of your connections are SSLv3. Even gives you a cool graph from the iRule itself.

Paris and Playstation

Security Week: Paris Attacks: What Kind of Encryption Does the Playstation 4 Use, Anyway?

This was my favorite piece of the year. In the first days after the Paris Attacks, there was a rumor going around that the terrorists were using PlayStation encryption to hide from Interpol. I examined the messages from my PS4 and determined it wouldn't be a great platform for coordinating terrorist activities.

Security Week: Disrupting the Disruptor: The Security of Docker Containers

A friend of mine called me recently: "Hey man, I was looking up the security of docker containers and read this article and lo-and-behold it was my old buddy Dave who wrote it!"

Stack Ranking SSL Vulnerabilities

Security Week: Stack Ranking SSL Vulnerabilities for the Enterprise

Not all SSL vulnerabilities are the same. Some are way worse than others, but often the media doesn't know that. My attempt to provide a relative scale based on quantifiable cryptographic assets. Also uses a cute Japanese Monster Alert level.

Blog: Why You Should Tap the Hardware Random Number Generator in your BIG-IP

This is wicked important, and you should read it right now. This could improve your entire cryptographic security posture. For free. You're welcome!

Blog: Remediating Logjam: an iRule Countermeasure

Logjam attacked the Diffie-Hellman key exchange protocol. In general, F5 devices aren't vulnerable, but if you have vulnerable devices on your network, here's an iRule that can block the attack.

Data Center Knowledge: 2014: The Year of the Infrastructure Vulnerability?

A look back at 2014 and all the ShellShock and Heartbleed fallout for Data Center Knowledge. Nice, crisp piece.

Beyond the Absolute Greatest Hits we have the um, Normal Greatest Hits. 

Security Week

Security Week runs a bi-weekly column of mine where they allow a wide latitude of topics as long as they are security-related. Here's all my other Security Week bylines from 2015. 

Where is the Android DDoS Armageddon?
Pete Silva and I had a long running bet that if the handheld DDoS zombie craze never happened that we would stop talking about it. This is me claiming I won the bet.

In Memoriam: Goodbye RC4, an Old Crypto Favorite
RC4 was such a cute algorithm. My tribute, and a look at new stream ciphers with festive names, such as "Salsa" and "Chacha".

What's the Disconnect with Strict-Transport-Security?
Strict Transport Security hasn't taken off. Which is weird, because it's so easy!

How "Let's Encrypt" Will Challenge the CA Industry
One of three pieces where I discuss the merry band of do-gooders "Let's Encrypt" and their crusade against the Certificate Authority industry.

Should You Be Worried About BGP Hijacking Your HTTPS?
A breakdown of an attack vector unveiled at 2015's Blackhat conference. Should you be worried? Read and find out.

Hacker Search Engine becomes the new Internet of Things Search Engine
A look at the SHODAN search engine, and how it has evolved from the Hacker's favorite search engine to the new Internet of Things search engine. Inspired by John Matherly's presentation at Amsterdam's Hack-in-the-Box.

Three Reasons Mobile DDoS Never Materialized
The Android DDoS Armageddon article generated some discussion among my colleagues. I captured their best points in this follow-up piece.

Why Do Bulldozers Incite DDoS Attacks?
Three examples of bulldozer-companies that have gotten attacked with DDoS. And why.

Why Let's Encrypt Won't Make the Internet More Trustworthy
I didn't choose the title for this piece; it got bolted on (to my surprise) to make it more clicky. I get it, that happens. I wasn't nearly so hard on LE as the title would have you believe.

Was SSL3 Killed by a POODLE? The Survey says... Maybe!
A look at F5's survey data that shows a precipitous decline in SSLv3 traffic.

How to Tap the Hardware Random Number Generator in your Load Balancer
My SecurityWeek piece for the same topic as the DevCentral piece. Read the DevCentral version, it has more detail, and an iRule.

DevCentral Blogs

I love writing for DevCentral. I can write about whatever I want. Like bidets. Or HDMI.

Convergence Replacement Throwdown: Update
A conversation with Ivan Ristic about what happened with Convergence, the precursor to the Certificate Transparency project.

Is the Security Skills Shortage Real?
The DevCentral follow-up to my DarkReading article. Captured some of the interesting discussion that resulted from the original.

2015 Security Conferences
A quick and incomplete list of security conferences in 2015. There were so many!

Generational Whitehat Deficit Will Drive SilverLine WAF
The whitehat deficit will drive F5's security-as-a-service solutions.

BIG-IP Cipher History
John Hall at F5 came up with this cool eye-chart for research or provisioning for BIG-IP and SSL.

My Three Favorite Security Podcasts
How do you stay on top of the security industry? Listen to these security podcasts.

How to Fix That Sewer Smell In Your European Hotel Bathroom in 2 Seconds
Why does your boutique Parisian hotel room smell so bad? The answer is simple, and so is the fix.

Preparing your F5 for new TLS requirements in Apple iOS 9 and Mac OSX 10.11
Apple dropped new SSL/TLS requirements in iOS9 and OSX 10.11. Here are the configuration changes you should make to optimize for the new requirements.

Random Video

Hackers and Banks and Stuff - Polish Media Interview [2:51]
Another 3-minute video, this one from Poland. They have a Polish guy talking over my audio track, which is neat if you know Polish. I don't.

[Caption: Me in the white shirt, moderating a panel for an FBI Infragard event]

There you have it; another productive year for yours truly, David Holmes, the F5 Security Evangelist. Speaking of evangelism, I visited 43 cities in 2015, too. Spoke in at least 5 steakhouses. And a movie theater. That was weird. Watch for me coming to a steakhouse or movie theater near you in 2016!