Harshil Parikh is a seasoned security leader with experience building security and compliance functions from the ground up. He notably built the security and compliance team at Medallia from scratch and led it through several transitions. He is also a conference speaker, and, most recently, he co-founded Tromzo. Harshil shares insights about AppSec, running a startup, selling effectively, and provides justification for his mantra, "Context is king."
Harshil underscores the importance of understanding context in security, emphasizing that it's the bedrock for making informed decisions. He also brings to light the significance of data-driven metrics in application security.
Harshil champions the cause of enhancing the developer experience in application security. He posits that security professionals should be more than just watchdogs; they should be enablers, aiding developers in making the right security decisions. This involves equipping developers with the necessary tools and knowledge and providing them with the relevant context to understand the bigger picture. Harshil's insights into the trend of developer autonomy, especially in modern companies, are particularly enlightening. He discusses how developers today often take ownership beyond just coding, emphasizing the need for security guardrails to guide them.
Rounding off the episode, Harshil touches upon the challenges of scaling application security programs in organizations. His main message resonates powerfully: the role of security professionals extends beyond mere problem detection. It's about risk management, improving developer experiences, and navigating the complex labyrinths of organizational hierarchies. This episode is a treasure trove of insights for anyone keen on understanding the nuances of application security in today's dynamic tech landscape.
Recommended Reading:
The Metrics Manifesto by Richard Seiersen. https://www.wiley.com/en-us/The+Metrics+Manifesto%3A+Confronting+Security+with+Data-p-9781119515418
FOLLOW OUR SOCIAL MEDIA:
Twitter: @AppSecPodcast
LinkedIn: The Application Security Podcast
YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeff Williams of Contrast Security joins Chris and Robert on the Application Security Podcast to discuss runtime security, emphasizing the significance of Interactive Application Security Testing (IAST) in the modern DevOps landscape. After reflecting on the history of OWASP, the conversation turns to the challenges organizations face in managing their application security (AppSec) backlogs. Jeff highlights the alarming number of unresolved issues that often pile up, emphasizing the inefficiencies of traditional security tools.
Jeff champions IAST, and here are a few highlights that he shares. IAST is ideally suited for DevOps by seamlessly transforming regular test cases into security tests. IAST can provide instant feedback, leading to a Mean Time To Repair (MTTR) of just three days across numerous applications. Unlike Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST), which can take hours or even days, IAST can complete security testing during the build, fitting within the tight SLAs of modern pipelines.
IAST offers developers comprehensive insights, which aid in a better understanding and quicker resolution of the identified issues. It is also proactive, as IAST can detect vulnerabilities before they are exploited. Jeff argues that IAST's ability to work with existing test cases and provide rapid feedback makes it a perfect fit for the fast-paced DevOps environment.
Jeff emphasizes that while runtime security can be a game-changer, it doesn't replace other essential aspects of AppSec programs, such as training. In conclusion, Jeff Williams champions IAST as a revolutionary tool in the application security domain. Its adaptability, efficiency, and depth of insights make it a must-have in the toolkit of modern developers and security professionals.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Curphey and John Viega join Chris and Robert to explain the details of Chalk, Crash Override's new tool. Mark also talks about why ZAP departed from OWASP and joined the Software Security Project, highlighting some of the value and differences of both organizations. Open source software is important to the industry, but Mark calls on companies to contribute to the development and support of the projects they use.
The conversation explores the challenges faced by companies, especially large tech firms, in managing their software engineering processes. Many organizations grapple with identifying code ownership, determining code versions during incidents, and prioritizing alerts from static analysis tools. Chalk emerges as a solution to these challenges, providing clarity and reducing friction in the software development and maintenance process.
Toward the end, both speakers emphasize the importance of understanding the entire software engineering process to make informed decisions. They advocate for an "outside-in" perspective, urging listeners to step into the shoes of others and view challenges from a broader perspective. This holistic approach, they suggest, can lead to more effective decision-making in the realm of software development.
Listen until the end for book recommendations on cybersecurity, business, and personal growth.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maril Vernon is passionate about purple teaming and joins Robert and Chris to discuss the intricacies of purple teaming in cybersecurity. She underscores the significance of fostering a collaborative environment between developers and the security team. Drawing from her experiences, Maril shares the challenge of development overlooking her remediation recommendations. She chose to engage directly with the developers, understanding their perspective and subsequently learning to frame her remediations in developer-centric language. This approach made her recommendations actionable and bridged the communication gap between the two teams.
Maril also looks into the future of purple teaming, envisioning a landscape dominated by automation and AI tools. While these tools will enhance the efficiency of certain tasks, she firmly believes that the human element, especially the creativity and intuition of red teamers, will remain irreplaceable. She envisions a future where dedicated purple teams might be replaced by a more holistic approach, or white teams, emphasizing collaboration across all departments.
Maril's powerful message on the essence of security: "You get what you inspect, not what you expect." She emphasizes the importance of proactive inspection and testing rather than relying on assumptions. And she re-states the centrality of cooperation between teams. Maril's insights serve as a reminder of the dynamic nature of cybersecurity and the need for continuous adaptation and collaboration.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Kuykendall visits The Application Security Podcast to discuss his series "Why All AppSec Products Suck" and explain why software companies should understand the uses and limitations of any security tool. The series aims to highlight the limitations of each tool and to help users make informed decisions when selecting the right tools for their needs. In this field, there is no such thing as an expert; there is always something new to learn.
Dan, Chris, and Robert remember the late Kevin Mitnick, a well-known figure in the cybersecurity community. They share their personal experiences with Mitnick, highlighting his curiosity, humility, and the importance of remembering that everyone in the cybersecurity community is a regular person with feelings and concerns.
The hosts discuss the challenges of dealing with heavy client-side applications, such as those built with React, and the difficulties faced by Dynamic Application Security Testing (DAST) scanners in handling different data formats and client-side complexities. They share their experiences in redesigning DAST scanners to handle various data formats and the importance of separating data formats from attack payloads. Dan helps Chris see the usefulness of DAST in certain situations, such as a large enterprise, without hiding some of the limitations inherent in DAST.
The podcast also touches on the importance of training engineers in web security and the need for a collection of tools that address different security concerns. The hosts emphasize the value of designing security into applications from the beginning and the role of training in achieving this goal. Learning the basics, such as understanding TCP/IP, is still important for security and developers.
To gain more valuable insights and resources from Dan Kuykendall:
The Dan On Dev website
Social Media
- https://twitter.com/dan_kuykendall
- https://twitter.com/Dan_On_Dev
- https://instagram.com/dan_on_dev
- https://facebook.com/danondev
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Johnson is the CEO of Secure Ideas. He began his career as a developer but turned toward security when he discovered that the interface for an intrusion detection system, Snort, was out of date. This led him to create BASE (Basic Analysis and Security Engine), a testament to Kevin's proactive approach.
Kevin has a deep-rooted passion for open-source projects. He highlights the challenges and joys of initiating and sustaining such ventures, emphasizing the pivotal role of community contributions. Kevin also details how to install and start with SamuraiWTF, a tool tailored for those keen on mastering application security. He outlines two paths for developers: one focused on learning application security intricacies and another on actively contributing to the project's growth.
Kevin also discusses the notable departure of ZAP from OWASP. Kevin expresses his concerns and reflects on the broader implications of this decision on the cybersecurity community. The episode wraps up with a touch of nostalgia, as Kevin and Chris reminisce about their early tech adventures, showcasing Kevin's unwavering commitment to knowledge-sharing and community collaboration.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tony Quadros, the AppSec Lumberjack, shares the unique career path that led him to find his passion in Application Security. The discussion delves into the work of an AppSec vendor, with Tony explaining his role and the responsibilities it entails. He emphasizes the importance of understanding the needs and environment of the customer, and whether the product he represents can fulfill their requirements. Tony also shares his philosophy of sales, centered around solving problems and providing business value.
Tony reveals the challenges salespeople face in the cybersecurity industry, particularly the pressure to meet quotas and the need for good company culture. Chris, Robert, and Tony highlight the importance of setting realistic expectations at the executive level to avoid putting undue pressure on customers and prospects.
In addition, the conversation touches on the importance of sales leadership in setting processes and creating a positive company culture. Sales leaders need to educate themselves about their products and market segment. Tony stresses they should provide value to customers through their conversations.
He also talks about becoming involved with OWASP Maine and encourages community involvement for all members of the AppSec community.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cloud security is on an evolutionary path, with newer platforms embracing secure-by-default settings. This has led to a significant improvement in security but also adds complexity as developers need to understand these defaults when deploying to the cloud.
Steve Giguere defines cloud application security, describes cloud-first development and cloud complexity, security by default, and the need to broaden AppSec by creating new security personas and being secure from idea to destination. Steve provides many nuggets of insight from his travels, including pointing us to Wing, a programming language for the cloud that includes code and IaC together.
We discuss the consolidation of application security, particularly Static Application Security Testing (SAST) and Software Composition Analysis (SCA). These should not be separate products but must provide actionable insights and be tied together for practical reachability analysis.
We introduce a new segment of rapid-fire questions, asking what Steve would put on a billboard at RSA or Black Hat and asking for book recommendations. Steve recommends "Hacking Kubernetes," praising its use-case focus and engaging narrative.
We plan to revisit this conversation in a few years to see if Steve's predictions about the security pipeline and other aspects of cloud application security have come to fruition.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Visualizing the Software Supply Chain" is a project which aims to kick off a discussion about the scope and breadth of the software supply chain.
Paul McCarty emphasizes the importance of understanding what's in the software supply chain to secure it effectively. He uses the burrito analogy, stating that you can't decide if you want to eat it if you don't know what's in it. We discuss the nuances around the Software Bill of Materials (SBOM) and the importance of understanding the differences between various SBOMs, especially for companies that deploy frequently.
The conversation also covers third-party components, such as APIs, SaaS solutions, payment gateways, and identity providers, which are part of the software supply chain. Paul gives the example of Stripe, a payment platform that includes software components and SaaS.
Paul's project helps people understand the different threats associated with each category in the software supply chain. The episode concludes with a call to action for organizations to prioritize understanding their software supply chain and leveraging automation as much as possible.
Gain valuable insights into securing the software supply chain and consider guidance on actionable steps organizations can take to enhance their security.
Four key takeaways from the episode:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Farshad Abasi shares three models for deploying resources within application security teams:
Over several years, Farshad's journey progressed from the expert-led model to a fully-deputized, champion-driven approach to AppSec.
After careful consideration, we conclude that the fully deputized model is the only path to scalability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kim Wuyts discusses her work in privacy threat modeling with LINDDUN, a framework inspired by Microsoft's STRIDE for security threat modeling. LINDDUN provides a structure to analyze privacy threats across multiple categories such as linking, detecting, data disclosure, and unawareness. The framework has been updated over the years to incorporate new knowledge and developments in privacy, and it has become recognized as a go-to approach for privacy threat modeling.
Kim believes that privacy and security can be combined and highlights the importance of protecting individuals' rights and data while securing systems and assets.
Privacy by design, which focuses on reducing unnecessary data collection and considering individual needs, is discussed in relation to secure architecture and threat modeling. The Threat Modeling Manifesto is emphasized as a significant resource for promoting privacy threat modeling.
Kim addresses emerging trends in privacy, including the concerns surrounding AI and responsible AI, and stresses the need for increased awareness among individuals and companies about privacy issues and the importance of privacy protection.
Listen in as Kim explains the importance of collaboration between security and privacy teams, integrating privacy into security practices, and recognizing the value of privacy for both privacy protection and overall security.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Software supply chain -- how deep does the problem go? François is here to help us realize how deep the rabbit hole of the supply chain is and enlighten us with strategies to get out of the hole.
François emphasizes the importance of branch protection in source code repositories as the cornerstone of any supply chain, highlighting the need for peer review and static code analysis before merging. He also discusses the concept of tag protection, which prevents anyone with write access to the repository from modifying a tag. This is particularly important in the context of build systems, where an overwritten tag could compromise the entire system.
The conversation then shifts to a "Let's Encrypt" equivalent for package signing, which François believes is being addressed by the Sigstore project. This project introduces the concept of keyless signatures, which eliminates the need to manage private keys, a process that can be risky and cumbersome.
François also discusses the importance of understanding your dependency tree and using package manager lock files to ensure that the version of a package you're downloading is the one you expect. He mentions Terraform modules, where the lack of a lock file for modules can lead to security vulnerabilities.
Toward the end of the episode, François recommends listeners explore the OpenSSF (Open Source Security Foundation) and its various projects, such as the Scorecard project, which provides a security posture for your repo. He also mentions https://deps.dev, a free Google service that scans open-source repos and runs the Scorecard on those projects.
Look up towards the light if you find yourself at the bottom of the rabbit hole.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How do we do security in the world of AI and LLMs? A great place to start is with an OWASP project tasked with creating a standardized guideline for building secure AI applications with large language models such as ChatGPT. Enter OWASP Top Ten for LLMs, and Steve Wilson, the project leader.
You'll experience Large Language Models (LLMs) and their implications in AI. Steve explains how the introduction of ChatGPT marked a significant shift in the AI landscape. He elaborates on the concept of LLMs, their functioning, and the unique properties that emerge when used at a large scale.
Traditional OWASP Top Ten issues like SQL injection and broken authorization are still applicable when dealing with AI applications, and the OWASP API Top Ten could be layered onto these considerations. Think about it -- AI applications have web frontends.
A new discipline of AI security engineering is on the horizon, focusing on the security of large language models and the applications that access them. A focus on both AI safety AND security must occur.
We look forward to the release of the 1.0 version of the OWASP Top Ten for LLMs. Join the discussion today on OWASP Slack, and help form the new list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is the state of application security? JB Aviat answered that question by creating the State of Application Security report based on data from Datadog customers using the application security and APM products. It provides insights into threat detection, vulnerability detection, prioritization, and general trends on where the most significant risks lie.
We discuss:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is zero trust, and how does it impact the world of applications and application security? We dive deep into zero trust with Joshua Wells, a seasoned cybersecurity expert with over ten years of experience. Joshua explores the intricacies of zero trust, a cybersecurity model that dictates that no user or machine is trusted by default and that every access must be authenticated.
Listen in as Joshua discusses his journey from aspiring to be an NFL player to becoming a leading voice in cybersecurity. He shares insights on how zero trust operates in different domains, including architectural security, endpoint detection, mobile device management, and risk assessment. He also touches on its implementation across various government bodies and private organizations.
Further, Joshua sheds light on the challenges of implementing zero trust, such as the need for a mix of different security tools and the stress of smaller teams when handling this robust framework. The episode also covers important considerations for Application Security (AppSec) professionals in a zero-trust environment and the role of attribute-based access control within this model.
Don't miss this enlightening discussion on cybersecurity's current landscape and future direction. Whether you're a cybersecurity professional, a tech enthusiast, or simply keen on understanding how your data is being kept secure, this episode will surely provide invaluable insights.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeevan Singh, the director of product security at Twilio, discusses the future of application security engineers. Singh highlights the importance of embedding security into all aspects of software development and the need for a strong security culture within organizations. He also explains the skills required for a senior application security engineer, such as application security, software development, and teaching skills. Singh underscores the importance of empathy and influence, emphasizing that soft skills can significantly affect effective application security. He also discusses the impact of AI, particularly OpenAI's GPT, in supporting the work of security engineers by providing valuable insights and information. Singh concludes by urging application security engineers to broaden their skills, particularly in software development, to ensure they can effectively handle the industry's evolving demands.
Five takeaways:
Jeevan's first appearance on the Application Security Podcast was entitled "Jeevan Singh -- Threat modeling based in democracy."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Have you ever considered using an SBOM to inform your threat modeling? Tony Turner has. Tony joins us to discuss SBOMs, threat modeling, and the importance of Cyber Informed Engineering.
Tony delves into the SBOM (Software Bill of Materials) concept, highlighting its value proposition in identifying vulnerabilities, demonstrating compliance with software licenses, and informing M&A activities and incident response indicators related to cyberattacks. We also explore the integration of SBOMs into the system engineering process and security engineering.
Tony further introduces the concept of Consequence-Driven Cyber Informed Engineering, which emphasizes understanding the potential consequences of cyberattacks on critical infrastructure rather than just on individuals or individual businesses. We discuss the four-step process of consequence-driven CIE. The conversation also addresses the challenges in communicating SBOM information, the importance of demanding transparency from suppliers, and the need to place trust in trusted third-party attestations.
Follow up:
- Research tools for integrating SBOMs into threat modeling
- Explore methods of communicating SBOM information
- Investigate Cyber Informed Engineering and Consequence-Driven principles in more detail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christian Frichot, an AppSec hacker, security leader, and developer of hcltm, discusses the DevOps threat modeling tool he dreamed up and built. The tool was created to fit into developers' workflows and leverage tools they are familiar with. hcltm is designed to drive valuable change and be updated and maintained easily by software engineers. It is a developer-centric software product that is not heavily opinionated on diagramming, allowing users to employ their preferred methods for threat modeling. The solution is still evolving, and Frichot is open to user feedback and suggestions to improve it. He encourages people to try hcltm and see if it fits their threat modeling needs, as everyone approaches the process differently.
Critical actions for you to take from this episode:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zohar Shachar joins us to discuss the bug bounty process from both sides. Zohar has spent time as a bug bounty hunter and shares wisdom on avoiding the kinds of issues that end up as bug bounty reports against your AppSec posture. We hope you enjoy this conversation with...Zohar Shachar.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sarah-Jane Madden is the Chief Information Security Officer of Sensing Technology Group, part of Fortive. She has over 20 years of software experience, from the most formal environments to "let's fix it in production" type teams. She has been a longtime advocate of deliberate application security as a partnership with product management and believes security does not have to be an overhead. Sarah-Jane joins us to discuss her talk at OWASP Dublin, "Far from green fields: introducing Threat Modeling to established teams." She shares lessons learned from her 3-year journey and is transparent about the mistakes she made along the way. We hope you enjoy this conversation with...Sarah-Jane Madden.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jet Anderson's passion is teaching today's software developers to write secure code as part of modern DevOps pipelines, at speed and scale, without missing a beat. He's been a software engineer for over 25 years and believes fixing security bugs is better than finding them. Jet joins us to discuss whether to be a software engineer or a security engineer first, how fixing security bugs is better than just finding them, and the Code Doctor security training program he built and deployed. We hope you enjoy this conversation with...Jet Anderson.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
James Mckee is a developer (MCPDEA) and security advocate (CISSP) whose biggest responsibility is leading developer security practices. He sets the standards and procedures for the practice's operations and leads all client engagement efforts concerning security. He also takes the lead in ensuring that company staff (developers specifically) are properly trained and following best practices concerning application security. Currently, he is responsible for training and providing product guidance for developers worldwide. James joins us to discuss offensive application security for developers. We also get into the role of security professionals in reaching developers outside of the security echo chamber. We hope you enjoy this conversation with...James Mckee.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Derek is the author of The Application Security Handbook. He is a university instructor at Temple University, where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led security teams, large and small, at organizations in the healthcare and financial industries. Derek joins us to unpack the goals of an application security program, what is cutting edge in application security programs today, the role of open source vs. commercial, and guidance such as "decentralized application security," "enablement instead of gates," "application security as a service," and "stop chasing the shiny new tool." We hope you enjoy this conversation with...Derek Fisher.
Find the book at https://www.manning.com/books/application-security-program-handbook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rob van der Veer has a 30-year background in software engineering, building AI businesses, creating software, and assessing software. He is a senior director at the Software Improvement Group, where he established practices for AI, security, and privacy. Rob is involved in several standardization initiatives like OWASP SAMM, ENISA, CIP, and AI security & privacy guide. He leads the writing group for the new ISO standard on AI engineering: 5338. Rob co-leads the OWASP integration project, with openCRE.org as a key result, aiming to create alignment in the standards landscape. Rob joins us to introduce the OWASP AI Security and Privacy Guide. We cover Rob's observations on how AI engineering differs from regular software engineering, typical software engineering pitfalls for AI engineers, the new guide's scope, threats introduced with AI, and mitigations that orgs and teams can use to build a secure AI system. We hope you enjoy this conversation with...Rob van der Veer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robyn Lundin started working in tech after a coding boot camp as a developer for a small startup. She then discovered her passion for security, pivoted into pentesting for NCC Group, and now works as a Senior Product Security Engineer for Slack.
Robyn joins us to discuss the role of penetration testing within the application security realm. Robyn provides actionable guidance you can apply directly to your application pen testing program. We hope you enjoy this conversation with...Robyn Lundin.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michael Bargury is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure, focused on IoT, APIs and IaC.
Michael is passionate about all things related to cloud, SaaS and low-code security and spends his time finding ways they could go wrong. He also leads the OWASP low-code security project and writes about it on DarkReading. Michael is a regular speaker at OWASP, BSides and DEFCON conferences.
Michael joins us to unpack Low Code / No Code and the new OWASP Top Ten that defines specific risks against Low/No Code. We hope you enjoy this conversation with...Michael Bargury.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Alex leads the Cyber Security Consulting Group, part of Rakuten's Cyber Security Defense Department. The group's dedication is to providing global security services, including security architecture, DevSecOps tooling and integration services, delivery of technical training, and running Rakuten's Security Champion community. His focus is on empowering teams to improve security throughout the development lifecycle.
Alex joins us to discuss security champions, a topic near and dear to our hearts. We get into democratizing appsec, the value of security governance and empowerment activities for security champions and the organization, how scope, cost and effort fit, and the ROI of training and security champions. We hope you enjoy this conversation with...Alex Olsen.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Curphey is one of the creators of OWASP from the very early days. Mark worked in the background over the few decades of OWASP but has recently stepped more into the spotlight. After running for the board, he was elected and joined the OWASP Board of Directors.
This conversation starts with the historical story of Mark and his history with OWASP. Then we jump into the visions for OWASP in the future and the plans in place to reach those goals. We hope you enjoy this conversation with...Mark Curphey.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tiago Mendo is a co-founder and CTO of Probely. He has extensive experience in pentesting applications, training, and providing all-around security consultancy.
Tiago started working with security in the early 2000s, beginning with a tenure of 12 years at Portugal Telecom. While there, he built the web security team and worked with 150+ developers. He holds a Master's in Information Technology/Information Security from Carnegie Mellon University and a CISSP certification.
He is also a qualified member of AP2SI, a non-profit organization that promotes Information Security in Portugal, and Co-Leader of the Lisbon OWASP Chapter. He is a frequent speaker at security events, such as Confraria da Segurança da Informação, BSides Lisbon, BSides Kraków and LASCON.
Tiago Mendo joins us to discuss OWASP ZAP and DAST scanning at scale. Tiago shares what scanning at scale is, the common challenges development teams must overcome when scanning at scale, and how to overcome them using OWASP ZAP. We hope you enjoy this conversation with ... Tiago Mendo.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices for cybersecurity consulting firms.
Wolf joins us to talk about some security things that will stretch your mind, like security beyond vulnerabilities, how apps' intended functionality can be misused, data privacy, and nudges and behavior science.
Wolf challenged my thinking in this episode and pointed out a new area of threat modeling I had never considered. We hope you enjoy this conversation with... J. Wolfgang Goerlich.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of IT experience and a background in software engineering and web application development.
Sam has worked for various financial services institutions in the City of London, specializing in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master's degree in Software Engineering and a CISSP certification.
Sam joins us to introduce us to OWASP Nettacker. He describes the tool's capabilities, how you can put it into use in various scenarios for asset generation and vuln scanning, and how to contribute to the project going forward. We hope you enjoy this conversation with...Sam Stepanyan.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dolev Farhi is a security engineer and author with extensive experience leading security engineering teams in complex environments and scales in the Fintech and cyber security industries. Currently, he is the Principal Security Engineer at Wealthsimple. He is one of the founders of DEFCON Toronto (DC416). He enjoys researching vulnerabilities in IoT devices, participating in and building CTF challenges and contributing exploits to Exploit-DB.
Nick Aleks is a leader in Toronto's cybersecurity community and a distinguished and patented security engineer, speaker, and researcher. He is currently the Senior Director of Security at Wealthsimple, leads his security firm, ASEC.IO, and is a Senior Advisory Board member for HackStudent, George Brown, and the University of Guelph's Master of Cybersecurity and Threat Intelligence programs. A founder of DEFCON Toronto, he specializes in offensive security and penetration testing. He has over ten years of experience hacking everything from websites, safes, locks, cars, drones, and even intelligent buildings.
Dolev and Nick join us to unpack the world of GraphQL security. We introduce GraphQL, threats, and mitigations to secure your GraphQL instances. We hope you enjoy this conversation with...Dolev and Nick.
Important Links:
Link to the book https://nostarch.com/black-hat-graphql
CrackQL https://github.com/nicholasaleks/CrackQL
Damn Vulnerable GraphQL Application https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With nearly 25 years of experience in the cyber-security industry, Guy has held various positions in both corporates and startups.
In his role as the CTO for the cyber crisis management firm Profero, his focus is making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach.
Guy is the BSidesTLV chairman and CTF lead, a public speaker at well-known global security events (SAS, t2, 44CON, BSidesLV, and several DEF CON villages, to name a few), and the recipient of the Cisco black belt security ninja honor, Cisco's highest cybersecurity advocate rank.
Guy joins us to explore his front-row seat for the incident response to Log4j. There are many AppSec lessons to learn by understanding Log4j in greater depth. We hope you enjoy this episode with...Guy Barnhart-Magen.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brett Smith is a Software Architect/Engineer/Developer with 20+ years of experience. Specialties: Automation, Continuous Integration/Delivery/Testing/Deployment. Expertise: Linux, packaging, and tool design.
Brett joins us to discuss why he hates security and shares his vast knowledge of building a secure and cutting-edge build pipeline. We hope you enjoy this conversation with...Brett Smith.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chen Gour-Arie is the Chief Architect and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen has demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry verticals. An enthusiastic builder, he has focused his career on building tools to optimize and accelerate security testing and all related workflows. Chen joins us to introduce the AppSec Map and provides a live demo of the catalog and what AppSec practitioners can use it for. We hope you enjoy this conversation with...Chen Gour-Arie.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dominique Righetto is an AppSec enthusiast and OWASP projects contributor. Dominique joins us to discuss the OWASP Secure Headers project. We discuss headers at a high level and then dive into all the goodies you'll find within the project, from awareness, guidance, and a test suite that can be integrated into your CI/CD pipeline to test your security headers. We hope you enjoy this conversation with...Dominique Righetto.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hillel Solow is Chairman of the Board at ProtectOnce, where he helps guide product and security strategy. Hillel is a serial entrepreneur in the cybersecurity space, but his favorite thing is still writing code at 2 am.
Hillel joins us to discuss how to do appsec without a security team. We explore the building blocks of an appsec program and what appsec looks like for companies of different sizes, from startup to midsize to enterprise. Then we dive into Hillel's most important advice for companies who can't afford a security person. We hope you enjoy this conversation with...Hillel Solow.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode of the Application Security Podcast, Chris Romeo walks through the origin story of Security Journey and shares some experiences taking a security startup from bootstrap to acquisition. Chris talks about how and why he started the company, what defining factors made Security Journey successful, and why they're being acquired now. He ends by giving an overview of what to expect from Security Journey moving forward. We hope you enjoy this conversation with...Chris Romeo.
Check out these resources for more information about the acquisition!
Press Release: https://www.accesswire.com/702562/HackEDU-Acquires-Security-Journey-to-Provide-the-Most-Comprehensive-Application-Security-Training-Offering-Helping-Development-Teams-Deliver-Secure-Code-and-Protect-Data
Chris's Blog Post: https://www.securityjourney.com/post/hackedu-acquires-security-journey
Joe's Blog Post: https://www.hackedu.com/blog/hackedu-acquires-security-journey-to-create-industry-leading-application-security-offering
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode of the Application Security Podcast, we talk to Kristen Tan and Vaibhav Garg from Comcast. They wrote a paper called "An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy". They join us to share their story about what they were doing and why they did it. We hope you enjoy this conversation with...Kristen and VG.
https://www.usenix.org/publications/loginonline/analysis-open-source-automated-threat-modeling-tools-and-their
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Patrick is a Senior Product Security Engineer in the Application Security team at ServiceNow. He is also Co-Leader of the OWASP CycloneDX project, a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Krivelevich is a cybersecurity expert and problem solver with 15+ years of enterprise security experience and a proven track record working with 100+ enterprises across multiple industries, with a strong orientation to Application & Cloud Security. Daniel co-founded Cider Security and serves as the company's CTO. Cider is a startup focused on securing CI/CD pipelines, flows, and systems.
Omer is a seasoned application and cloud security expert with over 13 years of experience across multiple security disciplines. An experienced researcher and public speaker, Omer discovered the Web Cache Deception attack vector in 2017. Omer leads research at Cider Security.
We hope you enjoy this conversation with...Omer and Daniel.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Josh Grossman has over 15 years of experience in IT Risk and Application Security consulting, and he has also worked as a software developer. He currently works as CTO for Bounce Security, where he focuses on helping organizations build secure products by providing value-driven Application Security support and guidance.
In his spare time, he is very involved with OWASP. He is on the OWASP Israel chapter board, he is a co-leader of the OWASP Application Security Verification Standard project, and he has contributed to various other projects as well, including the Top 10 Risks, Top Ten Proactive Controls and JuiceShop projects. We hope you enjoy this conversation with...Josh Grossman.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Alex Mor is a passionate cybersecurity defender or breaker, depending on the time of day, providing expert technical guidance to product teams and building security into their platforms. Alex joins us to talk about application risk profiling. He defines the concept to help us understand it. Then we talk about how you can do application risk profiling at scale, whether you have ten applications or 1500. How do you bring this together and gain real security value from the idea of profiling your applications? We hope you enjoy this conversation with...Alex Mor.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brenna Leath is currently the Head of Product Security for a data analytics company where she sets the application security strategy for R&D and leads a team of security architects. Brenna originally joined us to talk about EO 14028 and the implications for private sector programs, BUT, we were chatting about security champions and product security leads, and we changed our focus to cover these topics instead. We hope you enjoy this conversation with...Brenna Leath.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Will Ratner is a software security professional with extensive experience building and implementing security solutions across a myriad of industries including banking, media, construction, and information technology. In his current role at Atlassian, Will focuses on improving the vulnerability management process by building highly scalable and automated solutions for the enterprise. Will joins us to discuss a centralized approach he built for container scanning. We explore the challenges and lessons learned, building a scalable, enterprise-grade solution, and how to build something that developers will see value in. We hope you enjoy this conversation with...Will Ratner.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Neil Matatall is an engineer with a background in security. He has previously worked at GitHub and Twitter and is a co-founder of Loco Moco Product Security Conference. Neil joins us for his second visit, to discuss account security at scale. He describes the underlying principles behind security at scale, how he worked to build a sign-in analysis feature, and how attacks were detected. We ended the conversation with an authentication lightning round, with Neil responding to various statements about authentication off the cuff! We hope you enjoy this episode with Neil Matatall.
Check out our previous conversation with Neil Matatall.
https://www.buzzsprout.com/1730684/8122595-neil-matatall-content-security-policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Joern Freydank is a Lead Cyber Security Engineer with more than 20 years of experience. He is currently establishing the Threat Modeling Program at a major insurance company. Joern joins us to talk about security design anti-patterns. He defines the term, explains security debt, reviews the categories of anti-patterns, and walks us through the example of a common role misconception. We hope you enjoy this conversation with...Joern Freydank.
For more from Joern, check out his talk, Security Design Anti-Patterns -- Creating Awareness to Limit Security Debt, from Global AppSec:
https://youtu.be/o_Wq7Ga4M-0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ken Toler is a principal consultant at Kudelski Security and is passionate about building and optimizing application security programs that stick through strong adoption and ease of use. Ken has spent considerable time on all sides of the security aisle from playing defense and managing security teams to offense by breaking applications and reviewing code. Ken is also the host and creator of the Relating to DevSecOps podcast that focuses on forging strong relationships between engineers, operations, and security through collaboration, understanding, skill-sharing, and healthy debate. Ken joins us to talk about all things Blockchain and AppSec. We define Blockchain, discuss the connections between cloud, appsec, and blockchain, common architecture failures, pen testing, and even dive into smart contracts. We hope you enjoy this conversation with...Ken Toler.
Links from the episode:
Secureum Videos
https://www.youtube.com/c/SecureumVideos/videos
BLOCKCHAIN SECURITY: A NEED FOR TODAY'S BUSINESSES (COMPLETE GUIDE FOR BEGINNERS)
https://www.blockchain-council.org/blockchain/blockchain-security-a-need-for-todays-businesses-complete-guide-for-beginners/
The Rust Programming Language
https://doc.rust-lang.org/book/
Blockchain Security @ Kudelski
https://kudelskisecurity.com/services/applied-security/blockchain-security/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeroen Willemsen is a passionate, hands-on security architect with a knack for mobile security and security automation. As a "jack of all trades," he has been involved with various OWASP projects and has developed various trainings. He has spent over 10 years as a full-stack developer and has worked as a (security) architect, security lead, and risk manager.
Ben de Haan is a Freelance Security consultant and engineer. Ben's specialties are architecting and implementing cloud security and building secure CI/CD environments in Agile, DevOps, and SRE cultures. Ben believes security should be built-in and can be scaled to meet these modern ways of working. Outside of regular work, Ben enjoys hosting security trainings or workshops, and he's an AWS NL Meetup regular.
Jeroen and Ben join us to speak about their OWASP project, Wrong Secrets. We discuss the problems secrets bring into applications and explore how you can use Wrong Secrets to bolster your knowledge of what not to do with secrets. We hope you enjoy this conversation with...Jeroen and Ben.
Explore these helpful resources mentioned during the interview:
https://owasp.org/www-project-wrongse...
https://xebia.com/secure-deployment-1...
GitHub: https://github.com/commjoen/wrongsecrets
Free Heroku dyno hosted version: https://wrongsecrets.herokuapp.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Loren Kohnfelder has over 20 years of experience in the security industry. At Microsoft, he was a key contributor to STRIDE, the industry's first formalized proactive security process methodology, and also program-managed the .NET platform security effort. At Google, he worked as a software engineer on the Security team and as a founding member of the Privacy team. Loren joins us to talk about his new book, Designing Secure Software. We start the conversation geeking out about his work to create STRIDE and digital certificates. We then discuss facets of the book, like secure software, security design review, and what he would implement if he could only do one thing to improve software security. We hope you enjoy this conversation with...Loren Kohnfelder.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ochaun Marshall is an Application Security Consultant. In his role at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. Ochaun joins us to talk about SAST and IaC, static application security testing and infrastructure as code. We talk about what they are, how they work, the security benefits, and some of the tools that make them possible, and we finish our conversation talking about developer empathy and why Ochaun has developer empathy as a result of his experiences as both a developer and a security person. We hope that you enjoy this episode with...Ochaun Marshall.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they hit production. He has talked about and demonstrated ZAP at conferences all over the world. Prior to making a move into security, he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.
Simon joins us for the second time to refresh our knowledge of ZAP, explain how to use ZAP as an automation tool in your pipeline, and share what he knows about rolling ZAP out across an enterprise. We hope you enjoy this conversation with...Simon Bennetts.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Timo Pagel has been in the IT industry for over fifteen years. After a career as a system administrator and web developer, he now advises customers as a DevSecOps consultant and trainer. His focus is on security test automation for software and infrastructure and assessment of complex applications in the cloud. In his spare time, he teaches Web and Application Security at various universities. Timo joins us to talk about the OWASP DevSecOps Maturity Model, or DSOMM. We explore maturity models, this specific one, how you can use it, and how to get started. We hope you enjoy this conversation with...Timo Pagel.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mazin Ahmed is a security engineer who specializes in AppSec and offensive security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, LinkedIn, and Oracle, to name a few. Mazin is the developer of several popular open-source security tools that have been integrated into security testing frameworks and distributions. Mazin also built FullHunt.io, the next-generation continuous attack surface security platform. He is also passionate about cloud security, where he has been running dozens of experiments in the cloud security world. Mazin joins us to introduce Infrastructure as Code and Terraform and discuss the security benefits IaC brings to our cloud environments. We hope you enjoy this conversation with...Mazin Ahmed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dr. James Ransome is the Chief Scientist for CyberPhos, an early-stage cybersecurity startup. He is also a member of the board of directors for the Bay Area Chief Security Officer Council and serves as an adviser to ForAllSecure and Resilient Software Security.
Dr. Ransome's career includes leadership positions in the private and public sectors. He has served in three chief information security officer and four chief security officer roles before taking on Chief Product Security Officer roles over the last 11 years. During this time, he has been building and enhancing developer-centric, self-sustaining, and scalable software security programs that are holistic, cost-effective, and operationally relevant.
Brook S.E. Schoenfield is the author of Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). Building In Security At Agile Speed (with James Ransome, Auerbach, 2021) focuses on software security for continuous development practices and DevOps. Brook helps clients with their software security and secure design practices. He mentors technical leaders to effectively deliver security strategy. He consults as a technical leader for True Positives, LLC and SEC Consult America's holistic security architecture services.
https://www.amazon.com/Building-Security-at-Agile-Speed/dp/0367433265/ref=sr_1_1?dchild=1&keywords=building+in+security+at+agile+speed&qid=1631297374&sr=8-1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert and I break down the OWASP Top 10 2021 Peer Review Edition. We walk through it and give you our insights and highlights of the things that stand out to us, along with our questions. We feel it brings value to our audience's understanding of the OWASP Top 10 2021 and what it will likely look like when it comes out. We encourage you to go and do your own peer review of the document, submit your own pull requests, and provide your feedback and issues on GitHub, because together as a community, this is how we make this document better. Enjoy!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Anastasiia Voitova is the Head of Customer Solutions and a security software engineer at Cossack Labs. She works on data security and encryption tools and their integration into real-world apps.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Eran Kinsbruner is the Chief Evangelist and Senior Director at Perforce Software. His published books include the 2016 Amazon bestseller The Digital Quality Handbook, Continuous Testing for DevOps Professionals, and Accelerating Software Quality: ML and AI in the Age of DevOps. Eran is a recognized influencer on continuous testing and DevOps thought leadership, an international speaker, and a blogger. Eran joins us to talk about the role of testing in a secure software pipeline. We talk about the intersection of security and quality, the biggest challenges in getting started, and even have a brief conversation about how SAST is used to check automotive software. We hope you enjoy this conversation with... Eran Kinsbruner.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Loveless - aka Simple Nomad - is a security researcher and hacker. He's spoken at numerous security and hacker conferences worldwide, including Black Hat, DEF CON, ShmooCon, and RSA. He's been quoted in the press, including CNN, the Washington Post, and the New York Times. Mark joins us to discuss his series of blog posts on Threat Modeling at GitLab. We discuss his philosophical approach, framework choice (spoiler alert, it's a pared-down version of PASTA), and success stories / best practices he's seen for threat modeling success. We hope you enjoy this conversation with... Mark Loveless.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeroen Willemsen is a Principal Security Architect at Xebia. Jeroen is more or less a jack of all trades with an interest in infrastructure security, risk management, and application security. With a love for mobile security, he enjoys sharing knowledge on various security topics. Jeroen joins us to unpack security automation in a DevOps world. We discuss categories of tools, typical quick wins, potential downsides, and how dependency management specifically plays into automation. We hope you enjoy this conversation with...Jeroen Willemsen.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices. Kevin and I had a conversation to discuss software security from the past and into the future. We cover how to make security easier for developers, SBOM, software minimalism, cyber resiliency, and so much more! We hope you enjoy this conversation with...Kevin Greene.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeevan Singh is a Security Engineer Manager at Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Before life in the security space, Jeevan held a wide variety of development and leadership roles over the past 15 years. Jeevan joins us to speak about self-serve threat modeling at Segment, or threat modeling based in democracy. We discuss their focus with the program, how it fits in their dev methodology, and their ultimate goal with the threat modeling program. We hope you enjoy this conversation with... Jeevan Singh.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dima Kotik is an Application Security Engineer at Security Journey and has been programming in Python for years. While building out Security Journey's Secure Coding with Python content, he came across the Zen of Python, a set of guidelines for how to program in Python. He wrote a blog post about how to apply application security to the Zen of Python, and then we recorded this interview to talk about the concept in more depth. We hope you enjoy this interview with... Dima Kotik.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Before taking the plunge into information security leadership, Dustin Lehr spent over a decade as a software engineer and architect in a variety of industries, including retail, DoD, and even video games. This diverse background has helped him forge close partnerships with development teams, engineering leaders, and software security advocates while pursuing the organizational culture shift of building good security habits into daily work. Dustin joins us to talk about the challenges developers face with security and so much more. We hope you enjoy this conversation with...Dustin Lehr.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Aaron Rinehart is expanding the possibilities of chaos engineering to cybersecurity. He began pioneering security in chaos engineering when he released ChaoSlingr during his tenure as Chief Security Architect at UnitedHealth Group (UHG). Rinehart is the O'Reilly author of Security Chaos Engineering and has recently founded a chaos engineering startup called Verica with Casey Rosenthal from Netflix. Aaron joins us to explain what the heck security chaos engineering is. We explore the origin story of chaos engineering and security chaos engineering and how a listener can get started with this new technique. We hope you enjoy this conversation with... Aaron Rinehart.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode of the Application Security Podcast, we're joined by friends Izar and Matt, authors of the book "Threat Modeling: A Practical Guide for Development Teams." Izar is currently the Squarespace Principal Security Engineer. He lives in NY, where he enjoys telling people who separate security from development to get off his lawn. Matt is currently a Product & Application Security Engineer at Dell Technologies. Matt lives in Massachusetts, is an avid gamer, and enjoys time with his family when not thinking or talking to others about security. We discuss why they wrote the book, what it covers, the target audience, and how to wield the information within to threat model all the things. Robert and I both love the book, and highly recommend it, and on this episode, you'll hear why.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Charles is a Senior Security Consultant for Red Siege. He has over 18 years of experience in IT. In his spare time, Charles does retro gaming and works on the SECBSD open source project, a penetration testing distro. He currently works as staff at several security conferences and podcasts (GrumpyHackers, Positively Blue Team Cast), and is a part of the MentalHealthHackers, DeadPixelSec, NovaHackers, and HackingisNotaCrime family. Charles joins us to talk about positivity in InfoSec. If you've never seen Charles's videos, you're missing out. We'll unpack what drives his positivity and how we as infosec / appsec people can embrace a more positive approach to our world. We hope you enjoy this conversation with... Charles Shirer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Leif Dreizler is the manager of the Product Security team at Segment. Leif got his start in the security industry at Redspin doing security consulting work and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the LocoMocoSec Conference, and the AppSec California conference. Leif caught our attention when he published an article called Shifting Engineering Right: What security engineers can learn from DevSecOps. In this interview, we focus on the tactical tips and takeaways from the article, or how you as a security person can shift engineering right. We hope you enjoy this conversation with... Leif Dreizler.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vandana Verma is the President of Infosec Girls and Infosec Kids, a board of directors member for OWASP, and a leader for BSides Delhi. She joins us to introduce the OWASP Spotlight Series. With each video she creates, she highlights an OWASP project. We survey the projects she's covered and discuss a specific takeaway from each for the application security person. We hope you enjoy this conversation with... Vandana Verma.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dr. Anita D'Amico is the CEO of Code Dx, which provides Application Security Orchestration and Correlation solutions to industry and government. Her roots are in experimental psychology and human factors. Her attention is now focused on enhancing the decisions and work processes of software developers and AppSec analysts to make code more secure. Anita joins us to discuss research she has done answering the question, "Do certain types of developers or teams write more secure code?" Being a security culture fanatic, this topic is near and dear to me. We hope you enjoy this conversation with... Dr. Anita D'Amico.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Alyssa Miller is a lifelong hacker, security advocate, and cybersecurity leader. She is the BISO for S&P Global Ratings and has over 15 years of experience in security roles. She is heavily involved in the cybersecurity community as an international speaker, author, and advocate. Alyssa joins us to talk about bringing security to DevOps and the CI/CD pipeline. We talk about the success of the DevOps transformation and mistakes AppSec teams make with DevOps, and explore the possible idea that DevSecOps is its own silo. We hope you enjoy this conversation with... Alyssa Miller.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Liran Tal is an application security activist and long-time proponent of open-source software. He is a member of the Node.js security working group, an OWASP project lead, author of Essential Node.js Security, and of O'Reilly's Serverless Security. He leads the developer advocacy team at Snyk on a mission to empower developers with better dev-first security. Liran joins us to talk about cloud-native and application security. We begin by defining cloud-native and the changes it is causing. We then get into threats in a cloud-native world and the role of developers and AppSec. We hope you enjoy this conversation with... Liran Tal.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For this episode, Robert and I decided to talk about an article I wrote called "DevOps security culture: 12 fails your team can learn from". We hope you enjoy this walkthrough of the 12 fails. If we missed any, hit us up on Twitter and let us know what we should add to the list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Routh has built software security programs at some of the biggest brands in the world. He has served as CISO or CSO six different times in his career, always staying close to his cyber and software security roots. Jim has hung up his CISO badge and now focuses on serving on boards and advising security-focused startups. Jim's original AppSec Podcast episode is our #1 most listened to of all time. Having the opportunity to interact with Jim and absorb his vast wisdom and knowledge is a treat for everyone. At the end of this interview, my immediate thought was to go back and listen to this one again. Jim talks with us about the impact of DevSecOps on the CISO, security controls for a DevSecOps pipeline model, and whether shift left is still the dominant theme for software security. We hope you enjoy this conversation with Jim Routh.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Andrew van der Stock has been around the world of Application Security for quite a long time. In 2020, he took over as the Executive Director of OWASP, and he's working from within the organization to further the mission of taking application security to the masses. We discuss Andrew's OWASP origin story and he defines OWASP and the OWASP core mission. We talk membership, the future, and drop some details about the upcoming 20th anniversary of OWASP. We hope you enjoy this conversation with Andrew van der Stock.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JC Herz is the COO of Ion Channel, a software logistics and supply chain assurance platform for critical infrastructure. She is a visiting fellow at George Mason's National Security Institute and co-chairs a Department of Commerce working group on software bills of materials for security-sensitive public and private sector enterprises. JC and Steve Springett join us to talk all things software bill of materials. We define what an SBOM is and what it's used for. We talk about the threats an SBOM counters, who started it, and what the OWASP tie-in is. JC concludes our time by explaining why now is the time YOU must care about SBOMs. We hope you enjoy this conversation with... JC Herz and Steve Springett.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Reed is Chief Mobility Officer at NowSecure. Brian has over 30 years in tech and 15 years in mobile, security, and apps dating back to the birth of mobile, including BlackBerry, Good Technology, BoxTone, and Micro Focus. Brian joins us to discuss mobile application security: the good, the bad, and the ugly as we head into 2021. We discuss recent issues in mobile apps, mobile firewalls, mobile vs. web, and how AppSec is different in a mobile world. We hope you enjoy this conversation with... Brian Reed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is part two of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. In this episode, we move on from definition to working through the values and principles that make up threat modeling, and then we ship the product.
The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is part one of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. Our intention is to share a distilled version of our collective threat modeling knowledge in a way that should inform, educate, and inspire other practitioners to adopt threat modeling as well as improve security and privacy during development.
We developed this Manifesto after years of experience thinking about, performing, teaching, and developing the practice of Threat Modeling. We have diverse backgrounds as industry professionals, academics, authors, hands-on experts, and presenters. We bring together varied perspectives on threat modeling. Our ongoing conversations, which focus on the conditions and approaches that lead to the best results in threat modeling, as well as how to correct when we fail, continue to shape our ideas.
The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is our final episode of Season 7, and we thought we'd share some of our favorite clips with you. We've covered lots of ground, from featuring many OWASP projects to DevSecOps, penetration testing, AWS security, SameSite cookies, crypto, and that just scratches the surface. We hope you enjoy this wrap-up episode with... a whole bunch of Season 7 guests.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jb Aviat is CTO and co-founder at Sqreen. Prior to this, Jb worked at Apple as a reverse engineer, pentester, and developer. Jb joins us to discuss the new Application Security Report that Sqreen has released. We review what the report contains, key takeaways and conclusions, and even consider which framework/language is the most secure. We hope you enjoy this conversation with... Jb Aviat.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Frank Rietta is the CEO of Rietta.com, a security-focused web application firm. He is a web application security architect, expert witness, author, and speaker. Frank joins us to discuss secure coding with Ruby on Rails. We get into a discussion about RoR vs. other languages, primary threats, counters to those threats, and tools available to the RoR developer to assist with security. We hope you enjoy this conversation with Frank Rietta.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dmitry Sotnikov serves as Chief Product Officer at 42Crunch, an enterprise API security company. He maintains https://APISecurity.io, a popular community site with daily API security news and a weekly newsletter covering API vulnerabilities, breaches, standards, best practices, regulations, and tools. Dmitry joins us to discuss REST API security. We talk about the top API security threats, counters to those threats, and the details on APISecurity.IO. We hope you enjoy this conversation with Dmitry Sotnikov.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec Product Manager, and day-to-day leadership roles at eBay and Zynga. Caroline joins us to talk about penetration testing and reviews key findings from the Cobalt.io "State of Pentesting" report. We hope you enjoy Caroline Wong's second visit to the Application Security Podcast.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Aaron Davis is a founder, dev, and lead security researcher at MetaMask, a popular Ethereum wallet. He introduces us to LavaMoat, an approach to solving JavaScript software supply chain security for Node and the browser. The LavaMoat runtime prevents modifying JavaScript's primordials, limits access to the platform API, and prevents packages from corrupting other packages. We hope you enjoy this conversation with Aaron Davis.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Anastasiia Voitova is a software engineer who works on data security solutions at @cossacklabs, making complex crypto easy to use in modern software. She joins us to explore the idea of boring crypto. She caught our attention with a talk at OWASP 24 where she encouraged developers to NOT learn crypto. You'll have to listen to understand her rationale. She explains mistakes folks make with crypto, boring crypto, and how to get started implementing boring crypto. We hope you enjoy this conversation with... Anastasiia Voitova.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michael Furman is the Lead Security Architect at Tufin, and is responsible for the security and Security Development Lifecycle (SDL) of Tufin software products. Michael has been passionate about application security for over 13 years and evangelizes about application security at various conferences (including OWASP conferences) and security meetups. Michael joins us to break down SameSite cookies, which are all the rage in browsers these days. He describes what they are, the threats they counter, and how SameSite and the Synchronizer Token Pattern work together to counter CSRF. We hope you enjoy this conversation with... Michael Furman.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application security applies to everyone, network architects included. Chris had an opportunity to join a friend's Podcast called "The Hedge." Chris talks with hosts Tom and Russ about the state of security and what network engineers need to know about security from an application perspective. They talk about the importance of empathy in all jobs, walking a mile in the shoes of those that work around you.
You'll find this episode on the Hedge site at https://rule11.tech/hedge-048/.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Neil Matatall is a product security engineer at GitHub. He focuses on designing and engineering user experience solutions related to authentication and account recovery. Working remotely from Hawaii, Neil is a strong believer in the future of remote work. Neil joins us for a deep dive into Content Security Policy. We explore what it is, its purpose, and why it's so difficult to implement.
We hope you enjoy this conversation with Neil Matatall.
https://github.com/github/secure_headers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Grant Ongers is co-founder of the bearded trio called Secure Delivery, with a philosophy and purpose for optimal delivery and security in one dynamic package. Grant's experience spans Dev, Ops, and Security, with over 30 years pushing the limits of (Info)Sec. Grant's community involvement is global: staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at Black Hat (USA and EU), and an OWASP Global Board member.
Grant joins us to talk about gamification and threat modeling, and introduces me to the OWASP Cornucopia card game, which you can use to teach developers and product team members threat modeling in a fun and engaging way.
We hope you enjoy this conversation with... Grant Ongers (@rewtd).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Elie Saad is an application security engineer leading three different OWASP projects. He focuses on helping developers own and champion security in their projects by providing guidance, tests, and secure pipeline design, and by aiding them in applying external security measures. In this conversation, Elie educates us about the current happenings with the WSTG, the Cheat Sheets, and the Integration Standard. He walks us through demos of each project.
We hope you enjoy this conversation with... Elie Saad (@7hunderson).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Graham Holmes is the founder and owner of AoP CyberSecurity, LLC, whose mission is to enable organizations to create scalable and effective strategies for trustworthy outcomes. His career includes over 22 years as a leader at Cisco Systems, where he infamously served as my boss for a period of time, and before that he served in the US Navy as a commissioned officer for 9 years. Graham joins us to discuss adversarial machine learning. We explore the threats and attacks in an AI/ML world, and review solutions to address these challenges using trust as a foundation. Please enjoy this conversation with Graham Holmes.
It's Life 3.0
https://www.amazon.com/Life-3-0-Being-Artificial-Intelligence/dp/1101946598
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ochaun Marshall is a developer and security consultant. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. Ochaun joins us to talk about the changing tide of serverless and frustrations with AWS security. Before we got to the actual topic, we talked about how he currently works as a developer some of the time and a pen tester/security person the rest of the time, and the conflict that arises from this split role. Please enjoy this conversation with... Ochaun Marshall.
@OchaunM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Drew joins us to introduce a tool called semgrep. Semgrep is a fast source code analysis tool, potentially faster than anything you've seen before. If you want to see the live demo of semgrep, head over to the Application Security Podcast YouTube channel to see the video.
We hope you enjoy this conversation with Drew Dennison.
Twitter: DrewDennison
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the co-author of IoT Penetration Testing Cookbook. He helps lead both OWASP's Embedded Application Security and Internet of Things projects, providing practical guidance for addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals on testing commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use.
For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview. We hope you enjoy this conversation with... Aaron Guzman.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling. For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
You can grab a copy of the white paper on Adam's site, https://associates.shostack.org/whitepapers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cindy Blake is the Senior Security Evangelist at GitLab. Cindy collaborates with major enterprises around best practices for integrated DevSecOps application security solutions. She is proud to introduce her new book, 10 Steps to Securing Next-Gen Software. The book combines her cybersecurity experience with a background in lean and software development, and simplifies the complexities of today's software evolution into pragmatic advice for security programs. Cindy joins us to discuss how to align security testing with Agile development.
For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jannik Hollenbach is a Security Automation Engineer at iteratec GmbH, working on and with open source security testing tools to continuously detect security vulnerabilities in the company's software and systems. He is also a member of the OWASP Juice Shop project team. Jannik joins us to discuss MultiJuicer, or how to run JuiceShop in a Kubernetes cluster, with a separate JuiceShop instance for each user.
For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
We hope you enjoy this conversation with Jannik Hollenbach.
Links:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sebastien Deleersnyder is co-founder and CEO of Toreon, and Bart De Win is a director within PwC Belgium. They work together to co-lead both the OWASP Belgium Chapter and the OWASP SAMM project. Sebastien and Bart join us to introduce OWASP SAMM 2.0. OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement a strategy for software security that they can integrate into an existing Software Development Lifecycle (SDLC). We explore where it came from, and walk through the framework.
For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.
We hope you enjoy this conversation with Sebastien and Bart.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We've reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO. Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis and design, security engineering, and security management. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others.
Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with Mark Merkow.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zsolt is the founder and CTO of GUARDARA with more than 15 years of experience in cybersecurity, on both the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us to understand how to deal with fuzz testing results, and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with Zsolt Imre.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the YouTube version of the episode. Bio: Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He has taught threat modeling at a wide range of commercial, non-profit and government organizations. He's a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the main forces behind the development and extension of LINDDUN, a privacy threat modeling framework that provides systematic support to elicit and mitigate privacy threats in software systems. Kim joins us to explain the difference between security and privacy and introduce us to LINDDUN and how to use it.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project, a software composition analysis tool that identifies known vulnerable 3rd party libraries. Jeremy joins us to share the origin story of dependency-check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Alyssa is a hacker, security evangelist, cybersecurity professional and international public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments but also helping develop complete security programs. Alyssa joins us to share her take on DevOps, automation, and beyond. She also shares a great story about how she got domain admin in 3 minutes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vandana Verma is a passionate advocate for application security. From serving on the OWASP Board to running various groups promoting security to organizing conferences, she is engaged in making the global application security community a better place. She manages the @Infosecgirls organization and is a leader for the @OWASPBangalore chapter. Vandana joins us to discuss her work so far on the OWASP Board, to discuss her AppSec DC keynote on diversity, and to catch us up on InfoSecGirls and WIA.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey. DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, and the DevSecOps reference architectures. We hope you enjoy this conversation with DJ Schleen.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending and building secure applications. Niels joins us to continue our .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET world.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master's in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you roll out containers and Kubernetes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Geoffrey Hill is an AppSec DevSecOps leader and architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile shops. We hope you enjoy this conversation with Geoff Hill.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with Erez Yalon.
Find the Document on the OWASP GitHub: https://github.com/OWASP/API-Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steve Lipner is a pioneer in cybersecurity, approaching 50 years' experience. He retired in 2015 from Microsoft, where he was the creator and long-time leader of Microsoft's Security Development Lifecycle (SDL) team. While at Microsoft, Steve also created initiatives to encourage industry adoption of secure development practices and the SDL, and served as a member and chair of the SAFECode board. Steve joins us to talk about all things SDL, and I must say, I was super excited for this interview, with way too many questions for someone who was there on day 1 of the Secure Development Lifecycle. We hope you enjoy this conversation with Steve Lipner.
You'll find Steve's bio on the SAFECode website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
David Kosorok is a code security expert, software tester, father of 9, and a self-described major nerd. David is the Director of AppSec at Align Tech, and a fellow member of the Raleigh Durham tech community. David joins us to speak about the three pillars of building an application security program: Prevent, Detect, and React. When we think about program building, we've never heard anyone relate a program this way, and thought you needed to hear about a different approach. We hope you enjoy this conversation with David Kosorok.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As the hosts of the Application Security Podcast, we get the opportunity from time to time to mix it up. This week we gather a few security articles, share a summary, and offer our opinions (for what our opinions are worth). The source of the articles is Hi-5, a weekly newsletter containing five security articles that are worth your time. We scour the Interwebs looking for the best articles on application and product security and share those with you. You can subscribe to Hi-5 on the Security Journey website.
Hit us up on Twitter and let us know if you like this format and if we should do more of this type of content. We hope you enjoy this episode with Chris and Robert.
These are the articles:
Interest In Secure Design Practices Is Increasing Leading To Two Predictions
Developers mentoring other developers: practices I've seen work well
7 Web Application Security Best Practices
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bill Dougherty is the vice president of IT and security at Omada Health, where he leads a team responsible for all aspects of internal IT, including SaaS strategy, end-user support, vendor management, operational security and compliance. Bill, along with Patrick Curry, created the INCLUDES NO DIRT approach to threat modeling, which takes threat modeling to the next level, beyond STRIDE, and goes head on with a more modern set of real-world security considerations. We hope you enjoy this conversation with Bill Dougherty.
Find Bill on Twitter @bdognet.
For an article about the methodology, see INCLUDES NO DIRT: A Practical Threat Modeling Approach for Digital Healthcare and Beyond
For the paper that describes the methodology and how to implement it, see INCLUDES NO DIRT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Marc French is a security person, firearms geek, scuba guy, lousy golfer, and an aspiring blacksmith. We met Marc in the hallway at the Boston Application Security Conference. Marc has extensive experience as a CISO but came to the exec suite from the world of AppSec, which is not the normal path. We discuss what a CISO is, what a CISO actually does, the role of AppSec in the life of the CISO, and tips Marc has for those who wish to become a CISO someday. We hope you enjoy this conversation with Marc French.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Threat modeling, secrets, mentoring, self-care, program building, and much more. Clips from Georgia Weidman, Simon Bennetts, Izar Tarandach, Omer Levi Hevroni, Tanya Janca, Björn Kimminich, Caroline Wong, Adam Shostack, Steve Springett, Matt McGrath, Brook Schoenfield, and Ronnie Flathers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ronnie Flathers is a security guy, a pentester, and a researcher. In this conversation, we explore his experiences in building application security programs. He's had the opportunity to program build inside of companies big and small.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brook Schoenfield is a Master Security Architect @IOActive and author of Securing Systems, as well as an industry leader in security architecture and threat modeling, and a friend. "We have a static analysis tool. Why do we need a program?" This is what Brook overheard at one point in his past, from a company CTO, and it sums up the program issue. The CTO was trying to drive a technical strategy for an entire company, and security was just one piece of that. A mandate or a tool would have made life so easy.
Brook takes us on a journey based on his experience building programs, with advice, stories, comments, and quotes. We talk about architecture, culture, mindset, tools, compilers and so much more.
Catch Brook's next book, Secrets of a Cyber Security Architect, which arrives in Fall 2019.
Here is Brook's first book on Amazon: Securing Systems: Applied Security Architecture and Threat Models
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Liran Tal is a Developer Advocate @snyksec and is the author of Essential Node.js Security. He takes #opensource and protecting the #web very seriously. Liran and I start by geeking out about BBSs in the days of old. SYSOP page, anyone? Then we go into the state of open source security based on the report that Liran contributed heavily to, and discuss many of the key takeaways from that report, including the developer response to open source security, security vulnerability rates in Docker containers, and the length of time that vulnerabilities lie dormant in open source. We close out with the three things Liran would do to improve open source security if he could only do three things.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Why should someone care about open source security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steve Springett is a technologist, husband, father, entrepreneur, and tequila aficionado. He is the creator of the OWASP @DependencyTrack and @CycloneDX_Spec. In this conversation, we begin with the problem of software supply chain risk and the failures of commercial Software Composition Analysis tools. We then go through an extensive list of criteria for purchasing a software composition analysis tool. I have never seen a list like this ever shared anywhere in the industry. Steve is definitely in the know when it comes to these types of tools, and this is a detailed checklist of what he looks for in a tool. We end with a 60-second update on Dependency Track.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The question is for Steve Springett, in regards to Software Composition Analysis / Software Supply Chain and OWASP Dependency Track.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Elissa Shevinsky is CEO at Faster Than Light. She's had a storied career as an entrepreneur with Brave, Everyday Health, and Geekcorps. We discuss Elissa's origin story, security startups, and the value of mentoring to her career. Then we get into Static Analysis and how we make security easier for people so that security gets done.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert asks Elissa Shevinsky, why should people be nice, or why is niceness important in security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Matt McGrath is an old school Java developer who made the transition into security. Matt has had success in rolling out a programmatic approach to security improvement called security coaching. A security coach is much more than a wellness or life coach for your developers. They have some commonalities, but the security coach is thinking about how you help the developer want to get better at security. In his experience, developers are not going to kick and scream away from security but will embrace it when asked.
The job description for a good coach does not require a development background. The biggest thing you need is a passion for security. Communication is one of the most important things for a coach to have as well, and technical skills do not hurt.
We hope you enjoy this conversation with Matt McGrath.
Our sponsor for this episode is Security Journey. Security Journey knows that building security culture takes time and planning. Our belts are carefully designed to help you build security culture from the ground up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Erez Yalon and Liora Herman are both passionate security professionals. They joined forces to create the AppSec Village, an event at DefCon in Las Vegas. If you are in Vegas for BH/DC, stop by the village and say hi to Robert, who will be in attendance as well.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It's Black Hat and DefCon season, so we asked Erez Yalon a question: why did you start the AppSec Village?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software. This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within.
If you'd like to comment or collaborate on this document, it is available in review form at https://github.com/thomasrbsa/BSA-Framework-for-Secure-Software
The PDF is available on the BSA website: https://www.bsa.org/files/reports/bsa_software_security_framework_web_final.pdf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8 or human beings, and explore the concept of conflict modeling.
You'll find Adam's conflict modeling work on GitHub.
https://github.com/adamshostack/conflictmodeling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you've done anything with threat modeling, you've heard of Adam Shostack. We asked him the question, "why would anyone threat model?".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zoe Braiterman is an Innovation Intelligence Strategist focused on both the Machine and Human and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of appsec in the future of autonomous everything.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Caroline Wong has had a long career in security, starting with eBay and leading to her role today at Cobalt.IO as Chief Strategist. Caroline shares her explanation of self-care and tells her story about how neglecting self-care led to problems. She offers ideas about how to better approach self-care as a security professional, work-life balance, and ways for approaching a successful career in security.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Björn Kimminich is the project leader for OWASP JuiceShop. This is his second visit to the podcast, and we discuss new features in JuiceShop, including XSS in the jingle promo video, marketing campaign coupon hacking, GDPR-related features and challenges, working 2FA with TOTP, and the DLP failure challenges. Then we get into the cool new things that will come as a result of the GSoC, where a developer will add new functionality to the Juice Shop in which new vulns can be hidden. We end by discussing the upcoming Open Security Summit from OWASP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Björn Kimminich is the project leader for OWASP JuiceShop. He created JuiceShop out of necessity, after reviewing all the available vulnerable web apps years ago and not finding what he needed. OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nancy Garich and Tanya Janca are two of the project leaders for the OWASP DevSlop Project. As we learn more about DevSlop, we realize that it is much more than a project: it's a movement. DevSlop is about the learning and sharing of four awesome women and is a platform for them to share what they've learned with the community.
DevSlop consists of four different modules:
We hope you enjoy.
Find Nancy, Tanya, and DevSlop on Twitter.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tanya Janca is excited about mentoring. She's started a hashtag on Twitter for mentors to find mentees, and for mentees to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya's take on mentoring and her advice on how to get involved with #MentoringMonday.
5 Minute AppSec is an AppSec Podcast experiment with micro-content. Hit us up on Twitter and tell us what you think, @AppSecPodcast.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Matt Clapham is a product security person, as a developer, security engineer, advisor, and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you had better know how your company makes a secure product or solution!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jon McCoy is a security engineer, a developer, a hacker, and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas. Jon also remembered a cautionary tale of Robert's Fitbit out at a DefCon event. Jon is someone we can all learn from about giving back to our community.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he's a super dev. He's the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, and AES).
Find Omer on Twitter to converse about all things K8s and secrets.
Show notes:
https://blog.solutotlv.com/can-kubernetes-keep-a-secret/
https://github.com/Soluto/kamus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as "a Pythonic framework for threat modeling". The GitHub page goes on to say: define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram, and, most important of all, threats to your system.
Reach out to Izar on Twitter and visit the pytm GitHub page to download and try this tool out for yourself!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API. ZAP is an OWASP FlagShip Project and is available here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Georgia Weidman (@georgiaweidman) met with Robert at CodeMash to discuss her origin story, mobile, IoT, penetration testing, and details about her various companies. If you've never seen Georgia's book on penetration testing, we recommend you grab a copy (http://www.nostarch.com/pentesting). To sign up for the newsletter mentioned at the start of this week's show, visit https://info.securityjourney.com/hi5signup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here it is. The finale of season four. Thanks to everyone who listens in, and remember, if there are any people you want us to interview on the podcast, tweet at us @AppSecPodcast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Geoff Hill joins Chris and Robert to talk about Rapid Threat Model Prototyping Process. You can find Geoff on Twitter @Tutamantic_Sec
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bill Wilder joins Chris and Robert to talk about Running Azure Securely. You can find Bill on Twitter @codingoutloud
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Matt Konda joins Chris and Robert to talk about what Glue is.
You can find Matt on Twitter @mkonda
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Josh Grossman, Avi Douglen, and Ofer Maor at AppSec USA join Chris. They discuss the AppSec group in Israel and a few critical talks you should watch from AppSec USA this year.
You can find Josh on Twitter @JoshCGrossman
You can find Avi on Twitter @sec_tigger
You can find Ofer on Twitter @OferMaor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Miessler joins Chris and Robert to talk about the upcoming Top 10 list for IoT.
You can find Daniel on Twitter @DanielMiessler
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Travis McPeak joins Chris to talk about SecOps and how it can help make a developer's life easier.
You can find Travis on Twitter @travismcpeak
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We listen in on the #AppSecUSA talk by Chris about Security Culture Hacking.
You can find Chris on Twitter @edgeroute
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Manico joins again to talk about how AppSec has changed over the years and gives us an in-depth look at the history of SQL Injection and XSS.
You can find Jim on Twitter @manicode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris talks with Jeff Williams about the History of OWASP and where it came from.
You can find Jeff on Twitter @planetlevel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bjorn Kimminich joins to talk about JuiceShop. He dives into what JuiceShop is and some of its use cases.
You can find Bjorn on Twitter @bkimminich
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris is at AppSec USA and is joined by Swaroop to talk about iGoat. They discuss how iGoat relates to WebGoat and how they can be used for pen testing.
You can find Swaroop on Twitter @swaroopsy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris and Robert talk with Adam and Jon from HackerOne about bug bounty. They dive into bug bounty from both the program and security researcher sides to show how you can combine these pieces to run a successful bug bounty.
You can find Adam on Twitter @SushiHack and Jon @jon_bottarini
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris talks with Erlend Oftedal about the Norway Chapter of OWASP and continues on to what retire.js is and how it works.
You can find Erlend on Twitter @webtonull
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Abhay Bhargav joins Robert to talk about threat modeling as code. He dives into how this can help you in your threat models.
You can find Abhay on Twitter @abhaybhargav
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tony UV joins Robert to discuss all things threat libraries in the cloud.
You can find Tony on Twitter @t0nyuv
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris and Robert talk to Aaron Rinehart about how the security community can embrace chaos engineering.
You can find Aaron on Twitter @aaronrinehart
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jessie and Vandana join Chris from Women in #AppSec to discuss the project! They dive into what the project is and how the numerous OWASP Chapters around the world can participate!
You can find them on Twitter @InfosecVandana and @jessrobin96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This week we're joined by Karen Staley, the Executive Director of the OWASP Foundation. She dives into what's happening on OWASP and what we can look forward to in the future.
You can find her on Twitter @owasped
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mohammed Imran joins us to discuss the DevSecOps Studio and more about the beautiful world of DevOps.
You can find him on Twitter @secfigo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Niels Tanis joins to talk about Razor and ASP.Net Core versus General.
You can find Niels on Twitter @nielstanis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris is joined by Ofer Maor to talk about his journey of transitioning into the world of #AppSec from the world of Pen Testing.
You can find him on Twitter @OferMaor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We're joined by Matt Tesauro, a co-lead for the AppSec Pipeline Project. He explains how they began building this project and some ways for you to start using this in your organization.
You can find Matt on Twitter @matt_tesauro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Stephen de Vries joins to discuss Threat Modeling and the unique approach that he takes by using tooling. We also discuss application security and startups.
You can find Stephen on Twitter @stephendv
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Julien Vehent joins us to discuss all things DevOps + Security. We talk through Julien's new book, Securing DevOps, and go in-depth about his journey to building security into DevOps at his job.
You can find Julien on Twitter @jvehent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christian Folini joins Chris at AppSec EU for this episode about ModSecurity and the Core Rule Set project from OWASP. They dive into the timeline for the abstraction layer piece of the project and much more.
You can find Christian on Twitter @ChrFolini.
OWASP ModSecurity Core Rule Set
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Wright joins Chris to discuss the changes Google made to handle the HTTP Protocol. They also dive into TLS and some other pieces of crypto that relate to #AppSec.
You can find Sean on Twitter @SeanWrightSec
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The conclusion of Season 3, all the best highlights, and some great advice from our guests on what you need to build an #AppSec Program.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Martin Knobloch joins Chris and Robert to discuss all things OWASP. They dive into the history of OWASP and some of the plans for the future.
You can find Martin on Twitter @knoblochmartin.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Devin McMasters joins Chris to talk about bug bounties and how to make them successful.
You can find Devin on Twitter @DevinMcmasters
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode, Robert speaks about Malicious User Stories and DevOps with Apollo Clark. He discusses how to properly handle user stories in a world being taken over by DevOps.
You can find Apollo on Twitter @apolloclark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Megan Roddie joins Robert at the SOURCE Conference in Boston. She talks about how neurodiverse people can truly help an organization.
You can find her on Twitter @megan_roddie
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chase Schultz joins to discuss the combination of AppSec and hardware. He also dives into how the Meltdown and Spectre attacks worked.
You can find Chase on Twitter @f47h3r_B0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
John Melton joins to discuss the #OWASP AppSensor project. He talks about how AppSensor works and how it can be used in your application.
You can find John on Twitter @_jtmelton
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
David Habusha joins to discuss the OWASP Top 10 A9: Using components with known vulnerabilities. He also dives into the Software Composition Analysis (SCA) market.
You can find David on Twitter @davidhabusha
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steve Springett joins the show to talk about Dependency Check and Dependency Track. He also discusses how they can help prevent you from using components with known vulnerabilities.
You can find Steve on Twitter @stevespringett
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steven Wierckx joins Robert and Chris this week to talk about the #OWASP Threat Modeling project that he's involved in.
You can find Steven on Twitter @ihackforfun
https://open-security-summit.org/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Manico joins us to discuss some of the changes with the OWASP Cheat Sheets and their plans for that project's future. Jim also talks about how they are looking for experts to create or update some of the Cheat Sheets.
You can find Jim on Twitter @manicode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Neil Smithline joins this week to discuss one of the new items on the OWASP Top 10 List, Insufficient Logging and Monitoring.
You can find Neil on Twitter @neilsmithine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built five successful software security programs in his career and serves as a CISO now. Jim shares his real-world experience with successfully selling #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program).
You can find Jim on Twitter @jmrouth01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris and Robert go over a plethora of recommendations they have accumulated over their years of experience in the industry.
Chris's recommendations
1. Book: Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
by Laura Bell (Author), Michael Brunton-Spall (Author), Rich Smith (Author), Jim Bird (Author)
2. Website: Iron Geek
Adrian Crenshaw records many major, non-commercial security conferences and posts the talks to Youtube
3. Book: The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations
by Gene Kim (Author), Patrick Debois (Author), John Willis (Author), Jez Humble (Author)
4. News Source: The Register
News site, but has great sources and a bit of British humor attached to technology failures
http://www.theregister.co.uk/security/
5. Blog: TechBeacon
6. Book: Threat Modeling: Designing for Security
by Adam Shostack (Author)
7. Book: The Tangled Web: A Guide to Securing Modern Web Applications
by Michal Zalewski (Author)
8. Book: Start with Why: How Great Leaders Inspire Everyone to Take Action
by Simon Sinek (Author)
Not a security book, but a good approach for those trying to change a security culture
Robert's recommendations
1. Books by Martin Fowler (Author)
He wrote many books on understanding Architecture.
https://martinfowler.com/books/
2. Book: Software Security: Building Security In
by Gary McGraw (Author)
3. Book: Core Software Security: Security at the Source
by James Ransome (Author) and Anmol Misra (Author)
4. Book: Threat Modeling: Designing for Security
by Adam Shostack (Author)
5. Websites: Troy Hunt
6. Conferences: #AppSec USA, B-Sides, Source, Converge
https://www.convergeconference.org/
7. Website: Google Alerts
Use this to be notified about specific topics you want to learn about.
8. Book: The Checklist Manifesto: How to Get Things Right
by Atul Gawande (Author)
9. Book: Securing Systems: Applied Security Architec
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Magen Wu works through the topic of burnout and mental health in security. She gives examples of handling this and recognizing if people around you are burning out.
You can find her on Twitter @infosec_tottie
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Katy Anton joins this week to discuss number four on the OWASP Top 10. She dives into what XXE is, how to deal with it, and other new items on the OWASP Top 10 2017.
You can find Katy on Twitter @KatyAnton
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. Pete shared a moving quote during this episode: "An #AppSec program is the byproduct of building secure developers." #Truth
Pete describes the differences between SAST, DAST, IAST, and RASP; the struggles developers encounter using new tools; false positives and how to reduce them; and advice for building an #AppSec program from scratch versus adding tools to a mature program.
You can find Pete on Twitter @PeteChestna.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Irene Michlin operates at the intersection of security and agility. She teaches about incremental threat modeling and how to make threat modeling work when living in an Agile or DevOps world.
Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude, "We are not making it worse."
You can find Irene on Twitter @IreneMichlin, and check out Irene's talk on Incremental Threat Modeling from last year at AppSec EU.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bill Sempf joins to talk about insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization and the specifics of how it applies to .NET. Bill begins his journey to understand these vulnerabilities and provides some hints and tips for looking for them in your code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch.
Here are a few other resources that we've written about Security Champions:
Do you have Security Champions in your company?
Information security needs community: 6 ways to build up your teams
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert and Chris interview Kevin Greene from Mitre. We discuss an article Kevin wrote about shifting left and codifying intuition, as well as new projects at Mitre that will bolster the knowledge of your developers and testers. Kevin brings up the need for accurate results from the SAST and DAST tools on the market. He brings an exciting perspective, focusing on research and development at DHS.
Kevin's article on Dark Reading
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the conclusion of Season 02 for the AppSec PodCast. This episode focuses on all the OWASP goodness we've experienced this year. You'll hear our favorite clips and explanations from a season full of OWASP.
With the publication of this episode, season 02 is a wrap, and on to season 03, which will roll out in March.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the final interview from the #AppSecUSA Conference in Orlando, and Brian Andrzejewski joins Chris and Robert.
He talks about containers, their usage within #AppSec, and orchestrations.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tin Zaw, an advocate for ModSecurity, joins Robert and Chris.
He dives into its background, the use of rules, and the many advantages.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Aditya Gupta joins Robert and Chris.
They speak with him about the many facets of IoT and some of its effects on pen testing, training, and mobile application security.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris and Robert talk to Jim Manico and Katy Anton about the OWASP Proactive Controls project.
We have discussed this before, and they are looking for feedback on the upcoming update.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We talk about the future of the OWASP Top 10. We do this by meeting the new project leadership team, understanding the process for how they do governance now and into the future, and how they deal with provided feedback. We look behind the curtain at how they make decisions and use the data and feedback provided.
Side note: at the AppSec USA closing, the OWASP Top 10 leaders announced that A7 and A10 from the OWASP Top 10 RC1 have been removed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On this week's episode of the #AppSec Podcast, Chris and Robert are at #AppSecUSA.
We hear a conference talk done by Robert on the topic of Threat Modeling. He goes more in-depth than ever before on the show.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert and Chris talk about Passwords, something we all are familiar with.
They dive into specifics with passwords and threats that can occur with them. They also talk about how passwords interact with Identity and AppSec.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tanya and Nicole join Chris and Robert. They talk about what APIs are, how they are used, and some of the threats involved with them. They also look at what DevSlop and ZAP are in combination with APIs.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert and Chris speak with Jon McCoy and Jonathan Marcil about using Agile #AppSec in the Secure Development Lifecycle.
They dive deeper into what agile is, how it can be used, some practical applications using security champions, and much more.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A listener asked for a recommendation for a PodCast or Blog post about Docker security. We looked but couldn't find one, so we created one. Robert interviews Jay Beale from Inguardians and asks what Docker is, what threats it introduces, and the specific tie-ins with AppSec.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert and I try a new format for discussing a few topics per episode. We discuss changes with the Proactive Controls, AppSecUSA, and the Gartner Magic Quadrant for Application Security Testing.
We mentioned the link to OWASP Proactive Controls to review the draft and suggest updates.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We talk with Robert about his experiences at the Blackhat Security Conference.
He explains some of the AppSec-focused parts of the conference and more about the Alex Stamos keynote.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dave Ferguson discusses the OWASP Top 10 Proactive Controls in this episode with Chris.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We're here today with Jim Manico, a project lead with OWASP. We dive deep into some of the projects on his plate.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode, we speak with Mike Goodwin, the founder of OWASP Threat Dragon.
We dive into what Threat Dragon is and how it can work for you.
You can find the tool here: https://github.com/mike-goodwin/owasp-threat-dragon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We're back with another episode of The Application Security Podcast.
This time, we talked to Mark Willis about the many facets of static analysis and how it affects the DevOps world.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Welcome back to season two of the Application Security Podcast. In this week's episode, we talk to Eric Johnson about static analysis, pen testing, continuous integration, etc.
Rate us on iTunes and provide a positive comment, please!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Our topic today is technical debt and how security plays into it. Chris was at Converge Conference 2017 in Detroit, Michigan (which he says is the best security conference around) and continued the AppSec PodCast series of hallway conversations. Matt Clapham joins Chris. This is Matt's second time on the podcast.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On this episode of the Application Security Podcast, Robert and I jump over a wall. Just kidding. This isn't Top Gear.
This is our second episode of season two of the #AppSec PodCast. Robert and I talk about the OWASP Top 10 2017 release candidate. We walk through what the OWASP Top 10 is and what some of the controversies are surrounding the changes made for this year.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This episode is an interview Robert and I did with Brook Schoenfield (@BrkSchoenfield) during the RSA Conference 2017.
Brook S.E. Schoenfield is a Distinguished Engineer at Intel Security Group. At Intel Security (including the former McAfee), Mr. Schoenfield is the senior technical leader for delivering software products that protect themselves and Intel Security's customers. He has been a security architecture leader at global technology companies for over 15 years of his 30+ years in high tech. He is a founding member of IEEE's Center For Secure Design.
We discuss secure design, architecture, and threat modeling. Brook has been an advocate for security across the industry for many years and has a knack for explaining complex things in an uncomplicated way. What a pleasure to speak with him!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Good day, friends. The Application Security PodCast has concluded our first season. With the help of many friends, we were able to record 18 episodes. We've done something different for this final episode of season 1. Our producer, Daniel Romeo, has collected some of our favorite clips from this season, the things that stood out to us. Enjoy! And we look forward to the release of season 2 in a few months.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings all! We have a treat for you in this episode. The crew from the Down the Security Rabbit Hole Podcast joins Robert and me. This includes Rafal Los (@wh1t3rabbit), James Jardine (@jardinesoftware), and Michael Santarcangelo (@catalyst). This is a unique conversation for me because the AppSec PodCast was born from my first interview with #DtSR. I was featured on DtSR Episode 204 in July 2016 after a friend suggested me to Raf on Twitter. (Thanks, Nigel!) The DtSR episode was entitled "On Changing Culture." I had listened to these guys on and off for years and now had the chance to be interviewed by them. The experience pushed me to start this podcast.
In this conversation, we answer the question, "What Makes a Good Security Consultant?" We quickly admit that a consultant does not have to mean someone who charges per hour for security. These guys have a wealth of knowledge and experience on the topic, and I know you'll walk away with multiple ideas to apply. Enjoy!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On this episode, Robert and I are joined by Adam Shostack (@adamshostack). Adam is a well-known speaker and thought leader in application security. We speak with Adam about how to connect with development teams. This all started about a year ago when Adam tackled the issue of thinking like a hacker and why he wanted people to think differently. We dive deep into this issue, but many other exciting nuggets also fall out in conversation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Today we talk to Jon McCoy (@thejonmccoy), a developer turned security person. He's been helping developers learn more about security. We talk about reverse engineering malware and .NET security, as well as a bit about the security community and the reverse engineering mindset.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We bring you a recorded version of Chris's security conference talk from 2016 for this episode. The talk is "AppSec Awareness, A Blue Print for Security Culture Change." He covers the problem space, why we need application security, and how to create a sustainable security culture, and introduces the idea of Application Security Awareness. Chris had the luxury of building such a program while at Cisco and shares his experiences with the community.
There are slides available to correspond with this talk. They aren't required, but some may want to follow along. Check out https://speakerdeck.com/edgeroute to get a copy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode, Robert and I are joined by Tracy Maleeff. Tracy is an InfoSec enthusiast with an MLIS degree. She has mad research and organizational skills. She co-hosts the PVCSec podcast. You can find Tracy on Twitter @InfoSecSherpa.
Tracy is in the midst of a career transition. She began her career in Library Sciences and is moving into Information Security. We discussed the challenges of transition, how to network and connect, a process for transition, and three actionable things for those who want to make a transition. Enjoy!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode, Robert interviews Chris about the security community. Chris talks about his experiences building a security community at a large organization for 5+ years. Robert keeps pushing Chris to make this applicable to small companies as well. You'll hear best practices for building a security community in your org, including monthly training sessions, lunch and learns, and even an internal security conference. Chris also offers the profound statement that everyone eats lunch.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We are joined by Deidre Diamond, Founder and CEO of @cyber_sn and the Founder of @brain_babe. We discuss employment in the world of application security. We also dive deep into soft skills, exploring why they are foundational in the workforce. Deidre explains the benefits of win-win conversation, how words and everyday language connect, and how to have fun, compassion, love, integrity, and productivity all in one at work.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is our third interview from ISC2 Security Congress. We are joined by Tony UcedaVelez, or TonyUV, founder and CEO of VerSprite, a global security consulting firm based in Atlanta, GA. Tony leads the OWASP Atlanta Chapter and BSides Atlanta.
This is a deep dive into Tony's experience with threat modeling. We explore the PASTA methodology he created.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is our second interview at ISC2 Security Congress. We are joined by Glenn Leifheit (@gleifhe), an InfoSec and Development Evangelist at Microsoft. Microsoft is the grandparent to almost every secure development lifecycle across the industry.
This is an in-depth discussion about how to actually do SDL. Glenn shares some things during this conversation that I've never heard said in public about the internals of Microsoft's SDL process. You will take something away from this conversation to apply to your program.
Enjoy!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mike Landeck joins Robert and me. Mike is a cybersecurity evangelist, AppSec junkie, and Docker security geek, and can be found on Twitter @MikeLandeck.
We interviewed Mike in person at the ISC2 Security Congress event in Orlando, Florida. We discussed his latest talk on breach fatigue, the need to reach outside the echo chamber of security, Twitter as a news source for security, secure coding, and many other things.
Please enjoy, and search for something you can apply directly into your day-to-day life!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part two, we focus on the process of pen testing and web app pen testing.
I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in security for over ten years, focusing most of that time on application security. He spent two years as a full-time consultant at Cigital and is now doing independent AppSec consulting through his company, Enigma Technologies. We hope you enjoy it!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part one, we focus on the difference between pen testing and web app pen testing, where pen testing fits your development methodology (waterfall, agile, and DevOps), and why someone should care about it.
I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in security for over ten years, focusing most of that time on application security. He spent two years as a full-time consultant at Cigital and is now doing independent AppSec consulting through his company, Enigma Technologies. We hope you enjoy it!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Robert and I are joined today by Matt Clapham. Matt makes products more secure; I mean, hey, his Twitter handle is @ProdSec.
The topic of this interview is what Matt calls development security maturity. This concept is based on Matt's research and his talk at RSA. Matt created a simple process to measure the maturity of development security by looking at five key behaviors. We cover the what and why of development security, the five key behaviors, and scoring and reporting. In conclusion, we discuss how to make the results of an assessment actionable.
Matt's RSA slides are a great resource to review in conjunction with the interview: str-w05-estimating-development-security-maturity-in-about-an-hour-final.pdf
Bio: Matt Clapham makes products more secure. His career is a rare blend of both product development and enterprise operations. He is currently a Principal of Product Development Security at GE Healthcare. Matt previously worked as a Software Tester, IT Policy Author, and Security Advisor to all things games at Microsoft. He is familiar with the security foibles of the Industrial Device Internet of Things and how to overcome them. Matt is a frequent speaker and author of magazine articles on IT, security, games, or some combination thereof. He holds degrees in engineering and music from the University of Michigan.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Welcome to the first of many interviews on the #AppSec Podcast. In this episode, Robert and I interview Elena Elkina (@el0chka) on privacy. We cover privacy, data protection, and customer data protection. This is a quick chat of around 20 minutes. In the future, we'll dive deeper into the crossroads of security and privacy.
Elena is a Senior Global Privacy & Data Protection Management Executive. She has worked with financial and healthcare institutions, software and internet companies, major law firms, and the government sector on both international and domestic levels. She co-founded Women in Security and Privacy, a non-profit organization focusing on advancing women in security and privacy. She is also a board member for Leading Women in Technology, a non-profit organization dedicated to unlocking the potential of female professionals who advise technology businesses.
We hope you enjoy this conversation with Elena about privacy and data protection!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode, we talk about product development methodologies and the impact of security. We explore how to apply security activities to waterfall and Agile and discuss the pros and cons. We've both had experience with these methodologies and freely share what we've seen work and what we've seen fail. This applies whether you are new to security or have been doing security for decades. If you have anything to add, share your wisdom by catching us @AppSecPodcast on Twitter!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On this episode of the Application Security PodCast, we continue our journey through the foundations of application security. We explore the activities of the secure development life cycle. We cover requirements, secure design, secure coding, third-party software, static analysis, vulnerability scanning, and others.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the inaugural episode of the Application Security PodCast, Robert and I introduce ourselves to the audience, explain our journeys into the security world, and answer the burning question, "What the heck is application security?"
The key takeaways from this episode are:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This week I will talk about investigating data spill cases involving exposed URLs. This is a typical privacy investigation many incident response teams handle, and I thought it would be useful to go over some standard guidelines for handling such cases. To be effective with these investigations you need to know how to determine liability and responsibility, a little Google-fu, and a number of odds and ends concerning mitigation, containment, and remediation strategies.
This week is on lateral movement detection techniques. Inspecting Domain Admin account logons is a key component of lateral movement triage. Admin accounts are sought after by attackers for their elevated privileges. Evidence is often left behind both on the targeted system and on the domain controller. Both of these factors provide an opportunity for detection through Windows event log analysis. I'll break down the method.
This week I want to talk about the value of having functional documentation for your organization, or at least for your team. Functional documentation means you have thoughtful and up-to-date incident runbooks and playbooks that provide utility and usefulness for a responder. Without such documentation, you are always exposed to some dangerous pitfalls, some of which I'll discuss. In this episode I cover what functional documentation is, its investigative value for an organization, and how to get started.
The Linux subsystem for Windows creates both opportunities and challenges for forensic analysts. It makes Windows an excellent platform for multi-platform forensic analysis tasks, allowing it to take advantage of the many Linux tools available. The challenges are foreseeable: you have Linux artifacts now commingled on a Windows platform, which makes forensic analysis that much more difficult when examining such a system as evidence. This week I'm going to break down the Linux subsystem for forensic investigators.
This week I'm going to talk about tabletop exercises as part of a security training program. I feel that there is too much focus on technical skill training and not enough focus on actual incident management training in the industry. There are plenty of highly skilled professionals who can do DFIR work. However, a roadblock many organizations and practitioners encounter is the struggle of how to actually apply their knowledge and skills to a security incident response investigation within a specific organization. They may know what to do, but there are many challenges in identifying how to actually do it when the time comes. I will share my thoughts on how to improve your security program through simulation training.
This week I'm talking about the NIST (National Institute of Standards and Technology) investigation lifecycle. The NIST investigation lifecycle encompasses a series of well-defined steps, starting from problem identification and scoping, through data collection and analysis, to the formulation of conclusions and recommendations. This comprehensive framework ensures that investigations conducted by NIST are rigorous, unbiased, and provide reliable results that can be used to inform decision-making, improve practices, and promote innovation across a wide range of disciplines. More about it...
This week I'm talking about Linux forensic triage strategy. In particular, I'm covering SSH. SSH traffic comes up in many different types of investigations. For that reason, it is a common and standard artifact every examiner should be familiar with. I will provide you with the artifact background and the triage strategy.
The USN Journal, also known as the Update Sequence Number Journal, is a feature of the Windows operating system that serves as a record of changes made to files and directories on a disk volume. It provides valuable information and insights into file system activities, which can aid investigators in reconstructing events, understanding system behavior, and uncovering evidence. This week I break down the artifact from a DFIR point of view and provide a triage strategy.
This week Jason Roslewicz from SUMURI returns for some web 3.0 and virtual reality talk.
This week I talk about adding, modifying, and removing network shares through the lens of detecting lateral movement.
This week I break down the three Windows task hosts from a DFIR point of view.
This week I talk about network share access events and lateral movement detection.
This week Jason Roslewicz from SUMURI returns for some cloud talk.
This week I talk about the exploitation of Windows Management Instrumentation (WMI).
This week Chris Currier and I talk about mobile forensics and protocol buffers.
This week I cover Windows events commonly associated with data spoliation and insider threats.
This week Jason Roslewicz from SUMURI returns for some ransomware talk.
This week I cover my all-time favorite Windows event, security event 4688: new process creation. If you do Windows incident response or forensics, this is a must-know artifact.
This week I talk about SVCHOST: how it fits into the Windows operating system, and how to think about it from a DFIR point of view.
This week I interview Yugal Pathak about organizational forensic readiness.
This week I talk about the role and typical responsibilities DFIR professionals may be called upon to take to assist with a zero-day response.
This week Jason Roslewicz from SUMURI returns to talk more about AI issues.
This week I break down the Windows System Resource Usage Monitor from a DFIR point of view.
This week I cover some malware detection methods for Linux.
This week I talk about different ways to approach Windows process triage. There are so many processes, especially in enterprise environments, that having a standard approach that is fast and effective is key for security incident response.
This week Jason Roslewicz from SUMURI shares his insights about the impact of artificial intelligence and provides advice for navigating through changing times.
This week is a Windows artifact breakdown on a common source of evidence.
This week I cover malware on Linux file systems for new examiners.
This week is a guide to understanding SVCHOST from a DFIR point of view. It is one of the most abused Windows processes, and having a firm working knowledge for investigations is essential.
This week is a Windows artifact breakdown on a common source of evidence.
This week I cover the Linux file system for new examiners.
This week I break down the elements within a standard CVSS report for fast triage application.
This week I talk about how to triage Windows events for network connection activity.
This week I talk about how to approach investigations involving remote desktop connections.
This week I talk about Windows core processes from a DFIR point of view.
This week I talk about PowerShell attack IOCs.
This week I talk about how to triage Windows events for network connection activity.
This week is my annual career assessment review - or, my guidelines of how to evaluate your past performance and your future goals.
This week I talk about how to triage Windows events for network listening activity.
This week I talk about an approach for reviewing Windows event logs.
This week I talk about an approach for reviewing CMD syntax for findings.
This week I talk about essential network basics necessary for triage.
This week I talk about Webshell forensics.
This week I talk about Webshell forensics.
This week I talk about Windows startup locations.
This week I talk about Windows Prefetch forensics.
This week I talk about fileless attacks on Linux systems.
This week I talk about how to find evidence of malicious autoruns in the Windows registry using Windows event codes.
This week I talk about strategies to determine root cause early during an investigation.
This week is a breakdown of HTTP log forensic triage.
This week I talk about finding evidence of Kernel file masquerading on Linux systems.
This week I talk about how to find evidence of malicious autoruns in the Windows registry.
This week I talk about the forensic value of the Apple Spotlight DB.
When you talk autoruns, you must talk about the Windows registry. This artifact is very dense, and it may be difficult to zero in on the elements that are important for compromise assessment. Given that, I am going to begin the series with a breakdown of the Windows registry from a DFIR point of view. This is crucial in understanding ...
This week's focus is on other scheduled task events useful for DFIR triage.
This week I talk about a popular Windows utility attackers often exploit.
This week I break down the sudoers file for forensic triage.
This week's focus is on new scheduled tasks, which are a common way of establishing persistence on a system. I will have my breakdown of the artifact and how to interpret it for fast analysis coming up.
This week is about persistence artifacts. Namely, the records for when services fail to start, are started or stopped, have crashed, or have had their start type changed. Since services are one of the common ways attackers achieve persistence, understanding how these events may be used for triage purposes is very important...
This week I talk Mac autoruns.
This week is about bash history forensics.
Every so often I like to revisit certifications. Everyone seems to have their own opinion as to the value of one certification over another, whether or not certifications should carry as much weight as they do, or preference of certain certifications over others, and so on. In this episode I'm sharing my thoughts on the topic as well as how I would approach certifications if I were new in the field but also retained everything I have learned over the years about the impact certifications have or can have on your career.
If you are accustomed to Windows forensics, you may find you have to shift your way of thinking about executables when you are dealing with a Linux system. Unlike Windows, in Linux there is no fixed file extension to designate an executable. Everything on a Linux system is a file, and any file can be executable, so where do you even begin? In this episode I am going to address how to approach Linux executables to help those newer to Linux exams deal with the nuances.
One of the first things attackers attempt to accomplish on a compromised system is to establish persistence. Unless you are dealing with a denial of service attack, most other attacker goals are centered on maintaining a degree of control over a compromised system in order to use system resources for things like cryptomining or to maintain a foothold to further an attack strategy. This week I am going to talk about a fast triage methodology for persistence, which is one of the first triage strategies I normally recommend for a compromise assessment. Because I am focusing on a fast triage methodology, I am going to focus on the artifacts most examiners will have readily at hand and how to make the most of them during the initial pass.
This week I'm covering the Master File Table as a core forensic artifact for Windows investigations. This artifact has value as both a primary and a secondary artifact and offers the opportunity to decode evidence in a number of different situations. In this episode I'm covering the forensic basics, some use cases, and tools you can use to bring the value of the artifact to its full potential.
This week I'm talking malware fast triage. These are the techniques that fall short of malware reverse engineering and allow analysts to identify malware and also get a sense of what it does. This is a necessary skill set for all DFIR professionals, as you typically deal with malware and you need a way to do some basic forensics on it for context to advance your investigation. This is going to be a two-part episode where I first go over the foundational information you need to have for common malware triage tasks, and the second part will go over specific methods, tools, and indicators for different types of artifacts.
This week I'm talking malware fast triage. These are the techniques that fall short of malware reverse engineering and allow analysts to identify malware and also get a sense of what it does. This is a necessary skill set for all DFIR professionals, as you typically deal with malware and you need a way to do some basic forensics on it for context to advance your investigation. This is going to be a two-part episode where I first go over the foundational information you need to have for common malware triage tasks, and the second part will go over specific methods, tools, and indicators for different types of artifacts.
This week I'm talking about SRUM, a Windows artifact that you don't hear that much about. It has a lot of great potential as evidence, and it is something worth the time to check out and see how it fits into your daily DFIR work.
This week I'm going to cover detecting lateral movement using Windows event logs. This is not the Windows fast triage method I covered in previous episodes. This is more in-depth and focuses on specific attack tools and strategies seen in actual cases. Going into this level of detail is beyond the scope of a typical episode; however, there is some research that has very granular details on the tools and methods you can use. I'll have that coming up right after this.
This week I talk about Arthir, an open source platform for Windows incident response and threat hunting.
This week is a back-to-basics episode featuring Shimcache and Amcache. Learn what they are, why they are important to many investigations, and the pitfalls to avoid.
This week is about Cloud Network Security Services.
This week is about cloud network segmentation. Network segmentation has security advantages, and that's regardless of whether or not security is the intention. There are some big differences between traditional on-prem network segmentation and cloud infrastructure segmentation. As a DFIR practitioner, knowing the difference is vital for your incident response preparedness. This week I will break it down from a DFIR point of view and provide some necessary insight that will help you better structure your investigations involving cloud assets.
This week I cover insider threat, which is sort of a gray area between traditional investigations and DFIR investigations.
This week I'm talking about identity access controls commonly encountered in cloud environments. These come up during DFIR investigations, and high-level awareness, at the least, is necessary for analysts in order to be effective during investigations. These are the things that may be part of root cause, part of the attack escalation, or part of mitigation or remediation. This week I'll cover the basics to help with your incident response preparedness.
This week is my advice for conducting a career critique as well as to plan for the future - or at least for 2022. I do this episode every year at this time with the intention of helping newer analysts maximize their efforts to achieve the desired career goals in both the short term and long term.
This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in DC records.
This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security Alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure as well as any changes to the standard infrastructure that could be relevant to your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time both as a starting point and how you use your limited time for continuing education.
This week I review a great method to detect file poisoning on Linux using all native commands.
This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') talks Mac artifacts
This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in logon event records.
This week Brian Carrier of Basis Technology joins me to talk about OSDFCon. The DFIR community relies on open source tools and the conference is a great way to get exposure to new tools and to learn how to use them. There's a great lineup this year with something for everyone. Registration is free for everyone.
This week is a case study where we look at an actual attack strategy and compare it against standard triage methods to see how well they hold up. In this episode I break down some attack methods attributed to APT32, also known as Ocean Lotus, and we'll see how standard triage techniques hold up against the attack chain.
Amanda Berlin of Blumira speaks on malicious PowerShell attacks and defense techniques.
This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') talks Mac forensics.
This week I'm talking about Nested Groups and the risk they pose for security. Built into the functionality of Active Directory is the ability to attach a group to another group. While this has advantages for account administration across an organization, it also offers attackers an opportunity if certain precautions are not taken. This week I'll break down Nested Groups in DFIR terms, talk about how attackers take advantage of it and what analysts need to know for investigations.
This week is a case study where we look at an actual attack strategy and compare it against standard triage methods to see how well they hold up. The Turla group using ComRAT malware is our case example; let's see if standard triage techniques can save the day.
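An added example for this nested groups episode, not code from the podcast: it expands a constructed group graph (a stand-in for the member attribute of each group in an AD export) to show which users end up in Domain Admins through nesting, along with the chain of groups that grants it. Group and user names are made up; primary group membership and foreign security principals are not handled.

```python
"""Expanding nested Active Directory groups to their effective members.

Added example, not the podcast's code. GROUPS is a constructed stand-in for an
AD export (group -> its direct member values); anything that is not itself a
key is treated as a user. Primary-group membership and foreign security
principals are ignored.
"""
from collections import deque

GROUPS = {  # constructed
    "Domain Admins": {"Administrator", "IT-Tier0"},
    "IT-Tier0":      {"IT-Ops"},
    "IT-Ops":        {"alice", "Helpdesk"},
    "Helpdesk":      {"bob", "Contractors", "IT-Ops"},   # Helpdesk <-> IT-Ops is a cycle
    "Contractors":   {"eve"},
    "Finance":       {"carol", "Helpdesk"},
}


def effective_members(group, groups=GROUPS):
    """Map every user reachable through `group` to the group chain that grants it.

    Breadth-first, so the chain recorded for a user is a shortest one; the
    `seen` set stops the Helpdesk -> IT-Ops -> Helpdesk cycle from looping.
    """
    users, seen = {}, set()
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in sorted(groups.get(current, ())):
            if member in groups:
                queue.append((member, chain + [member]))
            else:
                users.setdefault(member, chain)
    return users


def groups_granting(user, groups=GROUPS):
    """Inverse view for triage: every group the user is effectively a member of."""
    return sorted(g for g in groups if user in effective_members(g, groups))


def privileged_users(groups=GROUPS, privileged=("Domain Admins",)):
    """Users holding a privileged group only through nesting (not as direct members)."""
    out = {}
    for g in privileged:
        for user, chain in effective_members(g, groups).items():
            if len(chain) > 1:
                out[user] = " -> ".join(chain)
    return out


if __name__ == "__main__":
    for user, chain in privileged_users().items():
        print(f"{user}: {chain}")
```

The output is what the episode describes: a contractor account reaches Domain Admins through four layers of nesting that nobody looking at the Domain Admins member list would see, and the Helpdesk/IT-Ops cycle (a real-world occurrence) is handled rather than recursed into.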
Matt Warner, Blumira CTO and Co-Founder, talks ransomware investigations.
This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security Alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure as well as any changes to the standard infrastructure that could be relevant to your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time both as a starting point and how you use your limited time for continuing education.
This week is a case study that demonstrates how fundamental DFIR triage methods can detect advanced attacks. Examiners, especially newer examiners, should find confidence in the fact that standard triage techniques have such a powerful impact on security investigations.
This week Nato Riley from Blumira pays a visit to talk about the top threats to cloud computing.
This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in admin shares event records. Four different types of logs are covered, each containing different information for triage purposes.
This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') and Dave Melvin talk about the latest in Mac training and certification. Learn the advantages of vendor neutral training and how to prioritize it in your own training regimen.
As an analyst, it is important to identify root cause and link it back to security governance strategies. This is dealt with through root cause statements typically. What exactly should you be doing for a root cause statement? How important is it? If you produce a findings report you can count on the root cause statement being read. Other parts of the document may be skimmed through, or even ignored, but the root cause statement is going to draw the attention of a variety of different audiences. Therefore this is something you want to get right. In this episode I'm going to deliver a simple approach you can use.
Most of my episodes are about computer forensic artifacts and methods. Once in a while I like to cover non-technical topics, such as thoughts and recommendations about career development, subject matter expertise strategies, and impact exposure or delivery of your work. These soft skills are important to your career success. So this week will be on maximizing DFIR exposure in your current role, whatever that role may be. I will cover how to connect the work you do with the high-level strategies that are important to your management or your customers.
This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security Alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure as well as any changes to the standard infrastructure that could be relevant to your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time both as a starting point and how you use your limited time for continuing education.
This week we continue with the Windows fast triage series. We are up to lateral movement and talking about admin shares. On topic this week is event ID 5145, a Windows Security log event that records verbose information about network share object access, and it is an artifact you can use to triage a system or group of systems for evidence of malicious lateral movement.
This week I wanted to take a break from Windows forensics and talk about Linux malware triage. The Linux platform offers forensic analysts the opportunity to do a very decent job performing malware triage. What I mean by this is that you do not need any special tools installed, all you essentially need is the knowledge of a handful of commands and the ability to make sense of the output. Armed with this, any analyst can do a malware triage quickly and efficiently.
This week we're going to take a look at how standard triage methodology can detect advanced attack techniques. Even as a newer examiner, if you learn the standard triage methods that I have covered in the fast triage series, you will find the skills provide ample opportunity to detect all sorts of attack activity, even very advanced attack activity. This is because there are natural chokepoints in the attack chain that can be used to your advantage. This week we are going to see the non-Windows core process triage in action through the lens of a very advanced attack dubbed Operation Ghost.
This week we take another look at the top threats to cloud computing. On tap this week is account hijacking. All analysts working in the DFIR field today must be aware of threats to cloud computing in order to be effective in their roles.
This week I talk about lateral movement fast triage. This is the next topic in the Windows fast triage miniseries and it aligns with the goal of the entire series, which is to help new or any analyst identify the most accessible artifacts that may be quickly analyzed to find evidence of compromise. So far we have dealt with persistence, suspicious network activity, and suspicious processes. As always, I will provide a simple yet effective approach to work with lateral movement artifacts.
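An added example to go with the lateral movement entries in this fast triage series (the DC records, logon events, admin shares and event 5145 episodes above); it is not code from the podcast. It runs the triage logic over a constructed set of event records shaped like an EVTX-to-JSON export, correlating 4624 network/RDP logons, 5145 admin share writes and 7045 service installs into findings. The field names are the real EventData names; the records, IP addresses, account names and the five-minute correlation window are assumptions made for the demonstration.

```python
"""Lateral movement fast triage over Windows event records.

Added example, not code from the podcast. Three event types are correlated:
  4624 (Security)  logon; LogonType 3 = network, 10 = RemoteInteractive (RDP)
  5145 (Security)  detailed share access: ShareName, RelativeTargetName,
                   AccessMask (0x2 = WriteData/AddFile)
  7045 (System)    a service was installed: ServiceName, ImagePath
Records are dicts keyed by the EventData field names an EVTX-to-JSON export
produces. SAMPLE_EVENTS is constructed; the IPs, accounts and five-minute
correlation window are assumptions for the demonstration.
"""
from datetime import datetime, timedelta
import ipaddress

ADMIN_SHARES = {"ADMIN$", "C$"}        # IPC$ is too noisy to flag on its own
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

SAMPLE_EVENTS = [  # constructed, not real logs
    {"time": "2023-05-01T10:00:03", "id": 4624, "LogonType": "3",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    {"time": "2023-05-01T10:00:04", "id": 5145, "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2"},
    {"time": "2023-05-01T10:00:05", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2023-05-01T11:30:00", "id": 4624, "LogonType": "3",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.40"},
    {"time": "2023-05-01T11:30:01", "id": 5145, "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.40", "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": "Q2\\budget.xlsx", "AccessMask": "0x1"},
    {"time": "2023-05-01T11:31:00", "id": 5145, "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.40", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Users\\jdoe\\notes.txt", "AccessMask": "0x1"},
    {"time": "2023-05-01T23:12:00", "id": 4624, "LogonType": "10",
     "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def _basename(win_path):
    return win_path.rsplit("\\", 1)[-1]


def is_external(ip):
    """True for addresses outside RFC 1918 / loopback; '-' and 'LOCAL' are not addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def triage(events, window=timedelta(minutes=5)):
    """Return findings: dicts with kind, time, source_ip, user and supporting detail."""
    events = sorted(events, key=_ts)
    logons = [e for e in events if e["id"] == 4624 and e["LogonType"] in ("3", "10")]
    findings = []

    # 1. RDP logons sourced from outside the internal ranges
    for e in logons:
        if e["LogonType"] == "10" and is_external(e["IpAddress"]):
            findings.append({"kind": "rdp_from_external", "time": e["time"],
                             "source_ip": e["IpAddress"], "user": e["TargetUserName"]})

    # 2. Writes to an admin share, tied back to the network logon that preceded them
    for e in events:
        if e["id"] != 5145 or _basename(e["ShareName"]).upper() not in ADMIN_SHARES:
            continue
        if not int(e["AccessMask"], 16) & 0x2:   # read-only access: second-pass material, not a finding
            continue
        logon = next((lg for lg in reversed(logons) if lg["IpAddress"] == e["IpAddress"]
                      and timedelta(0) <= _ts(e) - _ts(lg) <= window), None)
        finding = {"kind": "admin_share_write", "time": e["time"], "source_ip": e["IpAddress"],
                   "user": e["SubjectUserName"], "file": e["RelativeTargetName"],
                   "logon_type": logon["LogonType"] if logon else None}
        # 3. A service installed within the window whose binary is the file just
        #    written: the PsExec-style remote execution pattern
        dropped = _basename(e["RelativeTargetName"]).lower()
        for s in events:
            if (s["id"] == 7045 and timedelta(0) <= _ts(s) - _ts(e) <= window
                    and _basename(s["ImagePath"]).lower() == dropped):
                finding.update(kind="remote_service_exec", service=s["ServiceName"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The read of C$ by jdoe is deliberately left out of the findings because the AccessMask check only keeps writes; in a real triage, reads of C$ or ADMIN$ from a workstation still deserve a second pass. The 7045 correlation only catches service-based execution (PsExec and its clones); WMI and scheduled-task variants leave different records.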
This week I'm doing another walk-through to illustrate how standard triage methodology can detect advanced attack techniques. Sometimes as a newer examiner, it's easy to become overwhelmed with the technical detail necessary to understand an attack. It's also easy to become discouraged and convince yourself that it's way too complicated for your current skill set and you may not even feel useful as a team member. This episode is going to dispel all of that and show you how a focus on the standard fast triage method provides all the knowledge you need to detect an advanced breach into an environment.
This week I'm covering malware fast triage. It occurred to me that I should revisit this issue for a couple of different reasons. I remember covering this many years ago and I believe that's why I haven't thought about doing anything on it lately. However, it does go hand-in-hand with the Windows fast triage series that I am doing. Part of that strategy is to look for common malware patterns. In an effort to maximize what the listeners get from the episodes I figured this topic definitely needs to be revisited so that when I use that term, you are at least clear on what I mean by it and the method it represents.
This week is a continuation of the Windows fast triage miniseries. While other aspects of the triage miniseries had fairly contained artifacts to examine, new process triage presents a large and complex landscape to the analyst. I have already broken down a number of effective analysis methods to make this more manageable. This week I focus on key applications to look for during a review. These applications tend to be associated more with malicious activity, at least according to threat intelligence research, so being aware of them and recognizing the potential is important. I also spend some time talking about the nuances of CMD.
A while back I did an episode on learning from the red team which focused on methods blue team members can utilize to better understand attacks and the artifacts affected by those attacks. One of the advantages of this method that I did not mention in that episode was how to use open source vulnerability scanners for the same purpose. This week will be part two and I will go over freely available resources and the method to help you gain better insight into forensic artifacts.
This week I interview Haseeb Awan, CEO of EFANI, about the rise of SIM swapping attacks. Haseeb explains the attack, how attackers carry it out, and provides some mitigation strategies.
This week is part 2 of the Mobile Attack series.
This week I interview Steve Whalen of SUMURI about Apple metadata.
This week I talk with MSAB about DHASH, learn what it is and its use in DFIR investigations.
This week I talk about SVCHOST. This Windows core process is one of the most targeted artifacts that comes up again and again during investigations.
This week I go over how to approach Windows core processes from the standpoint of fast triage methodology. Since these processes are found on all Windows systems it makes sense to develop an investigative approach that focuses on quickly reviewing each process for anomalies.
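An added example for the core process and SVCHOST fast triage episodes above, not code from the podcast: the checks below apply the commonly documented parent, image path, account and instance-count expectations for a handful of core Windows processes to a constructed process listing (the kind a tasklist, Get-Process or memory image export gives you). The process list, PIDs and the baseline table are assumptions for the demonstration, and the baseline is a starting point rather than a complete one (Windows 10 also runs some svchost instances under user accounts, which is why no account check is applied to svchost).

```python
"""Core process anomaly checks in the fast triage style.

Added example, not the podcast's code. BASELINE holds the usual parent /
directory / account / single-instance expectations for core processes;
PROCESSES is a constructed listing, not from a real system.
"""
import difflib

SYS32 = r"c:\windows\system32"
SYSTEM = "NT AUTHORITY\\SYSTEM"

# name -> (expected parent names, expected directory, expected accounts or None, single instance?)
BASELINE = {
    "smss.exe":     ({"system"},       SYS32, {SYSTEM}, True),
    "csrss.exe":    ({"smss.exe"},     SYS32, {SYSTEM}, False),
    "wininit.exe":  ({"smss.exe"},     SYS32, {SYSTEM}, True),
    "winlogon.exe": ({"smss.exe"},     SYS32, {SYSTEM}, False),
    "services.exe": ({"wininit.exe"},  SYS32, {SYSTEM}, True),
    "lsass.exe":    ({"wininit.exe"},  SYS32, {SYSTEM}, True),
    "svchost.exe":  ({"services.exe"}, SYS32, None,     False),
    "explorer.exe": ({"userinit.exe"}, r"c:\windows", None, False),
}

PROCESSES = [  # constructed: (pid, ppid, name, image path, account, command line)
    (4,    0,    "System",       "",                                  SYSTEM, ""),
    (368,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe",     SYSTEM, r"\SystemRoot\System32\smss.exe"),
    (500,  368,  "csrss.exe",    r"C:\Windows\System32\csrss.exe",    SYSTEM, "csrss.exe ObjectDirectory=\\Windows"),
    (580,  368,  "wininit.exe",  r"C:\Windows\System32\wininit.exe",  SYSTEM, "wininit.exe"),
    (700,  580,  "services.exe", r"C:\Windows\System32\services.exe", SYSTEM, "services.exe"),
    (720,  580,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",    SYSTEM, "lsass.exe"),
    (900,  700,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",  SYSTEM, "svchost.exe -k netsvcs -p"),
    (3100, 2800, "explorer.exe", r"C:\Windows\explorer.exe",          r"CORP\jdoe", "explorer.exe"),
    (1200, 3100, "svchost.exe",  r"C:\Users\Public\svchost.exe",      r"CORP\jdoe", "svchost.exe"),
    (4100, 3100, "lsass.exe",    r"C:\Windows\Temp\lsass.exe",        r"CORP\jdoe", "lsass.exe"),
    (4300, 3100, "scvhost.exe",  r"C:\ProgramData\scvhost.exe",       r"CORP\jdoe", "scvhost.exe -k netsvcs"),
]


def triage_processes(processes=PROCESSES):
    """Return {pid: [reasons]} for every process that violates the baseline."""
    by_pid = {p[0]: p for p in processes}
    counts = {}
    for p in processes:
        counts[p[2].lower()] = counts.get(p[2].lower(), 0) + 1
    findings = {}
    for pid, ppid, name, path, user, cmdline in processes:
        key, reasons = name.lower(), []
        if key not in BASELINE:
            # masquerading: a name one edit away from a core process (scvhost, lsasss, svch0st)
            near = difflib.get_close_matches(key, BASELINE, n=1, cutoff=0.85)
            if near:
                findings[pid] = [f"name resembles core process {near[0]}"]
            continue
        parents, directory, users, single = BASELINE[key]
        parent = by_pid.get(ppid)
        # smss (parent of csrss/wininit/winlogon) normally exits, so only judge parents still present
        if parent and parent[2].lower() not in parents:
            reasons.append(f"parent is {parent[2]} (pid {ppid}), expected {sorted(parents)}")
        if path and path.lower().rsplit("\\", 1)[0] != directory:
            reasons.append(f"image path {path} not under {directory}")
        if users and user not in users:
            reasons.append(f"running as {user}")
        if single and counts[key] > 1:
            reasons.append(f"{counts[key]} instances of a single-instance process")
        if key == "svchost.exe" and " -k " not in f" {cmdline} ":
            reasons.append("svchost without a -k service group")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage_processes().items():
        print(pid, "; ".join(reasons))
```

The legitimate lsass (PID 720) is listed too, with only the instance-count reason: the count check tells you there is a problem, and the parent and path checks on the second instance tell you which one is the imposter. That is the intended reading of a fast triage pass, not a bug to filter out.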
This week I talk about the investigative value of creating a mobile compromise assessment strategy.
This week I share my thoughts on DFIR job interviews. How to prepare. Things to consider. Pitfalls to avoid.
Tips from the DFIR Trenches
This week I talk about methodologies to investigate root cause during incident response investigations.
This week I talk Firefox forensics and identify the artifacts examiners need to know about.
This week it's back to Mac forensics with a look at the Finder Sidebar and its value for File Use & Knowledge investigations.
This week I pull back the focus for newer examiners and share some thoughts on creating a system that works for you to organize, and keep readily accessible, all the knowledge you accumulate... and a few words about Shimcache on Windows 10.
This week I breakdown iCloud forensic artifacts.
This week I talk about where to find the different listings of recently accessed files on a Mac as well as how to break out the data for interpretation.
This week I go over some of my favorite Mac tools.
This week I talk about some common PLISTs to check as part of an initial system triage.
This week I talk about common Mac file formats, Libraries and Keychains.
This week I talk about Mac Home Folders to give Mac examiners an idea of how they are structured and where to look for certain artifacts.
This week I talk about OS X's Spotlight feature, a powerful indexing and search engine built into your Mac that may be harnessed for computer forensic purposes.
This week I talk AppleDouble files and what to make of them during a forensic exam.
This week I am taking a breather and doing some planning for future topics. If you have a topic you would like to see covered mention it in the show notes. Full episodes will return the first week of September.
This week I go over some of my top reasons why Macs should be considered as a computer forensic platform.
File Juicer is an easy to use data carving tool that runs on OS X. Take most any file, drop it on File Juicer, and watch it spin out embedded image, movie, document files and text. Perfect for on-scene triage, lab work and exploring new file types.
This is part two of RAM extraction tools. Part 1 looked at why RAM extraction is an important part of forensic analysis. In Part 2 the results of a benchmark experiment with four different RAM extraction tools are discussed: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.
This episode is a two-parter looking at RAM extraction tools. Part 1 will take a look at why RAM extraction is an important part of forensic analysis. Part 2 will go over an experiment I did with four different tools: DumpIt, Belkasoft's RAM Capturer, Magnet RAM Capture and the RAM extraction feature in FTK Imager.
This week I take a look at three popular computer forensic suites: FTK, Encase and WinHex. I offer my opinion as to the strengths and weaknesses of each.
If you take a look at all the different DFIR certifications that exist today you can easily get overwhelmed. There are so many to choose from it puts meaning to the saying that too many choices is no choice at all. In this episode I take a look at digital forensic certifications from two different vantage points to provide a little guidance to those that may be trying to advance themselves through a certification or two.
For those looking to get some real world hands-on experience in DFIR to build up or expand your skill set, check out honeynet.org. The non-profit offers information and challenges to help sharpen your skills.
This week I talk about Amcache Forensics, a Windows artifact that collects details about programs that have been run on a given system. This evidence can support malware/intrusion investigations, file use and knowledge exams and data spoliation inquiries.
The last talk in the Open-Source password cracking series focuses on a tool that rivals the pay tools in function and capability - Hashcat.
Last episode I talked about using Cain to attack Windows LANMAN and NTLM hashes. Next we will discuss John the Ripper, Linux password files and rainbow tables.
In the last episode I talked about PW psychology, an important part of operationalizing any PW cracking tool effectively. Face it, the math is against you so understanding a person's probable PW patterns is important. In this episode we will talk about our first tool that can be used against a PW file. First let's go over some general features you will likely find in a PW cracking tool.
The next mini series will focus on open source password attack tools. There are some pay options out there, however, most IR teams do not have a need for them and disk forensic teams use them infrequently. Despite this many labs want the capability so it makes sense to explore the open source options first before spending the money. My goal here is to talk about these options to provide some insight and to open the series I thought I'd talk about password psychology since the weakest link in any password scheme is usually the person using it.
The $UsnJrnl is an artifact that logs certain changes to files in NTFS volumes. It is a great source of timeline information for malware/IR investigations, time stomping concerns and anti-forensics activities (i.e. wiping) as well as an additional source of file use and knowledge evidence for disk forensics.
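An added example for this $UsnJrnl entry, not the podcast's code: a parser for USN_RECORD_V2 records from the $J stream, plus the two patterns the entry points at, a BASIC_INFO_CHANGE landing moments after FILE_CREATE on a dropped binary (the time stomping pattern) and a FILE_DELETE of a binary (cleanup). The journal bytes are constructed by build_sample(); file names, file reference numbers and times are made up.

```python
"""$UsnJrnl:$J record parsing with two anti-forensics checks.

Added example, not the podcast's code. Records are USN_RECORD_V2 as written on
NTFS volumes; the $J stream is sparse, so zero-filled space is skipped. The
journal bytes parsed at the bottom are constructed by build_sample().
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength,
# FileNameOffset: 60 bytes, followed by the UTF-16LE file name
HEADER = "<IHHQQQQIIIIHH"
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}


def parse_usn(stream):
    """Return records in $J order. Each keeps the journal's own timestamp, which
    is what lets you see through stomped $STANDARD_INFORMATION times."""
    records, off = [], 0
    while off + 60 <= len(stream):
        length = struct.unpack_from("<I", stream, off)[0]
        if length == 0:                      # sparse gap: records are 8-byte aligned
            off += 8
            continue
        (_, _, _, frn, parent_frn, usn, ts, reason,
         _, _, _, name_len, name_off) = struct.unpack_from(HEADER, stream, off)
        name = stream[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn, "frn": frn, "parent_frn": parent_frn, "name": name,
            "time": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
            "reasons": {label for bit, label in REASONS.items() if reason & bit},
        })
        off += length
    return records


def findings(records, binaries=(".exe", ".dll", ".ps1"), window=timedelta(minutes=5)):
    """Flag BASIC_INFO_CHANGE (timestamps or attributes) on a binary, with a
    stronger label when it follows the file's FILE_CREATE within `window`,
    and FILE_DELETE of a binary."""
    out, created = [], {}
    for r in sorted(records, key=lambda rec: rec["usn"]):
        is_binary = r["name"].lower().endswith(binaries)
        if "FILE_CREATE" in r["reasons"]:
            created[r["frn"]] = r["time"]
        if is_binary and "BASIC_INFO_CHANGE" in r["reasons"]:
            since_create = r["time"] - created.get(r["frn"], r["time"] - window)
            kind = "timestamp_change_after_create" if since_create < window else "timestamp_change"
            out.append((kind, r["name"], r["time"]))
        if is_binary and "FILE_DELETE" in r["reasons"]:
            out.append(("binary_deleted", r["name"], r["time"]))
    return out


def build_record(usn, time, name, reason, frn, parent_frn=5):
    """Constructed USN_RECORD_V2: name at offset 60, record padded to 8 bytes."""
    encoded = name.encode("utf-16-le")
    length = (60 + len(encoded) + 7) // 8 * 8
    filetime = int((time - FILETIME_EPOCH).total_seconds()) * 10_000_000
    rec = struct.pack(HEADER, length, 2, 0, frn, parent_frn, usn, filetime,
                      reason, 0, 0, 0x20, len(encoded), 60) + encoded
    return rec.ljust(length, b"\0")


def build_sample():
    """Constructed $J: a binary dropped, time-stomped seconds later, deleted later."""
    t0 = datetime(2022, 8, 9, 3, 14, tzinfo=timezone.utc)
    frn_a, frn_b = 0x1000000000123, 0x1000000000200
    events = [
        (t0,                        "update.exe",  0x100,               frn_a),  # FILE_CREATE
        (t0 + timedelta(seconds=2), "update.exe",  0x2 | 0x80000000,    frn_a),  # DATA_EXTEND|CLOSE
        (t0 + timedelta(seconds=5), "update.exe",  0x8000 | 0x80000000, frn_a),  # BASIC_INFO_CHANGE|CLOSE
        (t0 + timedelta(hours=1),   "report.docx", 0x8000 | 0x80000000, frn_b),
        (t0 + timedelta(hours=2),   "update.exe",  0x200 | 0x80000000,  frn_a),  # FILE_DELETE|CLOSE
    ]
    stream = b"\0" * 16                   # stands in for the sparse head of $J
    for time, name, reason, frn in events:
        stream += build_record(len(stream), time, name, reason, frn)   # USN == offset in $J
    return stream


if __name__ == "__main__":
    for kind, name, when in findings(parse_usn(build_sample())):
        print(when.isoformat(), kind, name)
```

BASIC_INFO_CHANGE covers attribute changes as well as timestamp edits, so on its own it is a lead rather than proof; the combination with the journal's own (unstompable) record time and a FILE_CREATE seconds earlier is what makes the time stomping case.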
In this episode I talk Shimcache, otherwise known as the Application Compatibility Cache. This registry key has existed since Windows XP and tracks executables on a system, making it a great source of digital evidence for both disk forensics and incident response cases. In addition, there are freely available tools that will parse the data. It is not a difficult artifact to understand. Once an analyst spends the time learning how to pull, parse and interpret the data it is easily incorporated into an investigation and aligns well with other Windows artifacts.
In this episode I cover something I have been intending to do for some time: a Windows 10 artifacts overview. Here, I explore some key artifact changes and what has stayed the same. Once I got into it I found there was a lot to talk about so, to start, I will discuss the topics from a high level. In future episodes I will dig in deeper to each artifact.
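An added example for the Shimcache entries on this page (this one and the back-to-basics Shimcache/Amcache episode), not the podcast's code: a parser for the Windows 10 '10ts' entry layout of the AppCompatCache value, run against a blob that build_sample() constructs with made-up paths and timestamps. The comments carry the pitfall those episodes warn about: the timestamp is the file's last-modified time, not an execution time, and Windows 10 entries have no executed flag.

```python
"""Parsing a Windows 10 AppCompatCache (Shimcache) value.

Added example, not the podcast's code. The value is
SYSTEM\\ControlSet00N\\Control\\Session Manager\\AppCompatCache\\AppCompatCache
and is written out at shutdown, so a live export lags what is in memory.
Entry layout is the Windows 10 '10ts' format; build_sample() constructs the
blob parsed here.
"""
import struct
from datetime import datetime, timedelta, timezone

WIN10_MAGIC = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_win10_shimcache(blob):
    """Return [{'path', 'last_modified', 'data'}] in cache order (most recent first).

    Entry: '10ts' | 4 unknown | entry data size (DWORD) | path length (WORD) |
    path (UTF-16LE) | FILETIME | data size (DWORD) | data.
    Pitfalls: the FILETIME is the file's $STANDARD_INFORMATION last-modified
    time, not when it ran, and Windows 10 entries carry no 'executed' flag
    (Windows 7/8 did). The entry shows the binary was present, not executed.
    """
    entries = []
    off = struct.unpack_from("<I", blob, 0)[0]       # header size (0x30/0x34); first entry follows
    while off + 14 <= len(blob) and blob[off:off + 4] == WIN10_MAGIC:
        entry_size = struct.unpack_from("<I", blob, off + 8)[0]
        path_len = struct.unpack_from("<H", blob, off + 12)[0]
        pos = off + 14
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        ft, data_len = struct.unpack_from("<QI", blob, pos)
        pos += 12
        entries.append({"path": path, "last_modified": from_filetime(ft),
                        "data": blob[pos:pos + data_len]})
        off += 12 + entry_size                         # size counts everything after its own field
    return entries


def _entry(path, last_modified, data=b""):
    encoded = path.encode("utf-16-le")
    body = (struct.pack("<H", len(encoded)) + encoded
            + struct.pack("<Q", to_filetime(last_modified))
            + struct.pack("<I", len(data)) + data)
    return WIN10_MAGIC + b"\0" * 4 + struct.pack("<I", len(body)) + body


def build_sample():
    """Constructed two-entry cache: a dropped binary ahead of a system binary."""
    header = struct.pack("<I", 0x34).ljust(0x34, b"\0")
    return (header
            + _entry(r"C:\Users\Public\update.exe",
                     datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc))
            + _entry(r"C:\Windows\System32\cmd.exe",
                     datetime(2019, 12, 7, 9, 8, tzinfo=timezone.utc)))


if __name__ == "__main__":
    for e in parse_win10_shimcache(build_sample()):
        print(e["last_modified"].isoformat(), e["path"])
```

On a real system the blob comes from an exported SYSTEM hive (or from memory, which is fresher), and each ControlSet can hold its own copy; when the last-modified time on a dropped binary predates the incident, that is usually a stomped timestamp rather than an alibi.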
This episode I talk Just-Metadata, a freely available tool that gathers data about IP addresses from publicly available resources. Check out Truncer's website to learn more. I put together my quick start notes (below) for anyone interested in getting set up. This tool is very powerful and useful for Incident Response investigations, especially since you can batch upload IP addresses and quickly get useful details.
This episode I talk about PALADIN from SUMURI. PALADIN is a modified live Linux distribution based on Ubuntu that simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox and is used by thousands of digital forensic examiners from Law Enforcement, Military, Federal, State and Corporate agencies.
This episode covers Investigation Survival Tips... for the new guy. Newer examiners are often thrown into a world where it is their mission to find "everything." Not only that, they are usually given inadequate investigative support to accomplish their assigned goals. I have seen this happen often so I thought I would spend an episode giving some advice on how to steer the conversation to keep expectations realistic and in check.
In this episode I cover using Linux as a forensic platform... for the new guy. I find many examiners are very Windows-centric. There is nothing wrong with that as most tools and evidence are Windows-based. However, Linux comes in handy from time to time and knowing some basic commands is always helpful.
In this episode I talk all about virtual machines; the reasons you should be using them (more), prebuilt ones that are freely available and loaded with digital forensic tools and a free virtual machine application that has the same functionality you need as the pay tools.
In this episode we wrap up the File Use & Knowledge artifacts discussed previously and talk about how they connect to help strengthen a case.
Have you ever been asked to find out what the "F" drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need to know. This episode breaks down the process of collecting and interpreting the data necessary to make the connection between a USB device and a Windows system.
In this episode we examine how to use Windows Shellbag records to help prove file use and knowledge. Shellbag records are created by certain user activity and can be used to show where a user has navigated to on a computer system and when they did so. Very powerful evidence!
Windows Prefetch data is a great source of evidence to help determine file use and knowledge of applications running on the system.
Oftentimes you will be asked to find information on a target system that shows if a user accessed certain files, the last time they did and/ or how often they did. Being able to put a picture together that answers these questions can be critical and make or break the case.
Windows LINK files are a great source of information when your aim is proving file use and knowledge during a computer forensic investigation. Knowing how to interpret these files will break reliance on automated tools and give you the versatility to quickly examine - interpret - and gain investigative insight.
Listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more.
TL;DR:
This week's show features Oded Hareven, Co-Founder & CEO at Akeyless, and we cover some topics that are important, but brand new to us. Oded started a secrets management company and addressed some of the challenges and new technology with us.
First, we discuss the "secret zero" problem (the one I worry about quite often), then zero-knowledge secrets management, and finally, this thing called "distributed fragmented crypto" (which is a bit mind-blowing honestly). I think you'll enjoy this podcast, as it's a little more technical than most, and something you may not hear elsewhere.
YouTube Video: https://youtube.com/live/uNtoFbFrTjo
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
TL;DR:
This week we are starting a quarterly segment with Sean Scranton and Shawn Tuma - that's right folks, you'll get our favorite breach coach aka "The oh-shit moment guy" and one of the most knowledgeable cyber insurance people together on the podcast four times a year (at least).
So what did we cover on this show? Oye - looks like White Castle (yeah, my favorite of all time burger place from back in Illinois!) is in hot water, the SEC is ... well, being the SEC, and there's a bunch of stuff to catch up on in the insurance industry.
Buckle up!
YouTube Video: https://youtube.com/live/VduC2baCtoA
Guests
TL;DR:
I'm so excited to announce this podcast. This week the one and only Dominic Vogel joins me on the show to talk about SMBs - you know, those building blocks of the economy that most vendors pretend don't exist because it doesn't make them big $$$. And it's a whopper of a conversation with insights, ideas, and conversation that is looking to change things for the better. Hell, at least raise the awareness (wilful?) of the problems SMBs face.
YouTube Video Stream: https://youtube.com/live/6IyGJHcMv7I
Guest:
TL;DR:
Kellman's been one of the guests I've been chasing for years but he's always been too busy or too tied up in corporate requirements to be on the podcast - but now he's available and here we are. Kellman's got a lot of years behind him slinging network security gear, so it's a bit of a surprise to some that he has pivoted hard into cloud concepts and has some harsh truths for people who still think of old security paradigms when it comes to new technologies like, ahem, the cloud.
Join us, this is a really fun episode!
YouTube video: https://youtube.com/live/DuzbIsxxdxM
Guest
TL;DR:
This week's episode is packed with content, as the one and only Jim Tiller joins James and me for a podcast that ...well ...does a fair bit of analysis of Black Hat, the industry, and several other things that are probably top of mind for you as well. Let's not spoil it for you - give it a listen (and watch the video, it's good)
YouTube Video: https://youtube.com/live/se5M5vq5bcI
Guest
TL;DR:
On this episode of post-Black Hat 2023, my buddy Will Gragido joins me to talk about what we saw, what we learned, and what shenanigans transpired. We're focused on marketing and booths - how do vendors differentiate, what do conferencegoers take away, and what makes your booth or offering unique? What about AI?
Yeah, we talk about all of that.
YouTube Video: https://youtube.com/live/cWwKA-2XsQU
Guest
TL;DR
This week is Black Hat 2023, or "Hacker Summer Camp" if you prefer. That means that the hype machine will be working overtime, times 10, so here's an episode made to throw some cold water on the madness, and poke a little fun before things go entirely sideways.
I hope you enjoy this show, and as always, I welcome your comments on LinkedIn!
Guest
YouTube Video: https://youtube.com/live/CcoPUTSjPdI - honestly, my new favorite part of this podcast. I love the video we release... solid gold.
TL;DR:
I crashed a party on Security Uncorked and the crew that was having the discussion was kind enough to indulge me and my "bombs" (questions, really) - so I decided to have JJ and Josh on DtSR, and James and I continued the debate and conversation.
This was so much more fun than it should have been, but the result is something I think we can be happy with - a healthy debate, some conclusions reached, and a lot of "it depends".
Take a listen and make up your own mind.
Security Uncorked episode that started it all: https://www.linkedin.com/events/byod-makeitorbreakit-securityun7087427632488722432/comments/
YouTube video: https://youtube.com/live/3zeyKpwuneU
Guests
TL;DR:
This week my old buddies Jason Clark and James Robinson join James and me to talk about "AI" and the realm of possibilities (and risks) that it is.
We discuss Artificial Intelligence (AI) as a generational leap in technology - but also the risks it poses for corporations (and real-life, real people too).
Listen to the pod in your ears, and watch the video - trust me, you'll laugh along.
YouTube Livestream (replay): https://youtube.com/live/HyxhBVdTdB8
Guests
TL;DR:
This week's episode is a come-back episode from the appearance I did on Dan Kuykendall's "Dan on Dev" podcast a couple of days ago. We started such a fun conversation, we just couldn't let it end there. We go through some interesting (in my opinion) history of the AppSec space, Dan does a little "back in my day" stuff, and I get all "Get off my lawn".
You'll enjoy the episode if for no other reason than the nostalgia...oh sweet nostalgia.
Go subscribe to Dan's channel on YouTube, he's an old-timer like me, and he always has great insights.
Dan-on-Dev Episode you should catch first (for context and stuff): https://www.youtube.com/watch?v=PJ3X6YiHw5E
YouTube Video Stream: https://youtube.com/live/P2o-SAGQMkU
Guest
TL;DR
You've got a slightly different episode this week - it's just James and me on the mic to talk through one of my favorite topics. But first! ... we have to talk about "Threads" and the social media "too much" that's happening. Then we talk about the Law of Diminishing Returns in cyber security - from budget to effort - "How much is good enough?"
YouTube Link: https://youtube.com/live/eA6ugisBZb4
TL;DR:
** Happy Birthday America! **
This week the podcast is celebrating America's birthday by releasing an episode that is a conversation with one of my favorite Canadians. Mark Nunnikhoven is one of the foremost cloud and large scale security professionals, and if anyone in security understands how to explain some of the stresses and strains of security at massive scale it's Mark. We talk about what he's working on, and how we as an industry can start addressing security problems at massive scale.
YouTube Video: https://youtube.com/live/KIm5m8cAM0Q
Guest
TL;DR:
On this week's episode we have an expert in leadership with experience in the Federal/Military sector as well as the civilian side. Bo talks about how culture can be changed, ways to approach your constituents, and which styles of information dissemination work best in organizations both large and small.
If you're thinking about how to get your team more "security aware" and more bought in - this is an episode you must hear.
Guest:
TL;DR:
On this software security and regulation-focused episode of the podcast, the OG of AppSec (Jeff Williams) joins James and me to talk about the latest spate of regulations that require self-attested transparency about what companies are doing with respect to securing their software via supply chain and direct action.
Jeff contends this is a good thing and it's hard to argue that transparency drives good - however - I'm always curious what this does to those who struggle to afford to do better, which is what the vast majority of vendors to FedGov are.
Interesting discussion, join us!
YouTube Video: https://youtube.com/live/iavtEVADp4g
Guest
TL;DR:
On this 555th episode, James Wickett joins James and me on an interesting discussion on AppSec, developer relationships, and why we just can't seem to make it work. Or maybe we're making it work but not giving ourselves credit? Listen in to this conversation and find out. This one will hook you in, as James, James, and I have a slightly depressing conversation that I think ends in something to be hopeful about.
YouTube video stream replay: https://youtube.com/live/UIXtZy61CKU
Guest:
TL;DR
This week's episode goes down the AppSec rabbit hole with Francesco Cipollone (call him "Frank") as we discuss some of the ins and outs of the modern software security challenge. We're all over the place on topics, but the message, in the end, is sane.
YouTube video replay: https://youtube.com/live/tJ6pvV3f0uA
Guest:
TL;DR:
In case you missed the epic LinkedIn Live livestream, here's the podcast version of the conversation with Chris Scanlan (President and Chief Commercial Officer at ExtraHop). James and I talk to Chris about his career, how he picks his next job, his team, and his thoughts on high-performance organizations. Sales is a topic many of our competitive podcasts in this space don't cover much - but I think it's worth the conversation to understand the seller-buyer relationship better because it's SO necessary to your work lives. Besides, Chris is a fantastic interview... enjoy it!
LinkedIn Live replay: https://www.linkedin.com/events/dtsrepisode553-sellingcybersecu7062465900553146368/about/
TL;DR:
On this week's episode of Down the Security Rabbithole Podcast - Steve Riley visits to talk tall tales of VPN and other connectivity of yore, what it's evolving to, and why it's a generational leap.
The conversation with Steve is always a good one, and catch Steve here before you catch him on the Cloud Security Podcast (beat you to it, guys!)
TL;DR:
On this week's show, Grant joins us to discuss an episode that draws inspiration from a LinkedIn discussion with Patrick Garrity [original post] (who could not make our recording, sorry Patrick). The gist of it is this - patching is hard, there are now 925 KEVs (known exploited vulnerabilities) on CISA's list, and that's a truck-ton. The discussion threads the needle between whether prioritization matters at that scale, alternatives, and some reasons to give up hope altogether.
Buckle up, this one's a rough one to be a passenger on.
Join (or start?) the discussion on the podcast's LinkedIn Page, here.
Video stream replay here: https://youtube.com/live/0L2aKUqjmQE
TL;DR:
On this week's episode, the one and only Jeff Collins joins Rafal & James to talk about the shift to the cloud and what's gone wrong in the years since the collective "we" announced that the cloud was the answer. It feels like a decade has passed since the start (and I think it has), and we're observing increased complexity and varying degrees of security increase/decrease. What's next? Where are we right now? And what does it mean for security?
Tune in, find out.
YouTube video stream: https://youtube.com/live/Vdx73wpKzGA
TL;DR:
This episode is a bit of a rant, a bit of an analysis, and an interview with returning podcast guest Ray Canzanese, Jr. from RSA Conference 2023. Yep, I went so you didn't have to... so in this show you'll get a few impressions, and maybe you'll agree or disagree on the themes and things we're seeing.
Maybe you'll even be compelled to write something up or leave a comment back?
TL;DR:
Cyber Security seems to always be a technical topic. This week, we're taking it down a different lane as we discuss HR (right, Human Resources, remember those folks?) with Tom Venables. Tom's got seat time in the space, consulting with HR partners for various clients so he knows a thing or two about the processes and where they break down.
Listen in, and then go take a look at your own processes. Maybe you've learned something?
TL;DR:
This week on the podcast we have Nathan Hamiel, Senior Director of Research at Kudelski Security, to talk about HYPE. It's a conversation rooted in skepticism, but also optimism, in a strange mix that only Nathan can bring from his extensive experience and well-thought-out talking points.
YouTube Recorded LiveStream: https://youtube.com/live/ayPrWr-VWv0
TL;DR:
Mark Simos of Microsoft joins Rafal & James this week to talk about why the 'tools-centric' security operations (SecOps) approach is failing us, what an 'outcome-centric' approach means and, more importantly, how we get there. We discuss "vision versus execution", the history of "how we got here", and answer some questions we didn't know we had in the process. Mark's a wellspring of information on the topic, and his experience and time with the Open Group is huge for the work he's doing now to make tomorrow better for you all. Check out the podcast, and let us know what you think!
Article Link (the one we discuss)
TL;DR:
This week's guest is Will Gragido, who has some significant experience developing security products. Will and I (Rafal) have a sit-down for a conversation about security products, their complexity then, now, and in the future. Point solutions, platforms, and portfolios - we discuss all the options you're faced with as a buyer - and attempt to suggest some solutions to the madness.
TL;DR:
This week on the podcast, my buddy Adam Meyers graciously joins the show from his "undisclosed location" deep under the Meyers compound to break apart the latest threat report. I'm sure you've read it, but if you haven't you can get it at the link below. On this show, Adam and Rafal talk about what's in the report, what's not in the report, and the delta, which brings up some interesting things in the evolution of threat actors and "bad guys".
It's a podcast you don't want to miss, because it feels like a bellwether of what you'll be experiencing in your environments shortly, if you aren't already.
Check out the show on our new podcast distribution site (BuzzSprout) and update your RSS feeds if you haven't already. Go check out the video (link below), and don't forget to catch it on LinkedIn, and Twitter!
CrowdStrike Report: https://www.crowdstrike.com/global-threat-report/
YouTube Video Replay: https://youtube.com/live/HN9Qg42HCks?feature=share
TL;DR
This week, on the podcast, Rafal and James host Brian Chidester and Jordan Burris to talk about the latest National Cyber Security Strategy from the Biden White House. It's an interesting piece of national policy that outlines our cyber security priorities as a nation - and you'll have to forgive me for calling it "aspirational".
The four of us discuss the likelihood of this strategy ever being fully implemented, which pieces are most likely to work and which ones will struggle, and ultimately what the result will be here.
This is an important document - and if you're a defender or serious about cyber security at a national level - you should listen in.
YouTube video replay: https://youtube.com/live/O8lePu4ings?feature=share
TL;DR:
On this week's episode of the podcast, James joins me to co-host a great episode with an old friend - Ray Emerly. Ray is a long-time veteran of the CISO chair, and no stranger to working at all aspects of the security leadership role. We talk through a number of important topics, ask him what's changed (and what hasn't) and of course we have a stumper at the end. Listen to the end, or you'll miss a golden nugget.
Watch the Video on our YouTube channel
** This episode is being re-published due to an issue with the RSS feed/provider **
TL;DR:
We've talked about cyber insurance a lot here on this podcast, and this episode is yet another angle on the topic. Nate Smolenski joins us to discuss his view, from the perspective of a CISO. This is a great conversation for those who are still investigating Cyber Insurance, or realizing that their policies are astronomical, or trying to right-size their security program along with insurance.
Video link: https://youtube.com/live/O0gpapA_r08?feature=share
** This episode is being re-published due to an issue with the RSS feed/provider **
TL;DR:
This week I brought on David Barton, the CTO of HighWire Networks - who knows a few things about a few things. We discuss the complex nature of our business, where things get weird, and how we can work to make them better. We talk about complexity, specifically, and what makes this such a difficult thing for our industry, where simple is the arch-enemy of secure.
Join us, and catch the video on the YouTube page (smash that subscribe button), or on LinkedIn.
Video Stream (replay): https://youtube.com/live/_rykxVh_VBw?feature=share
TL;DR
It's been said that the road to hell is paved with good intentions. I feel like this applies to SBOM so much it's scary. All the good intentions in the world seem to have led us to a place where we have tools that produce inconsistent results, tool sets that aren't necessarily integrated or mission-focused to deliver results, and a lot of confusion. Varun joins us with a boatload of entrepreneurial expertise and an eye for problem-solving, so it's an interesting conversation.
Join Rafal & James in a conversation that you'll want to listen to a few times, and take notes.
Link to YouTube video
TL;DR:
This DtSR podcast brings back a good friend of the show, and one of the most experienced leaders I know - Mr. Jim Tiller. We talk about an interesting topic - the "virtual CISO". vCISO is interesting because, as markets tighten, it becomes more difficult to find and afford good CISOs and security leaders. So how can a company best utilize this part-time resource?
We discuss...
YouTube video
TL;DR:
I'm extremely excited to present to you, dear listeners and friends, a wonderful conversation with Sergio Caltagirone, who is quite the authority on 'threat intelligence' - where others talk tools and limited knowledge, Sergio literally was there at the birth of the cyber dawn of the threat intelligence operations we know (or don't know) today.
Sergio has been at an agency, at Microsoft, at Dragos - and he knows threat intelligence from theory to applications. Listen in, learn a bit, and laugh along as the Chinese spy balloon (that's my story and I'm sticking to it) disrupts our communications with our pal, Sergio.
Video Link (unedited, and hilarious): https://youtube.com/live/SuH4uxBiX3E
TL;DR:
Automation. It's a precarious thing in cyber security. Whether you're thinking about SOAR, or incident investigation, or maybe SIEM (I'm sorry) - this conversation will be worth your time. Anton and Jonathan join us to talk about how "automation" has evolved over the last decade or so, and where it's largely failed. We also start to explore the future and requirements for how things can collectively improve.
We think you'll enjoy the podcast... share it and we'd love to hear from you.
TL;DR
A few days ago, my pal Kevin asked me if I had seen the LinkedIn post by Helen Patton that asked an interesting question of the podcast space... Her post made me think - why the heck not? So, I did. Thanks to Helen, whose idea this was - I hope you get a chance to watch and enjoy the outcome of your request ... we had far too much fun recording it.
Here on this episode - which I promise you is 100x better on video, we have Anton Chuvakin, Kevin Thompson, and Jeff Collins joining Rafal & James on the podcast to have a little fun and ask "ChatGPT" some questions. Anton drove the screen share, and we had a lot of fun. I have to wonder - how did some of those answers (you'll know when you see/hear them) make it on there. Holy cow... wow.
LinkedIn video replay - https://www.linkedin.com/video/event/urn:li:ugcPost:7021885147977314304/
TL;DR
On this episode, we welcome Josh Grossman - who has a pretty interesting perspective on AppSec, or Software Security, or (cringe) "DevSecOps". Josh has a bit of an edge on the subject, so he fits in with myself & James perfectly. We talk about where things stand from the vendor perspective, building programs, and what it takes to make a real impact, versus continuing to push a very large boulder up a very steep hill.
Oh, hey, want to be on the show? Let us know a topic and your background and let's talk.
TL;DR
This week on 2023's first live-streamed episode (technically our first recorded in '23) our friend Larry Whiteside, Jr. joins us to talk about the prospects for 2023 and beyond. We discuss trends, make some rather sad predictions, and attempt to be hopeful about what the new year could bring us - if we don't find a way to walk ourselves off a cliff, first. It's a light discussion that dives into some deep topics, and ultimately ends with some hope... 'ish. Join us!
Oh, hey, since some of you are looking for a new opportunity in the new year, Larry's hiring (check out his LinkedIn page).
TL;DR
Shawn Tuma, our favorite cyber legal eagle, joins Rafal & James to talk about the sorts of things we learned about 2022, in what could be confused for a year-in-review episode. We saw ransomware, big incidents, but overall ... things weren't the worst out there. If you missed our live-stream on LinkedIn (link below) you can replay that any time, or listen to this episode as a podcast. For 2023, I'm going to be tweaking some things to get us talking and sharing, and hopefully to make an even better experience of the podcast you already love.
LinkedIn Live-stream replay: https://www.linkedin.com/video/event/urn:li:ugcPost:7013670254237163520/
Prologue
This week James and I are joined by my good friend and many-timer on the podcast Brandon Dunlap, and our mad genius and serial entrepreneur pal Paul Calatayud to talk about all of these guarantees, warranties, and insurance. It's a strange discussion but quite necessary, as the industry is littered with some of these offerings by providers and various software (security) vendors. These guarantees and warranties are made to make you feel better, but rest assured lawyers wrote these and there's always a catch. The insurance conversation, that's a little different (way different) and Paul's got some interesting things to say here. Don't miss a great episode!
Prologue
Karim Hijazi joins Rafal & James this week on the podcast to talk about some interesting trends and developments in the world of bad actors. It's an interesting update including some things I wasn't expecting to hear about how threat actors "hit back at" incident responders and threat hunters. This is a good conversation about the current threat landscape with an eye on the Russian hackers out there, and pretty good listening for anyone who wants an added dose of situational awareness.
Prologue
This is a very interesting episode... Gadi Evron joins James and me on this slightly technically difficult (the IPoCP - IP over Carrier Pigeon - was awful at times) episode to talk about the CISO role and the potential liabilities that lie within. Whether we're talking about the Joe Sullivan case (and we're not, or we try not to), or we're generalizing about employment and legal culpability - this show traverses a lot of land and it's all worth your time.
Hopefully if I did an OK job, you won't notice all the edits :)
Prologue
It's always a pleasure when I can get some friends together and banter on about a topic we all find interesting. This week's topic was supposed to be released a bit later, but it couldn't wait. We had so much fun that I thought it needed publication right now. The premise is simple - have you looked around at how many security vendors there are and just asked yourself ... "Are we solving anything, or just adding to the mess?" That's what we did on this podcast. And yeah, we'd know, because we have some life experience in this industry.
Required Reading: https://www.linkedin.com/pulse/security-tools-crash-coming-mark-curphey/
Prologue
On this episode Rafal & James re-visit the concepts of machine learning, "artificial intelligence", and their applicability to cyber security with Sven Krasser, Chief Scientist at CrowdStrike. Dr Krasser has been working on algorithms and computers analyzing massive amounts of data since the early 2000s, so his analysis of today's "state of the art" and projections for the future are likely spot on. We have a little fun poking at industry buzzwords and make some real projections for where things are moving.
If you're trying to sift through the hype and asking yourself whether any of the "AI + ML" hype is real, right now, listen to this podcast. Some of your questions are likely answered here.
Prologue
This podcast has attempted to go down-market a few times, with some success in discussing the important issues that service providers and security vendors oddly ignore. If you're not in the enterprise, you get ignored by 90%+ of the security vendor space, that's just fact, and that means that you're left to fend for yourself at the worst scale possible.
That's unfortunate, in the long run, because as all the vendors chase enterprise vendors, they at the same time lament the poor state of downmarket security. This podcast addresses something that may be able to help. A long-time colleague and friend has started a company and has a philosophy that we think y'all should hear about.
I'm going to encourage you to give ContraForce a look -- not just because they're named after one of my favorite video games of all time -- but because they are working hard to solve a fundamental problem that we have in the security space...small companies have big problems too.
Prologue
Are you sick of hearing "Zero Trust"? Do you, like us, also feel like it's a marketing buzzword, and then a cute concept that has a very difficult time in reality? Yeah, this episode is for you.
David Fairman and Jason Clark join Rafal to talk about what is essentially continuous signals evaluation, least privilege, and default deny with segmentation. All those things we love, and haven't done right.
Prologue
This week, we take it back to the basics, that's right, the basics, as we talk to Huxley Barbee about the need to identify and understand the assets on your network and in your various environments. A fascinating conversation with some history, some laughs, and some honest discussion of a topic that's absolutely critical to cyber security.
If you've not done so, go check out the conversation with Dell Technologies' John Scimone -- a CSO's perspective on fundamentals: https://ftwr.libsyn.com/dtsr-episode-513-cso-perspective-on-security-fundamentals which will give you some additional perspective on this issue.
Prologue
Today's guest helps James and Rafal attempt to unravel the completely confusing space of "modern remote access". Some call it SASE, some SSE, some ZTE and some are completely mad and still use the term VPN. Who knows who's right, or why any one is preferred over the other ...except Carlos Salas from NordLayer. Listen in, and give it some thought. Maybe you'll understand this big mess a little better by the end of the episode.
Prologue
It's been a while since we have done an episode on cyber insurance, in fact, the last episode was https://ftwr.libsyn.com/dtsr-episode-454-tpa-cyber-insurance-fact-vs-fiction back in July of 2021. So we revisit with the two experts plus a bonus guest for you.
We look at the issues from the perspective of the broker, buyer, and lawyer -- a complete picture if I do say so myself!
Story link in FastCompany: https://www.fastcompany.com/90781786/cyber-insurance-price-hikes-have-left-local-governments-reeling
LinkedIn Live video stream (on-demand): https://www.linkedin.com/video/event/urn:li:ugcPost:6980210814192402434/
Prologue
Our industry has been talking about XDR for a while now. Some people think it's the savior, some people think it's marketing garbage - and neither of them really understands what this "thing" named XDR is. Well, I figure we'll get some smart people on the podcast, people who live in this field and use this word a lot, and giddy up.
This episode is slightly PG-13'ish ... because Anton has a potty mouth and I don't want to edit.
Prologue
We start Cyber Security Awareness Month - the 30-day window where corporate law requires you to check the box and take boring security 'awareness' training, then forget it November 1st. Not my favorite month... so what about scammers, criminals, and bad people who prey upon those who aren't covered by corporate mandated training? Join us, let's talk about it.
Prologue
This week, Rafal takes the show on the road (literally) to Las Vegas for Fal.Con '22 -- this is CrowdStrike's premier global get-together of customers, partners, and industry experts to showcase some innovation and share ideas and insights.
I wanted to say a big thank you to CrowdStrike -- all the folks who helped make this happen and continue to support this podcast and provide access to these fantastic guests.
Thank you to Nick Lowe, Geeta Schmidt, Kapil Raina, and Bryan Lee for taking the time to share their unique insights.
Prologue
Solving problems is a challenge not everyone is up for. The industry is littered with people and companies that bring small-time solutions to an industry begging and pleading for actual solutions. Jason Clark of Netskope, and long-time friend, joins James and Rafal to talk about the mindset and approach needed to solve BIG problems that change the game, change the landscape, and change our lives.
For those of you paying attention - DtSR is officially 11 years old.
This episode is the first episode of year (season) 12. WOW. Thank you for listening, sharing, commenting, and watching us live!
Prologue
We work in a weird industry where marketing has to make ever-more outrageous claims that product and service teams then have to attempt to live up to, but it's a way of life. Now, I'm not strictly speaking blaming product marketing people, but they do have some blame in this insane climate we find ourselves in. On this episode, two good friends - and professional snark'ists - join James and me to talk about where our industry has over-marketed, over-hyped, and simply failed to deliver ...and where it may actually be meeting expectations. It's a fun conversation, and I bet you won't see the ending coming.
Prologue
Fresh off his presentation at Defcon 2022, Ken Pyle joins Rafal to talk about the Emergency Alert System (EAS) he's been hacking since 2019 and discusses findings, challenges, and the work left to do.
It's a fascinating conversation that will leave you wondering - how do we fix this clear and present problem, and more importantly...where else should we be looking?
Prologue
This week's guest is always a great interview. Gadi Evron has been around the industry longer than it's been an officially named discipline. In this episode, he talks about post-breach standards and the apparent but not previously discussed need. He also breaks your brain with disinformation, which we only lightly touch on before realizing we need at least one more podcast to go deeper into the topic.
Join us, and share this one, it's awesome.
Prologue
We've covered "threat intelligence" on the show a few times now, but the evolving nature of what threat data is, how it's useful, and how it enables defenders of a specific type to identify malicious activity keeps it interesting. This time around Adam Meyers of CrowdStrike joins Rafal to discuss threat intelligence and threat hunting, and clarifies some of the misconceptions and utilities around the topic. A good conversation for those defending their infrastructure, and useful data points from someone who is a recognized expert. Adam joins us from his bunker, with all the elements you'd expect from Adam, so it's definitely worth your time to listen closely.
Check out Fal.Con, where you can catch the cutting-edge on CrowdStrike kit, industry knowledge, and hear some great industry speakers. Rafal will be there speaking on the topic of operationalizing and making the SOC more effective and efficient at small scale, check it out (link below).
Prologue
"Just do the basics!"
"Remember the security fundamentals."
...sick of hearing those catchphrases without anything to actually get it DONE? Yeah, us too. This week we're joined by John Scimone of Dell Technologies to talk about his take on fundamentals, both security and IT. His approach is not unique, per se, but it's one that works and it's repeatable. More importantly, he's willing to share his expertise and what he's done to be successful in raising the bar to his level of "good enough" -- so unless you've gotten where YOU want to be in those security fundamentals, it's time to listen to John's podcast and take notes. Take lots of notes.
By the way, if you want the video on LinkedIn Live where you can post questions too, click here: https://www.linkedin.com/video/event/urn:li:ugcPost:6953043382164209664/
Prologue
This week, long-time friend and well-known industry personality Jessica Hebenstreit joins Rafal to talk about her journey in consulting to very large security programs and why maturity is elusive in many of those programs. As it turns out, maturity is influenced by many factors but highly dependent on actually solving problems and being able to show progress. This is an interesting conversation for anyone who wants to understand what's inside the head of a former practitioner who has ventured into the field to help others solve large-scale, complex problems.
Prologue
This week on the podcast, the one and only Tom Eston joins Rafal & James to talk about managing teams. Tom is a well-known personality who runs the "Shared Security Show" podcast -- which has been running even longer than we have, give them a listen if you don't already.
Tom talks about the difficulties of managing, coping with various types of personalities, and helping employees thrive while finding the right balance between in-office and remote. Great show if you're in a leadership position, or hoping to be, managing technical teams.
Prologue
It's always a pleasure to have someone on the show who is an expert in their trade, someone who has experience, expertise, and depth of understanding like few others. In this case, James and I host Jim Tiller - one of the people I consider a mentor and a long-time friend, who is all of those things and more.
Jim is a quintessential expert on cybersecurity services - and in this discussion we push some of the buttons that really get him talking, passionate, and dispensing wisdom. I hope you brought a notepad, because you'll want to be taking notes.
This episode is for those out there who work in, or manage, services organizations. Truckloads of information here...
Prologue
James has been talking about "shift left" for a while so when Jeff Williams posted interesting research on LinkedIn - we jumped on an opportunity to have him on the show to talk about the subject. Let's face it, everyone is shifting left, and most of this is just marketing nonsense, but some of it is actually an attempt to push security "earlier" into the cycles - but is that good? Does it even make sense?
Jeff kills one of my favorite, go-to, security myths about software security...and a fun discussion ensues. Join us, and maybe add to the conversation!
Prologue
DNS is a big topic, and you may be asking yourself why. Well, as we noted in a recent show ( https://ftwr.libsyn.com/dtsr-episode-504-dns-turns-40 ) DNS is officially middle-aged. And with that middle-age comes some more problems. These issues have caused a situation where it's increasingly evident that DNS needs to evolve, mature, or simply revise (2.0?) itself ... but into what? And why? Listen to Ken Carnesi from DNSFilter who joins James & Rafal to talk about the challenges and the future, and why it's still such a sh*tshow today.
Prologue
Let's start with NDR - Network Detection and Response - because it's not new, but the discussions lately have been very interesting. Is it still relevant? Does it have a place in today's hybrid and cloud world? Well, in this conversation with Raja Mukerji, co-founder of ExtraHop, Rafal tackles these questions and gets some interesting answers.
For those of you who have followed for a while - I have a surprise reveal for you at the end.
Prologue
As some of you know, I've been either in the AppSec space, or adjacent, since the fairly early days. I built a program at GE a million years ago, and worked selling dynamic web app testing software for many years. If you've been in the space, you can feel a little bit hopeless with all the different options, tools, and advice only to look at the stale OWASP Top 10 and wonder ...why aren't things improving? Matt Rose joins me in a post-RSA conversation about ASPM (Application Security Posture Management), and before you dismiss it as another analyst buzzword, let's talk about why this may actually (and finally) start to solve some of the complex issues around developing, releasing, and maintaining reasonably secure software.
This is a space I've been passionate about for a long time, and I feel like everyone should listen to this.
Prologue
RSA Conference 2022 has come and gone. Rafal was there for all the circus and madness, and sits down with James to discuss what was seen and heard.
Also, you'll get some clips in here from some of the interviews from the show as Rafal caught up with some interesting vendors, old friends, and even some poetry.
Prologue
In this RSA conference-themed episode, I bring on Jonathan Barnett from OpenText Security Solutions to discuss DNS turning 40 years old. Yeah, it was originally invented in 1983 y'all. As DNS turns 40, some of the lingering problems are getting worse, some of the new solutions open up other problems, and we're all about solutions here so we tackle some of the things Jonathan is doing to address the issues.
Interesting episode to ponder, and reflect on, as DNS turns 40 years old next year and we try and figure out "now what?"
Prologue
This is a bonus episode for the Episode 500 live-stream we did. I brought together Crowdstrike, OpenText, and Netskope technologists to talk about the technology they've worked with over the last 10 years, where it stands today, and what the future outlook looks like.
It's a fascinating conversation from some of the most common vendors out there in security - and you're probably using or relying on their platforms -- so it makes sense to get their take on the past, present, and future of technology in our industry.
Special thanks to Adam, Grayson, and Mark for taking the time out and sharing their expertise!
Prologue
This week, we talk about the cloud in a different way than we have previously. We discuss "blast radius" with regard to vast numbers of roles and permissions inside of a public cloud infrastructure. The numbers are staggering and you'll likely find yourself asking the obvious question -- "How does anyone manage all of this, with any hope of getting it right?" The beginnings of that answer lie in this show.
Prologue
CMMC may be something you know nothing of, but if you're a government contractor, or work with government contractors of the DIB - you're probably all too familiar.
For some, it's hell. For the rest, it's mostly insane. Jacob joins Rafal & James to educate us, and give us the reality of this set of standards.
Prologue
This week, on the first post-500 episode, we welcome Netskope's Ray Canzanese to talk about the Cloud & Threat Report they just published ( https://www.netskope.com/netskope-threat-labs/cloud-threat-report ) which has some interesting bits in it.
Ray discusses the details and some of the things that you won't find in the text of the report. Good conversation as Rafal & James break down the headlines.
First - thank you to everyone who listens to this show, shares it, and has left us a review. You all are the reason these past 500 episodes got published, and why this show will keep going into the foreseeable future!
Link to video: https://www.linkedin.com/video/event/urn:li:ugcPost:6917850703235321856/
This episode features some of my favorite guests from the last 500 episodes, with something to say. We cover a lot of ground, totally unscripted, and we have opinions.
Prologue - Part 1 of 2
First - thank you to everyone who listens to this show, shares it, and has left us a review. You all are the reason these past 500 episodes got published, and why this show will keep going into the foreseeable future!
Link to video: https://www.linkedin.com/video/event/urn:li:ugcPost:6917850703235321856/
This episode features some of my favorite guests from the last 500 episodes, with something to say. We cover a lot of ground, totally unscripted, and we have opinions.
Prologue
Friends and colleagues - I want to thank you from the bottom of my heart. It almost brings me to tears that over the last 11 years you've been sharing, downloading, and talking about this little thing I started back in 2011. Incredible doesn't even begin to describe the ride so far.
And to top it off, we've hit almost 32,000 downloads this month - the most we've ever gotten by almost 2,000 more. I'm flabbergasted.
So this episode, it's just James and I - just us doing what we do.
Thank you. We love you. Keep listening!
Prologue
Super pumped this week to have James Azar on the show. James hosts a collection of podcasts including one I try to catch as often as possible - https://www.linkedin.com/company/cyberhubpodcast/.
We cover a lot of ground, but you'll walk away with James' words ringing in your head, I can almost promise you that.
Prologue
This week, as we approach episode 500 and the extravaganza that it will be, James and I welcome my personal friend and all-around wonderful marketing dude, Russell Wurth. We joke about what's wrong with cyber-security, and why it's mostly marketing's fault.
Join us, prep your buzzword bingo card, and have a drink in hand (unless you're driving, then please don't).
Have you noticed that the relationship between buyer and seller, or more precisely, between CISO and seller is... eh ... tenuous lately? OK, maybe it's a lot worse than that in some cases. Why is that? How did we get here? And how do we fix a relationship that is quite clearly necessary, but just so broken? Yaron Levi, long-time industry veteran joins Rafal to discuss the challenges and opportunities of the CISO - vendor relationship.
Prologue
This week, as Vladimir Putin's Russia continues to commit war crimes and genocide against the people of Ukraine, DtSR gathered a panel of experts to discuss and dissect the threat of a Russian-based cyber offensive against the west. Our panelists helped separate fact from fiction, and gave us some take-aways that we can use to rationally and realistically protect ourselves from this and other related threats.
LinkedIn Livestream video recording: https://www.linkedin.com/video/event/urn:li:ugcPost:6915354239766568960/
Special thanks on this episode to OpenText for bringing Mike to us on this show. What a fantastic conversation about the state of forensics and a little bit of reminiscing too!
This episode we talk forensics, and the art and science, plus how to build that back-fill of talent this entire industry is short on. Michael has decades of knowledge and experience, and it's a joy of a conversation.
Also, if you're into nothing else on this episode, check out the world's cutest kitten. Come for the kitten, stay for the forensics goodness.
With all these breaches, and all this money and productivity lost - is anyone paying attention? Is anyone learning anything? Join us, Shawn will tell you.
This week, the guy with the best vendor hoodies ever is back! Philippe Humeau of Crowdsec joins us again to talk about some of the data his team have gathered, analyzed, and are using to crowd-source protection in the form of block lists. Anton Chuvakin joins us to bring his useful manner of snarkasm, just to keep us honest.
Prologue
I read an article the other day that got me thinking, and inspired me to get Wesley onto the podcast to talk about SOAR. Yes, SOAR is absolutely boring - but that's OK, isn't it? What's the actual purpose of SOAR technology, and where is it being utilized today? Are we getting the most of this, or is it just a boring fad? All this and more on today's show.
Prologue
We open this episode with an acknowledgement of the crisis in Ukraine, as Putin's madness is unleashed. We stand with the brave people of Ukraine as they defend themselves from unprecedented evil.
That said, this week James and I bring Grant Sewell onto the show. Grant has experience being a "behind the scenes" CISO, and more recently in a customer-facing role. We discuss the evolution of the CISO into a "trust officer" and the focus that takes.
LinkedIn Live stream (recorded): https://www.linkedin.com/video/event/urn:li:ugcPost:6895440886222643201/
DtSR LinkedIn Page (subscribe here!): https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Prologue
This week is a slightly longer (oops) episode of the DtSR Podcast with a three-timer, Adam Meyers of Crowdstrike. Adam joins James and Rafal to talk about the latest Global Threat Report and all the trends and insights.
There is a lot of good insight here, and if you want to catch the LIVE (recorded) video you can get that too! Don't forget to subscribe to our DtSR page on LinkedIn to get all the latest content.
Prologue
This week I'm so thankful that James and I have the opportunity to talk to the authors of "The CISO Evolution" -- a fantastic book for anyone who wants to be, or is working as, a security leader. Rock and Matt join us to talk about the book, share some insights, and maybe answer a tough question or two.
Continuing our thread on the software supply chain and SBoM (Software Bill of Materials) we bring in Ed Moyle who is writing a series on the subject for his column. Ed brings up some very interesting points on some key aspects of software supply chain including feasibility and asks that difficult question "So what if you get it?"
Prologue
SBoM ("Software Bill of Materials") is the new rage. Everyone's talking about it. What it means is you're expecting a list of software components and includes, libraries, etc that make up the software you're buying or using.
The problem is, in real life, SBoM is exceptionally difficult and maybe even slightly impractical. Listen in as Rafal & James discuss SBoM in real-life scenarios with Paul Caiazzo -- a guy who's trying to make this idea work in his day-job.
Prologue
Back in episode 469 ( https://ftwr.libsyn.com/dtsr-episode-469-yght-they-hacked-ransomware ) we brought Steve Perkins of Nubeva ("Cloud Go" in Portuguese) to talk about a very interesting "accidental" development. They'd figured out a way to steal encryption keys from ransomware, thus rendering it potentially toothless. Well, now Steve's back with a product, and a way to reverse ransomware's encryption with minimal friction and without paying the ransom. So ... yeah. Listen in.
Prologue
Have you ever made a payment from your mobile device, wirelessly using NFC? Of course you have, most of us have by now. Did you know there are some (or at least were) fairly significant design flaws, otherwise known as "features", in the various platforms? On this show, we're interested in learning more about Timur's research and what he's uncovered. You'll want to do what I did, check your phone's NFC payments settings, once this show is over.
Prologue
We have a repeat guest today! Mr. Mark Simos joins me once again to talk about Microsoft's Cloud Adoption Framework (CAF) and its applicability to not only Azure, but also your other clouds.
Building resilient and secure clouds isn't just about security, it's about design and architecture that adheres to good practices. Microsoft's CAF is a fantastic place to start - listen here to learn more.
Prologue
This week, on a good start to the new year, Eric Escobar joins us to talk about hacking wireless - and a little bit of history on the topic. Taking us back to early wireless hacking where you had to have the right wireless PCMCIA card and drivers, to today where things are a little more complicated but oddly not too much has changed.
Prologue
Bentsi is a guy with some experience in the bad guy world when it comes to devices and gadgets getting compromised. In this episode, he tells us stories and anecdotes on things he's seen and the threats gadgets face. It's a very interesting discussion, and might just make you a little more paranoid before it's over.
Prologue
Have you ever plugged your smart phone, tablet or other "smart thing" into a power cable that wasn't yours? I'm guessing you've answered yes - and if so, you need to listen to this episode.
As we travel and move around with our smart devices, we don't always have our charging cables & blocks with us, and that can lead to disaster. Hear more from Robert Rowley on how "juice jacking" can cause security problems we aren't even aware of.
Prologue
In a technically deeper episode, Ev joins Rafal to discuss how security has made productivity challenging at times, in terms of having to jump through hoops to get work done, and what we should be doing about it. Ev asks us to imagine an entirely new paradigm of productive access to necessary resources - so listen in and dream big with us.
Prologue
This week's episode is one of my favorite topics - marketing buzzwords. You've all heard the term "XDR" and wondered (probably like me) what the heck it is and how it's different than EDR or MDR. Do we really need more buzzwords?
Mark Alba from Anomali joins me this week to discuss this, and I think it'll help sort things out for you, it sure did for me. I'm still not a big fan of new buzzwords, but at least I get it now.
Prologue
Welcome to the last month of 2021 - December. This month we have a few bonus episodes, starting with this gem on identity. We've got a great guest and Mike Kiser has some interesting opinions he's definitely not holding back on.
Thanks for listening - we hope you enjoy this episode. And special thanks to SailPoint for bringing Mike to the mic.
Prologue
Folks, the video of this episode which was live-streamed to our YouTube channel is here: https://youtu.be/IYVB_LNhURQ - and if you can, watch it.
Huge mega-thanks to Microsoft and Lightstream for bringing together Jeff and Mark on this one to deliver some truly phenomenal content.
This week is Azure Security Benchmark (not baseline, oops) version 3.0 hot off the presses. We talk about what it is, how to apply it, and where and why it's so useful for keeping not just your Azure public cloud safe, but also the "other" public clouds you use too.
Prologue
Fair warning y'all, this episode may have been just slightly more fun than the Surgeon General allows. That said, on this one we not only made up some new terms ("Threat Instructions", Anton) but also had some fun describing what a well-functioning system of highly automate-able threat data would look like. And as it turns out, it's CrowdSec's "Fire" data set.
Fascinating conversation, and most fascinating of all is that as Philippe described how it functions, Anton could find nothing wrong with it. Call me gobsmacked.
If you're interested in participating in the Crowd, click this link - because a typo will put you in a very weird and very different sort of crowd.
Prologue
Hey! Are you attending OpenText World Enfuse? If not, click here and check it out - it's virtual!
Straight from Enfuse Chuck Dodson joins Rafal & James to talk about digital evidence collection, management, and processing in the realm of law enforcement. A fascinating look at the law enforcement side of things, and a topic perspective most of us never have occasion to think about, unless you're in the fight.
Prologue
In this episode, we host a lady who only needs one name, like a movie or rock star. But "Jax" deals with topics we normal people don't have the stomach for, like CMMC and government security. In this episode, she joins us to talk about the current Executive Order on Cybersecurity ( Executive Order 14028, May 12, 2021 - https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity ) and the implications and impact it will, might, and could have. A fascinating discussion that's worth listening to, whether you spend time in FedGov, or not.
Prologue
Let me start by saying how much I enjoy chatting with Rick Howard, today's podcast guest. Rick's been on before, and we always go long (especially on this one, sorry not sorry), but the content is well worth your time.
On today's episode, we chat about "Zero Trust" and where technology meets concept, what's missing, and what's next. If you think you know all there is to know about Zero Trust, I promise you, you'll learn something new.
Prologue
On Episode 471, as we rapidly hurl towards our 500th episode, we bring back Chris Romeo to talk about threat modeling. Specifically, we discuss threat modeling of software - with developers, methodologies, silos, incentives, and outcomes all in play for discussion.
Chris has been doing this a while, and has some deep insights into what it takes to make things work - and we welcome your feedback on how you do it.
Prologue
On this episode of the DtSR Podcast - Ann Johnson joins special guest-host Ken Fishkin of NJ ISC2 chapter, along with James & Rafal to talk about leadership, and sports apparently.
Thanks to the NJ Chapter of ISC2 ( https://www.linkedin.com/groups/4425593/ ) for submitting questions and Ken for joining us to guest-host.
On this episode, we ask Ann to talk to us about leadership challenges, and what's in store for the future. Also, we briefly talk sports teams and discover Ann is a Cowboys fan.
Prologue
This week on a ridiculously awesome episode of the DtSR Podcast the one and only Mr. Steve Perkins of Nubeva joins Rafal & James to talk about something worth shouting about. They've figured out how to beat ransomware... yes, there are a few 'catch' things, but the tech seems solid and the possibilities endless.
Give this episode a listen, then scroll below to click the links, and give this a look for yourself!
Prologue
This week, we get to meet Sean Jackson. You may not know Sean, but his journey may feel familiar. He got here much like many of you, and his story of discovery and understanding of his role in the business as "the security guy" is something you should probably know. There are many paths into our profession, and there are many different ways to view what we do - Sean's is compelling as it is timeless. Give it a listen, and join me on his journey.
Prologue
This week, Kim Lewandowski joins Rafal & James to talk about Google's latest contribution to the Open Source software movement - Supply-chain Levels for Software Artifacts (SLSA). We have a great conversation, and I hope you guys go watch the video (when it comes out) and check out the axe in the background. I never did find the interesting logo Kim talks about - maybe one of you will find it and post it to #DtSR on Twitter!
Prologue
This week, fresh off his Twitter rant, Travis McPeak joins Rafal to talk about the goat rodeo that is vulnerability management in the enterprise. Travis talks about the multitude of reasons vulnerability management is so difficult, and what can be done about the whole mess.
Great episode, lots of great discussion and big thanks to Travis for the contribution to the topic. This needs more discussion, folks!
Prologue
I have no excuses, and no ideas, how this show has made it so far without having the one and only JJ as a guest. She's been doing network security and architecture for a long time, in addition to being a force for good. Her focus on NAC (Network Access Control) shines through in this discussion too. Hilarity ensues.
Prologue
This week our pal and previous guest Patrick Miller joins us to talk about the power grid, current state of the thing, and what he's working on in the power generation and distribution sector. It's a strange place where 8" floppy disks and DOS 2.2 still live. Yeah, go search those, you think there's a 0-day for DOS 2.2?
Prologue
This week our friend Ira Winkler joins Rafal & James to talk about the human element in cyber security. Ira, like us, absolutely loathes the phrase "stupid user" - so you'll want to hear what he's working on, and his comments on the space.
Prologue
With all the craziness going on in the world, from terrorism, to catastrophically botched withdrawals from a 20-year war, to the incredible proliferation of ransomware, and "cyber privateering" making a comeback in the news - it's as good a time as any to discuss open source intelligence, collection, and analysis.
Aki is a guy who would know a little bit of something about the topic, because anytime someone has to choose the way they describe their past "work" - you know their background is pretty colorful.
Prologue
Let me start off by saying that this episode isn't about politics. It's about facts, claims made, and election security facts and myths.
I want to thank Rob Graham for getting on the show and sharing his experience on short notice, and providing insights from Mike Lindell's "Symposium". It's truly eye-opening, and hopefully a conversation that strikes at the core of what we need to hear right now.
Prologue
Thanks to Okta, for providing what is surely an entertaining (at least to record) and informative episode with some really cool guests. Bharat and John join James and Raf to talk about CIAM (a term Raf had to look up) and all things authentication history, past, and present.
By the way, if you haven't registered, you should register for this very cool Okta Developer Day "Auth for All".
Guests
Prologue
Big thanks this week to OpenText for providing access to Fabian Franco (go check out his bio below). He joins James & Rafal to talk about protecting endpoints, and some of the interesting things that go along with state-of-the-art detection and response capabilities. Also, if you'd be so kind as to support those who keep this show going, go check out the OpenText link below and give it a click, won't you?
Why are there so many acronyms for endpoint defense? What do EPP, EDR, MDR, XDR mean and are they at all any different? Let's dive into this, on today's episode.
Guest
Prologue
This week we have the pleasure of having Kevin Pope, one of Raf's close and long-time friends, and someone who's had one heck of a journey into and through our industry. Kevin is a veteran, security-curious, and a cyber security professional - and he's got some metered opinions too. We discuss hiring, staffing, and some of the issues we've collectively - and he specifically - seen. Give this one a listen if you want to understand why we have the staffing problem in cyber-security that we do. Seriously.
Guest
Prologue
Huge thanks to Prevailion's Karim Hijazi for taking the time with us to dissect this Gartner headline and article on "adversaries killing people using OT". As we expected, a sensationalist headline, followed by some mildly fluffy stuff, with a kernel of truth. Good discussion nonetheless, though, and I even learned a thing.
Links
Guest
Prologue
Frankly, we have no idea how we got through 450 episodes without interviewing Rich. No clue. Rich is a man of many talents including a trained responder for situations like we've been facing. He's also a cloud security specialist, and happens to do a half-dozen other things in his "spare time" too. In this episode we chat about what the pandemic has taught cyber security professionals, and what we'll come out the other side looking like.
Warnings:
Guest
Prologue
It's been a long time, maybe forever, since James and I sat down and just chatted on the podcast. With all these amazing guests we have on the show it's easy to get caught up in the fun and forget to just have a two-person conversation every once in a while. With that in mind, we did it this week. We sat down, just the two of us, and chatted about the last few hundred episodes, the things that have stayed with us, and some things we wished would "get better" but alas...
Jump in, this is a special episode.
Prologue
Sean Scranton joins Shawn Tuma and myself to talk about cyber insurance, specifically, as it is a massive topic of discussion lately. Building on top of the "does cyber insurance even pay out?" question and exploring if cyber insurance will actually change the industry (as Jeremiah hints in episode 447) we traverse a lot of related topics and answer some good questions. This is one of the most informative episodes on this specific topic I've found out there - without all the usual propaganda.
Huge thank you to Sean and Shawn for agreeing to take time away from client work to speak with DtSR, and leave this information accessible to my listeners.
Guests
Prologue
Vulnerability Management has been a bit of a soapbox for me lately, and this episode brings in two experts on the topic directly from the enterprise to talk about how prioritization, spreadsheets, and today's big vulnerability problem produce serious issues for enterprise professionals. The problem is as old as our profession, but in spite of the tools, testimonials, and hand-waving it's still a massive problem.
Guests
Prologue
On this episode of the podcast I have the pleasure of hosting one of my long-time friends and industry titan - Dawn-Marie "Rie" Hutchinson. She's fresh off of a stint as a CISO, and talking about burnout in our industry and beyond.
It's always a pleasure chatting with a friend, but this is an important topic so extra thanks for sharing her knowledge and insights with us; working in a globally diverse and multi-timezone workforce isn't easy, and the lessons are useful!
Guest
Prologue
My pal Rock has ventured off on his own, so I wanted to catch up with him and get a quick update on the state of business, but also get a sense for what he's seeing in the industry as he's advising companies and helping them through compliance and regulatory challenges. Fascinating conversation, always fun stuff.
Guest
Prologue
Ladies and Gentlemen - we've hit ** 450 ** episodes.
Let me just take a moment and reflect on the number of awesome guests, long hours recording and editing, and all of you phenomenal fans and listeners spreading the show content.
Episode 450 feels like the right one to drop an episode with one of my real-life best friends, British sensation, and perennial entrepreneur Vikas Bhatia. We drop the gloves and go after the shitshow that is third party risk management in modern day enterprise.
There are answers, but not if you don't address it head-on.
Guest
Prologue
In this episode, our legal eagle Shawn Tuma is back to discuss the Colonial Pipeline incident and whether it could be a watershed moment for US Cyber interests. As Toby Keith's "Courtesy of the Red, White, and Blue" plays in the background, we discuss what's happened, what could happen, and what it all means.
Guest
Prologue
You've GOT to hear this!
This week on the podcast, I invited Martin Zizi of Aerendir, to talk about how we can use technology to not only distinguish between humans and non-humans (bots?) but also how to identify humans with staggering levels of precision - using commonly available and inexpensive components. He's got humor, an eclectic background, and great knowledge of the topic. Join us!
Guest
Aerendir Mobile Inc. is his second start-up. He was #2 at another start-up in the Medical technology vertical.
Prologue
I don't know about you, but I have Jeremiah in a list on Twitter that allows me to read/think about some of the things he posts without the noise of the rest of Twitter.
Should a company that develops software be held responsible when a bug they missed is exploited? Why do we "Agree" on all those click-through agreements which basically disavow any responsibility, anyway?
What about security tools - if they scan and miss a flaw that's later exploited, shouldn't they be liable?
These and other salient topics are discussed in fairly great detail without all the usual hype you hear around this topic. Please join us, this is a wonderful episode to listen to more than once.
Guest
Prologue
When in Austin, TX ... meet up with some friends, right? This week I have the pleasure of sitting down in-person with Joel, who has been doing the "AppSec thing" for longer than many of you who are reading this have been in our profession. Joel knows a thing or two - so we discuss a thing or two.
Philosophy, history, and some ugly truths come out in a conversation that can only happen in-person.
Guest
Prologue
I honestly am having a difficult time understanding how this show has gone so long, so many episodes, without sitting down with Dave Marcus 1:1. It hurts my brain. So I rectified this situation and here you are. Dave is one of the best humans in the industry, has a few truckloads of knowledge, and you could stand to learn something from him. Give this episode a shot.
Warning: Dave drops a pair of F-bombs, and the show goes a little longer than most at >40 minutes. But it's well worth your time. I promise.
Guest
Prologue
I'm honored to have Gary McGraw on with James and myself on this episode. I hadn't realized, but Gary retired from (what was formerly) Cigital - and by retired I mean "started something new". Gary sucks at retirement, but he's brilliant and has a lot to say about machine learning and its applications, so you should really listen in. No, "AI" isn't going to take over security - but it's worth exploring the enormous contributions machine learning makes to our lives and how they can be abused.
Guest
Prologue
Chris Eng has been elbows deep in software security for a very long time. Times have changed over the last 20 years, as have tools, methods, and outcomes - what hasn't changed is how much security debt we keep amassing in our applications. How bad is the problem, and what can be done? Tune in and find out what we think.
Guest
Prologue
This week, the show is back after a brief spring break, and we have with us Dmitri Alperovitch - who has taken on a new venture in his latest role. We discuss cybersecurity policy, government's role in private enterprise defense, and why you should probably never run your own MS Exchange Server.
Lots of great content from the always informative and entertaining Dmitri.
Guest
Prologue
** First, before I say anything else, I want to thank Lonnie and his staff for their service to our country. Protecting diplomats is not an easy task I imagine, and being the most powerful nation on Earth, our diplomats are likely a target 24x7x365. **
This week, Lonnie Price joins me and James on the show for an intriguing talk through some very, very cool stuff. Now, this episode is special. Of course, every episode is special but some are more special than others. In this edition of the show we're talking to someone who keeps state secrets, well ... secret, as America's diplomats travel domestically and abroad.
I can safely say I had no idea how much there was to concern yourself with beyond just encryption.
Guest
Prologue
Account Take-Over (ATO). You've probably not given this too much thought, unless you've had your account jacked. Whether it was someone stealing your Twitter account, or your bank account, or God-forbid your Facebook - you know the ramifications are serious. But how do you identify it, prevent it, detect and respond to it, and maybe even recover from it... at scale?
Rafal's guest, Ari Jacoby of Deduce has some ideas.
Ari talks about the broader ATO problem, and suggests some of the reasons it's gotten this bad (...how bad is it?...) and what companies that are not in the Fortune 250 can do to protect themselves - and you.
Guest
Prologue
OK, say it with me, defender tools suck. They all have their own dashboards, data formats, ways to look at what's going on...and that wouldn't be bad if they even remotely worked together.
OSQuery isn't the end-all for endpoint tools, but it surely can tell you a whole lot about what's going on out there - and then you can actually, intelligently do something. But it needs a front-end...so enter Fleet. This episode is all about defending the endpoint using open source, and Fleet/OSQuery specifically.
Guest
Prologue
This week on a very cool conversation, Rafal snags a chance to do a virtual sit-down with Yuri all the way from the Netherlands. Yuri is one of the quintessential experts on Zero Trust (not the commercial tools stuff, but principles and foundations) and you need to hear his take on how we get it implemented, where, and why.
Guest
Prologue
This week, DJ McArthur joins James and Rafal to talk shop about his career in defending healthcare IT. The Cliff's Notes version is that it's more complex, more under siege, and more critical than ever. No problem, right?
This episode has been a long-time coming, and DJ is an honest-to-goodness expert in the field. He teaches classes on this topic which you may just want to go and look up if this is your thing.
Guest
Prologue
Continuing what accidentally became a series of AppSec or Software Security focused episodes, #436 takes it from yet another direction. Rey joins us to talk about AppSec from his perspective - that of a life-long developer that's moved into software security. It's been an interesting journey, and while some of the things we discuss aren't necessarily revelations - listen for the subtle clues about what software security teams are doing wrong in the corporate enterprise... you'll hear it.
Guest
Prologue
Episode 435 is packed with OpenSource goodness, talking about WordPress and WPScan with Ryan Dewhurst. Ryan started WPScan (a tool you probably use as a security practitioner) and has now made a business out of it. He spends a half-hour discussing the product, his road, and WordPress/security in general and includes some plans for the future.
Guest
Prologue
This week, Jennifer Fernick of NCC Group joins me to talk about her work with open source software and security. With a storied career, Jennifer is well-qualified to talk about some really interesting topics, but finding bugs in open source software, at the scale we need it to be done, is a monumental task.
If you're a developer and keen on innovation and open-source, and know security or are interested in learning more - I encourage you to go check out the Open Source Security Foundation here: https://openssf.org/
Guest
Prologue:
This week, Gary Latham joins the podcast to talk about taking the reins of the Security Advisor Alliance, at a pivotal time for the organization. If you don't know about the SAA, I highly encourage you to check it out here: https://www.securityadvisoralliance.org/
Guest
Prologue
On this week's episode of the podcast, boomerang guest Robb Rock joins Rafal to talk identity, trust, and what's happened since the last time Robb was on the show (which was in 2016!). Of course they talk about the "big hack", and retreat into identity, Zero Trust, and the challenges of mid-market companies trying to do their own security.
The lesson here? "The more we learn, the more we recognize we know very little."
Guest
Prologue
This week on DtSR, an old friend Jamison Utter joins Rafal to talk about medical IoT devices, and what makes them different -- and of course, how we can better protect them. Jamison's company, Medigate, is a healthcare security and medical analytics company - and it's an interesting discussion on how this type of IoT differs from others with security implications. You'll want to listen in, since the "Internet of Things" discussion is getting very varied, and you need to keep up.
Guest
Prologue
David was a guest on the podcast many years ago, back in episode 7. We had a great conversation and it's interesting to see how so many of the topics have evolved in the last nearly a decade. Or not.
Guest
You Gotta Hear This! [YGHT]
This special edition of the Down the Security Rabbithole Podcast is the first of its kind. For 2021 I've decided to throw in a bonus episode here and there that doesn't necessarily fit the typical format when I find something interesting, or a topic or person worth your time.
Right now, with CrowdSec, is that time. Philippe Humeau is a wealth of information and the CEO of CrowdSec - a company that's picking up where someone else left off and making crowd-sourced security intelligence free if you're a contributor to the system. Brilliant stuff... jump in and listen.
Guest
Prologue
Let's start 2021 off right with a returning guest whose name you will want to remember. Joep (pronounced like "soup" but with a "you") Gommers the founder and CEO of EclecticIQ joins Rafal to talk about threat intelligence - from platforms to TIPs, use-cases, implementations, limitations, and the move to TIM. It's a fun conversation that looks at where "threat intelligence" started, and where it's gone over the last 5 years or so. If you're a threat intel analyst, another consumer, or even a vendor, you'll want to listen up carefully and maybe take notes.
By the way we need a "TIM-enabled NextGen SOC Platform" sticker to be made up, with "Tim the Enchanter" as the key figure ... this should happen. Someone has to have the talent!
Guest
Prologue
This week, on the last episode of 2020, Michael Coates joins Rafal to talk about wire-speed-data-protection. Sort of like CASB but more universal. Interestingly, Rafal and Michael talk through how DLP has evolved and into what, and some interesting developments along the way - then the promise of something better.
Guest
Prologue
First and foremost, thank you to Prevailion for giving us some of Karim's time, and content for this episode. Adversary intelligence is critical to protection and defense, so the methods and means by which it's gathered, refined, and provided back into the industry is always a great topic of discussion.
I can't stress enough how much I recommend going and doing this - https://www.prevailion.com/claim-your-apex-platform-account/ which is free and can give you an idea of whether you have some of those pesky "bad actors" running around your infrastructure stealing your critical assets.
Guest
Prologue
This week, one of my old allies in the advocacy for sane media appearance joins James and me on the podcast. We talk about being a media liaison, managing speakers and security types with lots to say and few f***s to give for the media. It's an interesting conversation if you want to hear about what your media and PR person has to go through.
Guest
Prologue
Fill up your coffee cup, find a comfortable seat, and get ready to dive into this show! Richard & Anton join James and Rafal to discuss the SOC and its evolution (or not) in today's enterprise.
These and other questions will be answered, maybe, on this show... so listen in and please give us some love on the socials.
Guests
Prologue
This week, virtually live from Enfuse 2020, we've invited Grayson Milbourne, who is the Director of Security Intelligence at OpenText (formerly Carbonite/Webroot), to the show to talk about his work, malware, and the ever-evolving battle between good and evil'ish.
This is a unique look at the intelligence, research, and innovation that goes into anti-malware tools and the arms race between attacker and defender in the real world.
Guest
Prologue:
This week is a TREAT for you Down the Security Rabbithole Podcast listeners. Before she does her keynote on the topic, you'll get to hear Tarah Wheeler's take on the graying lines of privacy, security, and ethics. Just because we can ... does that mean we should?
Lots of interesting discussions, and some totally nerdy and pedantic references you'll want to listen to a few times.
Week 3 of OpenText's Enfuse Conference 2020 is kicking off with Tarah's keynote, and if you haven't checked in, or signed on, maybe this will convince you! Give her keynote a listen...
Guest
Prologue
Welcome to week 2 of our coverage of the OpenText Enfuse conference! This week I'm super excited about two very cool guests - Brian Chidester and Tyler Moffitt. Y'all know Brian who is now officially a multi-time returning guest, and Tyler's background is pretty cool (literally, you'll know what I mean when I post the video hopefully soon).
Huge thanks to OpenText for giving us access to these great guests. Go check out #EnfuseOnAir (on Twitter's hashtag) with the links below:
Links:
Guests:
Prologue
This week on DtSR Anthony Di Bello from OpenText drops by the show to talk about Enfuse, and the future of forensics, eDiscovery, and cyber security - and happens to let out a few details of the Enfuse 2020 conference kicking off this week. Anthony's always a great interview and of course we talk about my favorite topic lately - "convergence" of security disciplines.
Join us - and if you're so inclined, virtually attend Enfuse 2020 by clicking over here: REGISTER FOR ENFUSE 2020.
Guest
Prologue
This week James and Rafal have the pleasure of being joined by Allan Alford, from his work-cave somewhere near Dallas, TX to talk about what we're hearing and seeing as we advise CISOs during the times that Covid brings. We discuss budgets, priorities, and "good enough" security strategy in a weird time in our industry and world.
Guest
Prologue
This week on DtSR, John Steven joins Rafal & James to talk about an inflection point in security that's happening right now. As you may notice, everything about security is changing, especially in the AppSec space... listen in and you'll hear John's thoughts on a very interesting time to be in the industry.
Evolve, or die...
Guest
Prologue
This week on DtSR my long-time friend and pragmatic alter-ego, Chris Abramson, joins me to give a sneak peek at what you can expect on the new podcast we're launching together in a few weeks... and also to discuss the "budget before breach/budget after breach" meme going around LinkedIn.
We discuss security, budget, process, threat modeling and a half-dozen other things you'll just have to listen to the show to hear.
Guest
Prologue
As I was scrolling through LinkedIn looking for interesting things to read, who should scroll by but one Sven Krasser, whom you may remember from a few episodes ago ( http://ftwr.libsyn.com/dtsr-episode-261-deeper-down-the-ml-rabbit-hole ) - OK it was a long time ago now. We talk briefly about machine learning, algorithms and other relevant things and have a little fun in the process.
I hope you enjoy the episode!
Guest
Prologue:
This week on episode 414 of the podcast, I'm joined by Rick Howard who just retired ... no, wait ... scratch that, almost retired from Palo Alto Networks after a fantastic run. Rick tells the story of how he almost retired, why he's not on the beach somewhere yet, the Cyber Security Canon, and so much more.
Join me, this week on the podcast, because you never know just how many more of these he'll agree to before he actually and truly does retire some day!
Guest
Prologue
This week we welcome Greg Foss to the show - Greg has some experience in security operations and managing SOCs and such. He dishes, we laugh, we learn, and hopefully you'll enjoy. Lots of topics covered including my personal favorite: "tools in the SOC" - in which we discuss how tools are actually hurting SOC efficiency and such.
Guest
Prologue:
This week David Soto joins Rafal and James to talk about how throughout his career the cybersecurity landscape has evolved and the tools have consolidated, integrated, and how we're perhaps still misunderstanding "good enough". David of course has a very long and storied career where he's carried multiple roles from CISO to a consultant, so he has a depth of experience most of us don't get. He's great to listen to, as he shares his knowledge - tune in!
Guest:
Prologue:
This week, the one and only @RSnake joins us to just ... talk. We notice he has a few cameras too many, or maybe he's just being monitored? We talk about the big problems in the industry, what he's doing to solve them, and some other random things you'll have to listen to get.
Guest
Prologue:
Because we can't get enough of Brandon Dunlap and Shawn Tuma over here on the podcast, here we go again. Last episode Brandon talked about responsibility and accountability - so when we saw the story about a CISO being indicted for being less-than-truthful to the FTC, we couldn't resist. This episode is powerful, and doesn't tiptoe around difficult topics.
Guests:
Prologue:
Hey friends, it's Tuesday so time for another dazzling edition of the podcast. This week we welcome Brandon Dunlap - hair model, professional snarkist - back to the show. This is Brandon's fourth trip around the merry-go-round, so I think he holds the record now. Someone may want to fact-check that... Brandon talks about transitioning between roles, managing big orgs, very remotely, and of course "Would you ever go back to a CISO role?"
Join us, and you may be able to help solve a mystery.
Guest
Prologue:
This week, on episode 408 Shawn Tuma joins us again to talk about the legal side of cyber security. Shawn's one of the premier legal forces on breach law and litigation - you can fact check that - and it's great to have him on the show again. We talk through what's going on in laws, litigation, and whatever else is on his mind.
Prologue:
This week, a legend of the InfoSec (or Cyber Security, for some of you) space joins me on the show. Marc Rogers has been the guy heading up Defcon security, and at the helm of the security function for some ... "highly visible" companies doing great amounts of good. Now, he's doing tremendous amounts of good during the global Covid-19 pandemic by providing cyber security services to besieged healthcare firms via the CTI League (check out their open letter here, as it may apply to you.)
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue
Cybersecurity is one of those industries where one of the market segments that is the most desperate for support is also one of the segments that is the least supported. The Small and Medium Business (SMB) segment is largely ignored by most security vendors and service providers alike - and yet they need the most help.
Kiersten has put in the work to build tools and resources (all free, by the way) for this dramatically underserved market segment. In our episode, we talk about challenges, resources, and opportunities before us. Join us!
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue:
This week, Rafal welcomes Wayne Reynolds, a veteran of not only our industry, but of the US Marine Corps - where he's been a leader in multiple scenarios. We talk about what makes good leaders, good and bad styles, and the things you need to know if you either WANT to be a leader, or you are looking to find someone who you want to work for. Huge thanks to Wayne for taking time out of his crazy schedule early in the morning to talk with us.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue:
This week, on the "Episode Not Found", Rafal and James host Robert Lee from Dragos. It's a conversation about Operational Technologies that includes a deep dive into the business and management side of Industrial Controls and the Energy Sector. Robert gives us a frank, no-spin walkthrough in the good and bad of the space and talks about some of the misunderstandings many of us have. A great episode if you're interested in the non-traditional cybersecurity sector.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue:
This week on the podcast, episode 403 features two good friends of mine, Joey Peloquin and John "JP" Pirc. John and I talked about the awful state of the MSSP back in episode 395 (LINK) and I was challenged to do more than just talk about the sorry state of security delivered as a service. So, I called up some friends, and we talked it through.
I'm curious - do you agree with us? Let us know on LinkedIn by going to our LinkedIn page, or on twitter using the hashtag #DtSR.
Guests
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Prologue:
First, I need to apologize for the quality of my (Rafal) audio. For a reason I don't understand, the Skype central record feature absolutely butchered it - could have been something on my end, I simply don't know. It should be listenable, albeit annoying.
Second, huge thanks to Carlos for taking the time out of his busy morning from being a dad and his day job to talk to us. He's got a lot of really interesting and important things to share about his adventures in our industry and community - you should probably listen closely.
Lastly - I have t-shirts to give away. If you want one, follow & re-tweet the @DtSR_Podcast handle and we'll pick a few of you (probably at random) to send shirts to.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Episode 401
Epilogue: This week, I got to sit down virtually with a long-time friend, and one of the most intelligent and quiet people you'll ever meet in InfoSec. My pal Carl Vincent (some of you may know him by other names) and I chat about the transition from Red Team to Blue Team, tools, the state of the industry over the last few years, and just general conversation.
The world around us has changed, and it's important to have real conversations with people who shaped the industry in ways you probably didn't know or realize.
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Friends and Colleagues!
We've made it. Milestone episode 400 of the podcast is here. And for the 400th episode I have none other than Mr. Tom Nichols. He's truly a qualified expert on a topic that needs some serious attention in today's world - expertise. In fact, he's written a book about it.
Please enjoy this episode, share it, and I want to thank Tom for taking the time out of his crazy schedule to laugh, educate, and drop a little bit of snark into our day.
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Episode 399 ... what a crazy ride it's been.
This week we have Brian Chidester - you may recall we had a chat with him on episode 379 which was recorded live at EnFuse Conference 2019 - back to talk about some of the things he's been hearing state and local security leadership talk about.
Great conversation, lots of topics covered... you'll enjoy it.
Also, next up - EPISODE 400!
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, episode 398 features our Leadership Series and the one and only Allan Alford. Allan has spent a long career building various security practices, advising boards, and generally doing great things.
While we're at it, you should go check out and sign up for the RSS feed of "Defense In Depth" podcast that Allan is a co-host on. They have a great tagline: "Couples therapy for security vendors and practitioners". Check them out here: https://www.linkedin.com/company/ciso-security-vendor-relationship-series/
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome Down the Security Rabbithole to yet another edition of the DtSR Podcast. As we roll on towards milestone episode 400, James and Rafal discuss a topic that doesn't get nearly enough airplay - vulnerability management.
This isn't just your dad's vulnerability scanning though, or is it? Have we done anything exciting in this space in the last 15 years? Maybe... kind of... but the problem is much harder.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
It's Verizon Data Breach Investigations Report time again. This episode is a yearly walk-through of the DBIR, where Rafal and James once again welcome Gabe Bassett back to the show to talk data, graphics, and lessons we need to learn.
Link to the report:
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Special thanks to our friends at AlertLogic - for providing some great discussion points and John for the episode!
This week, as DtSR hits episode 395 on our way to Episode 400, James and Rafal take some time out to ask:
"Hey John, how's the hair?"
It's great to be able to spend time with old friends and just talk about solving some long-standing problems our industry faces. One of the perennial favorites is why MSSPs are all terrible. Well - we have some ideas! Listen in if you've ever been frustrated with your MSSP... and are maybe interested in how the industry can collectively do better.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Episode 394
Rafal & James host Keith Duemling from the Cleveland Clinic (talk about high-profile jobs!) to talk about security in the healthcare space, challenges, the future, and other random topics. Keith has spent a large part of his career leading healthcare organizations, so he has a lot to share. Listen in!
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Guess who's back, back again ... James is back, so listen in!
So James is officially back after a bit of a hiatus from the podcast, and on this episode he and Rafal sit down for a fun interview with Matt Lewis, Research Director for the UK with NCC Group. Matt is the primary author on a report on "Smart Cities", and it's definitely something you should read.
We talk about the report, discuss the true nature of a smart city and what it means to live in one. Pay particular attention to how difficult it was not to jump right into Die Hard 4 references... although we eventually broke down and did it anyway.
Links
Guest Bio
Matt Lewis is Research Director for the UK with NCC Group (https://www.nccgroup.trust/us/), a security consultancy that has over 35 global offices, 2,000 employees and 15,000 clients. He's worked in Cyber Security for over 18 years since his Computer Science academic studies, which focused on formal methods for system specification and design. Since then Matt has worked in various roles across Defence, Intelligence, Commercial and Big 4. He specializes in security consultancy, scenario-based penetration testing, vulnerability research and development of security testing tools and methodologies. His consultancy, testing and research experience spans multiple technologies across all sectors and many FTSE 100 and Forbes 2000 companies. He has vast experience in facilitating security assurance within the Government sector. Matt is a public speaker with global recognition of his knowledge and expertise in biometric security. He regularly presents at international conferences and seminars on all manner of cybersecurity-related topics.
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Ladies and Gentlemen, friends, countrymen, lend me your ears!
This episode of DtSR features one of my favorite guests and one of the better "storytelling from the old days" opportunities I can recall. It also, not accidentally, features one of my favorite totally genuine people from our industry - Chris Nickerson.
I think the best way to describe Chris is like a charismatic honey badger. And if you haven't had the pleasure, you can listen to this episode and get just a small taste of what he's been up to the last few years. Buckle in, it's story time.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, I'd like to thank JD Work for taking the time to be on the show and sharing his professional experience and expertise with us. The space of cyber policy, at the national and international level, is growing by leaps and bounds; and difficult decisions are often debated even as rapid reactions have to be made. These are difficult times for policymakers in the theater of cybersecurity. JD is an expert in this space and provides some real insight into what's going on and what our policymakers are thinking.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, Brian Carrier joins DtSR to talk about digital forensics and incident response in 20/20. Forensics and incident response has had to evolve and change as devices become more mobile, smaller, and purpose-built. Brian talks through what this change has meant, and how tools and techniques have had to evolve to deal not only with the explosion of device types, but also sizes and various log capabilities (or none at all).
Guest
Related episodes:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, DtSR dives into security leadership with an academic twist. We have the pleasure of hosting Robert Turner, the CISO of the University of Wisconsin, Madison.
This episode was recorded March 13th, 2020 right as the University and other institutions across the country and the world started their efforts to social distance and work from home due to the Corona Virus (Covid-19) pandemic.
Special thanks to Bob for taking the time out of his busy day, and crazy schedule given the times, to give us insights on his strategy, challenges, and successes!
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome to episode 388, an episode at least 5 years in the making...mainly because it's taken this long to figure out a good way to get Anton on the podcast! Now that he's not an analyst anymore, I snagged him for an honest and open conversation about the one topic he has more expertise in than most anyone I know - the SIEM.
We wax philosophically, I manage to show my ignorance of the state of the art and history of SIEM, and we talk about where SIEM is going. Join us on a great conversation I am thrilled to have been a part of.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, as we all continue quarantines and work-from-home, DtSR hosts Valentina Thörner, who is an expert on remote workforce leadership. Valentina literally wrote the book (From a Distance) and now she's on the show discussing how to be a leader when your workforce is remote.
Additional Links and Resources
Guest 411
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Covid-19 ... that's the headlines. Everywhere.
The suddenly remote workforce is a problem for many enterprises, and as workers are forced to work from home - security is a problem.
To that end, I snagged Brian Foster who has a long and storied history in our industry, to talk about what he thinks we should be thinking about.
Listen in, share, and let's hear what you think folks! Stay safe and well and, most of all, do not panic.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Greetings! On this episode of the podcast we present to you an episode we recorded back in January (but then due to a storage error we lost temporarily) with Nathan Collier from Malwarebytes. Nathan reported some findings from his research that basically there was some pre-installed malware running around, impossible to uninstall, on low-cost mobile phones. That kind of villainy is unforgivable (preying on the weak!) so we wanted to hear the whole story... and then some.
Here's one link to the full story, in case you're interested in reading it on your own... https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week Rafal hosts Dr. Chase Cunningham, Forrester analyst and all-around security badass to redux Zero Trust. The last time we tackled the topic was Episode 222 with John Kindervag back in 2016 - so it's time to see what's new.
Zero trust is more than just firewall rules, and it encompasses a lot of security technologies we don't even think about - so this update is a great primer for 2020.
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Join Rafal & James this week, as they welcome Jennifer Ayers. Jennifer is the Vice President of Overwatch and Security Response at Crowdstrike.
Rafal and Jennifer worked together "back in the day" so the conversation starts with a little storytelling from the old days, and then works its way into Jennifer's fantastic career and lessons learned over the years in her various leadership positions.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week on DtSR Podcast, a long-awaited guest joins us. That's right, the one and only Jeremiah Grossman joins us live from a tropical paradise, and you need to hear his message.
On this show we cover history, "the basics", and the necessity to know what your security attack surface looks like. It's perhaps one of the least sexy topics ever - but if you ignore it, you're pretty much screwed.
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome friends and fans!
This week we go down the rabbithole with Russell Mohr of MobileIron as we talk about the security implications for 5G. The new standard unleashed upon the American consumer (but more importantly on the commercial market) is changing mobile communication and connectedness.
About the guest...
Russell Mohr is an expert in 5G and mobile technology, with a wide breadth of expertise in other areas as well. Apparently during the early part of the interview, he was attacked by a dog that tried to eat him (I may be guessing, but that's what it sounded like).
LinkedIn: https://www.linkedin.com/in/russmohr/
Big thanks to Becca Chambers for setting this up, and lining up another future guest too!
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome to episode 380 of the DtSR Podcast.
We have a special treat for you this episode, with long-time friend Gadi Evron, and he holds nothing back in his stark discussion of our industry. We virtually guarantee this will quickly be your favorite episode... or at least your top 5.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, in our final (for real this time) episode recorded LIVE from Enfuse Conference 2019, courtesy of OpenText, we chat with Brian Chidester. It's a fascinating conversation about what the IoT world can do (and is doing) for law enforcement and government ... think smart cities + Cops.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
In our final "Live from Enfuse 2019" episode, I had the pleasure of sitting down with Paul Shomo to talk about some of the things he's talked to CISOs about as he travels and advises on behalf of OpenText. It's a pretty interesting conversation...
Once again, thanks to OpenText for having the DtSR Podcast in Vegas!
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome to 2020, as Down the Security Rabbithole rolls on!
This week we're back with a timely episode on the global war for soft power, with Andrea Limbago, Chief Social Scientist from Virtru. This is an interesting episode, touching on some topics such as privacy and censorship, and very timely.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Merry Christmas, and a Happy New Year listeners of the Down the Security Rabbithole Podcast!
This week the show focuses on one of the most important things any of us really have - our children. Protecting kids in an increasingly digital world is tough, but not impossible. We decided to bring Theresa Desuyo from Qustodio on the show this week to discuss what her company is doing, and the broader theme of protecting children online.
Apologies in advance for Theresa's audio quality. Couldn't fix that in post.
Highlights from this week's episode include...
Guest
Theresa is Qustodio's Digital Family expert, leading Qustodio's insights into how to best generate talking points around technology use adapted to each family's reality. In addition, she leads growth, partnerships and operations in the US. Before joining Qustodio, Theresa worked in gamification for enterprises and a social enterprise, leveraging technologies to engage employees and for cause marketing initiatives respectively.
She holds a B.A. from UCLA and an MBA from ESADE, is fluent in Spanish and Catalan, and is a native English speaker from California.
As a mother of 3 school-aged children (13, 11, and 5), decisions around technology use are an everyday topic and different for every child. She believes in educating kids and openly discussing the good and the risks associated with digital devices and the internet for them to build the resilience needed today.
Read her professional bio here: https://www.linkedin.com/in/theresadesuyo/
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, DtSR is joined by Malcolm Harkins - former CISO of Intel and industry insider extraordinaire. Malcolm shares insights from his long and distinguished career so pull up a virtual chair, grab your notebook, and pull over because this is one that's a great listen.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, on a very special show recorded from his home studio in Atlanta, Rafal welcomes Mike Daugherty back onto the show to tell the story of his crazy journey and battle with the FTC.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome back for another great episode. This week we have a boomerang guest, Amber Schroader, recorded live in Las Vegas at Enfuse 2019.
Highlights from this week's episode include...
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week on #DtSR (live from Las Vegas, Enfuse 2019 Conference) Rafal chats with Nick Patience of 451 Group. Nick has some expertise in ML and provides context and content that is badly needed to dispel the crazy marketing hype out there.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
First, and foremost, thank you to OpenText for having the #DtSR Podcast live and in-person in Las Vegas. Enfuse is a fantastic conference bringing together security operations professionals (forensics, threat hunters, SOC analysts), privacy, and legal professionals under one banner. It's a fantastic opportunity to hear some very involved talks, hear about the state-of-the-art, and join the conversation.
Also ... the people you will meet there are amazing - guests and staff.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Dropping in for a quick announcement - you heard it here first!
This week a few different announcements went out from OpenText, but this one caught my attention because it could honestly and truly be a game-changer for security and legal teams when it comes to breaches.
Going beyond the typical EDR solution, this announcement may be able to shine light into the questions security and legal professionals need answered in the case of a breach. Check it out.
Official Name: OpenText Content Security for EnCase by Reveille.
Press release: https://www.opentext.com/about/press-releases?id=6A68BD4D22384A45A910DEFBD22BECBD
Guests:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Down the Security Rabbithole is back for Episode 370, and this week's podcast focuses on gamification and its applications to InfoSec. Big thanks to Chloé for joining us and sharing her knowledge. She's a legitimate expert in the field, so give this a listen.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome to episode 369!
This week Rafal talks ransomware and welcomes Oussama El-Hilali, Chief Technology Officer at Arcserve, and Chester Wisniewski, Principal Research Scientist at Sophos, to the podcast.
Highlights from this week's episode include...
Guests
Links
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome to another edition of the DtSR Podcast! This week Liz Rice joins us all the way from the (still) UK, and James is back too! What a treat... join us and read the show notes!
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, #DtSR Podcast is recorded live from Dallas at the Armor SecureCon inaugural user conference. Rafal had the occasion (and good fortune) to get a few minutes to sit down with Jeff Collins (CSO, Lightstream) and Kristopher Russo (Security Architect, Herman Miller) and chat cloud.
P.S. - We love in-person conversations!
Highlights from this week's episode include...
Guests
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome Down the Security Rabbithole, to the DtSR Podcast.
This week, Zac Rosenbauer joins us to talk about what it's like to be "the IT guy" who also has to be vigilant of security in a fast-paced startup...based on Google's cloud platform. It's a riveting episode that will give you some good guideposts if you're about to DIY.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome back to another episode ... this one sets up DtSR's appearance at the Enfuse Conference 2019 in Las Vegas in November. Give this topic a listen, as it doesn't matter whether you're in legal, compliance, or security - you need to understand this topic well.
We want to thank OpenText for sponsoring DtSR's trip out to Las Vegas for the conference, and of course we encourage you to join us out in the desert for another really well-done conference on the intersection of law, compliance, privacy, and security.
Highlights from this week's show include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Welcome!
This episode of Down the Security Rabbithole Podcast was recorded live from Dallas, TX where the Security Advisor Alliance Summit 2019 was happening. One of the hardest working men in the business, Mr. Jerry Archer, stopped by and took a few minutes off his schedule to let Rafal interview him and get some of those amazing nuggets of wisdom and experience into your ears.
Feedback, as always, is welcome!
Highlights from this week's show include...
Big thanks to Sidney, AJ, Jerry and the rest of the SAA crew for having me aboard and letting me add some value to this very worthy cause. Folks, if you aren't a part of this thing, go to https://www.securityadvisoralliance.org/ and find your cause.
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This episode was recorded live from the Security Advisor Alliance Summit, 2019 in blistering hot Dallas, TX. If you don't know what the Alliance is, or are asking yourself why you should bother, click here and find out why this is one of those organizations that you must be part of if you're serious about cybersecurity.
Highlights from this week's episode include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
Friends & Colleagues, this week I have the pleasure of being joined by one of my good friends and industry veteran - the one and only Jim Tiller. We revisit the things we talked about in Episode 102 and get an update on the state of security from a guy who would know.
Pre-requisite listening: Episode 102 - http://ftwr.libsyn.com/dtr-episode-102-security-leaders-series-jim-tiller
Highlights from this week's show include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week Adam Meyers joins James & Rafal to talk about the Crowdstrike Mobile Threat Landscape Report 2019 - https://www.crowdstrike.com/resources/reports/mobile-threat-report-2019/ - and the learnings and lessons therein.
Highlights from this week's episode include...
Guest:
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, Rafal sits down in person with Sam Bouso of Precognitive, at their Chicago headquarters, to talk about some very cool tech that's probably only on the periphery of security. Give it a listen!
Highlights from this week's show include...
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week, in the 2nd of two installments recorded live at Black Hat 2019, Alyssa Miller joins Rafal live to talk about some of the talks she's giving, and takes us back in time.
Highlights from this week's show include...
Guest
Connect with DtSR on LinkedIn: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
Follow along on Twitter: https://twitter.com/dtsr_podcast
This week on another jam-packed episode, Rafal takes to Black Hat 2019 to interview some interesting guests that have something unique to tell you. We start with Deidre Diamond, the lady behind CyberSN - and why she's reinventing the way you get your next InfoSec job.
Highlights from this week's show include...
Guest
This week, James and I sit down to think (and talk) through Black Hat (and Defcon) 2019. "Hacker Summer Camp", as it's affectionately known in the industry, is a rite of every summer... but is it delivering value to attendees, do we have the right audience, and is the content worthwhile? This and more...
Highlights from this week's show include...
Welcome down the security rabbithole friends! This week, Andy Kalat takes a few minutes off from recovering to chat and comment on the state of security, and what's different since we first met back in... 2003? Fun episode... It's been a while, Andy!
Highlights from this week's show include...
Guest
My dear listeners - we have John Steven back on this episode! If you don't remember his first appearance, it's OK, it was a little while ago back on episode 42 ... http://podcast.wh1t3rabbit.net/dt-r-episode-42-threat-modeling so it's been a while!
Highlights from this week's show include...
Fans & Listeners!
This week we have a treat for you... as this episode is recorded LIVE from Microsoft's Inspire 2019 in Las Vegas (where it was 117F) but the conversation here is way hotter.
Highlights from this week's show include...
Links to things you need:
Guests:
Yes, DtSR took a week off ... we were due.
This week, Ira Winkler joins Rafal to go down the rabbithole and talk about his career, opinions on our profession, and other important stuff. Sit back, take notes, and enjoy.
Highlights from this week's show include...
Guest
This week, ahead of AWS RE:INFORCE 2019 (the first one) Rafal gets a conversation with buddy Mark for a candid talk about the top 3 public cloud providers, and a little insight into the evolution of the industry ... or not...
Highlights from this week's show include...
Guest:
Thank you to Microsoft for sponsoring this show, and our podcast over the years...
Highlights from this week's show include...
Guest:
Microsoft Responsibilities/Contributions: As corporate vice president for M365 Security within Experiences and Devices, Rob Lefferts is responsible for ensuring that Microsoft 365 provides a comprehensive and cohesive security experience for all of our customers. Prior to this role, he led the Windows Enterprise & Security team, where he was responsible for hardening the Windows platform, building intelligent security agents, and driving commercial adoption of Windows 10. Since joining Microsoft in 1997, Lefferts has been instrumental in shaping key products and technologies, from helping develop the original SharePoint Portal Server to leading extensibility efforts for the Office platform to championing the vision for Microsoft 365.
Pre-Microsoft Work Experience: Rob began his career at Claritech, a startup that was born from a Carnegie Mellon research project. He then consulted with the Government of Namibia, Africa.
Education: He earned a bachelor's degree in logic and computation, as well as a master's degree in computational linguistics, from Carnegie Mellon University.
Family/Other Interests: Rob and his wife have two children and live in the Seattle area.
Show Note: As most of you know, this show has long refused to use advertisements, or ad revenue, to keep itself going. That said, I openly welcome organizations who have something interesting to say and some extra marketing dollars to give, to sponsor an episode while still going through the same vetting process as everyone else. This is one of those shows.
This week James and Rafal are joined by Saumitra Das, the Chief Technology Officer for an interesting little start-up called Blue Hexagon. If you find yourself nodding along and interested in hearing more, we encourage you to go check out their website and let them know you heard of them on this show.
Highlights from this week's show include...
Guest
Friends & listeners - welcome to the 2nd half of the 2019 Verizon DBIR 2-part extravaganza. Gabe Bassett, one of the authors of the DBIR, joins Rafal & James to talk stats and lessons we can take away from the report.
Highlights from this week's show include...
Guest
Friends & listeners - welcome to the 2019 Verizon DBIR 2-part extravaganza. Gabe Bassett, one of the authors of the DBIR, joins Rafal & James to talk stats and lessons we can take away from the report.
Highlights from this week's show include...
Guest
This week, Tommy McDowell, who is the Vice President at the Retail and Hospitality Information Sharing and Analysis Center, joins Rafal in person, in Dallas.
Highlights from this week's show include...
Guest:
This week, Rafal gets the rare occasion of sitting down face-to-face with someone and doing an interview in person. Andy Green is a great if not sharky fellow, who helped me get over my PG rating for this podcast. So ... it's probably PG-13.
Highlights from this week's show include...
Guest:
This week on the podcast, Rafal gets some one on one time with Raffael Marty ... and it's #RaffCon.
Highlights from this week's show include...
Guest:
This week, Rafal is joined by the man, the myth, the Aussie legend - Troy Hunt. We basically talk about whatever is on his mind - which, as it turns out is a lot. Take a listen, we may publish an English translation later (joking, Troy!).
Highlights from this week's show include...
Guest
I created HIBP as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.
Short of the odd donation, all costs for building, running and keeping the service currently come directly out of my own pocket. Fortunately, today's modern cloud services like Microsoft Azure make it possible to do this without breaking the bank!
This week, on a riveting edition of Down the Security Rabbithole Podcast, Raf sits down with Richie Etwaru, a human data ethicist and Founder and CEO of Hu-manity.co.
What's a human data ethicist, you ask? Listen to the podcast, and find out.
Highlights from this week's show include...
Guest
This week on episode 342, Michael Coates joins Rafal & James for the 2nd time. Michael's first episode was way, way back in 2015 on episode 134 titled "Fundamental Security". Looks like things haven't changed much.
We highly recommend you check out episode 134 first, then listen to this one. Trust us, you want the context.
Highlights from this week's show include...
Guest
This week, in the final installment of "Live from RSA Conference 2019", Rafal interviews Mark Simos, who is the definitive source for reference architectures at Microsoft. He's the Lead Architect in the Enterprise Security Group and he's doing some amazing things for the community with regards to the Azure cloud and other Microsoft-related security things. Give this episode a listen and share it ... maybe listen again and take good notes!
Highlights from this week's show include...
Guest
This week, Down the Security Rabbithole Podcast is publishing episode 3 of 4 which were recorded LIVE at RSA Conference 2019. This episode features Diana Kelley, of Microsoft, talking about the latest security report and other goodies.
Highlights from this week's show include...
Guest
This week, driven by the news cycle, and an interesting story... Rafal & James invite George and Shawn, as actual experts, onto the show.
Highlights from this week's show include...
Other links related to this podcast:
This week, part 2 of a four-episode set recorded live from RSA Conference 2019. This time, it's Phil Beyer's turn to have a turn at the microphone...
Highlights from this week's show include...
Guest
This week, in the first of a four-part "Live from RSA Conference 2019" series, Rafal interviews Deidre Diamond. Deidre knows a little something about cybersecurity talent having worked in the field most of her professional career. We discuss all kinds of interesting and relevant topics...
Highlights from this week's show include...
Guest:
Combining my 21 years of experience working in technology and staffing, my love for the cybersecurity community, and a genuine enthusiasm for people, I created Cyber Security Network (http://www.cybersn.com), a company transforming the way Cyber Security Professionals approach job searches. CyberSN.com will remove the frustration from job-hunting, and aid in interpersonal connections and education.
Throughout my career, I have built large-scale sales and operations teams that achieved high performance. Creating cultures based on an "anything is possible" attitude allows people to achieve above and beyond the usual. By establishing an open communication framework throughout an organization, I have created cultures of positive energy, career advancement, and kindness, that enable teams to reach beyond peak performance and have fun at work.
This week, Patrick Miller joins Rafal to provide an update on the energy sector, and what's different (or not). Another episode with a returning guest who continues to provide timely and important updates on key "big picture" security issues.
Highlights from this week's show include...
This week, in a special episode, Dmitri Alperovitch of Crowdstrike joins Rafal to talk about a brand new report that Crowdstrike is releasing. The Crowdstrike 2019 Global Threat Report is a must-read with some very interesting topics covered. Dmitri joins Rafal to talk specifically about the ranking of threat actors, and what it means to you.
Highlights from this week's show include...
This week, on the DtSR Podcast, Rafal is joined by Matt Herring, long-time listener and first-time caller. We talk through Matt's career path, and how he got to head up a global security operations team. It's a pretty interesting story - you should listen.
Highlights from this week's show include...
Guest:
This week James and Rafal talk to Sean Martin, one of the people who have been quietly making a difference in the security industry for almost three decades. Sean is credited with many innovations, ideas, and trends...and he spends some time discussing that with us.
Highlights from this week's show include...
This week, long-time friend and colleague Jenn Black (doer of interesting things) joins James and Rafal on the podcast to talk about the role of security leaders in the digital transformation efforts of enterprise shops. Interesting conversation ensues.
Highlights from this week's show include...
Guest
This week second-timer Jon Hawes is back for another trip to the microphone to talk about his interesting take on risk, response, and the security world we live and breathe. With interesting anecdotes and a firm grasp on real-world risk discussions, Jon and Raf have a pretty enlightening chat you will benefit from.
Highlights from this week's show include...
Guest:
This week, James and I sit down to discuss biometric authentication and some of the FUD around ways it can be broken. This ends pretty much the way you think it does.
Highlights from this week's show include...
This week, on the DtSR Podcast recorded way too early on a Monday morning, we talk volunteering in InfoSec with Kathleen Smith. Kathleen is the CMO of ClearedJobs.net and CyberJobs.com - and she recently ran a volunteerism survey (link: https://cybersecjobs.com/cyber-security-community-volunteering-report) you should probably check out too.
Highlights of this week's show include...
Guest
This week, James and Rafal welcome in 2019 with a look at the fundamentally fatalistic argument that "everyone gets hacked" - with Richard Bird. They discuss whether that's even a valid statement, and if so, what can we do about it?
Highlights from this week's show include...
Guest
This week James is back on the microphone with Rafal as they interview two industry veterans to talk about the right approach to security leadership, and developing that talent pool. We talk to Yaron and Setu to get a sense of their thoughts on where good security leaders come from, and the hallmarks of that experience.
Highlights from this week's show include...
This week, go down the security rabbit hole with someone who has been working on security in the mid-market (likely the kind of company you work at, statistically) for a long time. Bob has some great lessons learned and is willing to share. Listen in.
Highlights from this week's show include...
In another episode LIVE'ish from AWS re:Invent 2018, I catch perennial favorite and long-time friend Dustin Wilcox as he wanders the vendor show floor.
Highlights from this week's show include...
Rafal's Guest:
At day 2 of re:Invent 2018 I tracked down Arash Marzban, Armor's head of product to talk about his stage session and where the market is going for security - at a developer/builder focused cloud conference. This short conversation is quite interesting...
This episode of the Down the Security Rabbithole Podcast is sponsored in part by Armor Cloud Security. Go check us out at www.armor.com!
This week's show is a multi-part release from AWS re:Invent 2018. We sit down with two of Armor's solutions consultants to discuss trends, insights from day 0, and discuss anticipated moves and market shifts.
Expect this to be an insightful episode where we dive into cloud security from a development and security perspective.
On episode 323, Richard Rushing (aka the "Security Ninua") joins us to talk about being the CISO of a global organization and multi-national enterprise.
Highlights from this week's show include...
This week #DtSR tackles the topic no one else wants to - ethics in cybersecurity. There are a lot of things to be said, so rather than writing them down here, go listen to the episode. Repeatedly.
Highlights from this week's show include...
** Go Vote **
Do your civic duty, and go vote. Heck, while you're standing in that long line to vote, listen to the podcast, we're not picky.
This week, Rob Graham joins Rafal and James (who's back!) to talk about various topics related to threats. We start with hacking voting machines, and it goes from there.
Highlights from this week's show include...
This week, James Habben joins me in studio for what turns out to be an introspective walk through the evolving world of forensics.
Highlights from this week's show include...
This week, my good friend and entrepreneur Rock Lambros (of the newly formed Rock Cyber) joins me to talk about getting the itch to go out on your own and actually doing it. Many of us have thought about it, daydreamed, but very few do it. So hear an episode from someone who did...
Highlights of this week's show include...
Links:
This week the DtSR podcast tackles one of the thornier issues going around in the news. As the accusations of Russian hacking continue to mount, international leaders are speaking out and mak