Cyber Security & Cloud Podcast


Welcome to the Cyber Security & Cloud Podcast, where we explore the dark secrets of cloud and cyber. The podcast focuses on people and their stories and explores the human element that brings so many people together. The focus of the podcast is

cscp


    • Apr 10, 2022 LATEST EPISODE
    • infrequent NEW EPISODES
    • 38m AVG DURATION
    • 80 EPISODES



    Latest episodes from Cyber Security & Cloud Podcast

    CSCP S03EP12 - Jonathan Slater - Reskilling and starting in cyber

    Apr 10, 2022 | 33:50


      Jonathan Slater is one of three co-founders at CAPSLOCK, a cyber security education start-up tackling the cybersecurity skills gap and helping adults re-skill. CAPSLOCK has raised over £1m pre-seed funding and re-skilled over 200 UK adults in cyber security in 2021. Jonathan's previous career as a recruiter made him realise there was a gap in the market, so he sat down with the other two co-founders, both women, and started CAPSLOCK. Of note, CAPSLOCK is one of the rare start-ups, luckily more and more common, where more than 50% of the founding team is female.

      The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart at https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP at https://landing.appsecphoenix.com/register

      Chapters:
      0:00  Introduction
      0:35  Jonathan's background
      1:04  Welcome Jonathan
      3:30  The state of the industry
      6:30  Education catch up
      7:35  The importance of soft skills
      10:05 Gender diversity and unconscious bias
      16:36 Measuring potential
      18:40 Team based learning/diversity of thought
      23:00 The curriculum
      26:15 Cyber, the multidisciplinary field
      27:35 Avoiding career redundancy
      29:15 Start-up life
      30:24 Working remotely
      31:08 Maintaining good mental health
      32:48 Positive message
      33:50 Conclusion

      Jonathan Slater / CAPSLOCK team:
      https://www.linkedin.com/company/capslockuk
      https://www.facebook.com/CAPSLOCKCyber/
      @CAPSLOCKcyber on Instagram and Twitter

      Cyber Security and Cloud Podcast, hosted by Francesco Cipollone. Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

      Social Media Links
      Follow us on social media to get the latest episodes:
      Website: http://www.cybercloudpodcast.com/
      You can listen to this podcast on your favourite player:
      iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
      Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ
      LinkedIn: https://www.linkedin.com/company/35703565/admin/
      Twitter: https://twitter.com/podcast_cyber
      YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/

    CSCP S03EP11 - LiRan - Appsec and Open source where do we start

    Mar 27, 2022 | 37:20


      Liran Tal is a developer and full-stack engineer who joined forces with security professionals to fight the good fight: GitHub Star, published author, DevRel, and wearer of a Yoda hat (hear more in the podcast).

      Chapters:
      0:00  Introduction
      0:38  Liran's background
      1:23  Welcome Liran
      3:10  What's with the hat?
      4:15  Getting involved in the industry / stumbling across cyber security
      6:33  Cyber security is a mindset
      7:20  Open source security
      10:22 How organisations see through a sea of data
      13:16 Infrastructure risk
      14:18 The responsibility of a developer
      18:41 The true core of DevSecOps: the speed of development
      21:06 Risk tolerance / investing in security
      22:58 Quantifying risk
      25:28 Security is a must
      27:00 A systematic approach to security
      30:30 Auto-remediation vs. manual assessment
      34:01 Positive message
      35:10 The Big Fix
      36:00 Connect with Liran
      36:23 Conclusion

      Liran Tal:
      https://www.linkedin.com/in/talliran/
      https://twitter.com/liran_tal

    CSCP S03E10 - Tinesh Chhaya - Cybersecurity Startups in the modern world

    Mar 13, 2022 | 38:34


      Tinesh Chhaya is a cybersecurity specialist, a veteran of the industry and CEO of Decipher Cyber - Jenny. Tinesh has 15 years of corporate cyber experience as a successful Chief Revenue Officer and 5 years of start-up entrepreneurial cyber experience. He has built and exited 2 start-ups and currently sits on the board as an advisor to start-ups within Cyber, EdTech, Software Development and Social Tech.

      Chapters:
      0:00  Introduction
      0:41  Tinesh's background
      1:39  Welcome Tinesh
      2:04  Tinesh's view on the market
      3:10  Cyber security start-ups
      5:22  The hot-bed of cyber investment
      5:48  4 main areas of cyber searched for
      9:55  Differences across the world
      12:50 Partnering up with big names
      21:34 The mentorship group
      22:03 The absence of an accelerator
      23:05 Strong community
      25:37 The mental struggle
      32:08 Failure and resiliency
      33:19 Support mechanisms (the importance of a strong team)
      35:20 Celebrating successes and failures
      36:02 Positive message
      37:30 Thank you
      37:35 Connect with Tinesh
      38:34 Conclusion

      Tinesh Chhaya:
      https://www.linkedin.com/in/tinesh-chhaya-07623097/
      https://deciphercyber.com/

    CSCP S03E09 - Karissa Breen - Women in cyber and breaking stereotypes

    Mar 6, 2022 | 36:09


      Karissa Breen is a Cyber Communications Specialist, Security Investigative Journalist, start-up advisor, entrepreneur, and podcast host based in Sydney. She quickly rose up in the cyber field, getting promoted to Cyber Reporting Analyst, then Pen Testing Engagement Lead, and then started her own company. She says that better marketing and communication skills would improve many issues in the field. They discuss diversity, women in cyber, soft skills, and how the industry is rapidly changing.

      Chapters:
      0:00  Introduction
      0:28  Karissa's background
      6:50  Promotions and rising up the ranks
      8:46  Creating her own company
      9:50  Communicating technical terms
      12:00 Lightbulb moment
      16:05 Changing role of security
      17:50 Advice on developing soft skills
      20:27 Marketing
      23:20 Women in cyber
      29:10 Job requirements and diversity
      33:40 Positive message
      35:15 Connect with Karissa
      36:09 Outro

      Karissa Breen:
      Twitter @iamkarissabreen
      linkedin.com/in/karissabreen
      https://karissabreen.com
      Podcast: KBKAST

    CSCP S03E08 - Christopher Foulon - How do I start in cyber: mythbusting and other Jedi tricks

    Feb 27, 2022 | 30:50


      Christophe Foulon is a cyber security practitioner, career coach, speaker, and currently the Sr Manager Cyber Security Consultant at (Undisclosed) and F10 Fintech. He is the co-host of "Breaking into Cybersecurity," a podcast that encourages people from diverse backgrounds to consider a career in security. He volunteers with two non-profits, "Boots to Books" and "The Whole Cyber Human Initiative," that benefit veterans and lessen the talent shortage in cyber. Chris shares why mentoring and giving back is important to him.

      Chapters:
      0:00  Introduction
      0:28  Chris' background
      2:33  Work with non-profits
      5:02  Recruiting cyber workforce
      8:20  Career possibilities in cyber
      10:23 Veterans' transition to a cyber career
      12:20 Starting a podcast
      15:50 Need to network
      16:50 Advice for starting in security
      19:15 Success stories
      23:00 Mentoring
      27:20 Positive message
      29:43 Connect with Chris
      30:50 Outro

      Chris Foulon:
      https://linkedin.com/in/christophefoulon
      Twitter @chris_foulon
      https://anchor.fm/breakingintocybersecurity
      https://youtube.com/c/BreakingIntoCybersecurity
      https://cpf-coaching.com
      https://www.boots2books.com
      https://www.wholecyberhumaninitiative.org

    CSCP S03E07 - Jim Manico - Appsec in modern world and DevSecOps methodologies

    Feb 20, 2022 | 35:00


      It is a pleasure to host our good friend Jim again. Jim Manico is an AppSec enthusiast, educator, the Manicode founder, an investor, Java Champion, and an OWASP leader. This passionate conversation revolves around the new OWASP Top 10, reference architecture, threat modelling, SMS authentication, and TLS certificates.

      Chapters:
      0:00  Introduction
      0:28  Jim's background
      1:50  OWASP Top 10, old and new
      4:05  Secure design and threat modelling
      9:55  Reference architecture
      14:15 Follow through and scale
      16:30 Security bugs
      18:13 Authentication
      24:32 JWT
      27:45 TLS certificates
      31:50 Zero trust
      32:14 Positive message
      33:50 Connect with Jim
      35:00 Outro

      Jim Manico:
      Twitter @manicode
      linkedin.com/in/jmanico
      manicode.com

    CSCP S03E06 - Aladdin Almubayed - Appsec Journey from FAANG to Robinhood

    Feb 13, 2022 | 35:10


      Aladdin Almubayed is the AppSec Engineering Technical Lead at Robinhood, previously a Senior Security Software Engineer at Netflix. After getting his master's degree in Jordan, he moved to Silicon Valley to work at Yahoo. Francesco and Aladdin discuss the evolving industry, fostering positive relationships with developers, and identifying organizations' crown jewels.

      Chapters:
      0:00  Introduction
      0:28  Aladdin's background
      3:40  Master's in Jordan
      6:50  Industry over the past 10 years
      7:54  Micro-service architecture
      9:44  Work at Netflix
      11:08 Work at Robinhood
      13:40 Challenges in security
      16:00 Security nightmare story
      19:40 Security revolution breaking point
      21:30 Threat modeling and pen testing
      24:50 Creating a positive opinion of security
      28:36 Quantifying risk
      31:26 Positive message
      34:40 Connect with Aladdin
      35:10 Outro

      Aladdin Almubayed:
      https://www.linkedin.com/in/aladdin-mubaied/
      Twitter @0xshellrider

    CSCP S03E05 - Glenn Wilson - Modern Devsecops Hero

    Feb 6, 2022 | 33:44


      Glenn Wilson is a DevOps advocate, an agile security consultant, the founder of Dynaminet, the best-selling author of "DevSecOps: A leader's guide to producing secure software without compromising flow, feedback and continuous improvement," the co-organizer of DevSecOps London Gathering, the co-host of the DevSecOps Overflow Podcast, and a member of OWASP. Francesco and Glenn discuss the industry's current state, security champions, risk considerations, and the importance of pen-testing.

      Chapters:
      0:00  Introduction
      1:50  View of the industry
      6:12  Automation, supporting developers
      9:12  Security language barrier
      11:25 3 types of communication
      14:06 Less reactive, more proactive
      17:50 Business owns risk
      20:36 Writing a book
      26:34 Pen testing
      28:28 Auditors and regulators
      31:10 Positive message
      32:16 Connect with Glenn
      33:44 Outro

      Glenn Wilson:
      https://www.linkedin.com/in/glennwilson
      Twitter @GlennDynaminet
      https://dynaminet.com
      Book: "DevSecOps: A Leader's Guide to Producing Secure Software Without Compromising Flow, Feedback and Continuous Improvement"

    CSCP S03E04 - Naomi Buckwalter - The Path to Cyber

    Jan 30, 2022 | 35:00


      Naomi is on a secret mission to change the world of cyber and make it accessible to everybody! Naomi Buckwalter is the Director of Information Security & IT at Beam Technologies and the founder and Executive Director of the Cybersecurity Gatekeepers Foundation, a nonprofit dedicated to closing the demand gap in cybersecurity hiring. Originally an aspiring FBI agent, Naomi is passionate about winning the war on cybercrime and is recruiting and training people of all skill levels to join the fight.

      Chapters:
      0:46  Introducing Naomi
      4:50  War on cyber crime
      7:50  Small businesses
      10:30 Ransomware
      14:00 Principles of security
      16:00 Hiring an opera singer
      19:47 Plane crash analogy
      23:00 Mentoring
      25:25 InfoSec drama and toxicity
      29:20 Path to cyber
      33:40 Positive message
      35:00 Outro

    CSCP S03E03 - Vandana Verma - Baby Stepping in Cyber - Cyberkids

    Jan 24, 2022 | 37:02


      CSCP is back with a brand new season 3. Vandana Verma is the Security Solutions Architect at Snyk, a Chapter Leader and Board Member of OWASP, an advocate for women and girls in AppSec, and the founder of Infosec Kids. Vandana explains why security teams need to be more empathetic, why she started the Spotlight Project and Infosec Kids, the importance of security champions, and her view on the future of security.

      Chapters:
      0:47  Introducing Vandana
      3:30  Overview of the industry
      6:12  Open source and application security
      8:38  Cloud-native application security
      11:50 Educating developers
      14:40 Security champions
      18:30 Application security posture management
      20:24 Spotlight project
      23:53 Infosec Kids
      27:00 Infosec diversity
      28:54 Future of security
      35:36 Final positive message
      37:02 Outro

      Vandana Verma:
      Twitter @InfosecVandana
      https://linkedin.com/in/vandana-verma

    CSCP S03E02 - Paddy Viswanathan - The Risky Journey To The Cloud

    Jan 16, 2022 | 26:10


      CSCP is back with a brand new season 3. Paddy Viswanathan is the CEO and founder of C3M. C3M Cloud Control is a cloud security platform that helps cloud and security teams continuously monitor and manage their cloud security posture. Frank and Paddy discuss risk assessment in the cloud, how to prevent breaches associated with a third party, and the overall state of the cyber security industry.

      The episode is brought to you by C3M. C3M Cloud Control is a cloud security platform that helps cloud and security teams continuously monitor and manage their cloud security posture. To know more, go to www.c3m.io

      Chapters:
      0:47  Introducing Paddy
      2:25  State of the industry
      5:55  Risk and alert fatigue
      10:21 Risk code
      13:19 Security breaches
      17:35 Access and authentication
      18:50 Cloud assessment
      23:24 Final positive message
      26:15 Outro

      Paddy Viswanathan:
      https://www.linkedin.com/in/paddyviswanathan/
      https://www.c3m.io

    CSCP S03E01 - Chris Hodson - The Evolution of the CISO

    Jan 9, 2022 | 34:34


      CSCP is back with a brand new season 3. Christopher Hodson is the CISO at Contentful, the former CISO of Tanium, the author of Cyber Risk Management, and an all-round Cyber Security and DevSecOps expert. Francesco and Christopher discuss changes in the industry since COVID, whether coding should be a requirement to work in cyber security, and communicating technical security risks to executives.

      Chapters:
      0:50  Introducing Chris
      3:30  Changes due to COVID
      7:05  Cloud capacity and security
      11:40 Misconfigurations
      13:50 Working cross-functionally
      17:40 Shifting security approach
      19:58 Communicating with executives
      26:10 Burnout
      28:35 Is coding a requirement?
      31:10 Final positive message
      34:40 Connect with Chris
      34:34 Outro

      Christopher Hodson:
      Twitter @ChrisHInfoSec
      https://cybersecuritymatters.blog
      https://www.linkedin.com/in/christopherjhodson/

    CSCP S03E00 - Steve Wilson - Log4J and Log4Shell Special - Nightmare On Christmas Eve

    Dec 20, 2021 | 32:00


      CSCP is Coming back with Season 3 in the new year! As a teaser, we bring you the latest story on the blog...Log4j with Steve Wilson from Contrast Security   Steve Wilson is an Application Security expert development manager and currently and currently the head of product at Contrast. Steve joins the podcast to discuss the nightmare just unleashed, log4j, that has been affecting everyone around the cybersecurity industry and the reason why we are facing this other pandemic   We will return with a special launch in 2022 with some special guest  The episode is brought you by AppSec Phoenix Ltd with the Phoenix platform you can make Vulnerability management for software and organization SMART.  Follow the tag #appsecsmart https://www.appsecphoenix.com get a free 30-day licence quoting CSCP https://landing.appsecphoenix.com/register   0:28 Introducing Steve 2:13 Cybersecurity Advice 3:15 Supply chain issues 8:30 Lg4J 12:47 Issue of Supply and software 19:16 What to do to avoid 23:07 Why we are getting it wrong 27:52 Final Positive Message 29:40 Outro   Steve Wilson Twitter @virtualsteve https://www.linkedin.com/in/wilsonsd/    Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/    Full Transcript   00:00.00 franksec Hello everyone and welcome back to another episode of the cyber security and cloud podcast today. We have a topic that probably nobody has ever spoken in the recent time that is Goingnna be obligation security vulnerability management but the whole thing that has taken. By the storm the industry that is fundamental log for js and today we have a special guest but before we crack on. Let let us start with our intro. 00:54.11 franksec All right? or right or right we are Back. So I'd like to welcome steel wilson that came we started chatting over over a Twitter over Twitter threadad around of course up for j. So I've reminded him on the show to actually chat a little bit about the topic and his particular take is been He's the chief product officer of contra security 1 product that we absolutely love and we saw that was quite well reacting on the log four j issue but also he is an early member of the Java team on the early ninety s. But before I talk through it. Let me welcome steve steve welcome on the show. 01:33.74 Steve Wilson Hey thank you Francisco for having me really looking forward to it. So. 01:37.60 franksec Brilliant and can you give our audience a little bit about your background. What brought you into side by you know how did you start the journey from the early days with java. 01:47.24 Steve Wilson Yeah, so um, I started out really early in my career back in the ninety s at Sun microsystems I was an early member of the Java development team. Um. Went on from working really around development tools developer tools for several years and then shifted my focus over to cloud and I spent a lot of time at large companies like oracle and citrix building cloud services and cloud infrastructure and really got exposed. 
To a lot of the security challenges that are out there in the industry and decided about a year ago that I wanted to really move into the cyber security industry from the inside and so I joined contrast a little over a year ago to head product development. 02:35.60 franksec Nice, fantastic. And and we need we need more more ally in Cyber especially over over these challenging time. But we have a tradition on the show that we give an overview on the industry of what's working. What's not working so what will be your take on on. 02:53.16 Steve Wilson Yeah, so um, with the area of the industry that we're really focused on looking at the security of applications and code. It's a really challenging environment out there I Think what we really see is that. 02:53.40 franksec What's going on. 03:11.40 Steve Wilson Over the past several years. The complexity in software out there means that the number of security vulnerabilities in a typical program is is escalating dramatically as they get larger and more complicated and really the fact is human brains have a hard time. Ah, dealing with the complexities in the number of paths and things that are through the code today and so you know really this industry around application security has developed there to create tools that ah people can use to make their applications more secure. But 1 of the big shifts going on now is really moving from a focus on standalone security teams working to audit applications sort of almost after they're done to really bringing that security mindset into development at the beginning. And really creating a new culture where um, security comes very early in the cycle of what's going on with code development. 04:18.55 franksec Right? And I Ah think I think we move towards that space. But as you rightfully say the number of vulnerability and the number of issues that a lot of organizations are finding are escalating over and over and over. And that's just on application security. 
But then you know development team and now devops teams are faced with you know the Cloud issue the Cloud misconfiguration the deployment in the Cloud then the container base container Image. You know the landscape is in my opinion becoming quite quite. Ah, intense and it' complicated for developer team and security team to have that broad spectrum of knowledge. But then you take even an executive they need to make decision of what is your target. What? what is security what security looking like or what good looks like. 05:11.36 Steve Wilson Yeah, well I think that in what I'll call the olden days which were really not that long ago in a Pre-cloud world. You could depend a lot more on the idea that many of your applications were hidden behind a firewall that they were. 05:11.59 franksec What's your take on that. 05:29.29 Steve Wilson Not exposed to the internet and thus less valuable in ah in a cloud-based world in a zero trust-based world more and more of your applications really are on the internet and that means that every 1 of these vulnerabilities is a potential place that you could be exploited and. 05:37.96 franksec Um. 05:47.79 Steve Wilson You know when we start working with a new customer and help them start to evaluate their applications. We'll find that that typical applications have dozens of vulnerabilities in them potentially serious ones and then you look at ah at a large corporation. They may have thousands of applications. 06:05.84 franksec Right. 06:07.73 Steve Wilson In their environment. So it's it's not uncommon to see a fortune five hundred or global 2000 company having tens of thousands of discrete vulnerabilities in their software and so from an executive point of view. The question is how do you manage that there's. Ah, sometimes a snap back reaction that says we better stop everything that we're going to that we're doing and and fix this on the other hand. Every company today is a software company. 
Your competitive advantage is in your software, your ability to compete in the market, your ability to deliver new services is dependent on that, and so the challenge as a leader is how do I balance the real risk...
06:36.69 franksec Right.
06:51.50 Steve Wilson With my need to compete in the market and deliver new value to my customers.
06:55.30 franksec Right? And you know, I really like your take on the rest, because I think there is a lot of tooling around different areas. You know, you have cloud security, infrastructure security, container security. You know, you have your pentest report coming in, your red teaming just trying different things, your security lifecycle tooling that is DAST, SAST and, you name it, RASP, you know, and more of those coming, and despite that every tool is doing...
07:21.36 Steve Wilson So.
07:29.34 franksec A different level of scanning and trying to reduce the false positives. I think what we're missing in a lot of programs of work and a lot of these organizations is the contextualization and the breadth of view of where those kinds of elements are deployed. That could potentially, in my humble opinion, simplify a lot of those kinds of conversations, and the conversation that traditionally happened between security team, development team and executives, because everybody could have an opinion on that, while if we display the complexity of the landscape nobody will be able to inform the opinion unless they're very technical. So, what do you think, Steve?
08:12.42 Steve Wilson Yeah, so this element of risk analysis is really critical, and you know, Log4j is a really good example of this. This is an exploit, or a vulnerability that has exploits, that are incredibly high risk. Right? It's a 10 out of 10 CVSS score, because you're basically enabling complete remote code execution on your servers and it's really easy to exploit.
But when you really go look at it and...
08:32.60 franksec So.
08:46.86 Steve Wilson And we've been looking at this specifically with customers. You know, we estimate something like fifty, fifty-six percent of the Java applications out there are packaging a vulnerable version of Log4j, but when you really look at it, it actually matters how you use it, um...
08:55.91 franksec Right.
09:06.14 Steve Wilson Whether your application is vulnerable. And so being able to have tools that are able to analyze not just do you have one of these things, the sort of naive view, but are you really vulnerable, that's really critical to you being able to, for example, prioritize the work that you're going to do. What are you going to mitigate first? Because again, if you have thousands of applications, you know, how are you going to do this all at once? Can't do this in a day. This is going to be going on honestly for weeks or months. Um, so yeah, being able to really...
09:30.32 franksec Where is still not right.
09:41.79 Steve Wilson Establish risk in an urgent situation like this for triage, but then more on a day-to-day basis when you're dealing with an environment where, um, you know, dozens, hundreds or even thousands of software developers are continually building new software. How do you evaluate the risk of different, um, conditions, vulnerabilities, and really decide where you need to make compromises in terms of your development and really lean into securing yourself versus continuing to generate that new business value.
10:15.40 franksec Right? Yup. Absolutely agree, and I think the other thing that we saw that was working was also trying to prioritize the things that are externally exposed, that are easily attackable, and you know, every team right now is scrambling and trying to find a way to...
As you rightfully say, you know, if you belong to an enterprise that has multiple deployments, even your webcam could be bulletproof to Log4j. But maybe if we take a step back? Um, I wanted to understand, considering you come from that kind of environment in Java in the early days, I want to understand what happened in there. Why are we facing a vulnerability that is so easy to exploit, that should really never have been in place, you know, something so trivial as send a string and that string can then execute, ah, whatever RCE or remote code execution, and then download whatever payload you want? How are we in that situation in the year twenty twenty twelve 2?
11:19.86 Steve Wilson So, um, it's really interesting to think back to the early days of Java, and so much emphasis was on creating it as a secure environment. You know, really, Java pioneered these concepts like having the security manager in the runtime that managed what permissions...
11:29.22 franksec Right.
11:39.81 Steve Wilson Things had. But a lot of that in the inception of Java was, you have to rewind so far to remember that Java was originally intended for environments like set-top boxes and running applets in a browser, and so the security manager was for things like making sure that, um...
11:50.79 franksec And.
11:58.32 Steve Wilson Your Java applet couldn't escape the sandbox and get onto somebody's desktop. Um, the actual security of getting something into the Java runtime environment wasn't what the team was optimizing for originally. And so when you look at this Log4j vulnerability, I think there's a couple of things that come in. Obviously logging is in some ways the least glamorous thing, you know, task that you can think of, and um, you know, this Log4j library is more than 20 years old. It's been...
12:25.45 franksec Rise.
12:35.84 Steve Wilson You know, it got created, then it got donated to Apache.
It's been in Apache for 20 years now with a very small team of honestly very dedicated folks maintaining it, but it's a small team with minimal investment and minimal tooling. And while it doesn't seem glamorous, um, this library has been copied literally millions of times, different versions of it at different points in different physical locations. So you know, you think about, okay, there's a bug and I want to patch the bug. All right? Well, that's one challenge, but the problem is the offending code has been copied millions of times around the planet. So there's no single place to fix it. On top of that, um, you know, the...
13:17.52 franksec Drive.
13:26.43 Steve Wilson Confluence of events that create this vulnerability and make it exploitable are pretty insidious in terms of the snarly code path you have to go through, and while the exploit is trivial, um, the vulnerability is actually really intricate. And so, you know, what that means is the first attempt that the team put out at Apache to fix the vulnerability, um, it didn't even fix it. So you know, people went out and started patching to a new version of the Log4j library and now they're having to go back and do it again. And so in a lot of ways I think what we're going to find is people continuing to hammer on some of this until we really get to the bottom of it, and then we're going to start the long arduous process of patching this, um, and we have, you know...
14:16.18 franksec Um, at scale.
14:19.75 Steve Wilson Certain places where they have tooling in place and they're able to execute very, very quickly on it, and that's, you know, one of the things we're really proud about at Contrast is that I think we have tooling that in some ways was designed for the fact that someday this would happen, and it's been great to work with customers and kind of feel like we're helping them. But so many places don't have that kind of tooling in place. They're using...
Um, you know, free and open source tools to do their software composition analysis that don't have enterprise-level management. They're writing scripts trying to figure this out themselves. And then you get all the way to the limit case, you know, you mentioned something like your webcam could be vulnerable, and that's not absurd at all. We've seen out in the industry now very specific attacks where people are targeting things like SNMP, where they're actually going out and looking for embedded devices...
15:00.21 franksec Yeah.
15:13.72 Steve Wilson And those embedded devices are going to have in some cases literally no way to update them.
15:19.39 franksec Right? And you know, I want to cover this in detail. But before we jump on that we have to have a small section for our sponsors, so bear with me a second.
16:16.36 franksec All right, brilliant, and thank you again to AppSec Phoenix, our sponsor, for keeping us running. But I wanted to touch point on this particular topic, because I remember Jeff kind of wrote a white paper like 6 or 7 years ago and actually presented it at Black Hat as well. This is not a new thing. The industry has been screaming about this. This is something that will happen, this is something that will be out there, and now it suddenly happened. And I do also subscribe to your view and to your pain, in a way that code has been forked so many times and has been distributed in so many places that it becomes very, very complex to fix it, and we're never going to know the extreme expansion. But maybe on the more scary topics that I want to maybe debate: if that was one library, what's stopping attackers now poking at the other libraries to discover, um, similar Log4j kind of problems? What do you think?
17:25.19 Steve Wilson Well, look, the way I'd like to say this is this has happened before and it will happen again, right?
If we rewind a few years ago to 2017, the Apache Struts library had a severe vulnerability in it, and that is, um...
17:30.97 franksec Um.
17:38.57 franksec Right.
17:44.91 Steve Wilson Ah, a less used library than Log4j, but the same basic concept is there: popular open source library embedded in lots and lots of places with a vulnerability in it that could lead to really severe consequences. And you know, what's interesting is the world remembers this vulnerability, but they don't remember it as the Struts vulnerability. They remember it as the Equifax breach, right? And there were many people that were breached from that. But if you don't remember this one, about one hundred and fifty million people lost...
18:08.30 franksec Ah, right.
18:20.75 Steve Wilson Their personal financial info from Equifax, which is one of the global credit rating organizations, and as a result they wound up paying four hundred and twenty-five million dollars in fines for not being secure. Um, but the interesting thing here is, um, did the world learn anything from this? And they absolutely did, right? If you look at the difference in response between the Struts vulnerability and the Log4j vulnerability, um, one of the reasons that Equifax was penalized so heavily is they could have done much better. This was for them not a zero-day vulnerability. It was a disclosed vulnerability. It was well known. There were patches that were available and they simply did not act on it. Um...
19:01.11 franksec Um, is a well known.
19:16.79 Steve Wilson What's interesting here to see, the difference 4 years later, is that the industry realized how serious this was. Um, you know, on Thursday night last week people started...
19:23.25 franksec Um, enacted fast.
19:33.61 Steve Wilson Exploiting this in Minecraft of all places, you know, Minecraft the popular video game.
Um, you know, famously is written in Java. You know, I remember a few years ago my daughter went to coding camp over the summer and learned to write her first Java programs as Minecraft extensions. So you know, probably millions of people learned to program by hacking on Minecraft, and so, um, in some ways it's not surprising that that was, not the first place that this was exploited, but the place people realized how serious this was, is people were exploiting this by...
19:56.27 franksec Um, has great.
20:05.97 franksec Right.
20:10.39 Steve Wilson Putting messages into the Minecraft chat window. That was how easy it was to exploit. Um, but that was happening on Thursday, and Thursday night, you know, our research team at Contrast started getting information about this. Um, you know, I heard something about it and I went to bed and I got up at 5 in the morning the next morning. I get up early, I'm on the West Coast of the US and we have teams in Europe, so I get up early to talk to them, and I had Slack messages from our chief architect that said, Steve, you need to call me right now. And I talked to him and he said, you know, by Friday morning he said...
20:42.78 franksec Um.
20:49.10 Steve Wilson Steve, this is the most serious thing I've ever seen. We have to help our customers get in front of this. And so, you know, you started to see the news coming out on Friday. People were reacting to it, not everywhere, it's far from perfect and it's...
21:02.89 franksec It was pocket.
21:06.36 Steve Wilson Far from uniform, but the industry is jumping on this, and there are, let's say, the more advanced shops are much better prepared. The tooling is better. It's absolutely better than it was 4 years ago, and so we have moved forward from that. But then your question is, will this happen again?
Of course it will. Um, the fact that we still build software where, you know, you see different figures, but up to 80 percent of the code in a typical business application is open source.
21:26.94 franksec Nope, yeah.
21:40.45 Steve Wilson And so really, what people are starting to talk about, you know, started before this, really going back to SolarWinds, but the topic around software supply chain management is now the hot topic, and I think that's actually a really good way to phrase it, because it makes it a bigger problem than just...
21:52.50 franksec And right.
21:59.78 Steve Wilson Thinking about managing vulnerabilities. It's about understanding where your code's coming from, what's the provenance of it, and being able to really understand that end to end, and I think that's going to be the next step in making this better.
22:12.55 franksec So show. Will we start seeing vul be deploying stack trace? That's gonna be the next one, gonna get it. Ah, am I giving the wrong suggestion to the wrong people? Ah.
22:18.64 Steve Wilson Oh my? Yeah.
22:28.90 franksec Ah, you know, because after open source is kind of used by every single developer on earth, and I'm pretty sure actually some of my friends actually have done this experiment of publishing exploits and PoCs with vulnerable code in there, so you had hackers actually just blindfoldedly trusting a piece of software, just downloading it, executing it, with boom in there and a callback home. And it was a friendly experiment by Andy hilllabs, but um, it was quite interesting to see how blind trust was deployed on, you know, a piece of code running on the web. That is like going outside and asking candy from a stranger, right?
23:12.17 Steve Wilson Yeah, well, the um, you know, the more insidious example of this is something we started to see earlier this year, is a rise in, um, attacks that go by different names, but dependency confusion is one of them.
23:29.10 franksec The.
23:31.89 Steve Wilson And when you think about the way that people's build systems and CI/CD systems work, they're constantly going out on the internet and pulling down these packages from massive open source repositories, where you actually, you know, you're somewhat hoping that you're getting the right thing. And actually a lot of the ways that these work, you're only providing a general description of the package that you want and it's trying to find the one that's the best fit, and people have found that they can go and create their own version of popular open source libraries, put them up in those repos and have people pull them down. And um, one of our researchers at Contrast did a proof of concept with this, went and looked for applications that looked like they were exposed to this, and actually Microsoft Teams wound up being a good example. Now Microsoft's an investor and a partner, um, and we're in their bug bounty program, so we did this all above board, but we actually created some open source libraries and Microsoft pulled them down and compiled them into their binary, and it was just an example...
24:40.97 franksec Teams.
24:45.22 Steve Wilson Of how even a sophisticated software shop, um, can be vulnerable to this. So you know, they've hardened their processes since then, but other people have not. This is a really new example of a vulnerability out there, being able to divert the software supply chain, um, to, you know, a hacker's nefarious ends. And so the ability of someone to go and create their own version of an open source library with some nefarious code, you know, we've seen this so far largely people doing things like dumping in crypto miners, and that's well documented. But...
25:21.90 franksec Brilliant, yeah, or ransomware. That's, I think I saw a couple of days ago, ah, a payload and Conti starting to deploy this as potentially ransomware or ransomware payload, so we start seeing...
25:24.20 Steve Wilson We know there must be examples of much more nefarious usage. Absolutely.
25:41.22 franksec Fundamentally ransomware is going towards this, and that's the other scary part, that the industry from the attacker perspective seems to have industrialized the use of this massive-scale vulnerability, and the scary factor that we had just a week or maybe 2 time to actually breathe this vulnerability, so time to detection and remediation is actually being shortened dramatically. I mean, our statistic goes from roughly 3 to fifteen days to deploy something like this at scale and it's being confirmed basically by this, but I think it is a scary factor. And then on the other side, maybe here more in the UK, we saw fundamentally British Airways being attacked with a much more malicious code, where somebody fundamentally hijacked one of the developer trusted accounts and injected malicious code in a library, so that's even worse, you know. And I agree with you, it doubles down on the subject of controlling your supply chain, but controlling how you pull in things, where you're deploying, and in my humble opinion I think we've been using security in the wrong way right now. We've been putting them on the front foot and firefighting vulnerabilities day in and day out, and they kind of lost their way by not focusing on systematic and on strategic things like creating a proxy for libraries, or analyzing open source of what comes in and out, like what the security team in Contrast does, and that's how we should be using security, for that instrumental systemic change rather than day in and day out management of vulnerabilities.
27:26.62 Steve Wilson So yeah, I mean look, I think the day-to-day management of vulnerability actually to some extent hasn't been done at all in a lot of shops, right? It's been, um, completely pushed off to a...
27:26.89 franksec What do you think, Steve.
27:36.95 franksec Ah.
27:43.92 Steve Wilson Ah, periodic scanning-based procedure run by the security team, where you scan things on a quarterly or even yearly basis. And I lived this in my last job. It's one of the reasons I got excited about this job opportunity when it came up. I was running a large development team, and the head of engineering came to me and said, I need to cancel all the features that I promised for next quarter because the security team just ran a scan and filed a thousand Jira tickets. Um, and now there was this record of this potential vulnerability that we were obliged to deal with, and it turned out most of them weren't real vulnerabilities, almost all of them weren't, um, but it wound up being a huge amount of work to sift through it. On the other hand, for companies that really adopt this DevSecOps attitude and get the right tooling in place to enable it, um, you find a potential vulnerability maybe before you even complete your pull request to put the software back, and it's just like any other bug: if the bug gets into the code base, it's 10 times as expensive to fix it as it was for the developer to fix it on their desktop. Um, if it actually gets out to a customer, it's a hundred times more expensive, and you know, with security, given the stakes, it's much worse than that. So um, the real shift here is to push so much more of the responsibility down to the developers, but also really not make the developers responsible for it, because it's hard for developers, but to put the right tool chain around them that makes it easy. And it really is possible with the modern tools to do that now, and that's the big opportunity to change how we do development.
29:35.39 franksec Brilliant, I agree with you. It should be a collaboration between shift left and the copy is on more automation in the place, because a lot of this, as you rightfully say, is still pretty much reactive, is still pretty much that debate and discussion...
And then the endless argument between the security team and the development team saying this is a false positive, this is internal, it's a false positive, rather than, you know, it's accept the risk and it's different priorities and stuff like that. So I think we can do better at DevSecOps to actually remove security people from consistently doing this firefighting and this endless debate, um, and automate a lot of the relationship, but also the detection of, um, false positives based on contextual aspects and contextual information. If you can actually exploit it, if it's actually visible to attack, ah, then you know we focus on it, because otherwise we're going to be always overflooded by these issues, and you know, Log4j and all similar are going to keep on piling up, right?
30:42.60 Steve Wilson Absolutely. I mean, I think we really do have the tools at our disposal and the processes being developed out there in the industry to just fundamentally shift this, change the game and make this so much more efficient, and create really much more secure applications as a result. So.
31:00.59 franksec Fantastic! And I guess this is just a nice input to the conclusion, that is the positive message on our industry. So if you want to double down on that, Steve, what will be your positive message overall, rather than we have the tools and we have the technology and we can rebuild this? Ah.
31:20.62 Steve Wilson Like, I think going back to a little bit earlier, I think the good news is, you know, this has happened before. The industry has moved a tremendous distance since the Struts vulnerability, for example. Um, this really would be much worse if we weren't in the position that we are now, that we had better understanding of the risks, better tools, better processes. We have the tools out there now widely deployed to understand your open source footprint, what's vulnerable. Um, we have the tools in place that help people upgrade and fix this.
We even have tools today like RASP tools that can protect you, and we've seen evidence that these RASP tools were protecting people, um, before day zero now. So really, we're in a position where we're moving forward...
32:09.23 franksec Um.
32:15.56 Steve Wilson So quickly that, look, there's no end in sight for this, but really the bar has been raised dramatically, and if we work together as an industry, the next time this happens we'll be even better prepared.
32:27.90 franksec Fantastic. And yeah, I agree with you. We've seen an enormous collaboration between teams and information out there. So I really appreciated that collaboration and enjoyed seeing that collaboration and the community getting together to fix. But ah, on the conclusion of the show, if people want to find more about what you do day in and day out, where is the best place for them to contact you and how can they reach you, Steve?
32:53.99 Steve Wilson Yeah, so please come over, check out what we're doing at the contrastsecurity.com website. You can get all the details on all of our commercial tools. Also check out our blog there. There's a link off the front page to some free and open source tools that we've put out to help with Log4j in particular, so we really want people in the community to engage with us on this. Also feel free to reach out to me direct on LinkedIn.
33:23.13 franksec All right, brilliant, and everybody, thank you very much. We understand that everybody is tired and stressed. We really hope that everybody can enjoy Christmas at some stage or time and get away from the Log4j. Unfortunately attackers don't sleep, so defenders don't sleep either. But we're gonna get ahead of this together. So this is your host Francesco. I had the pleasure to talk with Steve Wilson, the chief product officer for Contrast Security, and I wish everybody to stay safe and have a lovely Christmas. Thank you.
It's been in Apache for 20 years now with ah with a very small team of honestly very dedicated folks maintaining it but but it's ah it's a small team with minimal investment and minimal tooling. And while it doesn't seem glamorous. Um, this library has been copied literally millions of times different versions of it at different points in different physical locations. So you know you think about? Okay there's a bug and I want to patch the bug. All right? Well, that's that's 1 challenge but the problem is the the offending code has been copied millions of times around the planet. So. There's there's no single place to fix it on top of that. Um, you know the the. 13:17.52 franksec Drive. 13:26.43 Steve Wilson Confluence of events that create this vulnerability and make it exploitable are pretty insidious in terms of the the snarly code path you have to go through and while the exploit is trivial. Um, the vulnerability is actually really intricate and so you know what that means is the. The first attempt that the team put out at apache to fix the vulnerability. Um it. It didn't even fix it so you know people went out and started patching to a new version of the log for j library and now they're having to go back and do it again and so in in a lot of ways I think what we're going to find is. Is people continuing to hammer on some of this and until we really get to the bottom of it and then we're going to start the long arduous process of patching this um and we have you know. 14:16.18 franksec Um, at scale. 14:19.75 Steve Wilson Certain places where they have tooling in place and they're able to execute very very quickly on it and that's you know 1 of the things we're really proud about at contrast is that I think we have tooling that in some ways was designed for the fact that someday this would happen and and it's been great to work with. Customers and and kind of feel like we're helping them. But so many places don't have that kind of tooling in place they're using. 
Um you know, free and open source tools to do their software composition analysis that don't have enterprise level management. They're writing scripts trying to figure this out themselves. And then you get all the way to the limit case you know you mentioned something like your webcam could be vulnerable and that's not absurd at all. We've seen out in the industry now very specific attacks where people are targeting things like s and mp where they're actually going out and looking for embedded devices. 15:00.21 franksec Yeah. 15:13.72 Steve Wilson And those embedded devices are going to have in some cases literally no way to update them. 15:19.39 franksec Right? And you know I want to cover this in detail. But before we jump on that we have to we had to have a small section for our sponsors so bear with me a second. 16:16.36 franksec All right bra and and thank you again for up Phoenix or our sponsor and and keeping us running but I wanted to to touch point on this on this particular topic because I remember Jeff ah kind of wrote a white paper like. 6 or 7 years ago and it actually presented it to black cat as well. This is not a new thing. The industry has been screamed about this is something that will happen. This is something that will be out there and and now it suddenly happened and I ah do also subscribe to your view and. To your pain in a way that code has been forked so many times and have been distributed in so many places that it becomes very very complex to fix it and we're never going to know that the the extreme expansion but maybe on on on there the more scary topics that I want. As to maybe debate if that's what was 1 library. What's stopping attacking now or poking at the other side of libraries to discover um, similar log for j kind of problems. What do you think. 17:25.19 Steve Wilson Well look the the way I'd like to say this is this has happened before and it will happen again right? 
if we if we rewind a few years ago to 2017 the apache struts library had a severe vulnerability in it and that is um. 17:30.97 franksec Um. 17:38.57 franksec Right. 17:44.91 Steve Wilson Ah, a less used library than log for J but the same basic concept is there popular open source library embedded in lots and lots of places with a vulnerability in it that could lead to really severe consequences and. You know what's interesting is the world remembers this vulnerability but they don't remember it as the strut's vulnerability. They remember it as the Equifax breach right? and there were many people that were breached from that. But if you don't remember this 1 about 1 hundred and fifty million people lost. 18:08.30 franksec Ah, right. 18:20.75 Steve Wilson Their their personal financial info from equifax which is 1 of the global credit rating organizations and as a result they they wound up paying four hundred and 25 million dollars in fines for not being secure. Um, but the the interesting thing here is. Um, did the world learn anything from this and they absolutely did right? if you look at the difference in response between the Struts vulnerability and the log for j vulnerability um, 1 of the reasons that Equifax was penalized so heavily. Is they could have done much better. This was for them. Not a zero day vulnerability. It was a disclosed vulnerability. It was well known. There were patches that were available and they simply did not act on it. Um. 19:01.11 franksec Um, is a well known. 19:16.79 Steve Wilson What's interesting here to see the difference. 4 years later is that the industry realized how serious this was um, you know I yeah yeah you know on thursday night last week people started. 19:23.25 franksec Um, enacted fast. 19:33.61 Steve Wilson Exploiting this in minecraft of all places you know minecraft the popular video game. 
Um, you know famously is written in Java you know I remember a few years ago my daughter went to coding camp over the summer and learns to write her first java programs as Minecraft extensions. So you know. Probably millions of people learned to program by hacking on minecraft and so um, in some ways. It's it's not surprising that that was the not the first place that this was exploited but the the place people realized how serious this was is people were exploiting this by. 19:56.27 franksec Um, has great. 20:05.97 franksec Right. 20:10.39 Steve Wilson Putting messages into the minecraft chat window that was how easy it was to exploit. Um, but that was happening on Thursday and thursday night you know our research team at contrast started getting information about this. Um, you know I heard something about it and I went to bed and I got up at. 5 in the morning the next morning I get up early I'm on the west coast of the us and we have teams in europe so I get up early to talk to them and I had slack messages from our our chief architect that said stevie need to call me right now and I talked to him and he said you know by Friday morning he said. 20:42.78 franksec Um. 20:49.10 Steve Wilson Steve this is the most serious thing I've ever seen. We have to help our customers get in front of this and so you know you started to see the news coming out on Friday people were reacting to it not everywhere. There's it's it's far from perfect and it's. 21:02.89 franksec It was pocket. 21:06.36 Steve Wilson Far from uniform but but the industry is jumping on this and there are let's say the more advanced shops are much better prepared. The tooling is better. It's absolutely better than it was 4 years ago and so we we have moved forward from that. But then your question is will this happen again. 
Of course it will um the the fact that we still build software where you know you see different different figures but up to 80 percent of the code in a typical business application is open source. 21:26.94 franksec Nope yeah. 21:40.45 Steve Wilson And so really, what people are starting to talk about you know, started before this really going back to solar winds. But the the topic around software supply chain management is now the hot topic and I think that's actually a really good way to phrase it because it makes it a bigger problem than just. 21:52.50 franksec And right. 21:59.78 Steve Wilson Thinking about managing vulnerabilities. It's about understanding where your codes coming from what's the Providence of it and being able to really understand that end to end and I think that's going to be the next step in making this better. 22:12.55 franksec So show. Will we start seeing vul be deploying stock trace. That's gonna be the next 1 gonna get it. Ah am I giving wrong suggestion of the wrong people. Ah. 22:18.64 Steve Wilson Oh my? yeah. 22:28.90 franksec Ah, you know because after after open source destins used kind of to by every single developer on earth and I'm pretty actually some of my friends actually have done this experiment of publishing exploit and poc with vulnerable code in there so you had hackers actually just blindfoldingly. Trusting a piece of software just downloading executing it with boom in there and and a callback home and it was a friendly experiment by Andy hilllabs. But um, it was quite interesting to see how blind trust was deployed on. You know piece of code running on the web that is like going outside and asking candy to a strangerr right. 23:12.17 Steve Wilson Yeah, well the um, you know the the more insidious example of this is something we started to see earlier. This year is a rise in um, a tax that it's going by different names but dependency confusion is 1 of them. 23:29.10 franksec The. 
23:31.89 Steve Wilson And when you think about the way that that people's build systems and cicd systems work they're they're constantly going out on the internet and pulling down these packages from massive open source repositories where you actually you know you're you're somewhat hoping that you're getting the right thing. And actually a lot of the ways that these work you're you're only providing a general description of the package that you want and it's trying to find the 1 that's best fit and people have found that they can go and create their own version of popular open source libraries put them up in those repos and have people pull them down and um. 1 of our researchers at contrast went went did a proof of concept with this went and looked for applications that looked like they were exposed to this and actually Microsoft teams wound up being a good example now Microsoft's an investor and a partner. Um. Ah, and we're in their bug bounty Program. So we we did this all above board but we actually created some open source libraries and Microsoft pulled them down and compiled them into into their binary and it was just an example. 24:40.97 franksec Teams. 24:45.22 Steve Wilson Of How even a sophisticated software shop um can be vulnerable to this so you know they've hardened their processes since then but other people have not This is a really new example of ah of a vulnerability out there being able to divert the software supply chain. Um. To you know a Hacker's nefarious ends and so the ability of someone to go and create their own version of an open source library with some nefarious code. You know we've seen this so far largely people doing things like dumping in crypto minorers and and that's well documented. But. 25:21.90 franksec Bri yeah or run somewhere. That's I think I saw I saw a couple of days ago. Ah, payload and conti starting to deploy this as as potentially run some arrow or or run some my payload so we start seeing. 
25:24.20 Steve Wilson We know there must be examples of much more defarious usage. Absolutely. 25:41.22 franksec Fundamentally ransome are going towards this and that's that's the other scary part that the industry from the Attacker prospect. This seems to have industrialized the use of this massive scale vulnerability and decimal scary factor that we had just a week or maybe 2 time to actually breathe text vulnerabilit be so time to detection and and and remediation is actually being shorted dramatically I mean our ourtistic goes from roughly 3 to fifteen days to deploy something like this at scale and it's being confirmed basically by this but it's. Think is is a scary factor and then on the other side maybe here more in the u k we saw fundamentally british airways being attacked with a much more malicious code where somebody ah fundamentally hijacked 1 of the developer trusted account and. Injected malicious code e in a library so that's that's even worse you know and I agree with you. It's it double down on the subject of controlling your supply chain but controlling how you pull in things where you're deploying and. In my humble opinion I think we've been. We've been using security in the wrong way right now and we've being putting them in the front foot and firefighting vulnerability on day in and the out and they kind of lost their way by not focusing on systemating and on strategic thing like creating. Ah, proxy for libraries or or analyzing open source of what comes in and out like what the the security team in contrast does and that's how we should be using back security for that instrumental systemic change rather than day in and out management of vulnerability. 27:26.62 Steve Wilson So yeah I mean look I think the the day-to-day management of vulnerability actually to some extent hasn't been done at all in a lot of shops right? It's been um, it's been completely pushed off to a. 27:26.89 franksec What do you think safe. 27:36.95 franksec Ah. 
27:43.92 Steve Wilson Ah, periodic scanning based procedure run by the security team where you scan things on a quarterly or even yearly basis and I lived this in my last job it's 1 of the reasons I got excited about about this job opportunity when it came up was I was running a large development team. And the head of engineering came to me and said I need to cancel all the features that I promised for next quarter because the security team just ran a scan and filed a thousand jira tickets. Um, and and now there was this record of this potential vulnerability that we were obliged to deal with and it turned out. Most of them weren't real vulnerabilities almost all of them weren't um, but it wound up being a huge amount of work to so to sift through it on the other hand for for companies that really adopt this devsec ops attitude and get the right tooling in place to enable it. Um, you find a potential vulnerability maybe before you even complete your pull request to put the put the software back and it's just like any other bug if the bug gets into the code base. It's 10 times as expensive to fix it as it was for the developer to fix it on their desktop. Um, if it actually gets out to a customer It's a Hundred times more expensive and you know with security given the stakes. It's much worse than that. So um, the the real shift here is to push so much more of the responsibility down to this. To the developers but also really not make the developers responsible for it because it's hard for developers but to put the right tool chain around them that makes it easy and it really is possible with the modern tools to do that now and that's the big opportunity to change how we do development. 29:35.39 franksec Brian I agree with you. It should be It should be a collaboration between shift left and the copy is on more automation in the place because a lot of this as you rightfully say is still pretty much reactive is still pretty much that debate in Discussion. 
And then the endless argument between the se security team and the development team saying this is false positive. This is internal is a false positive rather than you know it's accept the risk and is different priorities and stuff like that. So. I think we can do better at thefsecops to actually remove security people on doing consistently these firefighting in this endless debate. Um, and and and automate a lot of the relationship but also the detection of um false positive based on contextual aspect and contextual information. If you can actually exploit it if it's actually visible to attack. Ah then you know we we focus on it because otherwise we're going to be always overflloded by these issues and you know look for js all similar are going to keep on piling up right. 30:42.60 Steve Wilson Absolutely I mean I think we really do have the the tools at our disposal and the processes being developed out there in the industry to to just fundamentally shift this change the game and make this so much more efficient and create. Really much more secure applications as a result. So. 31:00.59 franksec Fantastic! and I guess we we this is just a a nice input to the to the conclusion that is the positive message on our industry. So if you want to double down on that Steve what will be your positive message overall rather than we. We have the 2 and we have the technology and we can rebuild this. Ah. 31:20.62 Steve Wilson Like I think going going back to a little bit earlier I think the good news is you know this has happened before the industry has moved a tremendous distance since the Struts vulnerability for example, um, this really would be much worse. If we weren't in the position that we are now that we had better understanding of the risks better tools better processes. We have the tools out there now widely deployed to understand your your open source footprint. What's vulnerable. Um, we have the tools in place that help people upgrade and fix this. 
We even have tools today like like rasp tools that can protect you and we've seen evidence that these rash tools were protecting people um before day zero now. So really, we're in a position where we're moving forward. 32:09.23 franksec Um. 32:15.56 Steve Wilson So quickly that look there's no end in sight for this but really, the bar has raised dramatically and if we work together as an industry the next time this happens we'll be even better prepared. 32:27.90 franksec Fantastic. And yeah I agree with you. We've seen an enormous collaboration between teams and information out there. So I Really appreciated that collaboration and and enjoy that seeing that collaboration and the community getting together to to fix. But ah on the conclusion of the show if people want to find more about what you do day in in day out where where is the best place for them to contact you and how they can reach you yet. Stay. 32:53.99 Steve Wilson Yeah, so please so please come over check out what we're doing at the Contrastsecurity Dot Com Website. You can get all the details on all of our commercial tools. Also check out our blog there. There's a link off the front page to some free and open source tools that we've put out to help with log for J in particular so we really want people in the community to engage with us on this also feel free to reach out to me direct on linkedin. 33:23.13 franksec All right brave and everybody. Thank you very much we we understand that everybody is tired and stressed. We really hope that everybody can enjoy christmas at some stage or time and get away from the lock for j unfortunately attack it don't sleep so defend it on. Don't sleep either. But we're gonna get ahead of this together. So this is your host francesco I had the pleasure to talk with Steve wilson the chief product officer for contra security and I wish you everybody to stay safe and have a lovely christmas Thank you.  

    CSCP S01E14 - Sam Stepanyan - Part 2 - OWASP AppSec Nettacker and Scaling appsec programmes

    Play Episode Listen Later Dec 19, 2021 25:45


      CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Sam. Sam Stepanyan is an Application Security Architect and Consultant, an OWASP London Chapter Leader, and a WAF Specialist. Sam joins the podcast to discuss many of the opportunities for young aspiring security professionals, the big-picture purpose of OWASP, and the first steps to addressing application security. Sam encourages everyone in the cyber community to join a local OWASP chapter, network at conferences, and compete in games. He also shares a horror story and a success story from his career.

      The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register

      0:47 Threat modelling
      3:30 Pen testing
      5:19 Cost of security
      5:58 Dependency checker
      7:55 GitHub community
      12:20 Local chapters
      14:45 Conferences, competitions, events
      18:02 OWASP Zed Attack Proxy (ZAP)
      20:01 Positive and horror story in security
      24:12 Future of cyber
      25:45 Outro

      Sam Stepanyan: Twitter @securestep9, https://www.linkedin.com/in/samstepanyan/

      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42, #CSCP #cybermentoringmonday, cybercloudpodcast.com

      Social Media Links. Follow us on social media to get the latest episodes:
      Website: http://www.cybercloudpodcast.com/
      You can listen to this podcast on your favourite player:
      Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
      Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ
      Linkedin: https://www.linkedin.com/company/35703565/admin/
      Twitter: https://twitter.com/podcast_cyber
      Youtube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/

    CSCP S01E14 - Sam Stepanyan - Part 1 - OWASP AppSec Nettacker and Scaling appsec programmes

    Play Episode Listen Later Dec 12, 2021 30:00


      CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Sam. Sam Stepanyan is an Application Security Architect and Consultant, an OWASP London Chapter Leader, and a WAF Specialist. Sam joins the podcast to discuss many of the opportunities for young aspiring security professionals, the big-picture purpose of OWASP, and the first steps to addressing application security.

      0:47 Introducing Sam
      2:15 Conversation begins
      4:10 Positive message
      8:10 Purpose of OWASP
      10:55 Nettacker
      13:40 Asset discovery
      15:30 Multi-factor authentication
      16:30 Google Summer of Code
      19:49 OWASP Top 10
      22:46 Capital One and cloud breaches
      24:02 Basics of an application security program
      30:00 Outro

      Sam Stepanyan: Twitter @securestep9, https://www.linkedin.com/in/samstepanyan/

    CSCP S01E13 - Chani Simms - Part 2 - vCISO compliance cybersecurity and women in cyber

    Play Episode Listen Later Dec 5, 2021 22:50


      CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Chani. Chani Simms is the Managing Director and Co-Founder of Meta Defense Labs LTD, a consultant, the Founder of SHe CISO, a TEDx Speaker, and an Award-winning Cybersecurity Leader. Chani explains what a Virtual CISO does, the importance of basic cyber hygiene, and the initial steps to becoming a cyber security professional. Chani's approach to security is to operate on zero trust.

      0:00 Introduction
      0:46 Virtual CISO
      5:10 Cyber hygiene
      8:55 Starting in cyber
      13:24 Assume breach
      18:53 Twitter drama
      22:10 Closing words
      22:50 Outro

      Chani Simms: linkedin.com/in/chani-simms, metadefencelabs.com/

    CSCP S01E13 - Chani Simms - Part 1 - vCISO compliance cybersecurity and women in cyber

    Play Episode Listen Later Nov 28, 2021 27:20


      CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Chani. Chani Simms is the Managing Director and Co-Founder of Meta Defense Labs LTD, a consultant, the Founder of SHe CISO, a TEDx Speaker, and an Award-winning Cybersecurity Leader. Chani shares how she prepared for her TEDx talk and her thoughts on emotional intelligence and mental health in the workplace.

      0:00 Introduction
      0:46 Chani's background
      3:00 TEDx talk
      8:00 Women in cyber and mental health
      10:56 SHe CISO
      14:00 Self-esteem
      16:00 Emotional intelligence
      19:08 Managing emotion
      21:20 Outro

      Chani Simms: linkedin.com/in/chani-simms, metadefencelabs.com/

    CSCP S01E12 - Kevin Fielder - Part 2 - Becoming a CISO

    Play Episode Listen Later Nov 22, 2021 28:02


      CSCP is bringing back season 1 in a newly remastered version. This is part 2 with Kevin Fielder, a CISO, NED, start-up and board advisor, researcher, and speaker based in the UK. Kevin is a CrossFit athlete who values a healthy work-life balance that allows him time for fitness and family. He answers questions about diversity in the workplace, recruiting, and the biggest challenges in his role.

      0:00 Intro
      0:47 CrossFit
      4:36 Work-life balance
      8:58 Remote working
      10:50 Cognitive diversity in cyber
      16:05 Working with the deaf
      17:50 Working under stress
      20:35 Recruiter
      23:50 Biggest challenge in current role
      25:26 Final positive message
      28:02 Outro

      Kevin Fielder: https://www.linkedin.com/in/kevinfielder/, Twitter @kevin_fielder

    CSCP S01E12 - Kevin Fielder - Part 1 -Becoming a CISO

    Play Episode Listen Later Nov 15, 2021 28:35


      CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Kevin. Kevin Fielder is a CISO, NED, start-up and board advisor, researcher, and speaker based in the UK. In part one of the interview, Kevin discusses his approach to recruiting and hiring new talent for junior cyber security roles, managing and leading teams with both junior and senior talent, and his own career trajectory.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:00 Intro 0:47 Introducing Kevin 2:06 Career in cyber 5:30 Favourite area/role 7:30 Recruiting junior roles 12:00 Balancing junior and senior talent 16:09 Managing teams and technical jargon 21:16 Story leading teams 24:55 Cloud-native DevOps 28:35 DevSecOps and engagement
      Kevin Fielder: https://www.linkedin.com/in/kevinfielder/ Twitter @kevin_fielder
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E11 - Tanya Janca - Part 2 - AppSec OWASP Community and diversity

    Play Episode Listen Later Nov 8, 2021 37:00


      CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Tanya Janca. In this episode, Tanya shares her passion for WoSec (Women of Security), her decision to leave Microsoft, giving back to the community and encouraging women to get involved in cyber security, and gives her definition of DevSecOps. Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, the Co-Leader of the OWASP Ottawa chapter, a best-selling author, and an independent consultant specializing in Cloud Security, DevSecOps, and AppSec.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:00 Intro 0:47 WoSec 4:08 Cyber ladies in Israel 13:03 Leaving Microsoft 14:30 Mentoring Monday 17:10 Future of AppSec 24:18 Issues at conferences 27:25 What is DevSecOps 36:35 Final positive message 37:17 Outro
      Tanya Janca: Twitter @shehackspurple https://wehackpurple.com https://www.linkedin.com/in/tanya-janca/?originalSubdomain=ca https://www.womenofsecurity.com
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E11 - Tanya Janca - Part 1 - AppSec OWASP Community and diversity

    Play Episode Listen Later Nov 1, 2021 27:00


      CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Tanya Janca. Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, the Co-Leader of the OWASP Ottawa chapter, a best-selling author, and an independent consultant specializing in Cloud Security, DevSecOps, and AppSec. In part 1 of the conversation, Tanya discusses the importance of professional mentorship, getting women involved in cyber security, conferences, online communities, and overcoming her fear of public speaking.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:00 Intro 0:47 Introducing Tanya 1:55 Conversation begins 7:08 Women in security 13:35 Conferences 17:26 Online community 18:30 Days as a software developer 20:55 Women in OWASP 24:20 Public speaking 26:48 WoSec 27:30 Outro
      Tanya Janca: Twitter @shehackspurple https://wehackpurple.com https://www.linkedin.com/in/tanya-janca/?originalSubdomain=ca https://www.womenofsecurity.com
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E10 - Jim Manico - Part 2 - AppSec OWASP and DevSecOps

    Play Episode Listen Later Oct 24, 2021 26:54


      CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Jim Manico. Jim and Francesco address some of the criticisms of OWASP, discuss what makes a chapter great, and look at the future of cyber security.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:00 Intro 0:27 Fixing the legacy problem 7:00 Critics of OWASP 13:00 OWASP can't be tamed 16:26 Order vs chaos 22:20 What makes a chapter great 24:04 Final positive message 26:18 Closing words 26:54 Outro
      Jim Manico: Twitter @manicode https://www.linkedin.com/in/jmanico/
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E10 - Jim Manico - AppSec OWASP and DevSecOps

    Play Episode Listen Later Oct 18, 2021 26:10


      CSCP is bringing back season 1 in a newly remastered version. Jim Manico is the Founder and Secure Coding Instructor at Manicode Security, a member of OWASP, and an AppSec enthusiast. In part 1 of this lively conversation, Jim and Francesco discuss Netflix, automated security, and the complex problem of fixing legacy software.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:46 Introducing Jim 2:15 Conversation begins 5:15 Painful problem of AppSec 10:10 Security and money 11:20 Security testing 12:05 Privacy laws 14:50 Automated/integrated security 15:45 DevSecOps 18:06 Netflix 19:40 OWASP 20:50 Java 26:10 Outro
      Jim Manico: Twitter @manicode https://www.linkedin.com/in/jmanico/
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E09 - Grant Ongers - AppSec Devsecops and OWASP

    Play Episode Listen Later Oct 10, 2021 38:15


      CSCP is bringing back season 1 in a newly remastered version. Grant Ongers is on the Global Board of Directors at the OWASP Foundation and has spent his entire career in DevSecOps. Grant is also the co-founder of Secure Delivery and speaks with Francesco and co-host Zoe about DevSecOps, mentoring, and OWASP. Grant says DevSecOps is actually just DevOps done right.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:46 Introducing Grant 2:00 Conversation 2:35 Positive message 3:45 Career background 5:50 DevSecOps 9:45 CISO and CIO 11:05 Mentoring 15:55 OWASP 20:00 Valuable resources 23:10 Communication 26:00 Joining OWASP and mission 37:40 Closing words 38:15 Outro
      Grant Ongers: Twitter @rewtd https://www.linkedin.com/in/rewtd/
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E08 - Vandana Verma - Part 2 - Appsec & Diversity Talk

    Play Episode Listen Later Oct 3, 2021 26:30


      CSCP is bringing back season 1 in a newly remastered version. This is the second part of the interview with Vandana Verma. Vandana Verma is a Security Relationship Leader for SNYK, a Security Architect, an advocate for women and girls in AppSec, and on the board of OWASP. In part two the conversation continues on mentoring within the AppSec community, involving more women, and communicating the importance of cybersecurity to web designers and coders.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:46 Introduction 1:37 Conversation with Vandana 4:00 Streaming meetings 6:00 Spreading the word 9:04 Women in security 12:05 Mentoring in AppSec 11:20 DevSecOps and governance 20:08 Design and automation 24:52 Final positive message 25:54 Closing words 26:30 Outro
      Vandana Verma: Twitter @InfosecVandana https://www.linkedin.com/in/vandana-verma
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E08 - Vandana Verma - Part 1 - Appsec & Diversity Talk

    Play Episode Listen Later Sep 26, 2021 23:01


      CSCP is bringing back season 1 in a newly remastered version. This is the first part of the interview with Vandana Verma. Vandana Verma is a Security Relationship Leader for SNYK, an advocate for women and girls in AppSec, and on the board of OWASP. Francesco and Vandana discuss the best way to communicate the importance of security without using scare tactics, and the challenges of working with clients around the world.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:46 Introduction 2:08 Conversation with Vandana 4:05 Importance of AppSec 8:10 Avoid scare tactics 9:20 Fix bugs early 13:44 Working globally with different cultures and time zones 16:46 Best ways to communicate 18:55 OWASP 22:40 Closing words 23:10 Outro
      Vandana Verma: Twitter @InfosecVandana https://www.linkedin.com/in/vandana-verma
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E07 - Allan Alford - Part 2 - CISO Talk, starting in cyber and basic 10 cyber steps to get started

    Play Episode Listen Later Sep 19, 2021 25:40


      CSCP is bringing back season 1 in a newly remastered version. This is the second part of the interview with Allan Alford, formerly Delivery CISO at NTT Data and now CISO at TrustMAPP, a cybersecurity start-up like AppSec Phoenix. Allan is an experienced CISO living in Texas. In part two, Allan answers listener questions about getting involved in cybersecurity and his path to becoming a CISO, lists the pros and cons of earning an MBA, and stresses the importance of networking and mentoring. They also discuss how video gaming and role-playing games can translate to real-life leadership skills.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      0:45 Recap of part 1 1:47 Part 2 with Allan 2:20 Balancing an MBA with work and life 3:10 Do you need an MBA to be a CISO 7:35 Formal mentoring 11:11 Typical path to CISO 13:55 Certifications 19:28 Curiosity and video games 23:08 Final positive message 25:04 Closing words 25:40 Outro
      Allan Alford, CISO, host of the Cyber Ranch Podcast: Twitter @AllanAlfordinTX https://allanalford.com/the-cyber-ranch-podcast https://hackervalley.com/cyberranch/ https://www.linkedin.com/in/allanalford/
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E07 - Allan Alford - Part 1 - CISO Talk, starting in cyber and basic 10 cyber steps to get started

    Play Episode Listen Later Sep 12, 2021 18:20


      CSCP is bringing back season 1 in a newly remastered version. This is the first of two parts of the interview with Allan Alford, formerly Delivery CISO at NTT Data and now CISO at TrustMAPP, a cybersecurity start-up like AppSec Phoenix. Allan is an experienced CISO living in Texas. In part 1 of Francesco's interview with Allan, they discuss multi-factor authentication, the role of the CISO, and getting started in cybersecurity. Logical and critical thinking skills are important for working in tech, but equally so are soft and people skills, like communication, leadership, and public speaking.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      1:21 Part 1 with Allan 2:30 Masters 3:16 Advice on security awareness 4:23 Multi-factor authentication 7:35 Consumer pressure for security 8:35 Kinds of CISO 10:50 Communication and leadership skills 15:34 Hiring and learning on the job 17:51 Closing words 18:20 Outro
      Allan Alford, CISO, host of the Cyber Ranch Podcast: Twitter @AllanAlfordinTX https://allanalford.com/the-cyber-ranch-podcast https://hackervalley.com/cyberranch/ https://www.linkedin.com/in/allanalford/
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E06 - Greg van Der Gaast - Part 2 - Leadership and authority in cyber

    Play Episode Listen Later Aug 30, 2021 30:00


      CSCP is bringing back season 1 in a newly remastered version. This is the second of two parts of the interview with Greg van der Gaast. In part 2 of Francesco's interview with Greg, they discuss the challenges of working in the cyber security industry and how communicating more clearly and calmly can solve some of those issues. They speculate on why security breaches happen and share the appropriate way to react when they do. Greg van der Gaast is a CISO, the author of "Rethinking InfoSec", an international speaker, a people enthusiast, and is passionate about creating information security programs that work.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      Greg van der Gaast: Twitter @SidewaysGreg https://www.linkedin.com/in/gregvandergaast/
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E06 - Greg van Der Gaast - Part 1 - Leadership and authority in cyber

    Play Episode Listen Later Aug 22, 2021 25:00


      CSCP is bringing back season 1 in a newly remastered version. This is the first of two parts of the interview with Greg van der Gaast. Greg is a CISO, the author of "Rethinking InfoSec", an international speaker, a people enthusiast, and is passionate about creating information security programs that work. Francesco and Greg discuss the importance of communication skills and being personable in the tech field. To avoid a toxic and hostile work environment, everyone needs to have a better attitude, think human-first, and stay calm.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      1:30 Part 1 with Greg van der Gaast 2:46 Experiences in cyber 7:04 Risk management 10:15 Being personable 11:37 People, process, technology 13:05 Avoid toxic work environments 20:17 Closing words 20:40 Outro
      Greg van der Gaast: Twitter @SidewaysGreg https://www.linkedin.com/in/gregvandergaast/
      Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com

    CSCP S01E05 - Jane Frankland - Part 2 - Women in Cyber and Leadership

    Play Episode Listen Later Aug 15, 2021 28:50


      CSCP is bringing back season 1 in a newly remastered version. This is the second part of the interview with Jane, a returning guest in season 2. Jane Frankland and Francesco continue the conversation about inclusion, diversity, and supporting women in cybersecurity and tech, a male-dominated industry. Jane Frankland is an award-winning cybersecurity entrepreneur, author, consultant, keynote speaker, women's activist, and market influencer.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      1:30 Part 2 with Jane Frankland 5:36 Listener question: tips for implementing change 11:35 Supporting women in tech 15:08 Doing the right thing 17:55 Creating an appropriate and safe workplace 19:45 HR protects the company 23:30 Inclusion of people with intellectual disabilities 26:30 Final positive message 28:23 Closing words 28:50 Outro
      Jane Frankland: Twitter @JaneFrankland https://jane-frankland.com https://www.linkedin.com/in/janefrankland/ https://www.youtube.com/user/JaneFranklandTV

    CSCP S01E05 - Jane Frankland - Part 1 - Women in Cyber and Leadership

    Play Episode Listen Later Aug 8, 2021 29:10


      CSCP is bringing back season 1 in a newly remastered version. This is the first part of the interview with Jane, a returning guest in season 2. Jane Frankland is an award-winning cybersecurity entrepreneur, author, consultant, keynote speaker, women's activist, and market influencer. Jane shares her journey from fashion designer to founder of a successful tech company. Francesco and Jane discuss the challenges of breaking into tech, entrepreneurship, starting a business, living in the fourth industrial revolution, and diversity and inclusion in the industry.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
      1:15 Introducing Jane Frankland 5:20 How Jane got into cybersecurity 6:54 Penetration testing 9:45 Risks of starting a tech business 14:20 Challenges breaking into tech 19:33 Leveraging design skills 23:30 Importance of community 24:05 Abundance mindset 25:40 Women in tech 29:10 Outro
      Jane Frankland: Twitter @JaneFrankland https://jane-frankland.com https://www.linkedin.com/in/janefrankland/ https://www.youtube.com/user/JaneFranklandTV

    CSCP S01E04 - P2 - Shamane Tan - Executive, Risk, CISO, and Books

    Play Episode Listen Later Aug 1, 2021 33:00


      CSCP is bringing back season 1 in a newly remastered version. This is the second part of the interview with Shamane, on the subject of risk and cyber in Australia. We explore with Shamane the cybersecurity market in Australia, the events she runs, and the subject of diversity, without holding back. Hear the first part of the interview before jumping into this one :) We have all heard about the talent shortfall in cybersecurity and the worrying number of jobs that remain unfilled, so we talk about how we can attract and retain staff in the industry and what we can all do to nurture talent.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP: https://landing.securityphoenix.com/alpha
      This is the SECOND of the two parts of the interview with Shamane Tan, an executive advisor at Privasec. Shamane is the organiser of the Cyber Risk Meetup, which exploded in popularity in Australia and now runs in many locations. Shamane is also the author of a renowned book on cybersecurity risk, built on interviews with many C-level execs, and has spoken at TEDx.
      Bio: Shamane is passionate about cyber risk. She holds a Bachelor of Computer Engineering (Hons) and enjoys the challenge of keeping up to date with the constant evolution of technology and cyber trends. As Privasec's APAC Executive Advisor, she wants to use her business mindset, coupled with her computer engineering background, to help businesses bridge the gap between the technical and business spheres. In this day and age, it is crucial for companies to have strong and effective governance in place to protect their current infrastructure and services.
      Throughout her career, Shamane has partnered directly with CISOs, CTOs, and Global Heads of IT, Infrastructure and Security to help both enterprises and smaller companies in APAC with their growth strategy. As the author of 'Cyber Risk Leaders' and an international speaker, Shamane has frequently been invited to speak on various topics; some recent examples include: CISO insights from around the globe; The world of the Board Directors; Befriending the Hacker; The Influencers' secret to building key relationships.
      You can reach Shamane at: https://www.linkedin.com/in/shamane/
      Bringing Back Season 1: all episodes of season 1 are available at https://www.youtube.com/playlist?list=PLmfEooB4S-vXZ3OsFRrgqd9rIvd99oqI7

    CSCP S01E04 - P1 - Shamane Tan - Risk Executive, Cybersecurity & Asia Pacific

    Play Episode Listen Later Aug 1, 2021 30:00


      CSCP is bringing back season 1 in a newly remastered version. We explore with Shamane the cybersecurity market in Australia, the events she runs, and the subject of diversity, without holding back. Hear this first part of the interview before jumping onto the next one :) We have all heard about the talent shortfall in cybersecurity and the worrying number of jobs that remain unfilled, so we talk about how we can attract and retain staff in the industry and what we can all do to nurture talent.
      The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organization SMART. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP: https://landing.securityphoenix.com/alpha
      This is the FIRST of the two parts of the interview with Shamane Tan, an executive advisor at Privasec. Shamane is the organiser of the Cyber Risk Meetup, which exploded in popularity in Australia and now runs in many locations. Shamane is also the author of a renowned book on cybersecurity risk, built on interviews with many C-level execs, and has spoken at TEDx.
      Bio: Shamane is passionate about cyber risk. She holds a Bachelor of Computer Engineering (Hons) and enjoys the challenge of keeping up to date with the constant evolution of technology and cyber trends. As Privasec's APAC Executive Advisor, she wants to use her business mindset, coupled with her computer engineering background, to help businesses bridge the gap between the technical and business spheres. In this day and age, it is crucial for companies to have strong and effective governance in place to protect their current infrastructure and services. Throughout her career, Shamane has partnered directly with CISOs, CTOs, and Global Heads of IT, Infrastructure and Security to help both enterprises and smaller companies in APAC with their growth strategy.
      As the author of 'Cyber Risk Leaders' and an international speaker, Shamane has frequently been invited to speak on various topics; some recent examples include: CISO insights from around the globe; The world of the Board Directors; Befriending the Hacker; The Influencers' secret to building key relationships.
      You can reach Shamane at: https://www.linkedin.com/in/shamane/

    CSCP S01E03 - P2 - Lisa Forte - Social Engineering - Police to private

    Play Episode Listen Later Jul 25, 2021 30:00


    CSCP is bringing back season 1 in a newly remastered version. This is the second of a two-episode conversation with Lisa Forte. We have all heard about social engineering, but as Lisa explains it can be so much simpler than we all think, and virtually every conversation could put you in danger...

The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

This conversation is broken down into two parts; this is the second part of the interview with Lisa Forte, a social engineer and a fellow Italian. Lisa rose through the ranks of the police and then took social engineering into the commercial world. The episode is full of stories and will keep you gripping your chair to know more.

Bio
Lisa Forte is a partner at Red Goat Cyber Security, keynote speaker, vlogger, winner of the "Top 100 Women In Tech" award, and a social engineering and insider threats expert. She is passionate about cybersecurity, social engineering and, most importantly, helping organisations establish effective and lasting cultural change amongst staff. Lisa is an established keynote speaker and is hired to speak around the world, sharing her stories and experiences of social engineering, cybercrime and wargaming. She is a passionate and energetic public speaker, recently appearing at conferences such as IPExpo Europe, London Law Expo, Voxxed Days, International Security Expo, MarineTech China and Secure Computing Dublin. Lisa also does a lot of pro-bono security work for the NHS and various charities and cares deeply about helping the communities we live in become more aware of the growing threat.
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ Linkedin: https://www.linkedin.com/company/35703565/admin/ 
Twitter: https://twitter.com/podcast_cyber  
  

    CSCP S01E03 - P1 - Lisa Forte - Social Engineering - Police to Private

    Play Episode Listen Later Jul 25, 2021 30:00


    CSCP is bringing back season 1 in a newly remastered version. This is the first of a two-episode conversation with Lisa Forte. We have all heard about social engineering, but as Lisa explains it can be so much simpler than we all think, and virtually every conversation could put you in danger...

The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

This conversation is broken down into two parts; this is the first part of the interview with Lisa Forte, a social engineer and a fellow Italian. Lisa rose through the ranks of the police and then took social engineering into the commercial world. The episode is full of stories and will keep you gripping your chair to know more. The second episode will follow.

Bio
Lisa Forte is a partner at Red Goat Cyber Security, keynote speaker, vlogger, winner of the "Top 100 Women In Tech" award, and a social engineering and insider threats expert. She is passionate about cybersecurity, social engineering and, most importantly, helping organisations establish effective and lasting cultural change amongst staff. Lisa is an established keynote speaker and is hired to speak around the world, sharing her stories and experiences of social engineering, cybercrime and wargaming. She is a passionate and energetic public speaker, recently appearing at conferences such as IPExpo Europe, London Law Expo, Voxxed Days, International Security Expo, MarineTech China and Secure Computing Dublin. Lisa also does a lot of pro-bono security work for the NHS and various charities and cares deeply about helping the communities we live in become more aware of the growing threat.
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ Linkedin: https://www.linkedin.com/company/35703565/admin/ 
Twitter: https://twitter.com/podcast_cyber  
  

    CSCP S01E02 - Chris Hodson - Becoming a CISO with the head in the Cloud

    Play Episode Listen Later Jul 24, 2021 40:00


    CSCP is bringing back season 1 in a newly remastered version. Chris will join us again in season 3, which is now in recording. We talk all things leadership, risk and compliance with Chris Hodson, CISO at Tanium. After 17 years in cybersecurity, as well as talking all things cyber, Chris describes the route he took to become a CISO and opens up on how to communicate with others in a similar position.

The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

Chris is a CISO with 20 years of experience working in technology roles. He builds and runs security organisations that help companies reduce IT and cybersecurity risk. Chris has served as a trusted advisor to executives and board members, helping them define well-balanced strategies for managing risk and improving business outcomes. He has worked as a CISO, architect, designer, engineer and DPO for market-leading companies in the energy, retail, media, technology and financial services industries.
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ Linkedin: https://www.linkedin.com/company/35703565/admin/ 
Twitter: https://twitter.com/podcast_cyber  
  

    CSCP S01E01 - Daniel Card - From architect to hacker

    Play Episode Listen Later Jul 12, 2021 59:00


    CSCP is bringing back season 1 in a newly remastered version. In this episode we talk about all things cyber, from how to establish yourself in the industry to how not being allowed to play Doom when he was just eight years old led Daniel to become a hacker and eventually embark on a career in cybersecurity. Daniel is a hacker by day and by night, creator of the pwndefend CTF, Hackermouse, and many other CTFs. He is also a massive supporter of the community and was one of the first to take part in the podcast.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

Bio:
Daniel is an experienced technology and security consultant who combines technical and business skills. Daniel founded Xservus, a boutique consulting services organisation that uses modern approaches to tackle organisations' security challenges. Daniel is a very active member of the cybersecurity community on Twitter and well known for disrupting the status quo and demystifying LinkedIn sales pitches. You can find Daniel on Discord, ranting on Twitter, or working with friends in the community on CTF challenges, threat intelligence or random security research adventures. He also writes on itsm.tools, focusing on IT leadership and security. Daniel also founded and helped run the COVID cyber response team and has featured in a number of articles.
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ Linkedin: https://www.linkedin.com/company/35703565/admin/ 
Twitter: https://twitter.com/podcast_cyber  
  

    CSCP S02E44 - S2E44 AA-RE-CC-AR - Season 2 Finale - Hacking podcast around the world

    Play Episode Listen Later Jun 27, 2021 57:38


      We reached the milestone of 50 episodes with this season 2 finale and celebrated with a live session with three podcasts from around the world. This is the recorded session of the live. Francesco Cipollone interviews three hosts of cyber podcasts: Chris Cochran of Hacker Valley Studio, Allan Alford of the Cyber Ranch Podcast, and Ashish Rajan of the Cloud Security Podcast. The four discuss the labour of love that is podcasting, hacks for growing an audience, dream guests, post-processing, the most memorable episodes, and scouting bigger and bigger guests. All agree that passion and consistency are key to a successful podcast.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

0:00 Intro
0:47 Introducing Chris, Allan, Ashish
3:45 How similar are AppSec and CloudSec
4:03 Chris's past year podcasting
5:48 Allan's past year podcasting
7:16 Ashish's past year podcasting
9:52 Behind the scenes
17:46 Passion and consistency
19:26 Post-processing and editing
24:45 Most memorable episodes
32:08 Perks of having a podcast
35:55 Ambitions, goals, dream guests
37:34 Business side of cybersecurity
41:32 Scouting guests
51:09 How to connect and final positive message
57:17 Outro

Chris Cochran, host of Hacker Valley Studio https://hackervalley.com Twitter @chriscochrcyber https://www.linkedin.com/in/chriscochrancyber/
Allan Alford, host of the Cyber Ranch Podcast https://allanalford.com/the-cyber-ranch-podcast https://hackervalley.com/cyberranch/ Twitter @AllanAlfordinTX https://www.linkedin.com/in/allanalford/
Ashish Rajan, host of the Cloud Security Podcast https://www.cloudsecuritypodcast.tv Twitter @hashishrajan
Francesco Cipollone, Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday cybercloudpodcast.com Twitter @FrankSEC42

Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E43 - Sam Stepanyan - Hacking Owasp and Nettacker stories

    Play Episode Listen Later Apr 24, 2021 52:24


    Sam Stepanyan is an independent application security consultant and Chapter Leader of OWASP London. Sam explains the history and purpose of OWASP (the Open Web Application Security Project), a non-profit best known for its Top 10 list of web application security risks. Francesco and Sam also discuss Nettacker, virtual hackathons and meetups, and the various ways to explain the importance of security to developers.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

0:28 Introducing Sam Stepanyan
2:00 OWASP
4:32 Progress in security
12:16 Security at startups
14:15 Tools to explain security to developers
17:10 Rapid threat modelling
25:00 Open source tools
31:10 OWASP meetups and hackathons
27:14 Nettacker
41:55 Google Summer of Code paid internship
50:53 Final positive message
51:54 Connecting with Sam
52:24 Outro

Sam Stepanyan Twitter @securestep9 sam.stepanyan@owasp.org https://securestep9.medium.com https://www.linkedin.com/in/samstepanyan/?originalSubdomain=uk
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E42 - Karla Reffold - Supply Chain Attacks and SolarWinds

    Play Episode Listen Later Apr 18, 2021 29:40


    Karla Reffold is the COO of Orpheus, the founder of BeecherMadden, and a contributor at Forbes. Francesco and Karla discuss supply chain issues, the SolarWinds supply-chain attack and its consequences, other recent security breaches, and privacy concerns while working from home.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

0:28 Introducing Karla
2:13 Cybersecurity advice
3:15 SolarWinds attack and supply chain issues
8:30 Security soft skills
12:47 Breaking stereotypes of professions
19:16 Work-from-home privacy concerns
23:07 Risk management maturity
27:52 Final positive message
29:40 Outro

Karla Reffold Twitter @karla_reffold https://www.linkedin.com/in/karlareffold/ https://www.karlajobling.com
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E41 - Guy Podjarny - Security vs DEV - Fireside Chat with the Snyk CoFounder

    Play Episode Listen Later Apr 11, 2021 49:38


    Guy Podjarny is the Co-Founder and President of Snyk, which focuses on securing open-source code. Guy is an author, speaker, podcaster, ex-CTO at Akamai, founder of Blaze, and a startup advisor and investor. Francesco and Guy discuss the state of the industry, what it means to be empathetic and empowering, and how to create a fantastic company culture.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

0:28 Introducing Guy
4:50 State of the industry
8:10 AppSec vs cloud-native AppSec
11:45 Shifts in cybersecurity
17:00 Empathy, service, and empowerment
24:50 Snyk
30:22 Vulnerability management
37:48 Journey from CTO to security
41:45 Company culture
46:14 Diversity in cybersecurity
47:30 Final positive message
49:38 Outro

Guy Podjarny Twitter @guypod https://www.linkedin.com/in/guypo/?originalSubdomain=uk https://snyk.io The Secure Developer Podcast https://www.devseccon.com/the-secure-developer-podcast/
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E40 - Eddie Jaoude - Security vs DEV P2 - The revenge of the DEV

    Play Episode Listen Later Apr 2, 2021 37:00


    Eddie Jaoude is an open source expert, a GitHub Star 2020, a passionate DevRel, and a YouTuber with 18,000+ subscribers. Eddie and Francesco continue their conversation about how security and developer teams can work better together. They also discuss Eddie's growing online community and the importance of diversity and inclusion in the industry.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

0:38 Introducing Eddie Jaoude
3:55 Mentoring
6:50 COVID effects on Eddie's community
10:20 Collaboration first, code second
22:10 Building a positive online presence
26:40 Diversity and inclusion
37:15 Outro

Eddie Jaoude Twitter @eddiejaoude https://www.youtube.com/c/eddiejaoude/about https://www.eddiejaoude.io/ Instagram @eddiejaoude
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E38 - Craig Ford - From Architect to hacker

    Play Episode Listen Later Mar 28, 2021 31:00


    Craig Ford, author of 'A Hacker, I Am', is an architect turned hacker. Craig talks about cybersecurity, the industry and working together, as well as covering the basics and how to get started in cloud and cybersecurity.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

    CSCP S02E38 - Aj Yawn - I Declare war on boring compliance

    Play Episode Listen Later Mar 21, 2021 47:00


    AJ Yawn is a LinkedIn Top Voice 2020, a veteran, and the Co-Founder and CEO of ByteChek, whose goal is to "make compliance suck less." AJ shares what it takes to be a successful entrepreneur, how to take calculated risks, and why you need to start taking advantage of LinkedIn right now before it's too late!

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

0:38 Introducing AJ Yawn
3:57 Overview of the industry
7:06 Compliance and automation
10:50 From consulting to entrepreneur
13:35 Leaving the corporate world
26:10 Networking on LinkedIn
33:00 Final positive message
47:00 Outro

AJ Yawn https://www.linkedin.com/in/ajyawn/ https://www.infosecurity-magazine.com/profile/aj-yawn/ https://www.bytechek.com
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E37 - Martin Knobloch - And that is how you start in cyber

    Play Episode Listen Later Mar 14, 2021 43:36


    Martin Knobloch is a Global AppSec Strategist at Micro Focus and the Chapter Leader of OWASP (the Open Web Application Security Project) in the Netherlands. OWASP provides free resources and tools in the field of web application security. Francesco and Martin discuss the challenges of working with DevOps and the importance of writing secure code from the start of a project. Don't fix the symptoms, fix the cause.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/alpha

0:38 Introducing Martin Knobloch
2:40 OWASP
9:00 Challenges with DevOps
21:05 Advice for security professionals
26:30 Need for regulation
31:00 Communicating code
37:55 SKF - Security Knowledge Framework
43:28 Final positive message
43:36 Outro

Martin Knobloch @knoblochmartin https://owasp.org/www-board-candidates/martin_knobloch https://www.linkedin.com/in/martin-knobloch/?originalSubdomain=nl
OWASP SKF Security Knowledge Framework https://owasp.org/www-project-security-knowledge-framework/
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E36 - Michael Fraser - From Airforce combat to Cyber combat

    Play Episode Listen Later Mar 6, 2021 32:00


    Michael Fraser is the Co-founder, CEO, and Chief Architect at Refactr, a Seattle-based DevSecOps software startup. He is an Air Force veteran, serial entrepreneur, and expert in cloud and cybersecurity. Francesco and Michael discuss their concern and apprehension around low code, no code, and citizen developers.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart https://www.securityphoenix.com and get a free 30-day licence quoting CSCP https://landing.securityphoenix.com/register-phoenix

0:38 Introducing Michael Fraser
6:55 Interest in security and IT
11:20 Impact of the pandemic
13:38 Automation
20:05 Vulnerability management
22:30 Citizen developers
32:10 Low code
38:30 Final positive message
41:10 Outro

Michael Fraser Twitter @itascode https://www.linkedin.com/in/itascode/
Refactr https://www.refactr.it @RefactrIT https://www.linkedin.com/company/refactr/
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E35 - Caleb Sima - tell me more about your pentest patent

    Play Episode Listen Later Feb 28, 2021 43:36


    Caleb Sima started his first tech company at only nineteen years old and is currently the VP of Security at Databricks. Caleb is a technologist at heart but had to learn how to manage people as his career progressed. Caleb shares his insights on the industry, no-code tools, and venture capital.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appsecsmart

0:38 Introducing Caleb Sima
5:06 Starting SPI Dynamics
9:43 Venture capital
14:04 Getting hired at Databricks
20:35 Cybersecurity and machine learning
24:15 Zero trust and cloud authorization
27:45 Hyper-growth Silicon Valley tech companies
32:00 No-code capability
38:29 Risk management
40:50 Final positive message
43:36 Outro

Caleb Sima Twitter @csima https://www.linkedin.com/in/calebsima/ https://github.com/csima
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com

    CSCP S02E34 - Ian Murphy - That line is too light, let me make it blunt

    Play Episode Listen Later Feb 21, 2021 40:15


    Ian Murphy is the Vice President of LMNTRIX and CEO of CyberOff. Ian has been working in the industry for over 30 years and his goal is to make cybersecurity a little less dull. Ian shares his early interest in computers and how he has seen the industry grow and change.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appseceasy

0:38 Introducing Ian Murphy
3:45 COVID-related security
7:55 Being authentic and human
14:45 Making social media videos
19:06 Early interest in computers
24:00 Best way to learn
27:44 Tinkerer vs hacker
29:56 Advice for newbies
39:26 Final positive message
40:15 Outro

Ian Murphy Twitter @CyberIanUK https://www.linkedin.com/in/ianmurphy/?originalSubdomain=uk https://www.lmntrix.com https://cyberoff.co.uk
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://www.cybercloudpodcast.com

    CSCP S02E33 - Jake Moore - Google, how do I hide a body?

    Play Episode Listen Later Feb 14, 2021 40:20


    Jake Moore formerly worked for Dorset Police in the Cyber Crime and Digital Forensics Department. He is now the spokesperson for ESET and a cybersecurity specialist. In this episode, Francesco and Jake discuss paying ransoms, the security threats raised by the pandemic, and investigating murderers' laptops.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appseceasy

0:38 Introducing Jake Moore
5:30 Putting a face to a company
6:40 Phishing and smishing
10:56 Psychology: Myers-Briggs
14:11 Working for the police
17:00 Working during the pandemic
24:00 To pay or not to pay the ransom
28:45 Investigating murder
39:28 Final positive message
40:20 Outro

Jake Moore Twitter @Jake_MooreUK https://jakemoore.uk https://www.linkedin.com/in/jakecyber/
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://www.cybercloudpodcast.com

    CSCP S02E32 - Sasha Rosenbaum - GitHub does it again with CodeQL - find out cyber and dev

    Play Episode Listen Later Feb 7, 2021 37:44


    Sasha Rosenbaum is a Sr. Product Manager at GitHub, a former developer, and an organizer of the DevOpsDays conference. Francesco and Sasha vent some of the frustrations of explaining security threats to developers and engineers who are more focused on creating and coding. Sasha also explains GitHub's CodeQL, a semantic code analysis engine. Note: Sasha has since moved to Red Hat.

The episode is brought to you by Security Phoenix Ltd: with the AppSec Phoenix platform you can make application security and software development finally easy. Follow the tag #appseceasy

0:38 Introducing Sasha Rosenbaum
3:10 Communicating security issues
10:32 GitHub CodeQL
15:15 Security starts with developers and engineers
19:40 Testable code is better
26:55 Demystifying, not fear mongering
31:02 Biggest frustrations in security
36:22 Final positive message
37:44 Outro

Sasha Rosenbaum Twitter @DivineOps Organizer @DevOpsDaysChi Linkedin: https://www.linkedin.com/in/sasha-rosenbaum/ https://www.sasharosenbaum.com
Cyber Security and Cloud Podcast #CSCP #cybermentoringmonday http://cybercloudpodcast.com
