The SilverLining podcast was created to help you find the right combination of people, processes and technologies to build more secure and reliable services. We focus on the latest developments in infrastructure and software development and talk with the people who have mastered securing them. In eac…
Guest: Vladi Sandler, Co-Founder & CEO, and Gafnit Amiga, VP of Research, Lightspin Topic: Researching the security mechanisms of the cloud giants Language: English Abstract The leading cloud providers now store a growing share of human knowledge and business data, so their services have to be top notch in security, and most of the time they really do provide very resilient security services. But every now and then a talented security researcher finds vulnerabilities even in the most mature services. In this episode we spoke with Vladi Sandler and Gafnit Amiga from Lightspin about the AWS RDS vulnerability they recently discovered, the process of researching cloud provider vulnerabilities, and how to do responsible disclosure. As a bonus, we also discussed the open-source tools released by Lightspin and how they can help organizations protect their cloud resources. Links: https://blog.lightspin.io/aws-rds-critical-security-vulnerability https://recon.cloud - Free CNAPP tool https://github.com/lightspin-tech/red-detector - EC2 vulnerability scanner https://github.com/lightspin-tech/red-kube - K8s adversary emulation
Guest: Boris Gorin Guest Title: CEO & Co-Founder at Canonic Topic: Analyzing SaaS Application Threats Language: English Abstract The security incidents of 2022 proved that SaaS services present major security challenges for organizations, and as SaaS adoption grows, more attack vectors are being discovered. In this episode we spoke with Boris Gorin, Co-Founder and CEO at Canonic, about the attack vector of malicious apps inside SaaS services and the Canonic AppTotal portal for analyzing third-party applications.
Guest: Guy Flechter Guest Title: CEO & Co-Founder at Cider Security Topic: Threats to the CI/CD pipeline Language: English Abstract The main attraction of the cloud for most organizations is the ability to produce scalable and resilient applications faster. One of the main foundations for that is the ability to create CI/CD pipelines that automate the integration of new code into the existing code base and its deployment to the various testing and production environments. But as organizations continue to adopt CI/CD, attacks on the pipelines are increasing. In this episode we spoke with Guy Flechter, Co-Founder and CEO at Cider Security, about the threats and risks relevant to CI/CD, incidents that happened in the past, and what we can learn from them.
Guest: Rob Hirschfeld Guest Title: CEO & Co-Founder at RackN Topic: Automating Infrastructure Pipelines Language: English Abstract In modern applications, infrastructure automation is an important piece of the puzzle. Performing infrastructure management and security tasks manually, at the volume modern applications require, will almost certainly lead to mistakes, misconfigurations and non-compliant platforms. In this episode we spoke with Rob Hirschfeld, CEO and Co-Founder at RackN, about infrastructure as code and how organizations should automate their infrastructure pipeline.
Guest: Leonid Sandler Guest title: CTO, Armosec Topic: Securing K8s Deployments Language: English Abstract As Kubernetes (K8s) adoption grows and matures, we sat down with Leonid Sandler, CTO and Co-Founder of ARMO, to talk about K8s security, starting from the shared responsibility model, going through initial configuration and deployment, and all the way to building a runtime protection solution. ARMO GitHub page (Kubescape) - https://github.com/armosec/kubescape
Guest: Niv David Guest title: Customer Cyber Security Director, Ericsson North America; Fellow & Lecturer, Yuval Ne'eman Workshop for Science, Technology and Security, Tel-Aviv University Language: English Abstract The 5th generation of cellular networks is not just an upgrade of previous generations such as LTE. 5G changes the cellular network's infrastructure, deployment, orchestration, operations and security. 5G infrastructure and private networks blur the traditional distinction between IT, 3GPP, Wi-Fi and cellular, providing incredible functionality while creating new challenges. In this episode we spoke with Niv David, Customer Cyber Security Director at Ericsson North America, about the innovation in 5G networks and how it is changing networking infrastructure and cloud usage.
Guest: Ravid Circus Guest title: Co-Founder & CPO, Seemplicity Language: English Abstract As organizations develop more software, in faster cycles, more responsibility lands on security teams, who hold full-stack responsibility for infrastructure, applications, IT services and many other aspects of the business. In this episode we spoke with Ravid Circus, Co-Founder and CPO at Seemplicity, to understand how security teams can scale their risk reduction efforts efficiently and work productively with their counterparts by using digital workflows for security operations.
Guest: Alex Gestin Guest title: CISO, Riseup Language: English Abstract The growing number of fintech companies represents a shift in the market from traditional banking and financing to new models and tools powered by technology. But fintech companies face a security challenge: they need to provide customers and financial partners with assurance and security at the level of giant institutions while still being young and small companies. In this episode we spoke with Alex Gestin, CISO at Riseup, about the challenges fintech companies face and how Riseup builds environments that earn assurance and trust from regulators, consumers and other banks.
Guest: Yan Michalevsky Guest title: Co-Founder and CTO at Anjuna Language: English Abstract Confidential computing is one of the more interesting technologies being developed today. Combining secure hardware features and advanced cryptography with tight virtualization integration lets us protect data in untrusted environments and defend against very elusive threats such as government access and malicious insiders. In this episode we spoke with Yan Michalevsky, Co-Founder and CTO at Anjuna, about confidential computing and why we should pay attention to it.
Guest: Oren Penso Guest title: Senior Product Line Manager, VMware Language: English Abstract As K8s adoption grows and flourishes, organizations are starting to ask themselves how they should manage the complex network settings inside K8s. Service mesh is a technology that adds a layer of networking and security capabilities on top of a traditional K8s environment. In this episode we discuss service mesh technology, its past and its future, with Oren Penso, Senior Product Line Manager at VMware, who shared interesting insights on the future of networking and microservices architecture.
Guest: Alex Peleg Guest title: Co-founder and CVO at Cynergy Language: English Abstract Small and medium businesses are currently the most vulnerable sector in the market. They lack the knowledge and awareness to secure their own operations, and security vendors and IT service companies often neglect them. In this episode we spoke with Alex Peleg, CVO at Cynergy, about the challenges of securing SMBs and how regulators, security vendors and the security community should bridge the knowledge and awareness gap in the SMB market.
Guest: Omri Segev Moyal Guest title: Co-Founder and CEO at Profero Language: English Abstract Incident response and forensics for cloud breaches is one of the most challenging topics in information security. In this episode (recorded August 2021), Omri Segev Moyal, Co-Founder and CEO at Profero, shares fascinating stories from recent incidents his team was involved in and provides insights, recommendations and best practices that are truly eye-opening for any organization.
Guest: David W. Schropfer Guest Title: Host of DIY Cyber Guy Podcast Abstract: Many IT and security professionals are asking what the best way is to enter the world of cloud computing. In this episode we continue our conversation with David W. Schropfer of the DIY Cyber Guy podcast about cloud computing career paths.
Guest: David W. Schropfer Guest Title: Host of DIY Cyber Guy Podcast Abstract: Many IT and security professionals are asking what the best way is to enter the world of cloud computing. In this episode we had the privilege of cooperating with David W. Schropfer from the successful DIY Cyber Guy podcast to discuss the career paths relevant to beginners or experienced professionals who wish to explore how cloud computing can advance their careers.
Guest: Hemi Gur-Ary Guest Title: Co-Founder & CEO at VATA Abstract: Organizations around the world are struggling to build and mature their DevSecOps operations. DSOMM (the DevSecOps Maturity Model) is an OWASP project designed to help organizations plan and prioritize their DevSecOps strategies. In this episode, Hemi Gur-Ary, Co-Founder at VATA and senior DevSecOps consultant, shares his insights about DSOMM and how organizations can use it to reshape their DevSecOps practices.
Guest: Eran Leib (VP Product), Maor Goldberg (CEO) Guest Title: Founders at Apolicy (a Sysdig company) Abstract: Infrastructure and policy as code is one of the hottest topics in security today. In this episode we spoke with Eran and Maor, founders at Apolicy (acquired by Sysdig shortly after the recording), about cloud native security and how organizations should use automated policy templates to secure their CI/CD pipelines.
Guest: Adam Gavish Guest Title: Co-Founder and CEO, DoControl.io Topic: Protecting SaaS services using automation and continuous monitoring Abstract: SaaS services are blooming and organizations are adopting more and more of them. In this episode we hosted Adam Gavish, Co-Founder and CEO at DoControl, an innovative startup that is reshaping the way we govern and monitor SaaS applications, to talk about the business case for SaaS services, the market gaps, and how organizations should catalog, protect and monitor their SaaS portfolio.
Guest: Oz Avenstein Guest Title: Founder & CEO @ Avensec - Cloud & Application Security Topic: Securing API Services Abstract Application infrastructure is becoming more and more complex due to differing requirements, design patterns and technologies. In many cases one of those requirements is to connect other parties to our systems, and in others to connect our systems to other parties. Nowadays the most common way to do so is through Application Programming Interfaces (APIs). In this episode we spoke with Oz Avenstein, co-author of the CSA Security Guidelines for Providing and Consuming APIs, about how the guidelines were created and how organizations should secure access to API resources.
Guest: Gadi Naor Guest Title: VP Software Engineering, Cloud Security @ Rapid7 Topic: Cloud Native Security Foundations Abstract The CNCF (Cloud Native Computing Foundation) recently released the Cloud Native Security Whitepaper, its first release of security guidelines for organizations adopting cloud native approaches. To better understand the guidelines, we hosted Gadi Naor, VP Software Engineering, Cloud Security @ Rapid7 and co-author of the whitepaper, for a conversation about what cloud native security is and why and how organizations should adopt this approach.
Guest: Tzachi Zornstain Guest Title: Co-Founder & CEO, Dustico Topic: Software Package Dependency Attacks Abstract Supply chain and software dependency attacks are becoming more popular, and organizations are having a hard time coping with these vectors. In this episode we spoke with Tzachi Zornstain, Co-Founder at Dustico, about the difference between malicious software and vulnerable software, and how organizations can securely use third-party software in the development of their own applications.
Guest: Yinon Costica Guest title: Co-Founder & VP Product, Wiz Abstract Wiz is the new star of the cloud security market, founded by veterans with a proven track record and having raised over $100M in less than a year of operations. In this episode we talked with Yinon Costica, Co-Founder and VP Product at Wiz, about cloud security challenges, how Wiz differs from others, and how they plan to disrupt the market.
Guest: Malgorzata (Gosia) Steinder Guest title: CTO of Hybrid Cloud Research, IBM Research Topic: Compliance automation and zero trust containers Abstract Continuous monitoring, containers, zero trust, confidential computing: these are all examples of technologies that will be a main focus in the upcoming years. In this episode we hosted Malgorzata (Gosia) Steinder, CTO of Hybrid Cloud Research at IBM, who shared her vision of how all these technologies should be integrated into highly secure application deployments. Links: NIST OSCAL standard: https://pages.nist.gov/OSCAL/ Automated compliance open source tool by IBM: https://github.com/IBM/compliance-trestle Security monitoring open source tool by IBM: https://www.ibm.com/blogs/research/2020/01/sysflow/ Workload identity: https://developer.ibm.com/solutions/security/articles/protecting-data-using-secret-management-trusted-service-identity/
Guest: Assaf Keren Guest Title: VP, Enterprise Cyber Security Company: PayPal Abstract PayPal is one of the most interesting organizations in the world in terms of security. The combination of its online presence and its unique line of business makes PayPal one of the most secure hi-tech companies and one of the most innovative financial institutions. In this episode we hosted Assaf Keren, VP of Enterprise Cyber Security, for a discussion about PayPal's cloud journey from traditional on-premises to the multi-cloud, multi-location giant it is now, and how COVID-19 is changing PayPal's digital journey with its customers and employees.
Guest: Asaf Hecht Guest Title: Security Research Team Leader Company: CyberArk Abstract With the growth of cloud services, more knowledge is being gathered on vulnerabilities and misconfigurations in cloud infrastructure, and a great deal of it comes from cloud security researchers. In this episode we host Asaf Hecht, Security Research Team Leader at CyberArk, for a conversation about cloud security research and the vulnerabilities his team has disclosed in various cloud vendors.
Guest: Ohad Maislish Guest Title: Co-Founder & CEO Company: env0 Abstract Infrastructure as code is one of the most interesting technologies in the market. It enables organizations to deploy heavy workloads within seconds and avoid risky configuration mistakes. In this episode we talked with Ohad Maislish, Co-Founder and CEO at env0, about infrastructure as code, how and where it is being used, and how env0 helps organizations make better use of it. Timing 0:00 Introducing our guest 2:26 What is infrastructure as code 10:16 Examples of practical IaC deployments 13:55 How IaC helps governance 19:20 IaC behind the scenes 25:18 IaC in a multi-cloud environment 28:40 Summary and last words
Guest: Benjy Portnoy Guest Title: Sr. Director, Solution Architects Company: Aqua Security Abstract A cloud-native security strategy entails protecting the infrastructure, the build, and the running workloads. In this episode we spoke with Benjy Portnoy, Sr. Director of Solution Architects at Aqua Security, about cloud-native security fundamentals. We also delve into various attacks identified in the recently published Cloud Native Threat Report by Aqua's security research team, Nautilus. Timing 0:00 Introducing our guest 2:50 What is cloud native security 5:11 Sorting out CWPP, CSPM and DevSecOps 8:01 Protecting the build, the platform and the workload 10:30 Understanding what CASB is 12:45 Diving into the Kinsing attack 29:11 Summary and last words
Guest: Eitan Satmary Guest Title: CISO Company: Tufin Abstract Being a CISO is challenging; being a CISO at a security vendor is even more challenging. In this episode we host Eitan Satmary, CISO at Tufin, to talk about the good and bad of being a CISO at a cyber security vendor: the CISO's ability to influence innovation and the product roadmap, and how the transition from an on-prem offering to a SaaS offering changed the company's security posture. Timing: 0:00 Introducing our guest 4:20 CISO in a security company: influencing the innovation team 10:30 The relationship between the CISO and the sales department 12:30 The company's journey of adding cloud capabilities 15:00 A CISO's first steps 20:11 Risk management considerations for SaaS companies 25:00 Summary and final thoughts
Guest: Arick Goomanovsky Guest title: Co-Founder & Chief Business Officer Company: Ermetic Abstract In cloud platforms, identity and permissions are the most important control customers get to implement. Network segmentation and other traditional controls are often ineffective, and access to resources is determined by a mixture of roles and policies that can become very complex and difficult to lock down. In this episode we host Arick Goomanovsky, Chief Business Officer at Ermetic, to discuss cloud identity and access challenges and to review real-life examples of what can happen when identity and access entitlements in cloud infrastructure are neglected. Mail to: info@ermetic.com Timing: 0:00 Introducing our guest and Ermetic 2:21 Understanding identity governance 4:40 Cloud identity challenges 10:55 Dealing with identity challenges by adding visualization and analysis of permissions 16:30 Who are the relevant organizational stakeholders? 22:01 Examples of IAM challenges and outbreaks 22:25 Example 1: Protecting sensitive resources 26:25 Example 2: Third-party access 29:49 Example 3: The visibility challenge when using SSO 31:30 Summary and final words
Guest: Ofer Maor Guest title: Co-Founder & CTO Company: Mitiga Abstract The recent increase in cloud-based attacks gives us an opportunity to examine new attack vectors and how attackers exploit new services. In this episode we talked with Ofer Maor, Co-Founder at Mitiga, about new attack vectors in cloud computing and how attackers exploit new services such as marketplaces, community repos and others. Timing: 0:00 Introducing our guest and Mitiga 3:32 Preparing for cloud incident response 7:15 Cloud attack vector - malicious AMIs 11:00 More attack vectors on marketplaces 13:18 GitHub attack vectors 18:15 Attack vector - business email compromise on Microsoft 365 25:44 How to mitigate cloud incidents 27:58 Summary and last words
Guest: Dalit Ben Israel Guest title: Partner, Head of IT & Data Protection Practice Company: Naschitz Brandes Amir Abstract In the cloud era, the information security officer's new best friends are the lawyers in the legal department. Legal matters such as cross-border data transfers, contractual controls and privacy laws are becoming critical in cloud migrations. In this episode we talk with Dalit Ben Israel, Partner at Naschitz Brandes Amir (NBlaw), about the legal challenges of cloud computing: cross-border transfers, the rise of privacy laws, and proper contract management and monitoring. Timing: 0:00 - Opening 2:03 - Introduction of our guest 4:95 - Considerations of data center location and the effect of the Schrems II judgement invalidating the Privacy Shield 12:50 - The roles and responsibilities of cloud providers and customers 15:27 - Choosing cloud providers: why we need lawyers in the process, and the obligation to enter into DPAs 20:00 - Specific challenges with SaaS and agreements with sub-processors 22:12 - Negotiating cloud contracts: what are the challenges, and how to minimize risks 30:32 - Dispute resolution and venue of jurisdiction 33:24 - Ongoing contract monitoring 36:10 - Summary Connect with Dalit here: Email: marketing@nblaw.com Website: www.nblaw.com
This is a special episode where both of us (Moshe and Ariel, no guests this time) discuss the future of cloud computing and the challenges that still need to be solved. We take a detailed look at the shortage of manpower and knowledge, privacy laws and their influence on innovation, and technology challenges such as multi-tenancy, APIs, encryption, continuous monitoring and more. Agenda: Opening words (5 min) - introducing the podcast (Moshe / Ariel), introducing our guest (Ariel), introducing myself (Moshe), introducing the topic and context of the episode (Moshe). Security challenges - People: shortage in manpower (there are unfilled jobs for cyber professionals, especially in application security); shortage in knowledge (security professionals lag behind in learning new technologies). Process: malicious insiders, one of the biggest challenges for cloud providers; the shared responsibility model collapsing; privacy laws creating islands of data by limiting the transfer of data; jurisdiction, court orders and government access to data (as cloud providers host more data, they attract more and more government interest). Technology: API security best practices (there will be more and more APIs, and we have not mastered how to protect them); encryption and key management (the holy grail of holding your own encryption keys is fading); multi-tenancy (we don't have clear practices for building multi-tenant applications); identity-based access controls (network access controls are useless in cloud computing, but our ability to create granular identity-based access controls is not mature yet); continuous monitoring; automation and DevOps (security automation is still maturing, and we still don't know how to integrate developers and operations without breaking best practices); using the wrong tools. Closure (5 min) - Moshe summarizing, Ariel closing.
Guest: Shira Shamban Guest title: CEO & Co-Founder Company: Solvo Abstract In modern cloud environments, identity and access management controls are crucial. Many access decisions are now made not on the basis of network structure but of roles and permissions. In this episode we talk (again) with Shira Shamban, founder at Solvo, about cloud IAM challenges: why it is so hard to get IAM right, and how Solvo plans to revolutionize the IAM management process. Timing: 0:00 Introducing our guest 3:00 Introducing cloud identity challenges 6:20 Why role management is not enough 11:40 Why we fail to create least-privilege roles 15:10 How to manage IAM securely - the people angle 18:13 How to manage IAM securely - the process angle 21:08 How to manage IAM securely - the technology angle 31:08 Summary and last words
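Both the Ermetic episode above (roles and policies that become "very complex and difficult to lock down") and this one ("why we fail to create least-privilege roles") come down to the same thing: an AWS IAM policy document is hard to evaluate by eye. The following is an added example, written for this page and not code from the podcast, Ermetic or Solvo. It evaluates a constructed identity policy (the bucket name, Sids and the SENSITIVE_ACTIONS list are hypothetical) and makes two IAM rules concrete: an explicit Deny always wins, and a statement written with NotAction allows everything it does not list. Condition blocks and resource-based policies are ignored, which is a simplification of this example, not of IAM.

```python
"""Added example: evaluate and audit an AWS IAM identity policy for least-privilege problems.

Simplifications (assumptions of this example): Condition blocks, resource policies,
permission boundaries and SCPs are ignored; only Action/NotAction, Resource/NotResource
and Effect are evaluated.
"""
import fnmatch
import json

# Constructed sample policy; the bucket name and Sids are hypothetical.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        # Allows every action in every service except IAM, which is rarely what was meant.
        {"Sid": "Inverted", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "NoBucketDeletes", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})

# Actions worth a second look whenever a policy grants them (a starting list, not IAM's).
SENSITIVE_ACTIONS = ["iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole",
                     "secretsmanager:GetSecretValue", "kms:Decrypt"]


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_arn(pattern, arn):
    # ARNs are matched case-sensitively; '*' in fnmatch also crosses '/' like IAM does.
    return fnmatch.fnmatchcase(arn, pattern)


def statement_allows_action(stmt, action):
    """Does this statement's Action/NotAction clause cover `action`?"""
    if "NotAction" in stmt:
        return not any(_match_action(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_match_action(p, action) for p in _as_list(stmt.get("Action", [])))


def statement_covers_resource(stmt, arn):
    if "NotResource" in stmt:
        return not any(_match_arn(p, arn) for p in _as_list(stmt["NotResource"]))
    return any(_match_arn(p, arn) for p in _as_list(stmt.get("Resource", [])))


def is_allowed(policy_json, action, arn):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    stmts = _as_list(json.loads(policy_json)["Statement"])
    matching = [s for s in stmts
                if statement_allows_action(s, action) and statement_covers_resource(s, arn)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)


def audit_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements that defeat least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement{idx}")
        if "NotAction" in stmt:
            findings.append((sid, "NOT_ACTION"))
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions:
            findings.append((sid, "ADMIN_ACTION"))
        elif any("*" in a or "?" in a for a in actions):
            findings.append((sid, "WILDCARD_ACTION"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "WILDCARD_RESOURCE"))
        if any(statement_allows_action(stmt, a) for a in SENSITIVE_ACTIONS):
            findings.append((sid, "SENSITIVE"))
    return findings


if __name__ == "__main__":
    for sid, code in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {code}")
    print("ec2:TerminateInstances allowed?",
          is_allowed(SAMPLE_POLICY, "ec2:TerminateInstances",
                     "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"))
```

The evaluator is deliberately small, but it already shows the trap the Inverted statement hides: a role that looks scoped to S3 can terminate EC2 instances, because the NotAction statement grants every non-IAM action on every resource. Running `audit_policy` in a CI step against the policies in your Terraform or CloudFormation is a cheap first gate before the deeper analysis the episodes discuss.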
Guest: Dima Revelis Guest title: Senior DevOps Engineer Company: MoonActive Abstract DevSecOps is fast becoming the new buzzword for modern information security practices. In this episode we draw on Dima Revelis's expertise to dive deep into DevOps practices, what a CI/CD pipeline is, and which security tools are relevant to all these new practices. Timing: 0:00 - Introducing our guest 2:50 - What is DevOps 7:50 - What is a deployment pipeline 14:20 - What is CI and which security testing can be implemented 17:20 - What is CD and which security considerations apply 18:40 - Diving deeper into security testing: QA, code review, static and dynamic analysis 20:45 - So much automation, do we still need manual testing? 22:30 - Additional security aspects: using Jenkins, authentication and authorization, secret management 26:40 - Availability considerations and disaster recovery 33:30 - Summary and final words
Guest: Yoad Dvir Guest title: Security Lead, Central and Eastern Europe Company: Microsoft Abstract Microsoft's security portfolio has been growing and diversifying over the last couple of years, adding capabilities in various areas of information security. To better understand Microsoft's strategy and offering, we talked with Yoad Dvir, Cyber Security Lead at Microsoft, about Microsoft's new security pillars: monitoring, threat protection and information protection. Timing: 0:00 - Introducing our guest 5:45 - Introducing Microsoft's security strategy 12:50 - Security monitoring pillars - Azure Monitor, Sentinel, Azure analytics and more 21:10 - Microsoft Threat Protection family - Cloud App Security, O365 ATP, Defender ATP, Azure ATP 30:50 - Diving deeper into Cloud App Security 35:30 - Microsoft Information Protection 44:00 - Summary and last words
Guest: Liran Tal Guest title: Developer Advocate Company: Snyk Abstract Open source software plays a big part in our daily lives, and also in our development environments. Many application developers rely on open source libraries and tools and integrate them into their code. This is a great improvement for developers, allowing them to innovate quickly and efficiently, but all this good comes with a big responsibility: open source software should be carefully examined to make sure it is reliable. In this episode we talk with Liran Tal from Snyk about the growing importance of adding security evaluation of open source software to the development cycle. Timing: 0:00 Introducing our guest 5:50 What is the challenge of open source security 10:05 - Open source security - the people angle 16:00 - Open source security - the process angle 24:55 - Open source security - the technology angle 29:42 Summary and last words
Guest: Eran Feigenbaum Guest title: CSO, Oracle Cloud Abstract The first generation of cloud services began about 15 years ago and stretches until now, but it came with many built-in challenges due to lack of maturity and the fact that security was added on top rather than present from the start. In this episode we talk with Eran Feigenbaum, CSO of Oracle Cloud, about the next generation of cloud services: how we can build a cloud that is more secure and immune to misconfiguration and the other pitfalls of today's cloud services. Timing: 0:00 Introducing our guest 5:40 Generation one of cloud infrastructure 8:40 So what is second generation cloud infrastructure 10:30 How Oracle plans to change the cloud market 11:40 How second generation cloud services can help with common mistakes such as misconfiguration 13:35 What cloud providers should do to increase security 16:05 How cloud providers can be proactive with their customers 19:00 Handling misconfiguration such as open buckets and lost API keys 23:40 Summary and last words
Guest: Menny Barzilay Guest title: Partner @ Herzog Strategic; CTO, ICRC, Tel Aviv University Abstract For our 20-ish episode we spoke with a very special guest, the one and only Menny Barzilay. Menny is one of the most interesting speakers in the cyber landscape; he is an expert in simplifying complex concepts, weaving interesting stories and great examples into a stimulating review of the technology challenges we face as a community. In this episode we talk with Menny about privacy: why it is so hard to define what exactly privacy is in the modern age, what people miss about the concept of privacy, and how this affects our everyday lives. This talk will make you laugh, will make you sad, and will definitely make you think. We hope you enjoy listening to it as much as we enjoyed recording it. Comment: since this is more of a lecture than a regular podcast, we didn't add our regular detailed timing. Enjoy! Timing: 0:00 Introducing our guest 5:25 Privacy
Guest: Or Kamara Guest Title: Senior Team Lead Company: Snyk Abstract Cloud computing brings interesting new attack vectors. In this episode we talk with Or Kamara, Senior Team Lead at Snyk, about the Capital One hack and what can be learned from the event to better protect our networks. We analyze the attack step by step and add mitigating controls that can help prevent the next attack. Timing: 0:35 Introducing our guest 4:10 Introducing the story of the Capital One hack 5:45 The phases of the Capital One hack 7:50 The first misconfiguration - servers unintentionally exposed to the internet 11:05 The SSRF vulnerability and understanding the metadata service 19:38 Using the API keys to browse S3, and how to mitigate it 26:00 Things that Capital One did right, and additional insights 28:00 How should developers and IT 30:50 Shifting from a traditional security mindset to a cloud security mindset 36:00 Summary and final words
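The chain the episode walks through (SSRF against an internet-exposed server, a request to the EC2 instance metadata service, role credentials, then S3) has a well-defined break point on the instance side. IMDSv1 answers a plain GET on http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>, which is exactly the request an SSRF bug lets an attacker make. IMDSv2 requires a PUT with the X-aws-ec2-metadata-token-ttl-seconds header first and the returned token on every GET, which a GET-only SSRF cannot complete; on the instance this is enforced by setting MetadataOptions.HttpTokens to "required". The following is an added example for this page, not code from the podcast or Snyk. It audits a constructed sample in the shape of the boto3 `ec2.describe_instances()` response (the instance IDs are hypothetical), produces the keyword arguments for the real `modify_instance_metadata_options` call without making it, and adds an application-side check that refuses to fetch URLs pointing at the metadata service.

```python
"""Added example: find EC2 instances that still allow IMDSv1 and block SSRF targets at the app.

Assumptions: the data shape mirrors boto3 ec2.describe_instances()["Reservations"];
no AWS calls are made, so it runs offline.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed sample; instance IDs are hypothetical.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa0000000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0aaa0000000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
    ]},
    {"Instances": [
        # Endpoint disabled: nothing answers on 169.254.169.254, so not exposed.
        {"InstanceId": "i-0aaa0000000000003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        # v2 enforced, but hop limit 2 lets containers on the host reach IMDS too.
        {"InstanceId": "i-0aaa0000000000004",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
    ]},
]


def iter_instances(reservations):
    for reservation in reservations:
        yield from reservation.get("Instances", [])


def _enabled_options(inst):
    opts = inst.get("MetadataOptions", {})
    return opts if opts.get("HttpEndpoint") == "enabled" else None


def find_imdsv1_exposed(reservations):
    """Instances whose metadata endpoint is on and still answers token-less (v1) GETs."""
    return sorted(inst["InstanceId"] for inst in iter_instances(reservations)
                  if (opts := _enabled_options(inst)) and opts.get("HttpTokens") != "required")


def find_excess_hop_limit(reservations, max_hops=1):
    """Hop limit above 1 lets the token PUT response cross a network hop (e.g. into a
    container with its own network namespace). Legitimate for container hosts; review it."""
    return sorted(inst["InstanceId"] for inst in iter_instances(reservations)
                  if (opts := _enabled_options(inst))
                  and opts.get("HttpPutResponseHopLimit", 1) > max_hops)


def remediation_calls(reservations):
    """Keyword arguments for ec2.modify_instance_metadata_options(), one per exposed instance."""
    return [{"InstanceId": iid, "HttpEndpoint": "enabled", "HttpTokens": "required"}
            for iid in find_imdsv1_exposed(reservations)]


# Application-side defence in depth for code that fetches user-supplied URLs.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}


def targets_instance_metadata(url):
    """True if the URL's host is the IMDS address or any link-local address."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host.lower() in IMDS_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_link_local
    except ValueError:
        # A DNS name: resolve it and re-check the address before following it,
        # and apply the same check to every redirect hop.
        return False


if __name__ == "__main__":
    print("IMDSv1 still allowed:", find_imdsv1_exposed(SAMPLE_RESERVATIONS))
    print("Hop limit above 1:", find_excess_hop_limit(SAMPLE_RESERVATIONS))
    for kwargs in remediation_calls(SAMPLE_RESERVATIONS):
        print("ec2.modify_instance_metadata_options(**%r)" % kwargs)
```

Requiring IMDSv2 does not shrink what the role can do once credentials are obtained by other means, which is why the S3 permissions granted to the role (the "19:38" segment) need the least-privilege treatment from the IAM episodes as well; the two controls are complementary.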
Guest: Bar Hofesh Guest Title: Co-Founder Company: NeuraLegion Abstract Application security is among the hardest things to get right. In this episode we talk with Bar Hofesh from NeuraLegion about the world of automated security testing: what the challenges are, what the different stages of integration and delivery are, and how to perform each stage correctly. Timing: 0:50 - Introducing our guest 2:58 - The need to automate security testing - the challenge of developing faster 7:15 - So what is testing automation - describing the process, the code integration stage 13:50 - Security testing in the packaging and delivery stage 18:50 - Testing the live application 20:20 - AppSec findings strategy - what to do when an alert is found 22:20 - Static analysis vs. dynamic analysis 24:58 - Emerging technologies - RASP, IAST 30:50 - Is there still room for manual penetration testing? 34:05 - Summary and last words
Guest: Oz Avenstein Guest Title: Founder Company: Avensec Abstract Penetration tests are one of the strongest controls we use. They test the overall resilience of our application and allow us to be more confident in our workloads. But in the cloud era, penetration testing of cloud applications needs to be coordinated with the providers. In this episode we talk with Oz Avenstein, an application security expert, about the challenges of cloud penetration testing and how to do it correctly. Timing: 0:50 Introducing our guest 3:40 How are cloud penetration tests different from regular pen tests? 5:01 Elaborating on the particular pen test policies of IaaS/PaaS providers 8:45 Pen testing SaaS applications 11:05 Relying on third-party pen testing 12:02 Cloud pen test considerations and phases 17:35 The actual pen testing 21:20 The reporting phase 23:40 Incorporating pen tests into the application development cycle 34:00 Summary and last words
022 How to add open source code to your applications, securely
Guest: Ori Troyna Guest title: Global Head of Product Security Company: PayU Abstract PayU, a global fintech giant, acquired Zooz, a small payment startup. In this episode we talk with Ori Troyna, Global Head of Product Security at PayU, about the challenges of a merger between two very different companies with different engineering methodologies, and how they cope with those challenges. Timing: 1:14 Ori introduces himself 11:40 Challenges of merging small companies into financial giants - integrating different technology stacks into one 18:33 How to build an organizational structure that consolidates the different companies and technology stacks 21:30 Understanding PayU's acquisition considerations and their effect on security 27:00 Solving the consolidation challenges - the people angle: moving to tribes and clans and providing security goals 34:30 The difference between product security and IT security 36:00 Solving the consolidation challenges - the process angle: how to integrate different tribes and clans to create one joint development backlog and mature DevOps 46:40 Solving the consolidation challenges - the technology angle: building global infrastructure that supports multiple projects 53:22 Summary and last words
Guest: Tal Arad Guest title: Former CISO Company: CEVA Logistics Abstract Consuming SaaS from various vendors can be a challenging task: the first challenge is to distinguish the mature providers you can trust with your data, and the second is auditing them and their services. In this episode we talk with Tal Arad, former CISO of CEVA Logistics, about the challenges of selecting SaaS providers and how to audit them wisely. Timing: 0:35 Introducing our guest 2:30 Introducing CEVA Logistics and the CISO's challenges 5:55 How to get started as a new CISO 9:20 Challenges with SaaS providers - distinguishing between mature and immature providers 16:15 Tips for selecting SaaS providers 22:30 What happens when something goes wrong, and choosing providers carefully 24:50 Tips for managing ongoing relationships with SaaS providers 34:27 Summary and final words
Guest: Oded Hareven Guest title: Founder & CEO Company: Akeyless Abstract Application secret management is becoming one of the biggest challenges in application security. With cloud, CI/CD and microservices architectures we find ourselves using a growing number of encryption keys, API keys, SSH keys, tokens and connection strings. In this episode we talk with Oded Hareven, Founder at Akeyless, about the challenges of secret management and how to build a secure secret management solution. Timing 0:00 Intro and introducing our guest 1:40 Application secret management - defining what a secret is, and what secret management is 6:00 Challenges with encryption keys 9:47 How to handle application secret management and encryption keys - requirements and best practices 12:25 Zero trust in key management - what it means and how to implement it 20:10 The process of integrating keys with the cloud platform 25:35 The Akeyless approach and the state of the market 27:35 Summary and conclusions