Podcast appearances and mentions of Chris Romeo

  • 21 podcasts
  • 40 episodes
  • 41m average episode duration
  • 1 new episode per month
  • Latest episode: Apr 17, 2025

Popularity chart (by year, 2017 to 2024; not reproduced)



Latest podcast episodes about Chris Romeo

ITSPmagazine | Technology. Cybersecurity. Society
Vibe Coding: Creativity Meets Risk in the Age of AI-Driven Development | A Conversation with Izar Tarandach | Redefining CyberSecurity with Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Apr 17, 2025 | 35:52


Guest: Izar Tarandach, Sr. Principal Security Architect for a large media company | On LinkedIn: https://www.linkedin.com/in/izartarandach/
Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

Episode notes

In this episode of Redefining CyberSecurity, host Sean Martin sits down with Izar Tarandach, Senior Principal Security Architect at a major entertainment company, to unpack a concept gaining traction across some developer circles: vibe coding.

Vibe coding, as discussed by Izar and Sean, isn't just about AI-assisted development—it's about coding based on a feeling or a flow, often driven by prompts to large language models (LLMs). It's being explored in organizations from startups to large tech companies, where the appeal lies in speed and ease: describe what you want, and the machine generates the code. But this emerging approach is raising significant concerns, particularly in security circles.

Izar, who co-hosts the Security Table podcast with Matt Coles and Chris Romeo, calls attention to the deeper implications of vibe coding. At the heart of his concern is the risk of ignoring past lessons. Generating code through AI may feel like progress, but without understanding what's being written or how it fits into the broader architecture, teams risk reintroducing old vulnerabilities—at scale.

One major issue: the assumption that code generated by AI is inherently good or secure. Izar challenges that notion, reminding listeners that today's coding models function like junior developers—they may produce working code, but they're also prone to mistakes, hallucinations, and a lack of contextual understanding. Worse yet, organizations may begin to skip traditional checks like code reviews and secure development lifecycles, assuming the machine already got it right.

Sean highlights a potential opportunity—if used wisely, vibe coding could allow developers to focus more on outcomes and user needs rather than syntax and structure. But even he acknowledges that, without collaboration and proper feedback loops, it's more of a one-way zone than a true jam session between human and machine.

Together, Sean and Izar explore whether security leaders are aware of vibe-coded systems running in their environments—and how they should respond. Their advice: assume you already have vibe-coded components in play, treat that code with the same scrutiny as anything else, and don't trust blindly. Review it, test it, threat model it, and hold it to the same standards.

Tune in to hear how this new style of development is reshaping conversations about security, responsibility, and collaboration in software engineering.

Sponsors: LevelBlue: https://itspm.ag/attcybersecurity-3jdk3 | ThreatLocker: https://itspm.ag/threatlocker-r974

Resources:
  • Inspiring LinkedIn post: https://www.linkedin.com/posts/izartarandach_sigh-vibecoding-when-will-we-be-able-activity-7308105048926879744-fNMS
  • Security Table Podcast, "Vibe Coding: What Could Possibly Go Wrong?": https://securitytable.buzzsprout.com/2094080/episodes/16861651-vibe-coding-what-could-possibly-go-wrong
  • Webinar, "Secure Coding = Developer Power," an ITSPmagazine webinar with Manicode Security: https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

Redefining CyberSecurity
Vibe Coding: Creativity Meets Risk in the Age of AI-Driven Development | A Conversation with Izar Tarandach | Redefining CyberSecurity with Sean Martin

Redefining CyberSecurity

Apr 17, 2025 | 35:52



Application Security PodCast
Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications

Application Security PodCast

Oct 1, 2024 | 36:32


Join hosts Chris Romeo and Robert Hurlbut on the Application Security Podcast as they welcome back Steve Wilson, author of "The Developer's Playbook for Large Language Model Security." In this episode, they dive into critical topics such as AI hallucinations, trust, and the future of AI. Steve shares insights from his book and discusses the biggest fears surrounding AI and LLMs. He also provides practical advice on security boundaries, LLM-specific security testing tools, and the evolving landscape of AI technologies.

Links:
  • The Developer's Playbook for Large Language Model Security by Steve Wilson
  • Find Steve on LinkedIn

Previous episodes:
  • Steve Wilson -- OWASP Top Ten for LLMs
  • Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Applications Release

Two people Steve recommends you look up:
  • Chris Voss, former FBI negotiator and author of "Never Split the Difference"
  • Arshan Dabirsiaghi

Follow the show: Twitter: @AppSecPodcast | LinkedIn: The Application Security Podcast | YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Application Security PodCast
Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing

Application Security PodCast

Sep 17, 2024 | 52:08


Join Robert Hurlbut and Chris Romeo as they dive into the world of pen testing with their guest Phillip Wylie. In this episode, Phillip shares his unique journey from professional wrestling to being a renowned pen tester. Hear some great stories from his wrestling days, in-depth discussions on application security, and good advice on starting a career in cybersecurity. Whether you're interested in pen testing techniques, learning about security origin stories, or gaining insights into career development, this episode has something for everyone!

Books mentioned:
  • The Pentester Blueprint: Starting a Career as an Ethical Hacker by Phillip Wylie
  • The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto

Where to find Phillip:
  • Website: https://thehackermaker.com/
  • Podcast: https://phillipwylieshow.com/
  • X: https://x.com/PhillipWylie
  • LinkedIn: https://www.linkedin.com/in/phillipwylie/

Application Security PodCast
Steve Springett -- Software and System Transparency

Application Security PodCast

Aug 29, 2024 | 48:13


In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome back Steve Springett, an expert in secure software development and a key figure in several OWASP projects. Steve unpacks CycloneDX and the value proposition of the various BOMs it supports. He gives a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show, so we also learn a bit more about his hobbies, a personal glimpse into his life outside of technology.

Links from this episode:
  • https://cyclonedx.org/

Previous episodes with Steve Springett:
  • JC Herz and Steve Springett -- SBOMs and software supply chain assurance
  • Steve Springett -- An insider's checklist for Software Composition Analysis
  • Steve Springett -- Dependency Check and Dependency Track

Book: Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner
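The value of a BOM, as Steve describes it, is the questions it lets you answer about what you ship. The block below is an added example, not code from the episode or from the CycloneDX project: it parses a small CycloneDX 1.5 JSON document constructed for this illustration (the application, library names, versions and bom-refs are made up), validates that the dependency graph only references declared components, and answers the question that comes up when a vulnerable library appears in an advisory: through which dependency chains does it reach the application? Only the Python standard library is used.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 document for this example. The application, its
# libraries, versions and purls are made up and describe no real product.
SAMPLE_BOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "bom-ref": "urn:app:inventory-service",
                  "name": "inventory-service", "version": "2.1.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/express@4.18.2", "name": "express",
     "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "bom-ref": "pkg:npm/body-parser@1.20.1", "name": "body-parser",
     "version": "1.20.1", "purl": "pkg:npm/body-parser@1.20.1"},
    {"type": "library", "bom-ref": "pkg:npm/qs@6.11.0", "name": "qs",
     "version": "6.11.0", "purl": "pkg:npm/qs@6.11.0"},
    {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
     "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
  ],
  "dependencies": [
    {"ref": "urn:app:inventory-service",
     "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21"]},
    {"ref": "pkg:npm/express@4.18.2",
     "dependsOn": ["pkg:npm/body-parser@1.20.1", "pkg:npm/qs@6.11.0"]},
    {"ref": "pkg:npm/body-parser@1.20.1", "dependsOn": ["pkg:npm/qs@6.11.0"]},
    {"ref": "pkg:npm/qs@6.11.0", "dependsOn": []},
    {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []}
  ]
}
"""


def load_bom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def root_ref(bom):
    """bom-ref of the component the BOM describes (metadata.component)."""
    return bom["metadata"]["component"]["bom-ref"]


def find_versions(bom, name):
    """All versions of a component name in the BOM; a name may appear more than once."""
    return sorted(c["version"] for c in bom.get("components", []) if c.get("name") == name)


def reverse_dependencies(bom):
    """Map each bom-ref to the set of bom-refs that depend on it."""
    rev = defaultdict(set)
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            rev[child].add(dep["ref"])
    return rev


def check_unknown_refs(bom):
    """bom-refs used in the dependency graph but never declared as components."""
    declared = {c["bom-ref"] for c in bom.get("components", [])} | {root_ref(bom)}
    used = set()
    for dep in bom.get("dependencies", []):
        used.add(dep["ref"])
        used.update(dep.get("dependsOn", []))
    return used - declared


def paths_to_root(bom, target_ref):
    """Every dependency chain from the application down to target_ref, root first."""
    rev = reverse_dependencies(bom)
    root = root_ref(bom)
    paths = []

    def walk(ref, chain):
        if ref == root:
            paths.append(list(reversed(chain)))
            return
        for parent in sorted(rev.get(ref, ())):
            if parent not in chain:  # guard against cycles in a malformed graph
                walk(parent, chain + [parent])

    walk(target_ref, [target_ref])
    return paths


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("unknown refs:", check_unknown_refs(bom) or "none")
    for path in paths_to_root(bom, "pkg:npm/qs@6.11.0"):
        print(" -> ".join(path))
```

The same functions work on a BOM exported by any CycloneDX-producing tool as long as its `dependencies` section is populated; a BOM that lists components but no dependency graph can tell you that a library is present but not how it got there. `check_unknown_refs` is worth running first, since a graph that references undeclared bom-refs usually means the BOM was truncated or hand-edited, and any reachability answer derived from it is suspect.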

The Threat Modeling Podcast
Gavin Klondike -- Threat modeling for large language model applications

The Threat Modeling Podcast

Aug 2, 2024 | 51:01


In this episode of the Threat Modeling Podcast, host Chris Romeo takes listeners on a journey through the intricate world of threat modeling. Joined by senior security consultant Gavin Klondike, the episode delves into Gavin's experiences and insights into threat modeling, particularly in the context of artificial intelligence and machine learning. Gavin shares a detailed case study, discussing methodologies, strengths, weaknesses, and the importance of holistic threat modeling processes. The conversation also highlights the challenges posed by large language models (LLMs), and Gavin provides a comprehensive threat model for LLM applications, exploring various vulnerabilities and mitigations.

Links for this episode:
  • The threat modeling blog post discussed during the episode
  • danielmiessler.com
  • embracethered.com
  • aivillage.org
  • llmtop10.com

Sponsor: Welcome to Smart Threat Modeling. Devici makes threat modeling simple, actionable, and scalable. Identify and deal with threats faster than ever. Build three free models and collaborate with up to ten people in the Free Forever plan. Get started at devici.com and threat model for free. Smart threat modeling for development teams.

Application Security PodCast
Irfaan Santoe -- The Power of Strategy in AppSec

Application Security PodCast

Jul 31, 2024 | 40:14


Join Irfaan Santoe and hosts Chris Romeo and Robert Hurlbut for an in-depth discussion on the maturity and strategy of Application Security programs. They delve into measuring AppSec maturity, return on investment, and communicating technical needs to business leaders. Irfaan shares his unique journey from consulting to becoming an AppSec professional, and addresses the gaps between CISOs and AppSec knowledge. This episode provides valuable insights for scaling AppSec programs and aligning them with business objectives.

Application Security PodCast
Derek Fisher -- Hiring in Cyber/AppSec

Application Security PodCast

Jul 16, 2024 | 61:45


In this episode of the Application Security Podcast, Chris Romeo and Robert Hurlbut welcome back Derek Fisher, an expert in hardware, software, and cybersecurity with over 25 years of experience. Derek shares his advice on cybersecurity hiring, specifically in application security, and dives into the challenges of entry-level roles in the industry. The discussion also explores the value of certifications, the necessity of lifelong learning, and the importance of networking. Tune in for valuable insights on getting noticed in cybersecurity, resume tips, and the evolving landscape of AppSec careers.

Mentioned in this episode:
  • The Application Security Program Handbook by Derek Fisher
  • With the Old Breed by E.B. Sledge
  • Cyber for Builders by Ross Haleliuk
  • Effective Vulnerability Management by Chris Hughes

Previous episode:
  • Derek Fisher -- The Application Security Program Handbook

Application Security PodCast
Jahanzeb Farooq -- Launching and executing an AppSec program

Application Security PodCast

Jul 2, 2024 | 49:44


In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut are joined by Jahanzeb Farooq to discuss his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the importance of understanding developer needs and implementing the right tools. The conversation covers the complexities of cybersecurity in the pharmaceutical and financial sectors, shedding light on regulatory requirements and the role of software in critical industries. Learn about prioritizing security education, threat modeling, and navigating digital transformation.

Mentioned in this episode:
  • The Power of Habit by Charles Duhigg

Application Security PodCast
David Quisenberry -- Building Security, People, and Programs

Application Security PodCast

Jun 18, 2024 | 56:54


In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut engage in a deep discussion with guest David Quisenberry about various aspects of application security. They cover David's journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making. The conversation also delves into the value of mentoring, the vital role of trust with engineering teams, and the significance of mental health and community in the industry. Additionally, Chris, David, and Robert share personal stories that emphasize the importance of relationships and balance in life.

Books shared in the episode:
  • Site Reliability Engineering by Betsy Beyer, Chris Jones, Jennifer Petoff, and Niall Richard Murphy
  • The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford
  • Security Chaos Engineering by Aaron Rinehart and Kelly Shortridge
  • CISO Desk Reference Guide by Bill Bonney, Gary Hayslip, and Matt Stamper
  • Wiring the Winning Organization by Gene Kim and Dr. Steven J. Spear
  • The Body Keeps the Score by Bessel van der Kolk, M.D.
  • Intelligence-Driven Incident Response by Rebekah Brown and Scott J. Roberts
  • Never Eat Alone by Keith Ferrazzi
  • Thinking, Fast and Slow by Daniel Kahneman
  • Do Hard Things by Steve Magness
  • How Leaders Create and Use Networks (whitepaper) by Herminia Ibarra and Mark Lee Hunter

Application Security PodCast
Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People

Application Security PodCast

Jun 11, 2024 | 46:14


In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome Matt Rose, an experienced technical AppSec testing leader. Matt discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security, exploring how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword "shift left," and discusses the role of digital twins and AI in enhancing supply chain security. He emphasizes the need for a comprehensive approach beyond SCA, the relevance of threat modeling, and the potential risks and benefits of AI in security. The discussion also touches on industry trends, the importance of understanding marketing terms, and the future directions of AppSec.

Mentioned in the episode:
  • The Application Security Program Handbook by Derek Fisher: https://www.manning.com/books/application-security-program-handbook
  • Podcast episode: Derek Fisher -- The Application Security Program Handbook: https://youtu.be/DgmlHgNT-UM

Authors mentioned:
  • Stephen E. Ambrose: https://www.simonandschuster.com/authors/Stephen-E-Ambrose/1063454
  • Mark Frost: https://en.wikipedia.org/wiki/Mark_Frost

Application Security PodCast
James Berthoty -- Is DAST Dead? And the future of API security

Application Security PodCast

May 31, 2024 | 44:56


In this episode of the Application Security Podcast, host Chris Romeo welcomes James Berthoty, a cloud security engineer with a diverse IT background, to discuss his journey into application and product security. The conversation spans James's career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and StackHawk, and the evolving landscape of Dynamic Application Security Testing (DAST) and API security. They delve into the practical challenges of CVEs, reachability analysis, and the complexities of patching in mid-sized companies. James shares his views on the often misunderstood role of the WAF and the importance of fixing issues over merely identifying them. The discussion concludes with insights into James's initiative, Latio Tech, which aims to help security professionals evaluate and understand application security products better.

Links:
  • James Berthoty's LinkedIn post, "AppSec Kool-Aid Statements I Disagree With": https://www.linkedin.com/posts/james-berthoty_appsec-kool-aid-statements-i-disagree-with-activity-7166084208686256128-tb1U?utm_source=share&utm_medium=member_desktop
  • What Is Art? by Leo Tolstoy: https://www.gutenberg.org/files/64908/64908-h/64908-h.htm

The Hedge
Hedge 212: Shift Left? w/Chris Romeo

The Hedge

Feb 9, 2024 | 56:27 | Transcription available


How many times have you heard you should "shift left" in the last few years? What does "shift left" even mean? Even if it had meaning once, does it still have any meaning today? Should we abandon the concept, or just the term? Listen in as Chris Romeo joins Tom Ammon and Russ White to talk about the origin, meaning, and modern uselessness of the term "shift left."

Application Security PodCast
Itzik Alvas -- Secrets Security and Management

Application Security PodCast

Sep 26, 2023 | 37:05 | Transcription available


Itzik Alvas, Co-founder and CEO of Entro, is an expert on secrets security.

Itzik joins Chris and Robert to discuss the significance of understanding and managing secrets, emphasizing the importance of knowing how many secrets an organization has, where they are located, and their potential impact. He elaborates on the three pillars of secrets management: listing and locating secrets, classifying and understanding their potential blast radius, and monitoring them for any abnormal behavior.

The conversation takes a turn towards the future of secrets management, where Itzik believes there's a need for a shift in mentality. He stresses the importance of education in this domain, urging listeners to seek knowledge, understand the potential risks, and start with actionable steps. Itzik's perspective on prioritizing risks, investing in processes, and the challenges of remediation offers a fresh take on application security.

As the episode wraps up, Itzik shares a key takeaway for the audience: the importance of getting educated about secrets, understanding their potential risks, and starting with quick, actionable steps. Chris Romeo, the host, and Itzik also touch upon their love for sci-fi, adding a personal touch to the conversation. This episode is a must-listen for anyone keen on enhancing their understanding of secrets security and management.

Helpful links:
  • Entro: https://entro.security/

Recommended reading:
  • Foundation by Isaac Asimov: https://www.amazon.com/Foundation-Isaac-Asimov/dp/0553293354
  • Ringworld by Larry Niven: https://www.amazon.com/dp/B0B1911GL1
  • Seveneves by Neal Stephenson: https://www.amazon.com/Seveneves-Neal-Stephenson/dp/0062334514
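Itzik's first pillar, listing and locating secrets, is the one that can be shown in code, and the second, classifying blast radius, starts from the same inventory. The block below is an added example and not Entro's tooling or anything from the episode: a minimal secrets inventory that scans a set of files constructed for this illustration (the AWS key is the example key from AWS's own documentation; the GitHub token and the key file are made up), matches a small hypothetical pattern set, uses a Shannon entropy floor to drop placeholder values, and tags each hit with an assumed blast-radius class. The pattern set, the entropy threshold and the classification table are assumptions for the example, not a standard.

```python
import math
import re

# Hypothetical pattern set for this example. Production scanners ship far
# larger rule sets; these four are enough to show the mechanics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Generic "name = value" assignment; the capture group is the candidate value.
    "generic_assignment": re.compile(
        r"(?i)(?:key|secret|password|token)\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
    ),
}

# Assumed blast-radius classes, the starting point for the second pillar.
BLAST_RADIUS = {
    "aws_access_key_id": "high: cloud account access",
    "private_key": "high: impersonation or decryption",
    "github_pat": "medium: source repository access",
    "generic_assignment": "unknown: needs manual classification",
}

# Bits per character. Below this a generic match is most likely a placeholder.
ENTROPY_FLOOR = 3.0

# Constructed input: a few files as a dict of path -> content.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  GH_TOKEN: ghp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a short prefix so a finding can be located without re-leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(path, text):
    """Return one finding per distinct secret value per line of text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # the same value matched by a specific and a generic rule counts once
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in seen:
                    continue
                ent = shannon_entropy(value)
                if kind == "generic_assignment" and ent < ENTROPY_FLOOR:
                    continue  # "xxxxxxxx", "changeme"-style placeholders
                seen.add(value)
                findings.append({
                    "file": path, "line": lineno, "kind": kind,
                    "entropy": round(ent, 2), "preview": redact(value),
                    "blast_radius": BLAST_RADIUS[kind],
                })
    return findings


def inventory(files):
    """Scan every file and return the combined list of findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in inventory(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} ({f['blast_radius']}) {f['preview']}")
```

Two behaviours are worth noting. The `SECRET_KEY = "xxxx..."` line is matched by the generic rule but dropped by the entropy floor, which is how a scanner avoids flooding the inventory with placeholders; and the token in the workflow file is matched by both the specific and the generic rule but reported once. Findings carry a redacted preview only, since an inventory of secrets that contains the secrets is itself a new secret to manage.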

The Threat Modeling Podcast
What is the Essence of Threat Modeling?

The Threat Modeling Podcast

Apr 27, 2023 | 7:15 | Transcription available


In episode one of the Threat Modeling podcast, host Chris Romeo explores various definitions of threat modeling gathered from industry experts. The podcast discusses whether risk assessment and threat modeling are the same, the essence of threat modeling, collaboration and documentation, identifying and mitigating threats early, the Five W's and an H approach, structured brainstorming, and proactive security. The Threat Modeling Manifesto's definition is favored by Chris, which states that threat modeling is "analyzing representations of a system to highlight concerns about security and privacy characteristics." In addition, the podcast highlights that threat modeling involves art, science, collaboration, and brainstorming, aiming to improve security and privacy in systems.

The Threat Modeling Podcast
The Threat Modeling Podcast -- Coming Soon!

The Threat Modeling Podcast

Apr 4, 2023 | 1:53


On this podcast, we'll journey together into the world of threat modeling. On this journey, we'll learn the history of threat modeling, hear from influential folks, explore the available methodologies and tools, and have fun. My name is Chris Romeo, and I've been threat modeling my entire 25+ year career in security. In addition, I host other podcasts, including the Application Security Podcast and the Security Table. The AppSec Podcast is an interview format where my co-host Robert Hurlbut and I deconstruct world-class application security performers to find the tools, tactics, and tricks listeners can use. The Security Table is a round table with three of my friends, where we explore and discuss/debate various issues impacting the world of cybersecurity. This podcast is different. This podcast is my journey to understand a subject I know about. I aim to achieve a more profound understanding by breaking threat modeling down to its fundamental pieces and explaining them to you. They say the best way to understand a topic is to study and teach it, so here we go. After laying the foundation, we'll return to the starting point for threat modeling and understand the history. From there, I'll talk to various experts in the field to break down what they think threat modeling is and ask them to teach me something new that I need to learn about the topic. Please subscribe, continue to tune in as we go on this threat modeling journey together, and remember to threat model all the things.

The Hedge
Hedge 164: Threat Modeling with Chris Romeo

The Hedge

Feb 3, 2023 | 49:41


For this week's episode of the Hedge, Tom Ammon and Russ White are joined by Chris Romeo to talk about the importance of the human element in threat modeling. If you've ever wondered about the importance of threat modeling or how to get started in threat modeling, this episode will guide you on your way.

The Friday Nooner
Chris Romeo Talks Security Journey Exit

The Friday Nooner

Nov 4, 2022 | 37:08


Security Journey Co-Founder Chris Romeo is chatting LIVE with the GrepBeat crew this Friday. Chris is a lifelong cybersecurity professional who embarked on an entrepreneurial path. In 2016, he launched the cloud-based platform Security Journey, which teaches developers how to improve security in their own companies. Earlier this year, the company was acquired by Pittsburgh-based HackEDU.

Application Security PodCast
Chris Romeo -- The Security Journey Story

Application Security PodCast

Jun 2, 2022 | 27:13


In this episode of the Application Security Podcast, Chris Romeo walks through the origin story of Security Journey and shares some experiences taking a security startup from bootstrap to acquisition. Chris talks about how and why he started the company, what defining factors made Security Journey successful, and why they're being acquired now. He ends by giving an overview of what to expect from Security Journey moving forward. We hope you enjoy this conversation with Chris Romeo.

Check out these resources for more information about the acquisition:
  • Press release: https://www.accesswire.com/702562/HackEDU-Acquires-Security-Journey-to-Provide-the-Most-Comprehensive-Application-Security-Training-Offering-Helping-Development-Teams-Deliver-Secure-Code-and-Protect-Data
  • Chris's blog post: https://www.securityjourney.com/post/hackedu-acquires-security-journey
  • Joe's blog post: https://www.hackedu.com/blog/hackedu-acquires-security-journey-to-create-industry-leading-application-security-offering

Product Momentum Podcast
82 / Threat Modeling for Product Managers

Product Momentum Podcast

Apr 5, 2022 | 28:26


As product managers, we're taught to prioritize customer needs above all else. If that's correct, where does threat modeling land in our list of priorities? After all, if we can't provide a secure solution, our users will go elsewhere. Chris Romeo, CEO and co-founder of Security Journey, suggests we "shift left" to get these concepts …

Down the Security Rabbithole Podcast
DtSR Episode 471 - TPA Threat Modeling the Software

Down the Security Rabbithole Podcast

Nov 2, 2021 | 39:23


Prologue: On Episode 471, as we hurtle toward our 500th episode, we bring back Chris Romeo to talk about threat modeling. Specifically, we discuss threat modeling of software, with developers, methodologies, silos, incentives, and outcomes all in play for discussion. Chris has been doing this a while and has some deep insights into what it takes to make things work, and we welcome your feedback on how you do it.

Guest: Chris Romeo | LinkedIn: https://www.linkedin.com/in/securityjourney/ | Twitter: https://twitter.com/edgeroute

Best Practices with Kenny Berger
Fireworks Litigation: Liability, Damages & Experts | Attorney Chris Romeo | Ep. 16

Best Practices with Kenny Berger

Sep 15, 2021 | 46:42


Attorney Chris Romeo of Thurmond Kirchner & Timbes in Charleston, SC, shares how illegal fireworks are causing serious injuries across the country and what you should expect when handling consumer fireworks cases.

The Sidebar
Episode 19: Guest Chris Romeo

The Sidebar

Jun 11, 2021 | 71:49


Chris Romeo is a partner at Thurmond Kirchner & Timbes, in Charleston, South Carolina. Chris handles serious injury and wrongful death cases and is widely considered a rising star amongst the South Carolina Plaintiff's bar. He recently obtained a $6.7 million dollar verdict in Georgetown County. In this episode, Chris discusses the trial and how he obtained full justice for his client using advanced trial techniques and changing strategy on-the-fly due to developments at trial. Host: Mark Bringardner (mark@bringardner.com)Producer: Bill Dujmovic (bdujmovic@joyelawfirm.com)

Security Journey's hi/5
Shifting Left, REST API, HTML Over WebSockets and more

Security Journey's hi/5

Mar 18, 2021 | 4:50


Each week our CEO, Chris Romeo, takes you through the five articles he thinks are worth your time. Check out the video and links to each article below.
  1. Shifting Left on Security: Solutions, Google Cloud (https://cloud.google.com/solutions/sh...)
  2. Best Practices for REST API Design (https://stackoverflow.blog/2020/03/02...)
  3. The Future of Web Software is HTML Over WebSockets (https://alistapart.com/article/the-fu...)
  4. Be Afraid of the Ruby on Rails Supply Chain (https://www.securityjourney.com/post/...)
  5. NurseryCam Hacked, Company Shuts Down IoT Camera Service (https://www.theregister.com/2021/02/2...)

Application Security PodCast
Chris Romeo — DevSecOps Fails

Feb 17, 2021 (27:35)


For this episode, Robert and I decided to talk about an article I wrote called "DevOps security culture: 12 fails your team can learn from". We hope you enjoy this walkthrough of the 12 fails. If we missed any, hit us up on Twitter and let us know what we should add to the list.

Paul's Security Weekly
The Laughing Isn't Helping - ASW #124

Oct 6, 2020 (71:40)


This week, we welcome Chris Romeo, CEO at Security Journey, to discuss Things Every Developer Should Know About Security! In the Application Security News: DOMOS 5.8 - OS Command Injection; 4G, 5G networks could be vulnerable to exploit due to a ‘mishmash’ of old technologies; Google sets up research grant for finding bugs in browser JavaScript engines; Announcing the launch of the Android Partner Vulnerability Initiative; and more!
Show Notes: https://wiki.securityweekly.com/asw124
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly

Application Security Weekly (Audio)
The Laughing Isn't Helping - ASW #124

Oct 6, 2020 (71:40)


This week, we welcome Chris Romeo, CEO at Security Journey, to discuss Things Every Developer Should Know About Security! In the Application Security News: DOMOS 5.8 - OS Command Injection; 4G, 5G networks could be vulnerable to exploit due to a ‘mishmash’ of old technologies; Google sets up research grant for finding bugs in browser JavaScript engines; Announcing the launch of the Android Partner Vulnerability Initiative; and more!
Show Notes: https://wiki.securityweekly.com/asw124
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly TV
Things Every Developer Should Know About Security - Chris Romeo - ASW #124

Oct 5, 2020 (35:39)


Developers are at the center of properly securing applications. A large number of security issues bury developers. We must understand the things every developer must know about security in order to help them. We must practice developer empathy, walking a mile in their shoes.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/asw124

Application Security Weekly (Video)
Things Every Developer Should Know About Security - Chris Romeo - ASW #124

Oct 5, 2020 (35:39)


Developers are at the center of properly securing applications. A large number of security issues bury developers. We must understand the things every developer must know about security in order to help them. We must practice developer empathy, walking a mile in their shoes.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/asw124

CISO-Security Vendor Relationship Podcast
Security Is Suffering From DevOps FOMO

Sep 22, 2020 (33:28)


All links and images for this episode can be found on CISO Series (https://cisoseries.com/security-is-suffering-from-devops-fomo/)

Darn it. DevOps is having this awesome successful party and we want in! We've tried inserting ourselves in the middle (DevSecOps) and we launched a pre-party (shift left), but they still don't like us.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Dayo Adetoye (@dayoadetoye), senior manager - security architecture and engineering, Mimecast.

Thanks to our sponsor, Capsule8. Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure.

On this week’s episode

Are we making the situation better or worse?
What makes a successful phish? On Sophos' blog Paul Ducklin writes about their most successful phishing emails. Ducklin noted that most of the successful phishes dealt with mundane and undramatic issues that still had a sense of importance. Looking at these examples, they do seem to follow a similar pattern of something looking official that is being requested from the company and could you click here to check it out. Is that the majority of what you're testing? If so, what exactly is the value in conducting phishing tests on employees? Can the testing have a negative effect on security or even morale?

There’s got to be a better way to handle this
What is the right approach to threat modeling? In a blog post, Chris Romeo of Security Journey opines that formal training or tools won't work. Security needs to ask questions of developers about features and then show them how a threat evolves, thus allowing them to ultimately do it themselves. Adam Shostack of Shostack and Associates advocates for formal training. He says Romeo's informal approach to threat modeling sounds attractive, but doesn't work because you're trying to scale threat modeling across developers, and if you tell one developer the information, it's going to be passed down like a game of telephone where each successive person tells a distorted version of what the last person said. So what's the right approach to building threat models across a DevOps environment?

What's Worse?!
What's the worst place to find your company assets?

Close your eyes and visualize the perfect engagement
Shifting Left. DevSecOps. These are the mechanisms that have been used to infuse security into the DevOps supply chain. While noble, both concepts break the philosophy and structure of DevOps, which is based on automation, speed, and delivery. But DevOps is also about delivering quality. So rather than inserting themselves, how does security participate in a way that DevOps already loves?

If you haven’t made this mistake, you’re not in security
On AskNetSec on reddit, Triffid-oil asked, "What was something that you spent effort learning and later realized that it was never going to be useful?" And let me add to that: it's something either someone told you or you believed for some reason was critical for your cybersecurity education, and you later realized it wasn't valuable at all.

Application Security PodCast
Chris Romeo — The State of Security and the Importance of Empathy

Aug 27, 2020 (43:49)


Application security applies to everyone, network architects included. Chris had an opportunity to join a friend's podcast called "The Hedge." Chris talks with hosts Tom and Russ about the state of security and what network engineers need to know about security from an application perspective. They talk about the importance of empathy in all jobs, [...]

The Private Equity Digital Transformation Show
IoT Security – the Security Development Lifecycle Way

Feb 7, 2020 (61:14)


We all know, whether from experience or just intuitively, that bolting security onto an IoT product after much of the development has been completed is a total rookie mistake and a recipe for disaster. Yet this still happens, from crowdfunded startups who don't mention security in their videos to internal teams in larger enterprises who also emphasize the bling in order to get their project greenlit from within. In this episode of the IoT Business Show, I speak with Chris Romeo about the Security Development Lifecycle, the polar opposite of the bolt-on approach, which has been successfully used in IT security for years.
Read the rest of the show analysis notes, including the transcripts, at: http://bit.ly/IoTPodcast63notes
This show is brought to you by DIGITAL OPERATING PARTNERS
Related links you may find useful:
Season 1: Episodes and show notes
Season 1 book: IoT Inc
Season 2: Episodes and show notes
Season 2 book: The Private Equity Digital Operating Partner
Training: Digital transformation certification

CISO-Security Vendor Relationship Podcast
Do These Jeans Make My Vulnerabilities Look Too Big?

Jun 3, 2019 (32:06)


Full episode with images and links available at CISO Series (https://cisoseries.com/do-these-jeans-make-my-vulnerabilities-look-too-big/)

We're starting to get a little self-conscious that our vulnerabilities are starting to show. People we don't even know are telling us we have them on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Fredrick Lee (AKA "Flee") (@fredrickl), CSO of Gusto.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

What's a CISO to do?
Chris Romeo, CEO of Security Journey, wrote a post where he asked, "What if I had to develop an application security program with a budget of zero dollars?" What he presented was a means to lean on the OWASP open source community and tools to build an application security program. You're a CISO, what's your take on this?

I was chatting with a pentester, Benjamin McEwan, from Scotland, who reaches out to CISOs trying to responsibly disclose, not expose, a credible security vulnerability. It's his effort to get recognized. He's frustrated, though, in his ability to find permanent work because those hiring only see him as an independent researcher. Is his exercise the right approach? What can a talented security person in his position do to make himself more attractive to CISOs?

What's Worse?!
We've got a couple of scenarios that shocked our guest at the sheer InfoSec horror.

Breathe In, It's Time for a Little Security Philosophy
On Quora, a question right out of the Matthew Broderick movie WarGames asks, "If a student hacked into university computers and changed his grade in cyber security to an A, does he actually deserve the A?" Except for one person, everyone said, "No," but for different reasons. Mike, are you saying no, and if so, for what reason?

What do you think of this pitch?
We've got two pitches from vendors this week. One came directly to me.

Cloud Security Tip, by Steve Prentice - Sponsored by OpenVPN.
The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel – maybe a sequel to Clear and Present Danger. Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets.

Go Beyond Disruption
"Building a Security Mindset" with Chris Romeo of The Security Journey (North Carolina, USA) GBD2

May 30, 2018 (24:56)


"Remember, security is EVERYONE'S problem, regardless of what your role is." GBD2. In light of recent data breach and privacy concerns in the news, Chris Romeo of Security Journey explores why accounting and finance professionals at all levels should be more mindful and aware of cybersecurity threats affecting our data, as well as our clients' data, and how we can start building a security culture.

OUR GUEST
Chris Romeo, CEO and co-founder of Security Journey, which specialises in online application security training organised as a security belt program. Before Security Journey, Chris was the Chief Security Advocate at a Fortune 100 company with over 60,000 employees, where he built the most massive security training program that has ever been constructed, industry-wide. He left to found Security Journey and bring the lessons he learned teaching developers about security to the entire industry. Connect with him on LinkedIn at https://www.linkedin.com/in/securityjourney.

DON'T MISS OUT. Get the latest show every week, automatically and free, at https://www.aicpa-cima.com/disruption.html. Share it easily with colleagues and friends by using the icons on the media player.

TAKE IT FURTHER. Find related CPD/CPE resources at https://www.aicpastore.com/GoBeyondDisruption and https://www.cgmastore.com/GoBeyonddisruption.

STAY CONNECTED. Follow #GoBeyondDisruption, @AICPANews and @CIMA_News on social.

©2018 Association of International Certified Professional Accountants (AICPA & CIMA). All rights reserved

Firewalls Don't Stop Dragons Podcast

Equifax, one of the three major credit bureaus, was hacked: over 143 million U.S. accounts may have been leaked, making them much more vulnerable to identity theft and fraud. In this episode, I help you understand the potential impacts of this breach and give you several important actions you can take to protect yourself, including instituting a credit freeze on your account. Chris Romeo, CEO and Founder of Security Journey, will help us understand the severity of this major news story and what we need to do to protect ourselves moving forward!

Is there such a thing as a good hacker? We will tackle what it takes to be a hacker, and why you actually might want to become one! Hackers are not all bad guys in hoodies hunched over a laptop. The hacker mentality is much more about a desire to tinker and solve puzzles, just applied to computers, and we need good hackers to help us combat the bad ones.

Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security belt programs to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Security Advocates, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end security belt program launched in 2012. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP.

Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons
For Further Insight:
Website: www.securityjourney.com
Follow on Twitter: @SecurityJourney
Facebook: https://www.facebook.com/SecJourney/
Additional Resources:
Freeze your credit at all three credit bureaus: Equifax, Experian and TransUnion.
Get your free annual credit reports: https://www.ftc.gov/faq/consumer-protection/get-my-free-credit-report

Firewalls Don't Stop Dragons Podcast

Chris Romeo regales us with tales of safe-cracking robots, demonic car washes, possessed Teslas, and hacking of voting machines! Where did this all happen? At the hacker conferences, of course! We’ll help you understand how hackers really think and what they really do every year in Las Vegas at the DEFCON and BlackHat conferences.

Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security belt programs to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Security Advocates, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end security belt program launched in 2012. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP.

For Further Insight:
Website: www.securityjourney.com
Follow on Twitter: @SecurityJourney
Facebook: https://www.facebook.com/SecJourney/
Additional Resources:
Hackers: Heroes of the Computer Revolution by Steven Levy
WITH HOVER… YOUR PRIVACY IS INCLUDED. Get 10% off your first domain name order!

Down the Security Rabbithole Podcast
DtSR Episode 204 - On Changing Culture

Jul 26, 2016 (44:09)


This week, Chris Romeo joins Michael, James and me to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term.

Chris Romeo's bio: Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012. Chris has twenty years of experience in security, holding positions in application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications, and is a frequent conference speaker at RSA and AppSec.

Cisco TAC Security Podcast Series
TAC Security Podcast #47 - The Cisco Security Ninja Program

Sep 22, 2015 (29:04)


The podcast crew invites back a special return guest, Mr. Chris Romeo, to share with the world Cisco's Security Ninja program, which is the educational arm of the Cisco Secure Development Lifecycle (CSDL). The intent of this episode is to educate listeners about Cisco's internal Ninja program and also to help our listeners start their own security education program within their company.

NFOTUSA Soldiers Speak Radio

Join us this week as we welcome the classical pop trio, Klassika. What do you get when you combine classically-trained singers with pop music? You get Klassika! Merging the starkly different genres of pop and opera, Klassika has created a fresh, unique sound for its listeners. Known as Popera, or Classical Crossover, the genre features the best traits of each style, creating a beautiful partnership that’s music to the ears - literally! Made up of classically-trained vocalists Jolanda Nel, Clint Shepherd and Chris Romeo, Klassika create gorgeous arrangements of popular songs, adding rich three-part harmonies. While staying true to the original essence of the song, the trio imparts their distinct crossover influence to each song to make it their own. Each member of Klassika brings years of training and experience to the group, creating a sound that’s impossible to ignore. If you’re looking for a fresh take on today’s music, look no further than Popera icon Klassika.

We will talk to Klassika about their upcoming schedule, get a behind-the-scenes look at their music, feature their latest songs, and ask them to share their message for the troops. Please be sure to visit Klassika at http://www.klassikashow.com/ and spread the word. Fans are welcome to call in and speak live with them during the show: (718) 766-4193. If you would like to participate in the live chat during the show, you must sign up on the show site first and then log in during the show. And as always we will give shout outs to our deployed military listeners. Be sure to join us, Sunday 7/19/2015 at 4 PM EDT! Our message to the troops: WE do what we do, because YOU do what you do.

Cisco TAC Security Podcast Series
The Cisco Secure Development Lifecycle

May 5, 2014 (25:42)


The podcast panel talks with Chris Romeo and Lisa Meyers McDonald from the Cisco Trustworthy Systems Organization all about the Cisco Secure Development Lifecycle.