Show Notes: In this episode of Unleashed, the panel discussion focuses on the pros and cons of becoming an adjunct professor. The panelists discuss the motivations behind teaching courses as an adjunct professor, how to get hired, whether to teach in traditional MBA programs or other certificate or degree programs, the amount of work involved, typical pay, relationship-building opportunities, project opportunities, and ancillary benefits such as access to datasets or research services.

The discussion kicks off with Adam Braff, a data analytics executive/advisor, who shares his reasons for teaching: the best reasons to teach are not practical, instrumental ones but passion and love for teaching, which he believes is a creative act.

Mary Kate Scott follows Adam. She teaches at the University of Southern California, Marshall School of Business in the MBA program, and at the Keck School of Medicine, focusing on healthcare. She has taught the business of healthcare, innovation and health care, new business models in health care, entrepreneurship and health care, and medical device business models. Mary Kate also shares her background with Procter and Gamble; she later joined McKinsey for two years to become a better professor, found she loved the position, and stayed there for seven years, but she states that she found the joy of teaching to be both inspirational and fun. She enjoys the level of engagement and interaction in her classes.

Sven Beiker teaches Strategy Making in an MBA program at Stanford Business School, and also teaches AI and product development at a university in Sweden. He discusses his experience teaching at Stanford and his passion for teaching. He began his teaching career at Stanford, moving into it from a position as an automotive program manager. He also enjoys working with younger people, finding it intellectually stimulating. He has also found the position to be an asset in branding, and has found that it helps in terms of being considered as a keynote speaker from Stanford Business School.

Mohannad Gomaa shares his experience teaching at the US Navy Postgraduate School, which was motivated by a contract with a colleague and his subject matter expertise. He designed and delivered the curriculum. He has also taught in consulting colleges, and recently he was authorized by the Association of Supply Chain Management to teach supply chain certifications, including the CSCP (Certified Supply Chain Professional) certification. This allows him to associate with a reputable knowledge body and meet with stakeholders interested in his work. He has also signed an agreement to be a consulting partner for the ACM, which will allow him to explore more opportunities across industries. He believes teaching is a passion that can generate revenue beyond the passion.

An adjunct professor at the University of Copenhagen shares her passion for teaching consulting; it adds to her reputation for expertise in her field, and she finds teaching fun and energizing.

How to Secure a Position as an Adjunct Professor

The conversation also touches on how to get started as an adjunct professor. To do this, one should be flexible about the institution one wants to teach in and focus on the dimensions that are necessary to one's field. Many schools have executive MBA programs, masters of leadership programs, and other programs that are growing and need teachers who can teach their specific subject matter area and create and pitch syllabuses. To reach the right people in these institutions, one should contact the Academic Director of the different degree programs. This person is responsible for the substantive side of these programs and can help with informational interviews. For example, if one wants to teach in New York City, one could reach out to HR or the dean of the school.

Mary Kate discusses the benefits of adjunct teaching, including the joy of publications, networking, and credibility. She suggests starting as a guest speaker and gradually delivering classes, either shorter or elective, and eventually creating the curriculum. She also encourages reaching out to people teaching courses similar to your field to get started, and simply letting people know you are interested in teaching. Sven mentions that many full-time professors don't like to teach, but they are constantly looking for someone to bring real-world experience into the classroom, interact with a class, and bring their knowledge to the table. He states that there are continuing education programs at universities, such as Stanford, on the professional side of education. These programs can help students gain experience and develop their interest in graduate programs, and could be a first step into teaching. Networking is a key aspect of adjunct teaching, and can lead to a board position.

The Evaluation Process Revealed

The panelists discussed the typical evaluation process for teaching positions, including the need for specific credentials or certificates, and how to express interest. Having someone internally who can vouch for you can make a difference. The first step in the evaluation process is to have a track record, such as a recording of a lecture, a written syllabus, and student evaluations. This ensures that when you apply to another institution, they feel confident in your ability to teach a class.

Compensation for Teaching

The compensation for teaching varies from $6,000 for a semester to $15,000, with a median of $10. The time commitment for creating a syllabus from scratch is around 200 hours. There may be additional benefits associated with teaching, such as subsidized healthcare benefits.

The panelists discuss the range of compensation, which can range from $1,000 for a 90-minute class to $2,000 for a two-hour class, and could extend over a 7-, 12-, or 14-week program. The first time teaching, the teacher takes over the curriculum and develops it; however, they could be writing the entire curriculum, which can be a lot of responsibility but also an opportunity to shape the educational experience for students. It is worth noting that the course can also impact your consulting business, as committing to a class every week can limit your consulting business if you travel frequently. In contrast, in-person classes can be more effective due to scheduling. Another panelist, a Professor of Practice at Michigan State University's School of Business, states that the course is a salaried position, but it is not a full-time gig. The pay is based on a W-2 and a salary, which is a relatively small amount.

The Benefits of Teaching

The conversation revolves around the benefits of teaching and consulting, including inspiration, credibility, and carryover/spillover benefits. Mary Kate shares her experience with getting clients and consulting project leads, and converting leads into confirmed projects due to her credibility. Her students have become clients, and she concludes that the network is an enormous benefit. Adam suggests that teaching should be synergistic with consulting work; it is synergistic with his writing work, and he has adapted the courses he teaches to corporate training. However, in this situation it is advisable to focus on the language of contracts to ensure that intellectual property rights are portable to a corporate context. Sven shares his experience with gaining project leads, which can be former students who become clients or organizations seeking advice from a professor who is also a consultant; he has often been asked to be on the advisory board of startups by former students. This nurtures the network and gives the professor more standing and credibility. Clients often recognise the professor's expertise and reputation, making it a valuable asset.

Best Practices for Networking Opportunities

To maximize networking opportunities, Nick has found partnering opportunities with fellow professors. Mary Kate suggests connecting with other faculty members, attending university events, and partnering with fellow professors. She also shares her experience of being wasted in the first semester of teaching and finding it difficult to find opportunities to meet with faculty members.

Developing a Curriculum in Academia

The conversation turns to the complexity of developing a curriculum in academia. Developing a syllabus can be challenging, especially when it comes to creating evaluation materials and quizzes that are objective and do not lead to low grades. The tension between grades and evaluations can also be a challenge, but it becomes easier after the first time. The complexity of creating a syllabus depends on the type of class; for example, a seminar class at Stanford may require more discussion and bringing in guest lecturers. Another may require more content creation; a new class may require more detailed teaching material, including a reading list, quizzes, preparing exams, etc.

Teaching As a Learning Experience

Jared Lee, a faculty lecturer at McGill University and principal at Juniper, a Montreal-based consultancy, believes that teaching is a deeper way to learn and develop skills, as it requires a lot of preparation, the ability to defend theories against questions, and the ability to implement storytelling techniques. He believes that teaching 180 students who have detailed questions requires being bulletproof in preparation and in how to apply the theories. Jared also shares that this experience has built his ability in educating clients. Panelists also state that teaching has helped develop stronger public speaking skills and the ability to manage a crowd. The discussion revolves around the challenges of teaching at universities like Stanford and the importance of facilitation in making discussions meaningful.

Access to Ancillary Benefits As an Adjunct Professor

Additional ancillary benefits include access to datasets, academic journal articles, and other resources. Academic resources, such as the MSU library, are free and can be used in private practice. Academics can also leverage their academic connections to engage in conversations with people for various purposes, such as building lectures for their courses or collaborating on consulting projects. Health insurance is another asset. For example, at McGill, teaching three sections within a year can grant access to health insurance and supplemental pension and investment plans.

The conversation ends with the participants discussing their takeaways from the discussion, including:
The importance of 200 hours of syllabus development
The importance of fostering meaningful discussions and connections within academia for both students and faculty
The importance of passion, preparation, and genuine effort in creating content for a class
The need for preparation
Staying updated on relevant topics and the latest developments
Credibility

The panelists agreed that you should have good reasons for taking this position, and having a clear purpose for teaching can lead to better results. One additional tip was to be clear about why you are doing it, as this will help you focus on how to achieve your goal. Another is to take advantage of a guest lecturer opportunity, and to be open to learning from your students. In conclusion, the panelists discussed the importance of passion, preparation, and genuine effort in creating content for a class. They also highlighted the importance of being proactive, asking questions, and embracing the unique experiences of students. By doing so, teachers can gain valuable insights and develop a deeper understanding of their field.

Timestamps:
07:03 Consulting career paths and teaching experience
10:25 Adjunct teaching roles in economics
12:37 Finding teaching opportunities in higher education
15:06 Adjunct teaching opportunities and how to get started
17:24 Teaching at universities, networking, and evaluation processes
24:31 Teaching gigs, compensation, and time commitment
27:07 Teaching and consulting gigs for experts in customer experience management
31:22 Leveraging academic faculty status for consulting opportunities
34:48 Curriculum development and networking at a university
36:42 Teaching methods and challenges in higher education
39:58 Teaching and learning theories in consulting
42:48 Teaching strategies and access to academic resources
45:16 Academic benefits, networking, and health insurance
53:21 Teaching and consulting in academia

Unleashed is produced by Umbrex, which has a mission of connecting independent management consultants with one another, creating opportunities for members to meet, build relationships, and share lessons learned. Learn more at www.umbrex.com.
Blake Harris, CSCP, is a specialist in standards and process enhancement, digital solution development, and implementation, with more than a decade of experience in supply chain-related functions within the private sector and at non-governmental organizations (NGOs). He places high value on tackling complex issues to create efficient and uncomplicated solutions. As the Technical Director at the Institute of Food Technologists' Global Food Traceability Center (IFT's GFTC), his focus centers on enhancing data digitization in food systems, which involves collaborative efforts with a diverse range of stakeholders from the industry, government, and NGO sectors.

Alison Grantham, Ph.D., is a consultant who brings a rigorous, practical approach to her work with public and private sector organizations to improve the food system. Alison focuses on helping her clients develop data-driven tools and programs to define and achieve goals that enhance food and agriculture. She has worked closely with IFT's Global Food Traceability Center since 2019, developing the Global Dialogue on Seafood Traceability (GDST) standards, among other traceability initiatives. Prior to consulting, she led food systems research and development, and then food procurement, at an $800-million-revenue e-commerce food company. Previously, she led Penn State Extension's beginning farmer training program and directed research at the Rodale Institute. Alison currently serves on the Rodale Institute's Board of Directors and on the National Academy of Sciences' committee advising the U.S. Global Change Research Program, the body that oversees climate and other global change research across 14 federal agencies.

In this episode of Food Safety Matters, we speak with Blake and Alison [35:05] about:
IFT traceability experts' observations over the past year regarding industry preparation to comply with FSMA 204 in 2026
Advances in traceability initiatives and technology, especially low-cost/no-cost technologies promoted by FDA, to assist industry compliance
Advice for companies that have not made much progress in compliance efforts on how they can get started
Advice for companies that have made strides toward assuring compliance on how they can ensure they are on track to fully meet FSMA regulations by January 2026
How worldwide adoption of Global Dialogue on Seafood Traceability (GDST) standards has been facilitated, tools offered to help the seafood industry comply with GDST standards, and how GDST standards are influenced by FSMA 204
Ways in which FSMA 204 compliance will benefit public health and food safety
How FSMA 204 can help optimize individual company and entire supply chain operations.

News and Resources
CDC Study Highlights Restaurant Characteristics Most Associated With Food Cross-Contamination [2:24]
Study Shows Potential of Antimicrobial Blue Light for Listeria Inactivation in Food Processing Plants [8:49]
WHO Provides Step-by-Step Guide on Use of WGS for Foodborne Illness Surveillance, Response [13:18]
FDA Clarifies "In-Shell Product" Definition and Requirements for Shellfish per 2022 Food Code [18:08]
IFT Global Food Traceability Center

Sponsored by: Wiliot

We Want to Hear from You! Please send us your questions and suggestions to podcast@food-safety.com
After several sports injuries I lived with chronic neck and back pain for years, and I tried all kinds of treatments including massage, Rolfing, physical therapy, and traditional chiropractic care. These helped to some degree, but the benefits were always pretty short-lived. Thankfully, through my previous clinic job I got turned on to Craniopathy and connected with Dr. Scoppa. It sounds cliché, but he has truly changed my life, so I want to introduce his work to all of you. In his Bellevue practice, Dr. Scoppa sees a little bit of everything, but most of his patients come to him for hypermobility issues, cranial-facial pain, TMJ, and headaches.

Dr. Jason Scoppa has been practicing in the Seattle area since 2012. Having graduated from Palmer Chiropractic College in California, Dr. Scoppa went on to earn post-graduate certifications in SOT (Sacro Occipital Technique), SOT Craniopathy, Applied Kinesiology, and Sports Medicine through the ACBSP. He is one of only two doctors in Washington certified as an SOT Craniopath and has completed hundreds of hours of post-graduate coursework in the areas of TMJ (jaw dynamics and issues), TMD (conditions associated with TMJ problems), airway compromise, cranial-facial growth and development, and cranial-dental co-management. Dr. Scoppa currently teaches courses in SOT, TMJ analysis and treatment, cranial growth and development models, cranial-dental co-management, and integrated care models. He sits on the board of SOTO-USA (the SOT technique organization) and has an online education company geared towards healthcare professionals.

Where to find Dr. Scoppa:
Jason Scoppa, DC, CSCP, CCSP®, PAK - Dr. Scoppa sees people locally and offers out-of-state case reviews.
Schedule a free consultation with Dr. Scoppa at Northwest Structural Medicine - www.StructuralMed.com
On social:
Instagram - @northwest_structural_medicine
Facebook - https://www.facebook.com/structuralmed
YouTube

How to find a certified practitioner if you don't live in the Seattle area:
International College of Applied Kinesiology - ICAK USA Practitioner List
Sacro Occipital Technique - SOTOusa.com

Also mentioned in the episode:
Foundation Training – Dr. Eric Goodman - Start with The Founder Exercise
Toe Spacers

Interested in working with Jeannie? Schedule a 30-minute Coffee Talk here.
Connect with me on Instagram @joliverwellness and check out the options for my more affordable self-study programs here:
Although the world is a few years removed from the pandemic, the supply chain still finds itself trying to adapt to lingering uncertainty in the market. Concerns over capacity and labor are just some of the factors forcing companies to consider other options such as outsourcing. But do the current trends support bringing operations in-house or working with LSPs? Will Post of DAT Freight and Analytics chats with us about how shippers can utilize the right data to get better control of their own supply chains.

FOR MORE INFORMATION: https://data.dat.com/Empower_iQ

DO YOU WANT TO RESPOND TO THIS EPISODE? Call our Dialog Line: 888-878-3247

DOWNLOAD THE NEW INBOUND LOGISTICS APP featuring the updated and expanded Logistics Planner! Available on iTunes and the Google Play Store: bit.ly/ILMagApp bit.ly/ILMagAppGoogle

Are you a #logistics Thought Leader that would like to be featured on the Inbound Logistics Podcast? Connect with me on Twitter: @ILMagPodcast Email me: podcast@inboundlogistics.com

Connect with Inbound Logistics Magazine on LinkedIn: https://www.linkedin.com/company/inbound-logistics
Follow us on Twitter: www.twitter.com/ILMagazine
Like us on Facebook: www.facebook.com/InboundLogistics
Catch our latest videos on YouTube: www.youtube.com/inboundlogistics
Visit us at www.inboundlogistics.com
Dan and Will speak with Brooklinen's Director of Production & Procurement JD Davis, CSCP, about their latest launch and what's key to running a successful supply chain. Davis talks about her latest challenges, why having a stellar internal team and supplier team is so crucial, and what's next for Brooklinen.

View Anvyl's 2023 Supply Chain Outlook report here: https://anvyl.wpenginepowered.com/wp-content/uploads/2023/03/Supply-Chain-Outlook-2023.pdf
David Steven Jacoby is a well-known expert in the global supply chain. He is changing the supply chain game. He has written many books on the topic, which you will find in his bio below.

To learn more about David, visit these websites:
http://www.supplychainification.com/ (COMING SOON)
https://bostonstrategies.com/
https://davidstevenjacoby.com/

BIO
David is the President of Boston Strategies International, a consultancy that helps energy companies and national governments develop strategic value chains for critical materials, components, and equipment to achieve superior profitability and energy independence. He teaches Operations Management and Supply Chain Management at New York University's Tandon School of Engineering and is a Senior Fellow at Boston University's Institute for Global Sustainability, as well as a former adjunct professor at Boston University's Questrom Graduate School of Business. He wrote Guide to Supply Chain Management for The Economist, Reinventing the Energy Value Chain for PennWell Books, and four other books on supply chain management and international trade. He earned his MBA and a Master of Arts from the Wharton School at the University of Pennsylvania, and his academic and professional contributions to the field of supply chain management span hundreds of publications and media events. He holds supply chain certifications including C.P.M., CTL, CIRM, CFPM, CSCP, and AEE. He has served as an advisory board member at New York Energy Week and a Chief Judge at the International Supply Chain Educational Association, and was previously an international management consultant at Kearney and Oliver Wyman in the United States, France, Brazil, Hong Kong, and elsewhere. David is passionate about building businesses that transform global supply chains. Based on extensive management experience in energy, automotive, transport, and retail in more than 50 countries managing and advising executive leadership teams, he has deep and practical first-hand knowledge of what's on the other end of your international supply chain and how you can use that information to reduce cost, grow revenue, and increase shareholder value.

To learn more about David, please visit https://davidstevenjacoby.com/
Progress Over Perfection Coaching is a podcast focused on career management and development, offering insight on how to build an intentionally balanced and purpose-filled career.

We have another entry in our Career Deep Dive series, where I bring on guests who are living successful careers to have them share their insights, experiences, and perspectives on career building and development.

My guest for this episode is Clarke Potter. Clarke is currently a Supply Chain Leader with Winnebago, and has a deep background in Supply Chain spanning nearly 20 years, holding multiple Director-level jobs in a variety of industries, including high tech, medical devices, private equity, and automotive. Clarke is a US Army Veteran, holds an MBA from George Fox University, and holds both his CPIM and CSCP designations through APICS. His profound commitment to continuous self-improvement is reflected not only in his professional career, but also in his personal life, where he maintains focus on ways to grow as a husband and father.

More information about Progress Over Perfection Coaching can be found at:
https://prgscoach.com/
https://app.delenta.com/ta/@prgscoach
https://www.linkedin.com/company/progress-over-perfection-coaching/

Intro and Outro music:
Music: Right Ways [Original Mix] by Imperss is licensed under a Creative Commons License. https://creativecommons.org/licenses/...
Support by RFM - NCM: https://bit.ly/3po6gnm
The Milk Minute Podcast- Breastfeeding/Chestfeeding/Lactating/Pumping
What exactly is Craniosacral Therapy and how can it affect your baby's latch? Today on the Milk Minute, Heather & Maureen interview Dr. Martin Rosen of Peak Potential Institute on his expertise in chiropractic care for babies, specifically how the structure and function of your baby's body relates to their latch for feeding. Tune in to learn more!

THANK YOU, PATRONS!
Emily Hannaman, who is an IBCLC from Baton Rouge, LA; Mandi Parrish from Suwanee, Georgia; Tara Y from Texas; Janie C

THANK YOU TO THIS EPISODE'S SPONSORS
Get your breastfeeding journey BACK ON TRACK with a Lactation Consult with Heather! Telehealth available and some insurance accepted. Click HERE for the deets. If you have Blue Cross Blue Shield, Anthem, or Cigna PPO – you can fill out a short form to get pre-approval to get your visits with Heather 100% approved! Click HERE to access the form.
Book a Lactation Consult today! Booking a virtual consult with Maureen is now easier than ever. Click HERE to get started!
Click HERE to save 25% off and get free shipping on all Liquid IV products with the code MILK_MINUTE
Click HERE to get HappiTummi and enter code MILKMINUTE10 for 10% off your order!
Dairy Fairy – Click HERE for free shipping by using code MILKMINUTE

Listener Question: Is there an episode, or do you have advice, about whether or how to switch breasts during a single feed?

Mentioned in This Episode:
Book: It's All In the Head, by Dr. Martin Rosen and Dr. Nancy Watson, at ItsAllInTheHeadBook.com
Learn With Dr. Rosen at Peak Potential Institute peakpotentialprogram.com
Professionals - drmartinrosen.com
Patients - wellesleychiro.com
Email - drmartinrosen@gmail.com
Also, Dr. Rosen is on Facebook and Instagram

Find the new Milk Minute Podcast website by clicking here!
Become a Milk Minute VIP: Click here to get behind-the-scenes access and exclusive merch!
Contact us: To send us feedback, personal stories, or just to chat, you can send us an email at milkminutepodcast@gmail.com
Get Community Support: Click Here to Join our Free Facebook Community!
Stay up to Date: Find us on INSTAGRAM @milk_minute_podcast
Stare at us on TikTok
Prefer to read the transcript? Click Here to read the edited version of this episode!
All of the resources cited in this episode are available on our professional transcript.
Support the show
This episode explores how sustainable practices have evolved over time and the current state of affairs with Chris Coulter, CEO at GlobeScan, and Michael Kuhndt, Executive Director at CSCP.
Jonathan Slater is one of three co-founders at CAPSLOCK, a cyber security education start-up tackling the cybersecurity skills gap and helping adults re-skill. CAPSLOCK has raised over £1m in pre-seed funding and re-skilled over 200 UK adults in cyber security in 2021. Jonathan's previous career as a recruiter made him realise there was a gap in the market, so he sat down with the other two co-founders, both women, and started CAPSLOCK. Notably, CAPSLOCK is one of the rare start-ups (luckily more and more common) with a founding team that is more than 50% female.

The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organizations SMART. Follow the tag #appsecsmart. https://www.appsecphoenix.com Get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register

Capslock Team

0.00 Introduction
0.35 Jonathan's background
1.04 Welcome Jonathan
3.30 The state of the industry
6.30 Education catch up
7.35 The importance of soft skills
10.05 Gender diversity and unconscious bias
16.36 Measuring potential
18.40 Team-based learning / diversity of thought
23.00 The curriculum
26.15 Cyber – the multidisciplinary field
27.35 Avoiding career redundancy
29.15 Start-up life
30.24 Working remotely
31.08 Maintaining good mental health
32.48 Positive message
33.50 Conclusion

Jonathan Slater
https://www.linkedin.com/company/capslockuk
https://www.facebook.com/CAPSLOCKCyber/
@CAPSLOCKcyber for IG + Twitter

Cyber Security and Cloud Podcast hosted by Francesco Cipollone
Twitter @FrankSEC42 #CSCP #cybermentoringmonday
cybercloudpodcast.com

Social Media Links
Follow us on social media to get the latest episodes:
Website: http://www.cybercloudpodcast.com/
You can listen to this podcast on your favourite player:
Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ
Linkedin: https://www.linkedin.com/company/35703565/admin/
Twitter: https://twitter.com/podcast_cyber
Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
Liran Tal is a full-stack developer who joined forces with security professionals to fight the good battle. GitHub Star, published author, DevRel, and wearer of a Yoda hat (hear more in the podcast).

0.00 Introduction
0.38 Liran's background
1.23 Welcome Liran
3.10 What's with the hat?
4.15 Getting involved in the industry / stumbling across cyber security
6.33 Cyber security is a mindset
7.20 Open source security
10.22 How organisations see through a sea of data
13.16 Infrastructure risk
14.18 The responsibility of a developer
18.41 The true core of DevSecOps – the speed of development
21.06 Risk tolerance / investing in security
22.58 Quantifying risk
25.28 Security is a must
27.00 A systematic approach to security
30.30 Auto-remediation vs. manual assessment
34.01 Positive message
35.10 The Big Fix
36.00 Connect with Liran
36.23 Conclusion

Liran Tal
https://www.linkedin.com/in/talliran/
https://twitter.com/liran_tal
Tinesh Chhaya is a cybersecurity specialist, a veteran in the industry, and CEO of Decipher Cyber - Jenny. Tinesh has 15 years of successful corporate cyber experience as a Chief Revenue Officer and 5 years of start-up entrepreneurial cyber experience. He has built and exited 2 start-ups and currently sits on the board as an advisor to startups within Cyber, EdTech, Software Development, and Social Tech.

0.00 Introduction
0.41 Tinesh's background
1.39 Welcome Tinesh
2.04 Tinesh's view on the market
3.10 Cyber security start-ups
5.22 The hot-bed of cyber investment
5.48 4 main areas of cyber searched for
9.55 Differences across the world
12.50 Partnering up with big names
21.34 The mentorship group
22.03 The absence of an accelerator
23.05 Strong community
25.37 The mental struggle
32.08 Failure and resiliency
33.19 Support mechanisms (the importance of a strong team)
35.20 Celebrating successes and failures
36.02 Positive message
37.30 Thank you
37.35 Connect with Tinesh
38.34 Conclusion

Tinesh Chhaya
https://www.linkedin.com/in/tinesh-chhaya-07623097/
https://deciphercyber.com/
Karissa Breen is a Cyber Communications Specialist, Security Investigative Journalist, start-up advisor, entrepreneur, and podcast host based in Sydney. She quickly rose up in the cyber field, getting promoted to Cyber Reporting Analyst, then Pen Testing Engagement Lead, and then started her own company. She says that better marketing and communication skills would improve many issues in the field. They discuss diversity, women in cyber, soft skills, and how the industry is rapidly changing.

0:00 Introduction
0:28 Karissa's background
6:50 Promotions and rising up the ranks
8:46 Creating own company
9:50 Communicating technical terms
12:00 Lightbulb moment
16:05 Changing role of security
17:50 Advice on developing soft skills
20:27 Marketing
23:20 Women in cyber
29:10 Job requirements and diversity
33:40 Positive message
35:15 Connect with Karissa
36:09 Outro

Karissa Breen
Twitter @iamkarissabreen
linkedin.com/in/karissabreen
https://karissabreen.com
Podcast: KBKAST
Christophe Foulon is a cyber security practitioner, career coach, speaker, and currently the Sr Manager Cyber Security Consultant at (Undisclosed) and F10 Fintech. He is the co-host of "Breaking into Cybersecurity," a podcast that encourages people from diverse backgrounds to consider a career in security. He volunteers with two non-profits, "Boots to Books" and "The Whole Cyber Human Initiative," that benefit veterans and lessen the talent shortage in cyber. Chris shares why mentoring and giving back is important to him.

0:00 Introduction
0:28 Chris' background
2:33 Work with non-profits
5:02 Recruiting cyber workforce
8:20 Career possibilities in cyber
10:23 Veterans' transition to a cyber career
12:20 Starting a podcast
15:50 Need to network
16:50 Advice for starting in security
19:15 Success stories
23:00 Mentoring
27:20 Positive Message
29:43 Connect with Chris
30:50 Outro

Chris Foulon
https://linkedin.com/in/christophefoulon
Twitter @chris_foulon
https://anchor.fm/breakingintocybersecurity
https://youtube.com/c/BreakingIntoCybersecurity
https://cpf-coaching.com
https://www.boots2books.com
https://www.wholecyberhumaninitiative.org
It is a pleasure to host our good friend Jim again. Jim Manico is an AppSec enthusiast, educator, the Manicode founder, an investor, Java Champion, and an OWASP leader. This passionate conversation revolves around the new OWASP Top 10, reference architecture, threat modelling, SMS authentication, and TLS certificates.

0:00 Introduction
0:28 Jim's background
1:50 OWASP Top 10 Old and New
4:05 Secure design and threat modelling
9:55 Reference architecture
14:15 Follow through and scale
16:30 Security bugs
18:13 Authentication
24:32 JWT
27:45 TLS certificates
31:50 Zero trust
32:14 Positive Message
33:50 Connect with Jim
35:00 Outro

Jim Manico
Twitter @manicode
linkedin.com/in/jmanico
manicode.com
Aladdin Almubayed is the AppSec Engineering Technical Lead at Robinhood, previously a Senior Security Software Engineer at Netflix. After getting his master's in Jordan, he moved to Silicon Valley to work at Yahoo. Francesco and Aladdin discuss the evolving industry, fostering positive relationships with developers, and identifying organizations' crown jewels.

0:00 Introduction
0:28 Aladdin's background
3:40 Master's in Jordan
6:50 Industry past 10 years
7:54 Micro-service architecture
9:44 Work at Netflix
11:08 Work at Robinhood
13:40 Challenges in security
16:00 Security nightmare story
19:40 Security revolution breaking point
21:30 Threat Modeling and Pen Testing
24:50 Creating positive opinion of security
28:36 Quantifying risk
31:26 Positive message
34:40 Connect with Aladdin
35:10 Outro

Aladdin Almubayed
https://www.linkedin.com/in/aladdin-mubaied/
Twitter @0xshellrider
Glenn Wilson is a DevOps advocate, an agile security consultant, the founder of Dynaminet, the best-selling author of "DevSecOps: A leader's guide to producing secure software without compromising flow, feedback and continuous improvement," the co-organizer of DevSecOps London Gathering, the Co-Host of DevSecOps Overflow Podcast, and a member of OWASP. Francesco and Glenn discuss the industry's current state, security champions, risk considerations, and the importance of pen-testing.

0:00 Introduction
1:50 View of industry
6:12 Automation, support developers
9:12 Security language barrier
11:25 3 types of communication
14:06 Less reactive, more proactive
17:50 Business owns risk
20:36 Writing a book
26:34 Pen testing
28:28 Auditors and regulators
31:10 Positive Message
32:16 Connect with Glenn
33:44 Outro

Glenn Wilson
https://www.linkedin.com/in/glennwilson
Twitter @GlennDynaminet
https://dynaminet.com
Book: "DevSecOps: A Leader's Guide to Producing Secure Software Without Compromising Flow, Feedback and Continuous Improvement"
Naomi is on a secret mission to change the world of cyber and make it accessible to everybody! Naomi Buckwalter is the Director of Information Security & IT at Beam Technologies and the founder and Executive Director of Cybersecurity Gatekeepers Foundation, a nonprofit dedicated to closing the demand gap in cybersecurity hiring. Originally an aspiring FBI agent, Naomi is passionate about stopping the war on cybercrime and is recruiting and training people of all skill levels to join the fight.

0:46 Introducing Naomi
4:50 War on cyber crime
7:50 Small businesses
10:30 Ransomware
14:00 Principles of security
16:00 Hiring opera singer
19:47 Plane crash analogy
23:00 Mentoring
25:25 InfoSec drama and toxicity
29:20 Path to cyber
33:40 Positive message
35:00 Outro
CSCP is back with this brand new season 3. Vandana Verma is the Security Solutions Architect at Snyk, a Chapter Leader and Board Member of OWASP, an advocate for women and girls in AppSec, and the founder of Infosec Kids. Vandana explains why security teams need to be more empathetic, why she started the Spotlight Project and Infosec Kids, the importance of security champions, and her view on the future of security.

0:47 Introducing Vandana
3:30 Overview of industry
6:12 Open source and application security
8:38 Cloud-native application security
11:50 Educate developers
14:40 Security champions
18:30 Application security posture management
20:24 Spotlight project
23:53 Infosec Kids
27:00 Infosec Diversity
28:54 Future of security
35:36 Final positive message
37:02 Outro

Vandana Verma
Twitter @InfosecVandana
https://linkedin.com/in/vandana-verma
CSCP is back with this brand new season 3. Paddy Viswanathan is the CEO and founder of C3M. C3M Cloud Control is a cloud security platform that helps cloud and security teams continuously monitor and manage their cloud security posture. Frank and Paddy discuss risk assessment in the cloud, how to prevent breaches associated with a third party, and the overall state of the cyber security industry.

The episode is brought to you by C3M. C3M Cloud Control is a cloud security platform that helps cloud and security teams continuously monitor and manage their cloud security posture. To know more go to www.c3m.io

0:47 Introducing Paddy
2:25 State of the industry
5:55 Risk and alert fatigue
10:21 Risk code
13:19 Security breaches
17:35 Access and authentication
18:50 Cloud assessment
23:24 Final Positive Message
26:15 Outro

Paddy Viswanathan
https://www.linkedin.com/in/paddyviswanathan/
https://www.c3m.io
CSCP is back with this brand new season 3. Christopher Hodson is the CISO at Contentful, the former CISO of Tanium, the author of Cyber Risk Management, and an all-round Cyber Security and DevSecOps expert. Francesco and Christopher discuss changes in the industry since COVID, whether coding should be a requirement to work in cyber security, and communicating technical security risks with executives.

0:50 Introducing Chris
3:30 Changes due to COVID
7:05 Cloud capacity and security
11:40 Misconfigurations
13:50 Working cross-functionally
17:40 Shifting security approach
19:58 Communicating with executives
26:10 Burnout
28:35 Is coding a requirement
31:10 Final positive message
34:40 Connect with Chris
34:34 Outro

Christopher Hodson
Twitter @ChrisHInfoSec
https://cybersecuritymatters.blog
https://www.linkedin.com/in/christopherjhodson/
CSCP is coming back with Season 3 in the new year! As a teaser, we bring you the latest story on the blog: Log4j with Steve Wilson from Contrast Security. Steve Wilson is an Application Security expert, development manager and currently the head of product at Contrast. Steve joins the podcast to discuss the nightmare just unleashed, Log4j, that has been affecting everyone around the cybersecurity industry, and the reason why we are facing this other pandemic. We will return with a special launch in 2022 with some special guests.

0:28 Introducing Steve
2:13 Cybersecurity Advice
3:15 Supply chain issues
8:30 Log4j
12:47 Issue of supply and software
19:16 What to do to avoid it
23:07 Why we are getting it wrong
27:52 Final Positive Message
29:40 Outro

Steve Wilson
Twitter @virtualsteve
https://www.linkedin.com/in/wilsonsd/

Full Transcript

00:00.00 franksec: Hello everyone and welcome back to another episode of the Cyber Security and Cloud Podcast today.
We have a topic that probably nobody has ever spoken about in recent times, that is gonna be application security, vulnerability management, but the whole thing that has taken the industry by storm, that is fundamentally Log4j, and today we have a special guest. But before we crack on, let us start with our intro.

00:54.11 franksec: All right, all right, all right, we are back. So I'd like to welcome Steve Wilson. We started chatting over a Twitter thread around, of course, Log4j. So I've reminded him on the show to actually chat a little bit about the topic and his particular take. He's been the Chief Product Officer of Contrast Security, one product that we absolutely love, and we saw that was quite well reacting on the Log4j issue, but also he is an early member of the Java team in the early nineties. But before I talk through it, let me welcome Steve. Steve, welcome on the show.

01:33.74 Steve Wilson: Hey, thank you Francesco for having me, really looking forward to it.

01:37.60 franksec: Brilliant. And can you give our audience a little bit about your background, what brought you into cyber, you know, how did you start the journey from the early days with Java?

01:47.24 Steve Wilson: Yeah, so, um, I started out really early in my career back in the nineties at Sun Microsystems. I was an early member of the Java development team. Um, went on from working really around development tools, developer tools, for several years and then shifted my focus over to cloud, and I spent a lot of time at large companies like Oracle and Citrix building cloud services and cloud infrastructure, and really got exposed to a lot of the security challenges that are out there in the industry, and decided about a year ago that I wanted to really move into the cyber security industry from the inside. And so I joined Contrast a little over a year ago to head product development.

02:35.60 franksec: Nice, fantastic.
And we need more allies in cyber, especially over these challenging times. But we have a tradition on the show that we give an overview on the industry of what's working, what's not working. So what will be your take on...

02:53.16 Steve Wilson: Yeah, so, um, with the area of the industry that we're really focused on, looking at the security of applications and code, it's a really challenging environment out there. I think what we really see is that...

02:53.40 franksec: What's going on.

03:11.40 Steve Wilson: Over the past several years, the complexity in software out there means that the number of security vulnerabilities in a typical program is escalating dramatically as they get larger and more complicated, and really the fact is human brains have a hard time, ah, dealing with the complexities in the number of paths and things that are through the code today. And so, you know, really this industry around application security has developed there to create tools that people can use to make their applications more secure. But one of the big shifts going on now is really moving from a focus on standalone security teams working to audit applications sort of almost after they're done, to really bringing that security mindset into development at the beginning, and really creating a new culture where, um, security comes very early in the cycle of what's going on with code development.

04:18.55 franksec: Right. And I think we move towards that space. But as you rightfully say, the number of vulnerabilities and the number of issues that a lot of organizations are finding are escalating over and over and over. And that's just on application security. But then, you know, development teams and now DevOps teams are faced with, you know, the cloud issue, the cloud misconfiguration, the deployment in the cloud, then the container base, container image. You know, the landscape is in my opinion becoming quite, quite...
...ah, intense, and it's complicated for developer teams and security teams to have that broad spectrum of knowledge. But then you take even an executive: they need to make decisions of what is your target, what is security, what does security look like or what does good look like.

05:11.36 Steve Wilson: Yeah, well I think that in what I'll call the olden days, which were really not that long ago, in a pre-cloud world, you could depend a lot more on the idea that many of your applications were hidden behind a firewall, that they were...

05:11.59 franksec: What's your take on that?

05:29.29 Steve Wilson: ...not exposed to the internet and thus less valuable. In a cloud-based world, in a zero-trust-based world, more and more of your applications really are on the internet, and that means that every one of these vulnerabilities is a potential place that you could be exploited, and...

05:37.96 franksec: Um.

05:47.79 Steve Wilson: You know, when we start working with a new customer and help them start to evaluate their applications, we'll find that typical applications have dozens of vulnerabilities in them, potentially serious ones, and then you look at a large corporation, they may have thousands of applications...

06:05.84 franksec: Right.

06:07.73 Steve Wilson: ...in their environment. So it's not uncommon to see a Fortune 500 or Global 2000 company having tens of thousands of discrete vulnerabilities in their software. And so from an executive point of view, the question is how do you manage that. There's, ah, sometimes a snap-back reaction that says we better stop everything that we're doing and fix this. On the other hand, every company today is a software company. Your competitive advantage is in your software; your ability to compete in the market, your ability to deliver new services is dependent on that. And so the challenge as a leader is how do I balance the real risk...

06:36.69 franksec: Right.
06:51.50 Steve Wilson: ...with my need to compete in the market and deliver new value to my customers.

06:55.30 franksec: Right. And you know, I like your take, I really like your take on the risk, because I think, um, because there is a lot of tooling around different areas. You know, you have cloud security, infrastructure security, container security, you know, you have your pentest report coming in, your red teaming just trying different things, your, ah, security lifecycle tooling, that is DAST, MAST and, you name it, RASP, you know, and more of those coming. And despite that, every tool is doing...

07:21.36 Steve Wilson: So.

07:29.34 franksec: ...a different level of scanning and trying to reduce the false positives. I think what we're missing in a lot of programmes of work and a lot of these organizations is the contextualization and the breadth of view of where those kinds of elements are deployed. That could potentially, in my humble opinion, simplify a lot of those kinds of conversations, and the conversation that traditionally happened between security team, development team and executives, because everybody could have an opinion on that, while if we display the complexity of the landscape nobody will be able to inform the opinion unless they're very technical. So, what do you think, Steve?

08:12.42 Steve Wilson: Yeah, so this element of risk analysis is really critical, and, you know, Log4j is a really good example of this. This is an exploit, or, ah, a vulnerability that has exploits, that are incredibly high risk, right? It's a 10 out of 10 CVSS score because, you know, you're basically enabling complete remote code execution on your servers and it's really easy to exploit. But when you really go look at it, and...

08:32.60 franksec: So.

08:46.86 Steve Wilson: ...and we've been looking at this specifically with customers.
You know, we estimate something like fifty-six percent of the Java applications out there are packaging a vulnerable, um, version of Log4j, but when you really look at it, it actually matters how you use it, um...

08:55.91 franksec: Right.

09:06.14 Steve Wilson: ...whether your application is vulnerable. And so being able to have tools that are able to analyze not just do you have one of these things, the sort of naive view, but are you really vulnerable, that's really, really critical to you being able to, for example, prioritize the work that you're going to do. What are you going to mitigate first? Because again, if you have thousands of applications, you know, how are you going to do this all at once? Can't do this in a day. This is going to be going on, honestly, for weeks or months. Um, so yeah, being able to really...

09:30.32 franksec: Where is still not right.

09:41.79 Steve Wilson: ...establish risk in an urgent situation like this for triage, but then more on a day-to-day basis when you're dealing with an environment where, um, you know, dozens, hundreds or even thousands of software developers are continually building new software: how do you evaluate the risk of different, um, conditions, vulnerabilities, and really decide where you need to make compromises in terms of your development and really lean into securing yourself versus continuing to generate that new business value.

10:15.40 franksec: Right, yup. Absolutely agree, and I think the other thing that we saw that was working was also trying to prioritize the things that are externally exposed, that are easily attackable. And, you know, every team right now is scrambling and trying to find a way to... As you rightfully say, you know, if you belong to an enterprise that has multiple deployments, even your webcam could be bulletproof to Log4j. But maybe if we take a step back...
Um, I wanted to understand, considering you come from that kind of environment in Java in the early days, I want to understand what happened in there. Why are we facing a vulnerability that is so easy to exploit, that should really never have been in place? You know, something so trivial as sending a string, and that string can then execute, ah, whatever RCE or remote code execution, and then download whatever payload you want. How are we in that situation in the year 2021?

11:19.86 Steve Wilson: So, um, it's really interesting to think back to the early days of Java, and so much emphasis was on creating it as a secure environment. You know, really Java pioneered these concepts like having the security manager in the runtime that managed what permissions...

11:29.22 franksec: Right.

11:39.81 Steve Wilson: ...things had. But a lot of that, in the inception of Java, you have to rewind so far to remember that Java was originally intended for environments like set-top boxes and running applets in a browser, and so the security manager was for things like making sure that, um...

11:50.79 franksec: And.

11:58.32 Steve Wilson: ...your Java applet couldn't escape the sandbox and get onto somebody's desktop. Um, the actual security of getting something into the Java runtime environment wasn't what the team was optimizing for originally. And so when you look at this Log4j vulnerability, I think there's a couple of things that come in. Obviously logging is in some ways the least glamorous thing, you know, task that you can think of, and, um, you know, this Log4j library is more than 20 years old. It's been...

12:25.45 franksec: Right.

12:35.84 Steve Wilson: You know, it got created, then it got donated to Apache. It's been in Apache for 20 years now with a very small team of, honestly, very dedicated folks maintaining it, but it's a small team with minimal investment and minimal tooling.
And while it doesn't seem glamorous, um, this library has been copied literally millions of times, different versions of it at different points in different physical locations. So, you know, you think about, okay, there's a bug and I want to patch the bug. All right, well, that's one challenge, but the problem is the offending code has been copied millions of times around the planet. So there's no single place to fix it. On top of that, um, you know, the...

13:17.52 franksec: Right.

13:26.43 Steve Wilson: ...confluence of events that create this vulnerability and make it exploitable are pretty insidious in terms of the snarly code path you have to go through, and while the exploit is trivial, um, the vulnerability is actually really intricate. And so, you know, what that means is the first attempt that the team put out at Apache to fix the vulnerability, um, it didn't even fix it. So, you know, people went out and started patching to a new version of the Log4j library and now they're having to go back and do it again. And so in a lot of ways I think what we're going to find is people continuing to hammer on some of this until we really get to the bottom of it, and then we're going to start the long, arduous process of patching this, um, and we have, you know...

14:16.18 franksec: Um, at scale.

14:19.75 Steve Wilson: ...certain places where they have tooling in place and they're able to execute very, very quickly on it, and that's, you know, one of the things we're really proud about at Contrast, is that I think we have tooling that in some ways was designed for the fact that someday this would happen, and it's been great to work with customers and kind of feel like we're helping them. But so many places don't have that kind of tooling in place. They're using, um, you know, free and open source tools to do their software composition analysis that don't have enterprise-level management. They're writing scripts trying to figure this out themselves.
And then you get all the way to the limit case. You know, you mentioned something like your webcam could be vulnerable, and that's not absurd at all. We've seen out in the industry now very specific attacks where people are targeting things like SNMP, where they're actually going out and looking for embedded devices.

15:00.21 franksec: Yeah.

15:13.72 Steve Wilson: And those embedded devices are going to have, in some cases, literally no way to update them.

15:19.39 franksec: Right. And you know, I want to cover this in detail, but before we jump on that we have to have a small section for our sponsors, so bear with me a second.

16:16.36 franksec: All right, and thank you again to AppSec Phoenix, our sponsor, for keeping us running. But I wanted to touch on this particular topic, because I remember Jeff, ah, kind of wrote a white paper like 6 or 7 years ago and actually presented it at Black Hat as well. This is not a new thing. The industry has been screaming about this: this is something that will happen, this is something that will be out there, and now it suddenly happened. And I do also subscribe to your view and to your pain, in a way that code has been forked so many times and has been distributed in so many places that it becomes very, very complex to fix it, and we're never going to know the extreme expansion. But maybe on the more scary topics that I want us to maybe debate: if that was one library, what's stopping attackers now from poking at the other side of libraries to discover, um, similar Log4j kinds of problems? What do you think?

17:25.19 Steve Wilson: Well look, the way I'd like to say this is: this has happened before and it will happen again, right? If we rewind a few years ago to 2017, the Apache Struts library had a severe vulnerability in it, and that is, um...

17:30.97 franksec: Um.

17:38.57 franksec: Right.
17:44.91 Steve Wilson a less used library than Log4j, but the same basic concept is there: popular open source library embedded in lots and lots of places with a vulnerability in it that could lead to really severe consequences. What's interesting is the world remembers this vulnerability, but they don't remember it as the Struts vulnerability. They remember it as the Equifax breach, right? There were many people that were breached from that, but if you don't remember this one, about 150 million people lost
18:08.30 franksec Ah, right.
18:20.75 Steve Wilson their personal financial info from Equifax, which is one of the global credit rating organizations, and as a result they wound up paying 425 million dollars in fines for not being secure. But the interesting thing here is: did the world learn anything from this? And they absolutely did, right? If you look at the difference in response between the Struts vulnerability and the Log4j vulnerability: one of the reasons that Equifax was penalized so heavily is they could have done much better. This was, for them, not a zero-day vulnerability. It was a disclosed vulnerability. It was well known. There were patches that were available and they simply did not act on it.
19:01.11 franksec It's well known.
19:16.79 Steve Wilson What's interesting here, to see the difference four years later, is that the industry realized how serious this was. On Thursday night last week people started
19:23.25 franksec And acted fast.
19:33.61 Steve Wilson exploiting this in Minecraft, of all places. Minecraft, the popular video game, famously is written in Java. I remember a few years ago my daughter went to coding camp over the summer and learned to write her first Java programs as Minecraft extensions.
So probably millions of people learned to program by hacking on Minecraft, and so in some ways it's not surprising that that was, not the first place that this was exploited, but the place people realized how serious this was. People were exploiting this by
19:56.27 franksec Um, has great.
20:05.97 franksec Right.
20:10.39 Steve Wilson putting messages into the Minecraft chat window. That was how easy it was to exploit. But that was happening on Thursday, and Thursday night our research team at Contrast started getting information about this. I heard something about it and I went to bed, and I got up at 5 in the morning the next morning. I get up early; I'm on the west coast of the US and we have teams in Europe, so I get up early to talk to them, and I had Slack messages from our chief architect that said "Steve, you need to call me right now." I talked to him, and by Friday morning he said
20:42.78 franksec Um.
20:49.10 Steve Wilson "Steve, this is the most serious thing I've ever seen. We have to help our customers get in front of this." And so you started to see the news coming out on Friday. People were reacting to it, not everywhere; it's far from perfect and it's
21:02.89 franksec It was pocket.
21:06.36 Steve Wilson far from uniform, but the industry is jumping on this, and let's say the more advanced shops are much better prepared. The tooling is better. It's absolutely better than it was four years ago, and so we have moved forward from that. But then your question is: will this happen again? Of course it will. The fact is that we still build software where, you see different figures, but up to 80 percent of the code in a typical business application is open source.
21:26.94 franksec Nope, yeah.
21:40.45 Steve Wilson And so really what people are starting to talk about, and this started before this, really going back to SolarWinds,
but the topic around software supply chain management is now the hot topic, and I think that's actually a really good way to phrase it, because it makes it a bigger problem than just
21:52.50 franksec Right.
21:59.78 Steve Wilson thinking about managing vulnerabilities. It's about understanding where your code's coming from, what's the provenance of it, and being able to really understand that end to end. I think that's going to be the next step in making this better.
22:12.55 franksec So, will we start seeing vulnerabilities being deployed in stock trace? That's gonna be the next one, gonna get it. Am I giving the wrong suggestion to the wrong people?
22:18.64 Steve Wilson Oh my, yeah.
22:28.90 franksec You know, because after open source, this thing is used kind of by every single developer on earth, and I'm pretty sure actually some of my friends have done this experiment of publishing an exploit and PoC with vulnerable code in there, so you had hackers just blindfolded, trusting a piece of software, just downloading and executing it with a boom in there and a callback home. It was a friendly experiment by Andy hilllabs, but it was quite interesting to see how blind trust was deployed on a piece of code running on the web. That is like going outside and asking candy from a stranger, right?
23:12.17 Steve Wilson Yeah, well, the more insidious example of this is something we started to see earlier this year: a rise in attacks that go by different names, but dependency confusion is one of them.
23:29.10 franksec The.
23:31.89 Steve Wilson And when you think about the way that people's build systems and CI/CD systems work, they're constantly going out on the internet and pulling down these packages from massive open source repositories, where you're somewhat hoping that you're getting the right thing.
And actually, a lot of the ways that these work, you're only providing a general description of the package that you want and it's trying to find the one that's the best fit, and people have found that they can go and create their own version of popular open source libraries, put them up in those repos and have people pull them down. One of our researchers at Contrast did a proof of concept with this, went and looked for applications that looked like they were exposed to this, and actually Microsoft Teams wound up being a good example. Now, Microsoft's an investor and a partner, and we're in their bug bounty program, so we did this all above board, but we actually created some open source libraries and Microsoft pulled them down and compiled them into their binary, and it was just an example
24:40.97 franksec Teams.
24:45.22 Steve Wilson of how even a sophisticated software shop can be vulnerable to this. They've hardened their processes since then, but other people have not. This is a really new example of a vulnerability out there: being able to divert the software supply chain to a hacker's nefarious ends, the ability of someone to go and create their own version of an open source library with some nefarious code. We've seen this so far largely with people doing things like dumping in crypto miners, and that's well documented, but
25:21.90 franksec Brilliant, yeah, or ransomware. I think I saw a couple of days ago a payload, and Conti starting to deploy this as potentially a ransomware payload, so we start seeing
25:24.20 Steve Wilson we know there must be examples of much more nefarious usage. Absolutely.
25:41.22 franksec fundamentally ransomware going towards this, and that's the other scary part for the industry from the attacker perspective.
This seems to have industrialized the use of this massive-scale vulnerability, and the scary factor is that we had just a week, or maybe two, of time to actually breathe and detect the vulnerability, so time to detection and remediation is actually being shortened dramatically. I mean, our statistic goes from roughly 3 to 15 days to deploy something like this at scale, and it's being confirmed basically by this. I think it is a scary factor. And then on the other side, maybe here more in the UK, we saw fundamentally British Airways being attacked with much more malicious code, where somebody fundamentally hijacked one of the developers' trusted accounts and injected malicious code in a library. So that's even worse, and I agree with you: it doubles down on the subject of controlling your supply chain, but also controlling how you pull in things and where you're deploying. In my humble opinion, I think we've been using security in the wrong way right now. We've been putting them on the front foot, firefighting vulnerabilities day in and day out, and they kind of lost their way by not focusing on systematizing and on strategic things like creating a proxy for libraries, or analyzing open source, what comes in and out, like what the security team in Contrast does. That's how we should be using security: for that instrumental, systemic change rather than day-in, day-out management of vulnerabilities.
27:26.62 Steve Wilson So yeah, I mean, look, I think the day-to-day management of vulnerability actually, to some extent, hasn't been done at all in a lot of shops, right? It's been completely pushed off to a
27:26.89 franksec What do you think, Steve?
27:36.95 franksec Ah.
27:43.92 Steve Wilson periodic, scanning-based procedure run by the security team, where you scan things on a quarterly or even yearly basis. I lived this in my last job; it's one of the reasons I got excited about this job opportunity when it came up. I was running a large development team, and the head of engineering came to me and said, "I need to cancel all the features that I promised for next quarter because the security team just ran a scan and filed a thousand Jira tickets." And now there was this record of this potential vulnerability that we were obliged to deal with, and it turned out most of them weren't real vulnerabilities, almost all of them weren't, but it wound up being a huge amount of work to sift through it. On the other hand, for companies that really adopt this DevSecOps attitude and get the right tooling in place to enable it, you find a potential vulnerability maybe before you even complete your pull request to put the software back, and it's just like any other bug: if the bug gets into the code base, it's 10 times as expensive to fix it as it was for the developer to fix it on their desktop. If it actually gets out to a customer, it's a hundred times more expensive, and with security, given the stakes, it's much worse than that. So the real shift here is to push so much more of the responsibility down to the developers, but also really not make the developers responsible for it, because it's hard for developers, but to put the right toolchain around them that makes it easy. It really is possible with the modern tools to do that now, and that's the big opportunity to change how we do development.
29:35.39 franksec Brilliant, I agree with you. It should be a collaboration between shift left and putting more automation in place, because a lot of this, as you rightfully say, is still pretty much reactive, is still pretty much that debate and discussion,
and then the endless argument between the security team and the development team saying "this is a false positive, this is internal, it's a false positive" rather than, you know, "let's accept the risk," and different priorities and stuff like that. So I think we can do better at DevSecOps, to actually remove security people from consistently doing this firefighting and this endless debate, and automate a lot of the relationship, but also the detection of false positives based on contextual aspects and contextual information: if you can actually exploit it, if it's actually visible to attack, then we focus on it, because otherwise we're always going to be overflooded by these issues, and Log4j and all similar are going to keep on piling up, right?
30:42.60 Steve Wilson Absolutely. I mean, I think we really do have the tools at our disposal and the processes being developed out there in the industry to just fundamentally shift this, change the game and make this so much more efficient, and create really much more secure applications as a result.
31:00.59 franksec Fantastic! And I guess this is just a nice input to the conclusion, that is the positive message on our industry. So if you want to double down on that, Steve, what will be your positive message overall, rather than "we have the tools and we have the technology and we can rebuild this"?
31:20.62 Steve Wilson I think going back to a little bit earlier, I think the good news is this has happened before. The industry has moved a tremendous distance since the Struts vulnerability, for example. This really would be much worse if we weren't in the position that we are now, that we had better understanding of the risks, better tools, better processes. We have the tools out there now, widely deployed, to understand your open source footprint, what's vulnerable. We have the tools in place that help people upgrade and fix this.
We even have tools today like RASP tools that can protect you, and we've seen evidence that these RASP tools were protecting people before day zero. So really, we're in a position where we're moving forward
32:09.23 franksec Um.
32:15.56 Steve Wilson so quickly that, look, there's no end in sight for this, but really the bar has been raised dramatically, and if we work together as an industry, the next time this happens we'll be even better prepared.
32:27.90 franksec Fantastic. And yeah, I agree with you. We've seen an enormous collaboration between teams and information out there, so I really appreciated that collaboration and enjoyed seeing that collaboration and the community getting together to fix it. But on the conclusion of the show, if people want to find out more about what you do day in, day out, where is the best place for them to contact you, and how can they reach you, Steve?
32:53.99 Steve Wilson Yeah, so please come over and check out what we're doing at the contrastsecurity.com website. You can get all the details on all of our commercial tools. Also check out our blog there. There's a link off the front page to some free and open source tools that we've put out to help with Log4j in particular, so we really want people in the community to engage with us on this. Also feel free to reach out to me directly on LinkedIn.
33:23.13 franksec All right, brilliant. And everybody, thank you very much. We understand that everybody is tired and stressed. We really hope that everybody can enjoy Christmas at some stage or time and get away from Log4j. Unfortunately attackers don't sleep, so defenders don't sleep either, but we're gonna get ahead of this together. So this is your host Francesco, I had the pleasure to talk with Steve Wilson, the chief product officer for Contrast Security, and I wish everybody to stay safe and have a lovely Christmas. Thank you.
00:00.00 franksec Hello everyone, and welcome back to another episode of the Cyber Security and Cloud Podcast. Today we have a topic that probably nobody has ever spoken about in recent times: that is going to be application security, vulnerability management, but the whole thing that has taken the industry by storm, that is fundamentally Log4j. And today we have a special guest, but before we crack on, let us start with our intro.
00:54.11 franksec All right, all right, we are back. So I'd like to welcome Steve Wilson. We started chatting over a Twitter thread around, of course, Log4j, so I've invited him on the show to actually chat a little bit about the topic and his particular take. He's the chief product officer of Contrast Security, one product that we absolutely love, and we saw that it was reacting quite well on the Log4j issue, but also he is an early member of the Java team in the early nineties. But before I talk through it, let me welcome Steve. Steve, welcome on the show.
01:33.74 Steve Wilson Hey, thank you Francesco for having me. Really looking forward to it.
01:37.60 franksec Brilliant. And can you give our audience a little bit about your background? What brought you into cyber, you know, how did you start the journey from the early days with Java?
01:47.24 Steve Wilson Yeah, so I started out really early in my career back in the nineties at Sun Microsystems. I was an early member of the Java development team. I went on from working really around development tools, developer tools, for several years and then shifted my focus over to cloud, and I spent a lot of time at large companies like Oracle and Citrix building cloud services and cloud infrastructure and really got exposed
to a lot of the security challenges that are out there in the industry, and decided about a year ago that I wanted to really move into the cyber security industry from the inside, and so I joined Contrast a little over a year ago to head product development.
02:35.60 franksec Nice, fantastic. And we need more allies in cyber, especially over these challenging times. But we have a tradition on the show that we give an overview on the industry of what's working, what's not working, so what will be your take on
02:53.16 Steve Wilson Yeah, so with the area of the industry that we're really focused on, looking at the security of applications and code, it's a really challenging environment out there. I think what we really see is that
02:53.40 franksec what's going on.
03:11.40 Steve Wilson over the past several years, the complexity in software out there means that the number of security vulnerabilities in a typical program is escalating dramatically as they get larger and more complicated, and really the fact is human brains have a hard time dealing with the complexities in the number of paths and things that are through the code today. So really this industry around application security has developed to create tools that people can use to make their applications more secure. But one of the big shifts going on now is really moving from a focus on standalone security teams working to audit applications, sort of almost after they're done, to really bringing that security mindset into development at the beginning, and really creating a new culture where security comes very early in the cycle of what's going on with code development.
04:18.55 franksec Right. And I think we are moving towards that space, but as you rightfully say, the number of vulnerabilities and the number of issues that a lot of organizations are finding are escalating over and over and over, and that's just on application security.
But then development teams, and now DevOps teams, are faced with the cloud issue, the cloud misconfiguration, the deployment in the cloud, then the container base, container image. The landscape is, in my opinion, becoming quite intense, and it's complicated for the developer team and the security team to have that broad spectrum of knowledge. But then you take even an executive: they need to make a decision of what your target is, what security looks like, or what good looks like.
05:11.36 Steve Wilson Yeah, well, I think that in what I'll call the olden days, which were really not that long ago, in a pre-cloud world, you could depend a lot more on the idea that many of your applications were hidden behind a firewall, that they were
05:11.59 franksec What's your take on that?
05:29.29 Steve Wilson not exposed to the internet and thus less vulnerable. In a cloud-based world, in a zero-trust-based world, more and more of your applications really are on the internet, and that means that every one of these vulnerabilities is a potential place that you could be exploited.
05:37.96 franksec Um.
05:47.79 Steve Wilson When we start working with a new customer and help them start to evaluate their applications, we'll find that typical applications have dozens of vulnerabilities in them, potentially serious ones, and then you look at a large corporation, they may have thousands of applications
06:05.84 franksec Right.
06:07.73 Steve Wilson in their environment. So it's not uncommon to see a Fortune 500 or Global 2000 company having tens of thousands of discrete vulnerabilities in their software, and so from an executive point of view the question is how do you manage that. There's sometimes a snap-back reaction that says we'd better stop everything that we're doing and fix this. On the other hand, every company today is a software company.
Your competitive advantage is in your software; your ability to compete in the market, your ability to deliver new services, is dependent on that. And so the challenge as a leader is how do I balance the real risk
06:36.69 franksec Right.
06:51.50 Steve Wilson with my need to compete in the market and deliver new value to my customers.
06:55.30 franksec Right. And I really like your take on the risk, because I think there's a lot of tooling around different areas. You have cloud security, infrastructure security, container security. You have your pentest report coming in, your red teaming just trying different things, your security lifecycle tooling, that is DAST, SAST and, you name it, IAST, and more of those coming. And despite that, every tool is doing
07:21.36 Steve Wilson So.
07:29.34 franksec a different level of scanning and trying to reduce the false positives. I think what we're missing in a lot of programs of work and a lot of these organizations is the contextualization and the breadth of view of where those kinds of elements are deployed. That could potentially, in my humble opinion, simplify a lot of those kinds of conversations, the conversation that traditionally happened between security team, development team and executive, because everybody could have an opinion on that, while if we display the complexity of the landscape, nobody will be able to inform the opinion unless they're very technical. So, what do you think, Steve?
08:12.42 Steve Wilson Yeah, so this element of risk analysis is really critical, and Log4j is a really good example of this. This is an exploit, or a vulnerability that has exploits, that are incredibly high risk, right? It's a 10 out of 10 CVSS score, because you're basically enabling complete remote code execution on your servers and it's really easy to exploit.
But when you really go look at it
08:32.60 franksec So.
08:46.86 Steve Wilson and we've been looking at this specifically with customers, we estimate something like fifty, fifty-six percent of the Java applications out there are packaging a vulnerable version of Log4j. But when you really look at it, it actually matters how you use it,
08:55.91 franksec Right.
09:06.14 Steve Wilson whether your application is vulnerable. And so being able to have tools that are able to analyze not just "do you have one of these things," the sort of naive view, but "are you really vulnerable," that's really, really critical to you being able to, for example, prioritize the work that you're going to do. What are you going to mitigate first? Because again, if you have thousands of applications, how are you going to do this all at once? You can't do this in a day; this is going to be going on, honestly, for weeks or months. So yeah, being able to really
09:30.32 franksec Where is still not right.
09:41.79 Steve Wilson establish risk in an urgent situation like this for triage, but then more on a day-to-day basis, when you're dealing with an environment where dozens, hundreds or even thousands of software developers are continually building new software, how do you evaluate the risk of different conditions, vulnerabilities, and really decide where you need to make compromises in terms of your development and really lean into securing yourself versus continuing to generate that new business value.
10:15.40 franksec Right, yup. Absolutely agree, and I think the other thing that we saw that was working was also trying to prioritize the things that are externally exposed, that are easily attackable, and every team right now is scrambling and trying to find a way to
as you rightfully say, if you belong to an enterprise that has multiple deployments, even your webcam could be vulnerable to Log4j. But maybe if we take a step back, I wanted to understand, considering you come from that kind of environment in Java in the early days: what happened in there? Why are we facing a vulnerability that is so easy to exploit, that should really never have been in place, something so trivial as sending a string, and that string can then execute whatever RCE, or remote code execution, and then download whatever payload you want? How are we in that situation in the year 2021?
11:19.86 Steve Wilson So it's really interesting to think back to the early days of Java, and so much emphasis was on creating it as a secure environment. Really, Java pioneered these concepts like having the security manager in the runtime that managed what permissions
11:29.22 franksec Right.
11:39.81 Steve Wilson things had. But a lot of that in the inception of Java, you have to rewind so far to remember that Java was originally intended for environments like set-top boxes and running applets in a browser, and so the security manager was for things like making sure that
11:50.79 franksec And.
11:58.32 Steve Wilson your Java applet couldn't escape the sandbox and get onto somebody's desktop. The actual security of getting something into the Java runtime environment wasn't what the team was optimizing for originally. And so when you look at this Log4j vulnerability, I think there are a couple of things that come in. Obviously logging is in some ways the least glamorous task that you can think of, and this Log4j library is more than 20 years old. It's been
12:25.45 franksec Right.
12:35.84 Steve Wilson created, then it got donated to Apache.
It's been in Apache for 20 years now with ah with a very small team of honestly very dedicated folks maintaining it but but it's ah it's a small team with minimal investment and minimal tooling. And while it doesn't seem glamorous. Um, this library has been copied literally millions of times different versions of it at different points in different physical locations. So you know you think about? Okay there's a bug and I want to patch the bug. All right? Well, that's that's 1 challenge but the problem is the the offending code has been copied millions of times around the planet. So. There's there's no single place to fix it on top of that. Um, you know the the. 13:17.52 franksec Drive. 13:26.43 Steve Wilson Confluence of events that create this vulnerability and make it exploitable are pretty insidious in terms of the the snarly code path you have to go through and while the exploit is trivial. Um, the vulnerability is actually really intricate and so you know what that means is the. The first attempt that the team put out at apache to fix the vulnerability. Um it. It didn't even fix it so you know people went out and started patching to a new version of the log for j library and now they're having to go back and do it again and so in in a lot of ways I think what we're going to find is. Is people continuing to hammer on some of this and until we really get to the bottom of it and then we're going to start the long arduous process of patching this um and we have you know. 14:16.18 franksec Um, at scale. 14:19.75 Steve Wilson Certain places where they have tooling in place and they're able to execute very very quickly on it and that's you know 1 of the things we're really proud about at contrast is that I think we have tooling that in some ways was designed for the fact that someday this would happen and and it's been great to work with. Customers and and kind of feel like we're helping them. But so many places don't have that kind of tooling in place they're using. 
Um you know, free and open source tools to do their software composition analysis that don't have enterprise level management. They're writing scripts trying to figure this out themselves. And then you get all the way to the limit case you know you mentioned something like your webcam could be vulnerable and that's not absurd at all. We've seen out in the industry now very specific attacks where people are targeting things like s and mp where they're actually going out and looking for embedded devices. 15:00.21 franksec Yeah. 15:13.72 Steve Wilson And those embedded devices are going to have in some cases literally no way to update them. 15:19.39 franksec Right? And you know I want to cover this in detail. But before we jump on that we have to we had to have a small section for our sponsors so bear with me a second. 16:16.36 franksec All right bra and and thank you again for up Phoenix or our sponsor and and keeping us running but I wanted to to touch point on this on this particular topic because I remember Jeff ah kind of wrote a white paper like. 6 or 7 years ago and it actually presented it to black cat as well. This is not a new thing. The industry has been screamed about this is something that will happen. This is something that will be out there and and now it suddenly happened and I ah do also subscribe to your view and. To your pain in a way that code has been forked so many times and have been distributed in so many places that it becomes very very complex to fix it and we're never going to know that the the extreme expansion but maybe on on on there the more scary topics that I want. As to maybe debate if that's what was 1 library. What's stopping attacking now or poking at the other side of libraries to discover um, similar log for j kind of problems. What do you think. 17:25.19 Steve Wilson Well look the the way I'd like to say this is this has happened before and it will happen again right? 
if we if we rewind a few years ago to 2017 the apache struts library had a severe vulnerability in it and that is um. 17:30.97 franksec Um. 17:38.57 franksec Right. 17:44.91 Steve Wilson Ah, a less used library than log for J but the same basic concept is there popular open source library embedded in lots and lots of places with a vulnerability in it that could lead to really severe consequences and. You know what's interesting is the world remembers this vulnerability but they don't remember it as the strut's vulnerability. They remember it as the Equifax breach right? and there were many people that were breached from that. But if you don't remember this 1 about 1 hundred and fifty million people lost. 18:08.30 franksec Ah, right. 18:20.75 Steve Wilson Their their personal financial info from equifax which is 1 of the global credit rating organizations and as a result they they wound up paying four hundred and 25 million dollars in fines for not being secure. Um, but the the interesting thing here is. Um, did the world learn anything from this and they absolutely did right? if you look at the difference in response between the Struts vulnerability and the log for j vulnerability um, 1 of the reasons that Equifax was penalized so heavily. Is they could have done much better. This was for them. Not a zero day vulnerability. It was a disclosed vulnerability. It was well known. There were patches that were available and they simply did not act on it. Um. 19:01.11 franksec Um, is a well known. 19:16.79 Steve Wilson What's interesting here to see the difference. 4 years later is that the industry realized how serious this was um, you know I yeah yeah you know on thursday night last week people started. 19:23.25 franksec Um, enacted fast. 19:33.61 Steve Wilson Exploiting this in minecraft of all places you know minecraft the popular video game. 
Minecraft famously is written in Java. I remember a few years ago my daughter went to coding camp over the summer and learned to write her first Java programs as Minecraft extensions. So probably millions of people learned to program by hacking on Minecraft, and so in some ways it's not surprising that that was, not the first place this was exploited, but the place where people realized how serious this was. People were exploiting this by
19:56.27 franksec Um, that's great.
20:05.97 franksec Right.
20:10.39 Steve Wilson putting messages into the Minecraft chat window. That was how easy it was to exploit. But that was happening on Thursday, and Thursday night our research team at Contrast started getting information about this. I heard something about it and I went to bed, and I got up at 5 in the morning the next day. I get up early; I'm on the West Coast of the US and we have teams in Europe, so I get up early to talk to them, and I had Slack messages from our chief architect that said, "Steve, I need you to call me right now." I talked to him, and by Friday morning he said,
20:42.78 franksec Um.
20:49.10 Steve Wilson "Steve, this is the most serious thing I've ever seen. We have to help our customers get in front of this." And so you started to see the news coming out on Friday. People were reacting to it, not everywhere; it's far from perfect and it's
21:02.89 franksec It was pocket.
21:06.36 Steve Wilson far from uniform, but the industry is jumping on this, and let's say the more advanced shops are much better prepared. The tooling is better. It's absolutely better than it was four years ago, and so we have moved forward from that. But then your question is: will this happen again?
Of course it will. The fact is we still build software where, and you see different figures, but up to 80 percent of the code in a typical business application is open source.
21:26.94 franksec Nope, yeah.
21:40.45 Steve Wilson And so really, what people are starting to talk about, and this started before this, really going back to SolarWinds, is the topic of software supply chain management. It is now the hot topic, and I think that's actually a really good way to phrase it, because it makes it a bigger problem than just
21:52.50 franksec Right.
21:59.78 Steve Wilson thinking about managing vulnerabilities. It's about understanding where your code is coming from, what the provenance of it is, and being able to really understand that end to end, and I think that's going to be the next step in making this better.
22:12.55 franksec So, will we start seeing vulnerabilities being deployed via stack trace? That's going to be the next one. Am I giving the wrong suggestion to the wrong people?
22:18.64 Steve Wilson Oh my, yeah.
22:28.90 franksec Because open source is destined to be used by every single developer on earth, and actually I'm pretty sure some of my friends have done this experiment of publishing an exploit and PoC with vulnerable code in there, so you had hackers just blindly trusting a piece of software, downloading and executing it, with a boom in there and a callback home. It was a friendly experiment by Andy hilllabs, but it was quite interesting to see how blind trust was placed in a piece of code running on the web. That is like going outside and asking a stranger for candy, right?
23:12.17 Steve Wilson Yeah, well, the more insidious example of this is something we started to see earlier this year: a rise in attacks that go by different names, but dependency confusion is one of them.
23:31.89 Steve Wilson And when you think about the way people's build systems and CI/CD systems work, they're constantly going out on the internet and pulling down these packages from massive open source repositories, where you're somewhat hoping that you're getting the right thing. And actually, in a lot of the ways these work, you're only providing a general description of the package that you want and it's trying to find the one that's the best fit, and people have found that they can go and create their own version of popular open source libraries, put them up in those repos, and have people pull them down. One of our researchers at Contrast did a proof of concept with this, went and looked for applications that looked like they were exposed to this, and actually Microsoft Teams wound up being a good example. Now, Microsoft's an investor and a partner,
24:40.97 franksec Teams.
24:45.22 Steve Wilson and we're in their bug bounty program, so we did this all above board, but we actually created some open source libraries, and Microsoft pulled them down and compiled them into their binary. It was just an example of how even a sophisticated software shop can be vulnerable to this. They've hardened their processes since then, but other people have not. This is a really new example of a vulnerability out there: being able to divert the software supply chain to a hacker's nefarious ends. And so, the ability of someone to go and create their own version of an open source library with some nefarious code: so far we've seen this largely with people doing things like dumping in crypto miners, and that's well documented. But
25:21.90 franksec Brilliant, yeah, or ransomware. I think I saw a couple of days ago a payload, and Conti starting to deploy this as potentially ransomware, or a ransomware payload, so we start seeing
25:24.20 Steve Wilson we know there must be examples of much more nefarious usage. Absolutely.
25:41.22 franksec Fundamentally, ransomware is going towards this, and that's the other scary part: from the attacker's perspective, this seems to have industrialized the use of this massive-scale vulnerability, and the scary factor is that we had just a week, or maybe two, of time to actually breathe and detect the vulnerability, so time to detection and remediation is actually being shortened dramatically. I mean, our statistic goes from roughly 3 to 15 days to deploy something like this at scale, and it's being confirmed basically by this, but I think that is a scary factor. And then on the other side, maybe more here in the UK, we saw British Airways being attacked with much more malicious code, where somebody hijacked one of the developers' trusted accounts and injected malicious code in a library. So that's even worse, and I agree with you: it doubles down on the subject of controlling your supply chain, but also controlling how you pull in things and where you're deploying. In my humble opinion, I think we've been using security in the wrong way right now: we've been putting them on the front foot, firefighting vulnerabilities day in and day out, and they've kind of lost their way by not focusing on systemic and strategic things like creating a proxy for libraries, or analyzing open source, what comes in and out, like what the security team at Contrast does. That's how we should be using security, for that instrumental, systemic change, rather than day-in, day-out management of vulnerabilities.
27:26.62 Steve Wilson So yeah, I mean, look, I think the day-to-day management of vulnerabilities actually, to some extent, hasn't been done at all in a lot of shops, right? It's been completely pushed off to a
27:26.89 franksec What do you think, Steve?
27:36.95 franksec Ah.
27:43.92 Steve Wilson periodic scanning-based procedure run by the security team, where you scan things on a quarterly or even yearly basis. I lived this in my last job. It's one of the reasons I got excited about this job opportunity when it came up: I was running a large development team, and the head of engineering came to me and said, "I need to cancel all the features that I promised for next quarter, because the security team just ran a scan and filed a thousand Jira tickets." And now there was this record of these potential vulnerabilities that we were obliged to deal with, and it turned out most of them weren't real vulnerabilities, almost all of them weren't, but it wound up being a huge amount of work to sift through it. On the other hand, for companies that really adopt this DevSecOps attitude and get the right tooling in place to enable it, you find a potential vulnerability maybe before you even complete your pull request to put the software back, and it's just like any other bug: if the bug gets into the code base, it's 10 times as expensive to fix it as it was for the developer to fix it on their desktop. If it actually gets out to a customer, it's 100 times more expensive, and with security, given the stakes, it's much worse than that. So the real shift here is to push so much more of the responsibility down to the developers, but also really not make the developers responsible for it, because it's hard for developers, but to put the right tool chain around them that makes it easy. It really is possible with the modern tools to do that now, and that's the big opportunity to change how we do development.
29:35.39 franksec Brilliant, I agree with you. It should be a collaboration between shift left and the focus on more automation in the place, because a lot of this, as you rightfully say, is still pretty much reactive, is still pretty much that debate and discussion,
and then the endless argument between the security team and the development team, saying this is a false positive, this is internal, it's a false positive, rather than, you know, accept the risk, and there are different priorities and stuff like that. So I think we can do better at DevSecOps, to actually remove security people from consistently doing this firefighting and this endless debate, and automate a lot of the relationship, but also the detection of false positives based on contextual aspects and contextual information: if you can actually exploit it, if it's actually visible to attack, then we focus on it, because otherwise we're going to be always overflooded by these issues, and Log4j and all similar ones are going to keep on piling up, right?
30:42.60 Steve Wilson Absolutely. I mean, I think we really do have the tools at our disposal and the processes being developed out there in the industry to just fundamentally shift this, change the game and make this so much more efficient, and create really much more secure applications as a result. So.
31:00.59 franksec Fantastic! And I guess this is just a nice input to the conclusion, which is the positive message on our industry. So if you want to double down on that, Steve, what would be your positive message overall, other than we have the tools and we have the technology and we can rebuild this?
31:20.62 Steve Wilson Like I think, going back to a little bit earlier, I think the good news is this has happened before. The industry has moved a tremendous distance since the Struts vulnerability, for example. This really would be much worse if we weren't in the position that we are in now, where we have a better understanding of the risks, better tools, better processes. We have the tools out there now, widely deployed, to understand your open source footprint, what's vulnerable. We have the tools in place that help people upgrade and fix this.
We even have tools today like RASP tools that can protect you, and we've seen evidence that these RASP tools were protecting people before day zero now. So really, we're in a position where we're moving forward
32:09.23 franksec Um.
32:15.56 Steve Wilson so quickly that, look, there's no end in sight for this, but really the bar has been raised dramatically, and if we work together as an industry, the next time this happens we'll be even better prepared.
32:27.90 franksec Fantastic. And yeah, I agree with you. We've seen an enormous collaboration between teams and information out there, so I really appreciated that collaboration and enjoyed seeing that collaboration and the community getting together to fix it. But, on the conclusion of the show, if people want to find out more about what you do day in, day out, where is the best place for them to contact you and how can they reach you?
32:53.99 Steve Wilson Yeah, so please come over and check out what we're doing at the contrastsecurity.com website. You can get all the details on all of our commercial tools. Also check out our blog there. There's a link off the front page to some free and open source tools that we've put out to help with Log4j in particular, so we really want people in the community to engage with us on this. Also feel free to reach out to me directly on LinkedIn.
33:23.13 franksec All right, brilliant, and everybody, thank you very much. We understand that everybody is tired and stressed. We really hope that everybody can enjoy Christmas at some stage or time and get away from Log4j. Unfortunately attackers don't sleep, so defenders don't sleep either, but we're gonna get ahead of this together. So this is your host Francesco. I had the pleasure to talk with Steve Wilson, the Chief Product Officer for Contrast Security, and I wish everybody to stay safe and have a lovely Christmas. Thank you.
CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Sam. Sam Stepanyan is an Application Security Architect and Consultant, an OWASP London Chapter Leader, and a WAF Specialist. Sam joins the podcast to discuss many of the opportunities for young aspiring security professionals, the big picture purpose of OWASP, and the first steps to addressing application security. Sam encourages everyone in the cyber community to join a local OWASP chapter, network at conferences, and compete in games. He also shares a horror story and a success story from his career. The episode is brought to you by AppSec Phoenix Ltd: with the Phoenix platform you can make vulnerability management for software and organizations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register
0:47 Threat modelling 3:30 Pen testing 5:19 Cost of security 5:58 Dependency checker 7:55 GitHub community 12:20 Local chapters 14:45 Conferences, competitions, events 18:02 OWASP Zed Attack Proxy (ZAP) 20:01 Positive and horror story in security 24:12 Future of cyber 25:45 Outro
Sam Stepanyan: Twitter @securestep9, https://www.linkedin.com/in/samstepanyan/
Cyber Security and Cloud Podcast hosted by Francesco Cipollone, Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com. Social Media Links. Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Sam. Sam Stepanyan is an Application Security Architect and Consultant, an OWASP London Chapter Leader, and a WAF Specialist. Sam joins the podcast to discuss many of the opportunities for young aspiring security professionals, the big picture purpose of OWASP, and the first steps to addressing application security.
0:47 Introducing Sam 2:15 Conversation begins 4:10 Positive message 8:10 Purpose of OWASP 10:55 Nettacker 13:40 Asset discovery 15:30 Multi-factor authentication 16:30 Google Summer of Code 19:49 OWASP Top 10 22:46 Capital One and cloud breaches 24:02 Basics of Application Security program 30:00 Outro
Sam Stepanyan: Twitter @securestep9, https://www.linkedin.com/in/samstepanyan/
CSCP is bringing back season 1 in a newly remastered version. This is part 2 with Chani Simms. Chani Simms is the Managing Director and Co-Founder of Meta Defense Labs LTD, a consultant, the Founder of SHe CISO, a TEDx Speaker, and an Award-winning Cybersecurity Leader. Chani explains what a Virtual CISO does, the importance of basic cyber hygiene, and the initial steps to becoming a cyber security professional. Chani's approach to security is to operate on zero trust.
0:00 Introduction 0:46 Virtual CISO 5:10 Cyber hygiene 8:55 Starting in cyber 13:24 Assume breach 18:53 Twitter drama 22:10 Closing words 22:50 Out
Chani Simms: linkedin.com/in/chani-simms, metadefencelabs.com/
CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Chani. Chani Simms is the Managing Director and Co-Founder of Meta Defense Labs LTD, a consultant, the Founder of SHe CISO, a TEDx Speaker, and an Award-winning Cybersecurity Leader. Chani shares how she prepared for her TEDx talk and her thoughts on emotional intelligence and mental health in the workplace.
0:00 Introduction 0:46 Chani's background 3:00 TEDx talk 8:00 Women in cyber and mental health 10:56 SHe CISO 14:00 Self-esteem 16:00 Emotional Intelligence 19:08 Managing emotion 21:20 Outro
Chani Simms: linkedin.com/in/chani-simms, metadefencelabs.com/
CSCP is bringing back season 1 in a newly remastered version. This is part two with Kevin Fielder, a CISO, NED, start-up and board advisor, researcher, and speaker based in the UK. Kevin is a CrossFit athlete who values a healthy work-life balance that allows him time for fitness and family. He answers questions about diversity in the workplace, recruiting, and the biggest challenges in his role.
0:00 Intro 0:47 CrossFit 4:36 Work-life balance 8:58 Remote working 10:50 Cognitive diversity in cyber 16:05 Working with deaf 17:50 Working under stress 20:35 Recruiter 23:50 Biggest challenge in current role 25:26 Final positive message 28:02 Outro
Kevin Fielder: https://www.linkedin.com/in/kevinfielder/, Twitter @kevin_fielder
Bridging The Gap Between Supply And Demand in S&OP. Our special guest this Sunday is Ayman Elrafie, CPIM, CSCP. Ayman is the Supply Chain Director for Arabia/Levant countries at Unilever's tea division. He has played all kinds of roles in the supply chain end to end (Make, Source, Deliver, Plan and Return). What makes him a special leader is his ability to learn and teach. Besides his treasure of practical experience, he never stops learning academically. He is a keynote speaker who speaks to inspire. Don't miss this amazing episode this Sunday (Bridging the gap between supply and demand in S&OP) with my co-host Ahmed El Hamamsy. Stay tuned for another amazing episode this Sunday. Knowledge you will not find in books. Follow Global S&OP Community.
CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Kevin. Kevin Fielder is a CISO, NED, start-up and board advisor, researcher, and speaker based in the UK. In part one of the interview, Kevin discusses his approach to recruiting and hiring new talent for junior cyber security roles, managing and leading teams with both junior and senior talent, and his own career trajectory.
0:00 Intro 0:47 Introducing Kevin 2:06 Career in cyber 5:30 Favorite area/role 7:30 Recruiting junior roles 12:00 Balancing junior and senior talent 16:09 Managing teams and technical jargon 21:16 Story leading teams 24:55 Cloud-Native DevOps 28:35 DevSecOps and engagement
Kevin Fielder: https://www.linkedin.com/in/kevinfielder/, Twitter @kevin_fielder
CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Tanya Janca. In this episode, Tanya shares her passion for WoSec, her decision to leave Microsoft, giving back to the community, encouraging women to get involved in cyber security, and defines DevSecOps. Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, the Co-Leader of the OWASP Ottawa chapter, a best-selling author, and independent consultant, specializing in Cloud Security, DevSecOps, and AppSec.
0:00 Intro 0:47 WoSec 4:08 Cyber ladies in Israel 13:03 Leaving Microsoft 14:30 Mentoring Monday 17:10 Future of AppSec 24:18 Issues at conferences 27:25 What is DevSecOps 36:35 Final positive message 37:17 Outro
Tanya Janca: Twitter @shehackspurple, https://wehackpurple.com, https://www.linkedin.com/in/tanya-janca/?originalSubdomain=ca, https://www.womenofsecurity.com
CSCP is bringing back season 1 in a newly remastered version. This is part 1 of the interview with Tanya Janca. Tanya Janca is an application security evangelist, a web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, the Co-Leader of the OWASP Ottawa chapter, a best-selling author, and independent consultant, specializing in Cloud Security, DevSecOps, and AppSec. In part 1 of the conversation, Tanya discusses the importance of professional mentorship, getting women involved in cyber security, conferences, online communities, and overcoming her fear of public speaking.
0:00 Intro 0:47 Introducing Tanya 1:55 Conversation begins 7:08 Women in security 13:35 Conference 17:26 Online community 18:30 Days as a software developer 20:55 Women in OWASP 24:20 Public speaking 26:48 WoSec 27:30 Outro
Tanya Janca: Twitter @shehackspurple, https://wehackpurple.com, https://www.linkedin.com/in/tanya-janca/?originalSubdomain=ca, https://www.womenofsecurity.com
Reach the Consensus S&OP Number. Bob Forshay is a Master Instructor in supply chain who is well recognized globally. He provides CPIM, CSCP, CLTD, CLM, CSCA, CSCM and CSCTA courses to well-known corporations around the globe. Reaching one S&OP number aligned with all functions inside the organization requires a huge effort. In this episode, we talk about all the work needed to reach this one number. Stay tuned with the Global S&OP Community podcast and with my co-host Ahmed El Hamamsy. Knowledge you will not find in books.
Host John Kennedy welcomes Dyci Manns Sfregola, CSCP, Founder and Managing Director of New Gen Architects.
CSCP is bringing back season 1 in a newly remastered version. This is part 2 of the interview with Jim Manico. Jim and Francesco address some of the criticisms of OWASP, discuss what makes a chapter great, and the future of cyber security.
0:00 Intro 0:27 Fixing the legacy problem 7:00 Critics of OWASP 13:00 OWASP can't be tamed 16:26 Order VS chaos 22:20 What makes a chapter great 24:04 Final positive message 26:18 Closing words 26:54 Outro
Jim Manico: Twitter @manicode, https://www.linkedin.com/in/jmanico/
CSCP is bringing back season 1 in a newly remastered version. Jim Manico is the Founder and Secure Coding Instructor at Manicode Security, a member of OWASP, and an AppSec enthusiast. In part 1 of this lively conversation, Jim and Francesco discuss Netflix, automated security, and the complex problem of fixing legacy software.
0:46 Introducing Jim 2:15 Conversation begins 5:15 Painful problem of AppSec 10:10 Security and money 11:20 Security testing 12:05 Privacy laws 14:50 Automated/integrated security 15:45 DevSecOps 18:06 Netflix 19:40 OWASP 20:50 Java 26:10 Outro
Jim Manico: Twitter @manicode, https://www.linkedin.com/in/jmanico/
Managing supply chain KPIs is not easy, especially when you look at them across a full ecosystem. A great new episode this Sunday with Samer Madhoun: Supply Chain, CIPS Jordan Chair, APICS Master Instructor (CSCP, CLTD, SCOR-P). Samer is the Managing Partner of MUHAKAT محاكاة and a board member of United Nations Global Impact Jordan. He has extensive experience in the supply chain and is one of the well-recognized APICS Master Instructors in the Middle East (CSCP, CLTD, SCOR). Stay tuned with Global S&OP Community Episode 20. Don't forget to listen to the previous 19 episodes in the first comment. Knowledge you will not find in books. #community #experience #supplychain #experiencelearning
CSCP is bringing back season 1 in a newly remastered version. Grant Ongers is on the Global Board of Directors at the OWASP Foundation and has spent his entire career in DevSecOps. Grant is also the co-founder of Secure Delivery and speaks with Francesco and co-host Zoe about DevSecOps, mentoring, and OWASP. Grant says DevSecOps is actually just DevOps done right. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register 0:46 Introducing Grant 2:00 Conversation 2:35 Positive message 3:45 Career background 5:50 DevSecOps 9:45 CISO and CIO 11:05 Mentoring 15:55 OWASP 20:00 Valuable resources 23:10 Communication 26:00 Joining OWASP and mission 37:40 Closing words 38:15 Outro Grant Ongers Twitter @rewtd https://www.linkedin.com/in/rewtd/ Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
On this week's episode of the Procurement Innovation podcast, Raj Verma is joined by Elba Pareja-Gallagher, CSCP, the sustainability director of stakeholder engagement at UPS, to further discuss women in the workforce during the pandemic and beyond. They dive deep into current trends and explore what the future looks like for women in business. As the sustainability director of stakeholder engagement, Elba is responsible for engaging, collaborating, and innovating with all UPS stakeholders to create long-term business value and deliver what matters most to employees, customers, suppliers, and shareholders. This means communicating with investors about UPS's ESG commitments, challenges, initiatives, and progress; inspiring employees to advance UPS's ESG priorities and goals; partnering with sales and marketing teams to share UPS's sustainability leadership and portfolio of sustainability solutions to drive new revenue; working with UPS suppliers to build awareness of sustainability; and increasing the likelihood that employees recommend UPS as a great place to work. Enjoy this insightful episode, and to stay up to date with our weekly episodes, subscribe to our podcast on any of your favorite podcast streaming platforms.
CSCP is bringing back season 1 in a newly remastered version. This is the second part of the interviews with Vandana Verma. Vandana Verma is a Security Relationship Leader for Snyk, an advocate for women and girls in AppSec, and on the board of OWASP. Francesco and Vandana discuss the best way to communicate the importance of security without using scare tactics and the challenges of working with clients around the world. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register In part two with Vandana Verma, the conversation continues on mentoring within the AppSec community, involving more women, and communicating the importance of cybersecurity to web designers and coders. Vandana is a Security Architect, an advocate for women and girls in AppSec, and on the board of OWASP. 0:46 Introduction 1:37 Conversation with Vandana 4:00 Streaming meetings 6:00 Spreading the word 9:04 Women in security 12:05 Mentoring in AppSec 11:20 DevSecOps and governance 20:08 Design and automation 24:52 Final positive message 25:54 Closing words 26:30 Outro Vandana Verma Twitter @InfosecVandana https://www.linkedin.com/in/vandana-verma Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
CSCP is bringing back season 1 in a newly remastered version. This is the second part of the interviews with Vandana Verma. Vandana Verma is a Security Relationship Leader for Snyk, an advocate for women and girls in AppSec, and on the board of OWASP. Francesco and Vandana discuss the best way to communicate the importance of security without using scare tactics and the challenges of working with clients around the world. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register 0:46 Introduction 2:08 Conversation with Vandana 4:05 Importance of AppSec 8:10 Avoid scare tactics 9:20 Fix bugs early 13:44 Working globally with different cultures and timezones 16:46 Best ways to communicate 18:55 OWASP 22:40 Closing words 23:10 Outro Vandana Verma Twitter @InfosecVandana https://www.linkedin.com/in/vandana-verma Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
CSCP is bringing back season 1 in a newly remastered version. This is the second part of the interviews with Allan Alford, Delivery CISO at NTT Data and now CISO at TrustMAPP, a cybersecurity startup like AppSec Phoenix. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register Allan Alford is an experienced CISO living in Texas. In part two, Allan Alford answers listener questions about getting involved in cybersecurity and his path to becoming a CISO, lists the pros and cons of earning an MBA, and stresses the importance of networking and mentoring. They also discuss how video gaming and role-playing games can translate to real-life leadership skills. 0:45 Recap of Part 1 1:47 Part 2 with Allan 2:20 Balancing MBA with work and life 3:10 Do you need an MBA to be a CISO 7:35 Formal mentoring 11:11 Typical path to CISO 13:55 Certifications 19:28 Curiosity and video games 23:08 Final positive message 25:04 Closing words 25:40 Outro Allan Alford, CISO, Host of Cyber Ranch Podcast Twitter @AllanAlfordinTX https://allanalford.com/the-cyber-ranch-podcast https://hackervalley.com/cyberranch/ https://www.linkedin.com/in/allanalford/ Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
CSCP is bringing back season 1 in a newly remastered version. This is the first part of 2 interviews with Allan Alford, Delivery CISO at NTT Data and now CISO at TrustMAPP, a cybersecurity startup like AppSec Phoenix. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register Allan Alford is an experienced CISO living in Texas. In part 1 of Francesco's interview with Allan Alford, they discuss multi-factor authentication, the role of the CISO, and getting started in cybersecurity. Logical and critical thinking skills are important to work in tech, but equally so are soft and people skills, like communication, leadership, and public speaking. 1:21 Part 1 with Allan 2:30 Masters 3:16 Advice on security awareness 4:23 Multi-factor authentication 7:35 Consumer pressure for security 8:35 Kinds of CISO 10:50 Communication and leadership skills 15:34 Hiring and learning on the job 17:51 Closing words 18:20 Outro Allan Alford, CISO, Host of Cyber Ranch Podcast Twitter @AllanAlfordinTX https://allanalford.com/the-cyber-ranch-podcast https://hackervalley.com/cyberranch/ https://www.linkedin.com/in/allanalford/ Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
CSCP is bringing back season 1 in a newly remastered version. This is the second part of 2 interviews with Greg. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register In part 2 of Francesco's interview with Greg van der Gaast, they discuss the challenges of working in the cyber security industry and how communicating more clearly and calmly can solve some of those issues. They speculate on why security breaches happen and share the appropriate way to react when they do. Greg van der Gaast is a CISO, the author of "Rethinking InfoSec", an international speaker, a people enthusiast, and is passionate about creating information security programs that work. 1:30 Part 1 with Greg van der Gaast 2:46 Experiences in cyber 7:04 Risk management 10:15 Being personable 11:37 People, process, technology 13:05 Avoid toxic work environments 20:17 Closing words 20:40 Outro Greg van der Gaast Twitter @SidewaysGreg https://www.linkedin.com/in/gregvandergaast/ Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
CSCP is bringing back season 1 in a newly remastered version. This is the first part of 2 interviews with Greg. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register Greg van der Gaast is a CISO, the author of "Rethinking InfoSec", an international speaker, a people enthusiast, and is passionate about creating information security programs that work. Francesco and Greg discuss the importance of communication skills and being personable in the tech field. In order to avoid a toxic and hostile work environment, everyone needs to have a better attitude, think human-first, and stay calm. 1:30 Part 1 with Greg van der Gaast 2:46 Experiences in cyber 7:04 Risk management 10:15 Being personable 11:37 People, process, technology 13:05 Avoid toxic work environments 20:17 Closing words 20:40 Outro Greg van der Gaast Twitter @SidewaysGreg https://www.linkedin.com/in/gregvandergaast/ Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
CSCP is bringing back season 1 in a newly remastered version. This is the second interview with Jane, a returning guest in season 2. The episode is brought to you by AppSec Phoenix Ltd. With the Phoenix platform you can make vulnerability management for software and organisations SMART. Follow the tag #appsecsmart https://www.appsecphoenix.com and get a free 30-day licence quoting CSCP: https://landing.appsecphoenix.com/register Jane Frankland and Francesco continue the conversation about inclusion, diversity, and supporting women in cybersecurity and tech, a male-dominated industry. Jane Frankland is an award-winning cybersecurity entrepreneur, author, consultant, keynote speaker, women's activist, and market influencer. 1:30 Part 2 with Jane Frankland 5:36 Listener question: tips for implementing change 11:35 Supporting women in tech 15:08 Doing the right thing 17:55 Creating an appropriate and safe workplace 19:45 HR protects the company 23:30 Inclusion of people with intellectual disabilities 26:30 Final positive message 28:23 Closing words 28:50 Outro Jane Frankland Twitter @JaneFrankland https://jane-frankland.com https://www.linkedin.com/in/janefrankland/ https://www.youtube.com/user/JaneFranklandTV Social Media Links Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: iTunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ LinkedIn: https://www.linkedin.com/company/35703565/admin/ Twitter: https://twitter.com/podcast_cyber YouTube: https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/
I kept asking myself this question: why should companies spend money and focus on sustainability? Are there any financial benefits from that? Will it improve top- and bottom-line sales? All of these questions and more will be answered tonight at 9:00 PM KSA time with one of the thought leaders in supply chain sustainability, Jit Hinchman, M.Eng, M.Sc, CSCP, CLSS. The streaming of our Global S&OP Community will be from my co-host Ahmed El Hamamsy's profile. See you all tonight. Don't forget to follow our Global S&OP Community every Sunday on LinkedIn Live. Knowledge you will not find in books. You do make a difference. #leaders #supplychain #entrepreneur #sustainability #leadership #entrepreneurship #success
In this episode of Supply Chain is Boring, host Chris Barnes sits down with Gene Pledger and welcomes him to the podcast. Additional Links & Resources: Learn more about Supply Chain is Boring: https://supplychainnow.com/program/supply-chain-is-boring/ Subscribe to Supply Chain is Boring and other Supply Chain Now programs here: https://supplychainnow.com/subscribe This episode was hosted by Chris Barnes. For additional information, please visit our dedicated show page at: https://supplychainnow.com/supply-chain-is-boring-28
In this interview on Supply Chain is Boring, host Chris Barnes spoke with Raul Soto to discuss how he is hoping to leverage his experiences on the front lines of retail, in military logistics, and with his new APICS CSCP certification as the foundation for a successful supply chain career. Additional Links & Resources: Learn more about Supply Chain is Boring: https://supplychainnow.com/program/supply-chain-is-boring/ Subscribe to Supply Chain is Boring and all Supply Chain Now programming: https://supplychainnow.com/subscribe This episode was hosted by Chris Barnes. For additional information, please visit our dedicated show page at: https://supplychainnow.com/supply-chain-is-boring-26
Looking to get your CSCP certification? This episode of Supply Chain is Boring features Christian Warren, a recently certified CSCP professional. Learn why you may want or need a CSCP certification and get some tips on taking APICS exams. Christian has over 25 years of experience in the consulting, manufacturing, logistics and consumer products industries. He has led organizations that provided project management, lean/six sigma and data analysis/market research services. He has over 15 years of executive leadership experience in third-party logistics. Christian counts General Motors, Deloitte Consulting and CEVA Logistics among his past employers. He currently works for C.H. Robinson. Supply Chain is Boring is hosted by Chris Barnes. Learn more and listen to other Supply Chain is Boring episodes here: www.supplychainnowradio.com/supply-chain-is-boring
This episode of Supply Chain is Boring features Maryanne Ross. Maryanne has been active in adult education for over 25 years, starting her own training company in October 2001. She is recognized through the APICS Instructor Development Program as a Master Instructor for CPIM and CSCP and a Lead Instructor for Lean Enterprise, Global Sourcing and the Principles courses. She is also recognized as a Master Instructor of new instructors for all three of the APICS Instructor Training Programs. Maryanne has 18 years of experience in a variety of manufacturing, purchasing and logistics positions, including the automotive, medical, consumer goods, electronics and food industries. Maryanne has been an APICS member for over 25 years. She has developed interactive exercises to enhance the entire suite of APICS CSCP and CPIM review courses, and has served as a subject matter expert on the APICS CPIM, CSCP, and Principles content development committees. She has also been instrumental in creating activities and enhancements for the CPIM, Principles and Lean programs. Her passion is stimulating the learning experience for adult learners by creating hands-on exercises that engage all learning styles. She is often engaged to deliver 5S and Lean training for Fortune 500 organizations, utilizing their internally developed curricula and working in union and non-union environments. She has trained several thousand participants around the world, working for clients such as AstraZeneca, Exxon Mobil, AOL, Merck, DuPont, Volvo, Northrop Grumman, Hollister, GE, Fairchild Controls, The Hershey Company, JLG, Manitowoc Crane Group, Wabtec, and the U.S. Department of Veterans Affairs. Supply Chain is Boring is hosted by Chris Barnes. Learn more and listen to other Supply Chain is Boring episodes here: www.supplychainnowradio.com/supply-chain-is-boring