Podcasts about Nessus

  • 92 podcasts
  • 256 episodes
  • 1h 2m average duration
  • 1 episode every other week
  • Latest: Mar 26, 2025


Latest podcast episodes about Nessus

Risky Business
Risky Business #785 -- Signal-gate is actually as bad as it looks

Mar 26, 2025 · 59:05

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:

  • Yes, the Trump admin really did just add a journo to their Yemen-attack-planning Signal group
  • The GitHub Actions hack is smaller than we thought, but was targeting crypto
  • Remote code exec in Kubernetes, ouch
  • Oracle denies its cloud got owned, but that sure does look like customer keymat
  • Taiwanese hardware maker Clevo packs its private keys into BIOS update zip
  • US Treasury un-sanctions Tornado Cash, party time in Pyongyang?

This week's episode is sponsored by runZero. Long time hackerman HD Moore joins to talk about how network vulnerability scanning has atrophied, and what he's doing to bring it back en vogue. Do you miss early 2000s Nessus? HD knows it, he's got you fam.

This episode is also available on YouTube.

Show notes

  • The Trump Administration Accidentally Texted Me Its War Plans - The Atlantic
  • Using Starlink Wi-Fi in the White House Is a Slippery Slope for US Federal IT | WIRED
  • Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed
  • GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21)
  • Critical vulnerabilities put Kubernetes environments in jeopardy | Cybersecurity Dive
  • Researchers back claim of Oracle Cloud breach despite company's denials | Cybersecurity Dive
  • The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants | CloudSEK
  • Capital One hacker Paige Thompson got too light a sentence, appeals court rules | CyberScoop
  • US scraps sanctions on Tornado Cash, crypto ‘mixer’ accused of laundering North Korea money | Reuters
  • Tornado Cash Delisting | U.S. Department of the Treasury
  • Major web services go dark in Russia amid reported Cloudflare block | The Record from Recorded Future News
  • Clevo Boot Guard Keys Leaked in Update Package
  • Six additional countries identified as suspected Paragon spyware customers | CyberScoop
  • The Citizen Lab's director dissects spyware and the ‘proliferating’ market for it | The Record from Recorded Future News
  • Malaysia PM says country rejected $10 million ransom demand after airport outages | The Record from Recorded Future News
  • Hacker defaces NYU website, exposing admissions data on 1 million students | The Record from Recorded Future News
  • Notre Dame uni students say outage creating enrolment, graduation, assignment mayhem - ABC News
  • DNA of 15 Million People for Sale in 23andMe Bankruptcy

Planet Waves FM with Eric Francis
Feb. 6 - Saturn conjunct Nessus, Mars retrograde winding up soon, Leo Full Moon Wednesday

Feb 6, 2025 · 27:57


planetwaves.substack.com

Planet Waves FM with Eric Francis
February Planets and Aspects

Jan 23, 2025 · 34:02


The Year of the Snake begins at the Aquarius New Moon, Jupiter stations direct, and Saturn and Nessus make their first exact conjunction since 1973. Imbolc (or Candlemas) is Feb. 4.

New Light Living - See Your Life in a New Light!
Aquarius New Moon Galactic Astrology A MOMENT OF TRUTH January 2025

Jan 21, 2025 · 43:24

Aquarius New Moon Galactic Astrology Reading. The New Moon in Aquarius on January 29, 2025 at 9 degrees square Andromeda-Titawin is an INTENSE & REVEALING one! The ruler of the moon is Uranus conjunct Perseus-Capulus. Join Ulrika for this intuitive reading of three galactic energetic themes. #galacticastrology #newmoon #astrology #aquariusnewmoon #multidimensional #starseed #energyreading #astrologyreading #andromeda

Check out my new YouTube Membership here: https://www.youtube.com/channel/UCvNGRU3ms6Q6FBI6BdyIHUA/join

  • Star level - you can submit questions for public Q&A videos I'm planning to record. Only member questions are considered. It can also be questions on your own galactic astrology alignments. All members get a special badge so that I know who you are in the comments :).
  • Galaxy level - in addition, Galaxy members get access to Members-Only videos. You also get Extra Questions in addition to the 3 questions I share in the public videos to work with. A great opportunity to go deeper with the available energies.
  • Universe level - Consider yourself a Super-fan! :) This is a way to substantially support the channel. And of course, everything is included.

In this video you'll receive the three galactic energetic themes of the Aquarius New Moon:

  • THE VEIL IS COMING DOWN - Andromeda-Titawin, Karma, Varuna, Hekate, Vesta
  • VICTIMHOOD AWARENESS - Eridanus-Archenar, Saturn, Nessus, Orcus, Venus, NorthNode.
  • HUMAN GALACTIC HERITAGE REVIVAL - Lyra Ring Nebula M57, Eros

...and as always the questions at the end :)

CLIENT TESTIMONIAL: “Ulrika has an incredible natural gift and ability to meet the client exactly where they're at in their Soul's Journey. Providing a detailed map of information which allows the client to access their own soul memory to unfold. I feel so blessed to have worked with Ulrika and my reading already has changed my life days after. I can only highly recommend working with Ulrika.” -Anja S.

DOWNLOAD the free Galactic Alignments Reference Guide: https://ulrikasullivan.com/galactic-alignments-1

BOOK a READING - ALL LINKS HERE: https://linktr.ee/ulrikasullivan

Follow me on social media:

  • http://facebook.com/ulrikasullivancoach
  • http://instagram.com/ulrikasullivan
  • http://pinterest.com/ulrikasullivan
  • https://www.linkedin.com/in/usullivan/
  • https://twitter.com/SullivanUlrika

Please note: New Light Living podcast is for entertainment purposes.

Talion Threat Set Radio
Threat Bulletin #297

Jan 10, 2025 · 5:43

Multiple faulty Tenable updates over holiday period cause global Nessus agent failure. Telegram policy shift on law enforcement requests causes cybercrime exodus.

Paul's Security Weekly
Threat Actors With A Thousand Names - PSW #856

Jan 9, 2025 · 127:18


DNA sequencer vulnerabilities, threat actor naming conventions, new CNAs and problems, backdoors are not secrets (again), The RP2350 is hacked!, they know where your car is, treasury department hacked, what if someone hacked license plate cameras? Tenable CEO passes away, and very awkwardly, a Nessus plugin update causes problems, who needs fact-checking anyhow (And how people steal stuff and put it on Facebook), when you are breached, make sure you tell the victims how to be more secure, Salt Typhoon - still no real details other than more people were hacked and they are using the word sanctions a lot, Bitlocker bypassed again, Siri recorded you, and Apple pays, and yes, you can't print on Tuesdays! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-856

Paul's Security Weekly TV
Threat Actors With A Thousand Names - PSW #856

Jan 9, 2025 · 127:18


DNA sequencer vulnerabilities, threat actor naming conventions, new CNAs and problems, backdoors are not secrets (again), The RP2350 is hacked!, they know where your car is, treasury department hacked, what if someone hacked license plate cameras? Tenable CEO passes away, and very awkwardly, a Nessus plugin update causes problems, who needs fact-checking anyhow (And how people steal stuff and put it on Facebook), when you are breached, make sure you tell the victims how to be more secure, Salt Typhoon - still no real details other than more people were hacked and they are using the word sanctions a lot, Bitlocker bypassed again, Siri recorded you, and Apple pays, and yes, you can't print on Tuesdays! Show Notes: https://securityweekly.com/psw-856

Paul's Security Weekly (Podcast-Only)
Threat Actors With A Thousand Names - PSW #856

Jan 9, 2025 · 127:18


DNA sequencer vulnerabilities, threat actor naming conventions, new CNAs and problems, backdoors are not secrets (again), The RP2350 is hacked!, they know where your car is, treasury department hacked, what if someone hacked license plate cameras? Tenable CEO passes away, and very awkwardly, a Nessus plugin update causes problems, who needs fact-checking anyhow (And how people steal stuff and put it on Facebook), when you are breached, make sure you tell the victims how to be more secure, Salt Typhoon - still no real details other than more people were hacked and they are using the word sanctions a lot, Bitlocker bypassed again, Siri recorded you, and Apple pays, and yes, you can't print on Tuesdays! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-856

Paul's Security Weekly (Video-Only)
Threat Actors With A Thousand Names - PSW #856

Jan 9, 2025 · 127:18


DNA sequencer vulnerabilities, threat actor naming conventions, new CNAs and problems, backdoors are not secrets (again), The RP2350 is hacked!, they know where your car is, treasury department hacked, what if someone hacked license plate cameras? Tenable CEO passes away, and very awkwardly, a Nessus plugin update causes problems, who needs fact-checking anyhow (And how people steal stuff and put it on Facebook), when you are breached, make sure you tell the victims how to be more secure, Salt Typhoon - still no real details other than more people were hacked and they are using the word sanctions a lot, Bitlocker bypassed again, Siri recorded you, and Apple pays, and yes, you can't print on Tuesdays! Show Notes: https://securityweekly.com/psw-856

Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec

Summary: In this episode of the Defensive Security Podcast, hosts Jerry Bell and Andrew Kalat discuss various cybersecurity topics, including a significant incident involving a Tenable plugin update that disrupted Nessus agents worldwide. They delve into the implications of malicious Chrome extensions and sophisticated phishing attacks, particularly focusing on a recent incident involving OAuth trust … Continue reading Defensive Security Podcast Episode 291 →

Everything Is Energy
Capricorn New Moon: Archangel Michael

Dec 26, 2024 · 31:51


Experience the transformative energies of the New Moon in Capricorn. This celestial event marks an energetic shift into 2025, encouraging us to align with our long-term goals and embrace systematic progress. We'll explore the powerful stellium of planets and trans-Neptunian objects in Capricorn, signaling a higher octave of transformation. Key aspects like conjunctions with Quaoar, Pholus, Ixion, and Pallas Athena highlight themes of harmony, subconscious change, and creative intelligence, while Neptune's conjunction with the North Node in Pisces invites us to trust our intuition and take inspired action. Blog post: https://www.bodyandsoulapothecary.com/blog/archangelmichael Deep dive into Nessus: https://lisamariehaley.substack.com/p/centaurs-in-astrology Archangel Michael: https://lisamariehaley.substack.com/p/working-with-archangel-michael-in Astrology 101 Course: https://everything-is-energy-community.circle.so/c/astrology-101/

Weirdly Magical with Jen and Lou - Astrology - Numerology - Weird Magic - Akashic Records
Weirdly Cosmic Astrology Forecast Week Beginning Dec 1 2024 | SPEAK YOUR TRUTH WITH DISCERNMENT

Nov 30, 2024 · 33:15


Louise Edington discusses the astrological week ahead, emphasizing the significance of the new moon in Sagittarius and the subsequent square with Saturn, which could bring clarity and patience. She highlights the retrograde of Mercury and the stationing of Mars and Neptune, indicating potential revelations and challenges. Key aspects include Mercury's trine with Chiron, Jupiter's square with Nessus, and Venus's sextile with Neptune. The week culminates with a cazimi of Mercury, potentially revealing significant truths. Louise encourages using tools like muscle testing to discern true information and emphasizes the importance of speaking one's truth. Louise also gives a shout out to @ProfessionalAquarian and @TarotPolitics for their amazing work. And also @JessicaDenson07 for news. Subscribe to Louise's Substack blog for FREE https://cosmicowlastrology.substack.com/ Check out Louise's Amazon store for books and other products I love and recommend! https://www.amazon.com/shop/cosmicowlastrology-louiseedington Work with the Cosmic Owl: Book a consultation. https://bookme.name/louiseedington/astrology-consultation For more from Louise, subscribe to this channel and check the bell to receive notifications AND/OR follow Louise at louiseedington.com or https://www.facebook.com/WildWomanUnleashed/ My fave numerology resource is http://numerology-thenumbersandtheirmeanings.blogspot.com/ This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit cosmicowlastrology.substack.com/subscribe

Weirdly Magical with Jen and Lou - Astrology - Numerology - Weird Magic - Akashic Records
Weirdly Cosmic Astrology | HOT HOT DAYS | DEC 5/6/7 | RADICAL ENDINGS/BEGINNINGS | PATRIARCHY F*ED

Nov 25, 2024 · 39:21


Louise Edington discusses the astrology of and the significance of December 5-7, highlighting the conjunction of Mercury and the Sun (Cazimi) at 14 degrees Sagittarius, coinciding with the North Node of Uranus and retrograde Jupiter, and square Saturn and Nessus in Pisces. This alignment, known as a mutable T-square, is expected to bring radical changes and breakthroughs. Edington also mentions the impact of Mars stationing retrograde on the North Node of the USA and the conjunction of Venus and Ceres with Pluto and Neptune at zero degrees Aquarius PLUS Neptune stationing Direct square to the Galactic Center. She emphasizes the potential for MAJOR shifts in information, truth, and perception, and encourages viewers to prepare for significant changes. Join the Mercurial Mind Magic Class https://www.louiseedington.com/mercurial-mind-magic-reveal-your-inner-vision Subscribe to Louise's Substack blog for FREE or PAID for daily written updates and more. https://cosmicowlastrology.substack.com/ Check out Louise's Amazon store for books and other products I love and recommend! https://www.amazon.com/shop/cosmicowlastrology-louiseedington Work with the Cosmic Owl: Book a consultation. https://bookme.name/louiseedington/astrology-consultation For more from Louise, subscribe to this channel and check the bell to receive notifications Follow Louise at her website louiseedington.com. Follow on Facebook at https://www.facebook.com/CosmicOwlLouiseEdington/ Louise's fave numerology resource is http://numerology-thenumbersandtheirmeanings.blogspot.com/ This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit cosmicowlastrology.substack.com/subscribe

On the Soul's Terms
#75 | Prometheus & Chiron | Live from Greece! (Thessaly)

Sep 13, 2024 · 38:23 · Transcription Available

This episode is recorded in Thessaly, Greece. In ancient times it was considered to be the land of sorcery, witchcraft and healing. In fact, it still feels that way today due to the abundance of healing herbs in the region. Thessaly was the birthplace of the centaurs including Chiron and Pholus, and the God of Medicine Asclepius. When I say 'birthplace' here, I'm referring to the land that dreamed up these mythic figures. The concept of the land dreaming is foreign to the modern mind. And yet, to the ancient mind this is just a matter of course. Different lands have different dreams embedded in them, and therefore dream up different kinds of humans, animals and plant life. In this episode I explore some of these topics with, of course, the help of mythology. Prometheus steals fire from the gods and therefore is a good symbol for that 'higher' way of knowing. Chiron is a centaur, inseparable from nature, and therefore a good symbol for that knowledge that comes from the ground up. It's a tension that I'm sure we all feel on some level. Perhaps we experience it as the instinct vs the mind. The feeling vs the thoughts. The gut sense vs the logic. And it's a tension I feel as I wander the lands of Greece, trying to make contact with the many apparently dead gods.

Cover Art: Heracles and Nessus by Giambologna
Podcast Musician: Marlia Coeur

Please consider becoming a Patron to support the show! Go to OnTheSoulsTerms.com for more.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 170: Assessment, Compliance, and Improvement Strategies for the CISSP Exam (Domain 6.5)

Aug 26, 2024 · 40:55 · Transcription Available

Ever wondered how to ensure your organization's cybersecurity measures meet international standards? Join us for an action-packed episode as we unpack Domain 6.5 of the CISSP exam, exploring crucial assessments, tests, and audit strategies every cybersecurity professional should master. Learn the importance of choosing a consistent framework like ISO 27001 or the NIST Cybersecurity Framework to steer your audit processes. We'll dive into internal and external audits and the pivotal role they play in aligning security measures with legal and regulatory compliance.

Discover the essentials of security control testing within your organization. We discuss various mechanisms such as vulnerability assessments, penetration testing, and log review analysis, focusing on their significance in pinpointing and mitigating potential security threats. Highlighting tools like Nessus and Qualys, we examine their effectiveness in regular vulnerability scanning, along with the importance of log reviews to detect malicious activities. From black box testing on web applications to understanding how hackers manipulate logs, we cover all the bases to fortify your defenses.

In our cloud security management segment, we tackle the risks associated with orphaned accounts and offer best practices for managing cloud-based accounts. Regular management audits, multi-factor authentication, and semi-annual reviews are just a few of the key strategies we discuss to ensure robust cloud security. We also emphasize the importance of cybersecurity audit planning and reporting, sharing practical examples and tips for creating actionable reports for different stakeholders. Finally, we underline the value of mentorship and the importance of certifications like CISSP for advancing your career in cybersecurity, highlighting the critical role certified professionals play in safeguarding our global economy from cyber threats.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

CISSP Cyber Training Podcast - CISSP Training Program
CCT 154: Security Assessments, Account Management, and Backup Verification (Domain 6.3.1-5)

Jul 1, 2024 · 35:34 · Transcription Available

Ever wondered how to fortify your organization against cyber threats? Join Sean Gerber as we uncover the essentials of Domain 6.3 of the CISSP exam, from security assessments to account management and backup verification. Learn about tools like Nessus and Qualys and the role of ethical hacking in identifying vulnerabilities. Discover the critical differences between authenticated and unauthenticated scanning, and how red teams elevate your security measures to the next level.

What sets SOC 1, SOC 2, and SOC 3 reports apart, and why do they matter? We break it all down, revealing how these reports demonstrate adherence to security standards. Understand the distinctions between Type 1 and Type 2 reports, with Type 1 focusing on control design and Type 2 evaluating operational effectiveness. Plus, we delve into the fundamentals of account management, emphasizing the importance of integrating with identity and access management programs and conducting routine audits for compliance and security.

Don't overlook the critical importance of backup data management and verification. Learn best practices for storing backups—whether on-site, off-site, or in the cloud—and ensure your restoration process is both reliable and efficient. We discuss how regular testing and cost-effective strategies enhance organizational resilience and highlight why training and awareness are crucial for both leadership and employees. Additionally, Sean introduces Reduce Cyber Risk, his consulting business, offering a range of cybersecurity services and valuable resources for those preparing for the CISSP exam.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

New Light Living - See Your Life in a New Light!
Capricorn Full Moon Galactic Astrology INNER SPARK TRUE SELF June 2024

Jun 12, 2024 · 35:35

Capricorn Full Moon Galactic Astrology. The Full Moon at 1 degree on June 21, 2024 is a resilient one opposite Orion-Betelgeuse. The ruler of this Full Moon is Saturn conjunct Nessus, highlighting ancestral karma. Join Ulrika for this intuitive reading of three energetic themes related to the full moon from a galactic perspective. https://ulrikasullivan.com/quantum-galactic

  • 0:00 Introduction - Two Full Moons Capricorn, Saturn conjunct Nessus (7066) Orion Betelgeuse, Release ancestral heritage, True Self Emergence. Saturn Retrograde process until February 2025.
  • 9:14 THEME 1: RESILIENT BIRTH OF THE TRUE YOU - Full Moon role of Shapley Attractor and Super Galactic Center, Relationship perspective expanded, Squares to Neptune 29 degrees, Pegasus-Scheat, Freedom within. Grand Cross. Orion-Betelgeuse and resilience.
  • 14:09 Orion-Betelgeuse - Supernova!
  • 16:53 THEME 2: INNER SPARK IS STRENGTH - Grand Earth Trine, Shapley Attractor, Haumea, Andromeda-Mirach, New Earth energy. Leo-Regulus, Vesta at 0 degree Leo, creative expression. Vesta conjunct Regulus August 25, 2024. Unique inner spark
  • 22:30 Andromeda-Mirach
  • 24:58 THEME 3: SHARE PASSIONS TO INSPIRE OTHERS - Lyra constellation, Quaoar, Mercury conjunct Lyra-Aladfar, music, frequency, spiritual practice, Andromeda-Titawin, Spiritual warrior energy. Share to inspire others!
  • 28:35 Lyra-Alathfar and Andromeda-Titawin
  • 30:57 Summary
  • 32:51 Questions for you to work with

Download the Galactic Alignments Reference Guide: https://ulrikasullivan.com/galactic-alignments-1

What did you start at the Capricorn New Moon that is culminating now? Watch the New Moon video from Jan 2024: https://youtu.be/aG-ZtS7-CwY

SPECIAL OFFERING: Start a daily spiritual practice to STAY GROUNDED and connect with your BODY WISDOM every day ***Grounding Body Energy Practice***: https://ulrika-sullivan-coaching.aweb.page/p/a0135d7d-12b0-45a3-bc78-9083a58e9e9c

Watch the previous video: Gemini New Moon June 6, 2024: https://youtu.be/hQXBNg9FXWg

CLIENT TESTIMONIAL: “I looooved your reading so much! It was really exciting to learn about my soul journey and soul essence as well as my strengths and weaknesses and skills that I had developed in the past reincarnations! It also revealed lessons that I have for this incarnation and showed me how some of my soul memories are affecting my life experience now. I was so impressed with your expansive knowledge and wisdom! I love that you use your intuition too. I am so happy we got to meet in Sedona and I truly appreciate your generosity and beautiful heart. Much love dear Ulrika. I hope our paths will cross again.” -Ela

  • Book a galactic astrology reading with Ulrika: https://ulrikasullivan.com/quantum-galactic-booking
  • Get a copy of Ulrika's book: https://www.amazon.com/Wisdom-Beyond-What-You-Know/dp/B09NRK41T6
  • Ulrika is a certified Quantum Soul Guidance Galactic Astrology Practitioner by Julia Balaz. Take a course with Julia here: https://starseeds.teachable.com/?affcode=236268_ygyugsqo
  • Galactic Astrology podcast playlist: https://www.youtube.com/playlist?list=PLG4N0kp1roSgS-wDNykJpU93BIK4LGTLV
  • Podcast: New Light Living http://ulrikasullivan.com/podcast
  • Visit Ulrika's website: https://ulrikasullivan.com

Follow me on social media:

  • http://facebook.com/ulrikasullivancoach
  • http://instagram.com/ulrikasullivan
  • http://pinterest.com/ulrikasullivan
  • https://www.linkedin.com/in/usullivan/
  • https://twitter.com/SullivanUlrika

Please note: New Light Living podcast is for entertainment purposes only.

Thumbing Through Yesterday
63 - Ringworld

Thumbing Through Yesterday

May 21, 2024 47:41


Larry Niven's Ringworld is a masterpiece of classic SciFi. Winner of the Hugo, Nebula, and Locus awards, this is a favorite of both Tom and Tony. Join us as we revisit Louis Wu, Teela Brown, Speaker-to-Animals, and Nessus the mad Puppeteer. How does this story hold up? TTYpodcast.com Thumbingthroughyesterday.com

Fique Seguro
5 hacker tools that can also run on your Windows

Fique Seguro

Apr 26, 2024 53:44


Discover the five main cybersecurity tools that every professional should master! This video presents a practical guide on how to use NMAP, Nessus, WireShark, Metasploit and Burp Suite to strengthen your cyber defense. With step-by-step demonstrations, you will learn how these tools can help identify vulnerabilities, monitor networks and carry out effective penetration tests. Don't miss the valuable tips that will make your work in information security easier. Want to deepen your knowledge of information security and improve your chances in the job market? Download the free ebook "Conquiste sua Vaga em Segurança da Informação" ("Land Your Job in Information Security") and get exclusive tips on interviews, finding jobs in the field and the studies needed to stand out! Go to https://blueteam-academy.com.br to download it right now! Download links for the tools mentioned in the video: https://nmap.org/download.html https://www.tenable.com/products/nessus/nessus-professional https://www.wireshark.org/download.html https://www.metasploit.com/download https://portswigger.net/burp/communitydownload

Weirdly Magical with Jen and Lou - Astrology - Numerology - Weird Magic - Akashic Records
Weirdly Cosmic Astrology 20˚ Pisces New Moon Mar 10 2024 | DANCING THROUGH FEARS

Weirdly Magical with Jen and Lou - Astrology - Numerology - Weird Magic - Akashic Records

Feb 28, 2024 47:36


On Mar 10th we have the most Pisces of Pisces New Moons at 20˚ conjunct Saturn, Nessus, Hygeia, and Neptune, square to Vesta and opposing Black Moon Lilith. OVERWHELMING emotion and many fears and ancestral memories arise but you are invited to choose creativity and rebirth. To buy the Tridevia Tarot Deck use this link https://calmoura.com/louiseedington  and the unique Coupon Code: TAROTLOUISE (10% off on all orders on our store) Subscribe to my Substack blog for FREE https://cosmicowlastrology.substack.com/ Check out my Amazon store for books and other products I love and recommend! https://www.amazon.com/shop/cosmicowlastrology-louiseedington Work with the Cosmic Owl: Become a Venus Enchantment Community member to support my work. https://louiseedington.com/venus-enchantment Book a consultation. https://louiseedington.com For more from Louise subscribe to this channel and check the bell to receive notifications AND/OR follow Louise at louiseedington.com or https://www.facebook.com/WildWomanUnleashed/ My fave numerology resource is http://numerology-thenumbersandtheirmeanings.blogspot.com/ --- Send in a voice message: https://podcasters.spotify.com/pod/show/weirdlycosmic/message Support this podcast: https://podcasters.spotify.com/pod/show/weirdlycosmic/support

Navigating Magick with Natasha Andreo
#12 Chiron's role in Personal & Collective Healing with Melanie Reinhart

Navigating Magick with Natasha Andreo

Feb 9, 2024 69:37


In this episode, Natasha interviews Melanie Reinhart about the wounded healer and what Chiron has to teach us both personally and collectively. Melanie Reinhart is best known for her book 'Chiron and the Healing Journey', and her work on Chiron and the Centaurs Chariklo, Nessus and Pholus. She is a prize-winning diploma holder of the Faculty of Astrological Studies in the UK (Margaret Hone Award 1979), of whom she is also a patron. She was awarded the prestigious Charles Harvey Award in 2004, given by the Astrological Association of Great Britain for 'exceptional service to astrology'. Her work is an unusual combination of intuition and meticulous research... Melanie was initially self-taught in astrology, immersing herself for many years in the work of Dane Rudhyar. Later she had the privilege of learning from the many gifted astrologers in the rich milieu of London, and that journey continues. Melanie studied Horary astrology with Geoffrey Cornelius (1989-1990), and Deborah Houlding (Practitioner's Certificate 2012). To learn more about or contact Melanie, and for her full bio, visit her website at: https://melaniereinhart.com If you enjoy the show, it's always a big help if you can share it with your own audiences via social media or word of mouth. And if you could please take a second and hit the Subscribe button and turn on Notifications (the little bell next to it) and Like the video, that would be super helpful in getting this show out to more people. Please leave any questions or comments in the comment section or contact via: Instagram @natasha.andreo Astrology page: @navigating.magick or via her Website here. Listen, Subscribe and Share via: Spotify Apple Podcast Youtube

Open Source Security Podcast
Episode 411 - The security tools that started it all

Open Source Security Podcast

Jan 15, 2024 29:27


Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. Show Notes: SELinux, AppArmor, SSH, ModSecurity, Snort, Nmap, Nessus, What comes after open source

CISSP Cyber Training Podcast - CISSP Training Program
CCT 095: CISSP Practice Questions - Assessment, Compliance, and Improvement Strategies (CISSP Domain 6.5)

CISSP Cyber Training Podcast - CISSP Training Program

Dec 7, 2023 21:31 Transcription Available


Ready to unlock the secrets of cybersecurity and ace that CISSP exam? Strap in as we delve into the intriguing realm of ISO 27001 standards, exploring their critical role in safeguarding key infrastructure such as our municipal water facilities. Learn how to assess, comply with, and improve upon these standards, and get a sneak peek at potential exam questions you'll find on our website. But it doesn't stop there. We're pushing the envelope further by integrating cloud security assessments into your testing strategies. Get to grips with your cloud service provider's security policies and controls, and understand why legal and regulatory compliance is non-negotiable. Discover valuable tools like Nessus for vulnerability assessments and the importance of black box tests on new web applications. We'll also discuss the crucial role of account management audits and management reviews in ensuring your security policies are not just effective, but adhered to. Stay tuned for a fascinating deep-dive into the world of cybersecurity! Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.

Remarkable Marketing
The Hacker Chronicles: B2B Marketing Lessons from the Award-Winning Podcast with Jérôme Robert, CMO & Chief of Staff at Tenable

Remarkable Marketing

Oct 27, 2023 48:36


Hear us out. A children's book, a novella, a fictional crime podcast, but make them B2B. Because B2B marketing doesn't have to be a webinar, a blog post, an email newsletter… Every B2B company does those. Today we're challenging you to rise above the noise and make radically different content. In this episode, we're learning from a company that has created B2B content as all three: children's book, novella, and fictional crime podcast. That company is Tenable. We're chatting with their CMO and Chief of Staff, Jérôme Robert, about the art of creating fictional content that feels realistic, lived in, and resonates with your audience while also improving brand affinity. So grab a coffee from your local barista, tip well, and settle in for this episode of Remarkable.
About our guest, Jérôme Robert
Jérôme Robert is CMO and Chief of Staff at Tenable. He previously served as Managing Director of Alsid's U.S. operations. His responsibilities included enabling users to harden their Active Directory and detect attacks. and supporting PSG. Prior to Alsid, he served as SVP of Product and Marketing at EclecticIQ. He has also worked at companies like Orange Cyberdefense and Arkoon Netasq.
About Tenable
Tenable® is the Exposure Management company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world's first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies.
About The Hacker Chronicles
The Hacker Chronicles is a podcast about a barista named Alice who's struggling to make ends meet, and that's when a friend suggests buying a Ransomware-as-a-Service kit. So she starts exploring the Dark Web as a way to make some extra cash and ends up becoming America's most wanted hacker. It's now in its second season, “Digital Nomad”. It stars Chloe Taylor as Alice Mitnick and Michael C. Hall as John Doe. And it's presented by Tenable.
What B2B Companies Can Learn From The Hacker Chronicles:
Create marketing content in a non-marketing genre. Like a children's book, like a fiction podcast. Because not only will you appeal to marketers, you'll tap into a much broader audience who enjoys the story. Ian says, “What I heard a ton of when we launched season one was, ‘I don't normally listen to podcasts like this, but I binged it with my girlfriend,' or, ‘I listened to the entire thing in the car.' We talked a lot about, ‘How do we make it bingeable?'”
Ground your fictional characters in a real world. Make your content resonate with your audience by creating hyper realistic scenarios. Accuracy in the details is key. Ian says in creating the storyline, “The characters had to experience the world in a certain way in order for it to feel real. Like, they need to have real stakes. They need to have real relationships. They need to have real pressures.” And Jérôme adds that, “When you see a movie and there's a supposed hacker, but you see their screen and it's a dumb script that they are running that has nothing to do with cyber security, when a cyber security person watches this movie, we're like, ‘This is awful. I can't stand it.' That's exactly what I didn't want. So everything [the main character Alice] does has been thought through and is realistic.” The Hacker Chronicles is based on a lot of real hacks, and so anyone in the cybersecurity industry would believe it.
Get rid of ads. Try entertainment instead. Jerome says, “Everybody believes that the opportunity for ads is shrinking dramatically. People don't like interruptions. You have to provide something that is enjoyable. That rewards your audience.” And he said after bringing this up, his team no longer got pushback from the leadership on updating their marketing strategy.
Quotes
“Tenable was one of the founders of cybersecurity as an industry. And there's a lot of good things that come with that heritage. But there's also the tendency to not try new stuff from a marketing perspective. And there were people at the company when we joined that had an innate desire to challenge that.” - Jérôme Robert
“You have to be self-critical about what you're doing all the time. It's not easy, I think, from a brain gymnastics standpoint. It involved a lot of effort, but it's very rewarding. You're very happy when you end up with something that you think cannot be attacked, cannot be challenged. I mean, yeah, they could say they don't like it, but they can't say it's wrong. You have the eureka moment when you think, ‘Yeah, we got it.' It's very cool.” - Jérôme Robert
“You do something that is fundamentally different from the rest of the industry, you are going to stand out. Which is, as marketers, what we're looking for. But as a company that is managing their risk doing something that makes the company stand out creates mixed feelings. They think, ‘If the outcomes are not what we hoped for it's a huge risk, it could backfire, and you don't have any ROI to put in front of it, so, no, I'm not going to do it.' There's too much risk in being different, somehow. And I think that's totally overstated. I think, notably in an industry where the marketing practices are very mature and very identical from one company to another, there's very, very little downside in standing out, in doing something that is entirely different.” - Jérôme Robert
Time Stamps
[0:55] Meet Jérôme Robert, CMO & Chief of Staff at Tenable
[1:57] What does Jérôme do at Tenable?
[5:45] What is The Hacker Chronicles?
[11:26] About the inspiration behind The Hacker Chronicles
[17:17] The importance of realism in a fictional piece of content
[19:39] How scary is it to make a primer on hacking as a cybersecurity company?
[35:30] How do you prove the ROI of content?
[40:02] Why does Jérôme have a long-term approach to content like a podcast?
[44:40] How does Jérôme tie the podcast back to Tenable customers?
Links
Listen to The Hacker Chronicles
Connect with Jérôme on LinkedIn
Learn more about Tenable
About Remarkable!
Remarkable! is created by the team at Caspian Studios, the premier B2B Podcast-as-a-Service company. Caspian creates both non-fiction and fiction series for B2B companies. If you want a fiction series check out our new offering - The Business Thriller - Hollywood style storytelling for B2B. Learn more at CaspianStudios.com. In today's episode, you heard from Ian Faison (CEO of Caspian Studios) and Meredith Gooderham (Senior Producer). Remarkable was produced this week by Jess Avellino, mixed by Scott Goodrich, and our theme song is “Solomon” by FALAK. Create something remarkable. Rise above the noise.

The Tech Blog Writer Podcast
2545: Tenable - The Cybersecurity Tightrope: Balancing Risk and Innovation

The Tech Blog Writer Podcast

Oct 14, 2023 36:09


In today's episode of Tech Talks Daily, we delve into the labyrinthine world of cybersecurity with none other than Satnam Narang, a Senior Staff Research Engineer at Tenable. As we navigate through an age where digital safety is paramount, Tenable serves as a guardian for approximately 40,000 global organizations, helping them understand and minimize cyber risk. Our discussion covers a multitude of pressing topics—from known vulnerabilities in both UK and global infrastructure to the lurking decade-old bugs that could be the fine line between your safety and a multi-million-pound breach. We explore the urgent need for robust cyber hygiene practices as well as the rising prevalence of social media scams and crypto cyber-attacks. Satnam brings an unparalleled depth of expertise, shedding light on Tenable's pioneering work, including their renowned Nessus® technology.  This episode is particularly timely, considering the recent CISA warnings about new, yet often ancient, Linux vulnerabilities that are actively exploited, presenting considerable risks to federal enterprises. We also delve into the role of open-source libraries in both innovation and the vulnerability landscape. Drawing from real-world examples like the CLOP group's ransomware attack, we discuss how even well-known, old vulnerabilities are proving to be lucrative targets for both average cybercriminals and state actors. Satnam and I share strategies for reducing cyber risk, emphasizing the need for prioritizing vulnerabilities, improving visibility into network assets, and creating an effective incident response playbook.  With cyber threats evolving at an unprecedented pace, this episode serves as an indispensable guide for organizations and individuals alike to bolster their digital fortresses.

Dungeons & Dragons Lorecast
Episode 157: Nessus

Dungeons & Dragons Lorecast

Jun 3, 2023 61:10


To kick off our Hotter Than the Nine Hells series, we take the Hellevator ALL the way down and kick it with our ol' pal Asmodeus in Nessus! Potentially bad news for an Honor Among Thieves sequel Forbes (I know, right?) takes a look at D&D's upcoming official VTT DMs Guild Corner Pick of the Week: Hellbound Heists DnD Lorecast Discord | DnD Lorecast swag Equip your own adventures: D&D 5th Edition Starter Set: https://amzn.to/2WgZX6O  D&D 5th Edition Players Handbook: https://amzn.to/3iRtcH4  D&D 5th Ed Monster's Manual: https://amzn.to/2Eeh8Qp  38 Fantasy Miniatures: https://amzn.to/34kh6kX  Awesome Looking Dice Sets: https://amzn.to/3aHFwpM Links: Fandom University - Sergio's OTHER nerdy podcast! Multi-episodes arcs deep-diving into various nerdy topics **SEASON 1 NOW COMPLETE** NoSleep Podcast - online and on Twitch, a horror fiction podcast Mary helps work on Check out all the socials right here: https://linktr.ee/dndlorecast And send us a note! Email us at dndlorecast@gmail.com  ROBOTSRADIO.net - Smart Shows for Interesting People. Explore all the awesome shows on the network. Robots Radio Network Discord: discord.gg/JXKfVhM  Learn more about your ad choices. Visit megaphone.fm/adchoices

The Universe Within Podcast
Ep. 108 - Melanie Reinhart - Astrology, Chiron, and Mythology

The Universe Within Podcast

Apr 5, 2023 160:20


Hey everybody! Episode 108 of the show is out. In this episode, I spoke with Melanie Reinhart. Melanie was recommended to me by a friend of mine, James Robinson, and I'm really grateful that he did. Melanie is an astrologer and I really enjoyed speaking with her. She has a beautiful voice, presence, and wisdom and I think you all will find this a fascinating conversation. We spoke about her early years and interest in astrology, its history, how it fell out of favor in the West, the mythology of astrology, Chiron and its mythology and meaning, how astrology ties together many disciplines and draws upon much ancient wisdom from around the world, and how astrology can help guide us in the current times we are in. As always, to support this podcast, get early access to shows, bonus material, and Q&As, check out my Patreon page below. Enjoy!
This episode is sponsored by Real Mushrooms. As listeners, visit their website to enjoy a discount of 25% off your first order: https://www.realmushrooms.com/universe
Melanie Reinhart is best known for her book 'Chiron and the Healing Journey', and her work on Chiron and the Centaurs Chariklo, Nessus and Pholus. She is a prize-winning diploma holder of the Faculty of Astrological Studies in the UK (Margaret Hone Award 1979), of whom she is also a patron. She was awarded the prestigious Charles Harvey Award in 2004, given by the Astrological Association of Great Britain for 'exceptional service to astrology'. Her work is an unusual combination of intuition and meticulous research... Melanie was initially self-taught in astrology, immersing herself for many years in the work of Dane Rudhyar. Later she had the privilege of learning from the many gifted astrologers in the rich milieu of London, and that journey continues. Melanie studied Horary astrology with Geoffrey Cornelius (1989-1990), and Deborah Houlding (Practitioner's Certificate 2012). Melanie has taught for many highly esteemed astrology schools, in the UK and abroad, including the Centre for Psychological Astrology, the London School of Astrology, the Faculty of Astrological Studies, Aula Astrològica de Catalunya, Heaven and Earth Workshops and Astro*Synthesis. She has presented astrological seminars, lectures and experiential programs for local astrology groups in the UK, eight European countries, South Africa, USA, Mexico, Australia, New Zealand, Hong Kong and Taiwan. Currently living in rural Bedfordshire, Melanie maintains a busy consulting practice with an international clientele. This intimate use of astrology as a vehicle for personal guidance is the heart and soul of her astrological work…”
To learn more about or contact Melanie, and for her full bio, visit her website at: https://melaniereinhart.com
If you enjoy the show, it would be a big help if you could share it with your own audiences via social media or word of mouth. And please Subscribe or Follow and if you can go on Apple Podcasts and leave a starred-rating and a short review. That would be super helpful with the algorithms and getting this show out to more people. Thank you in advance!
For more information about me and my upcoming plant medicine retreats with my colleague Merav Artzi, visit my site at: https://www.NicotianaRustica.org
To book an integration call with me, visit: https://jasongrechanik.setmore.com
Support this podcast on Patreon: https://www.patreon.com/UniverseWithin
Donate directly with PayPal: https://www.paypal.me/jasongrechanik
Music courtesy of: Nuno Moreno (end song). Visit: https://m.soundcloud.com/groove_a_zen_sound and https://nahira-ziwa.bandcamp.com/ And Stefan Kasapovski's Santero Project (intro song). Visit: https://spoti.fi/3y5Rd4H
https://www.facebook.com/UniverseWithinPodcast
https://www.instagram.com/UniverseWithinPodcast

Weirdly Magical with Jen and Lou - Astrology - Numerology - Weird Magic - Akashic Records
Weirdly Cosmic Virgo Full Moon | Abuses of Power Revealed

Weirdly Magical with Jen and Lou - Astrology - Numerology - Weird Magic - Akashic Records

Feb 22, 2023 38:09


A Virgo Full Moon conjunct asteroid Lilith, opposing centaur Nessus and aspecting Uranus in Taurus is likely to bring earthquakes that reveal abuses of power. At a personal level, if you feel the rug has been pulled out from under your feet it's because something needs to be released big time. Check out the fantastic, focus and mood improving Four Sigmatic Coffee and other products with my discount link. With thanks to my sponsors! Subscribe and save 30% with Discount code: cosmic: https://go.foursigmatic.com/cosmic Also check out my Amazon store for books and other products I love and recommend! https://www.amazon.com/shop/cosmicowlastrology-louiseedington Work with the Cosmic Owl: Become a Venus Enchantment Community member to support my work. https://louiseedington.com/venus-enchantment Book a consultation. https://louiseedington.com For more from Louise subscribe to this channel and check the bell to receive notifications AND/OR follow Louise at louiseedington.com or https://www.facebook.com/WildWomanUnleashed/ 00:00 Intro 01:03 Card 05:54 Reflecting on Pisces New Moon 07:12 Sponsor Four Sigmatics 09:07 Chart 15:19 Number 17:42 Chart 31:42 Symbols --- Send in a voice message: https://anchor.fm/weirdlycosmic/message Support this podcast: https://anchor.fm/weirdlycosmic/support

The Cyber Threat Perspective
Episode 29: Critical Vulnerabilities You WON'T Find Using Nessus

The Cyber Threat Perspective

Feb 22, 2023 32:30


In this episode Brad and Spencer discussed vulnerabilities that are not detected by vulnerability scanning tools such as Nessus and explored several methods that can be used to identify them. While vulnerability scanners are important and effective at identifying known vulnerabilities, they are not so good at detecting unknown or complex vulnerabilities. To address this gap, we discussed several complementary methods that can be used, such as penetration testing, red teaming, fuzzing, and source code review, to identify vulnerabilities and weaknesses that may not be apparent from a vulnerability scan. By incorporating these additional methods into a comprehensive security testing strategy, organizations can gain a better understanding of their security posture and take steps to address vulnerabilities before they can be exploited by attackers.
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com

Podside Picnic
Citadel Of The Autarch XI - XX Preview

Podside Picnic

Nov 10, 2022 7:08


Welcome to the Year of the New Sun! Join us in our read-along of chapters I - X of The Citadel of the Autarch. We talk about Severian's journey beyond the gates of Nessus, and if you'd like to continue the discussion consider joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Podside Read-along: Citadel Of The Autarch I - X Preview

Podside Picnic

Oct 20, 2022 7:08


Welcome to the Year of the New Sun! Join us in our read-along of chapters I - X of The Citadel of the Autarch. We talk about Severian's journey beyond the gates of Nessus, and if you'd like to continue the discussion consider joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Sword Of Lictor XXVI - XXXVIII Preview

Podside Picnic

Sep 29, 2022 5:54


Welcome to the Year of the New Sun! Join us in our read-along of chapters XXVI - XXXVIII of The Sword of the Lictor. Listen as we talk about Severian's journey beyond the gates of Nessus, and if you'd like to continue the discussion consider joining our Podside Picnic discord. Music by Loot the Body

Screaming in the Cloud
Trivy and Open Source Communities with Anaïs Urlichs

Screaming in the Cloud

Sep 6, 2022 36:15


About AnaïsAnaïs is a Developer Advocate at Aqua Security, where she contributes to Aqua's cloud native open source projects. When she is not advocating DevOps best practices, she runs her own YouTube Channel centered around cloud native technologies. Before joining Aqua, Anais worked as SRE at Civo, a cloud native service provider, where she helped enhance the infrastructure for hundreds of tenant clusters. As CNCF ambassador of the year 2021, her passion lies in making tools and platforms more accessible to developers and community members.Links Referenced: Aqua Security: https://www.aquasec.com/ Aqua Open Source YouTube channel: https://www.youtube.com/c/AquaSecurityOpenSource Personal blog: https://anaisurl.com TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at AWS AppConfig. Engineers love to solve, and occasionally create, problems. But not when it's an on-call fire-drill at 4 in the morning. Software problems should drive innovation and collaboration, NOT stress, and sleeplessness, and threats of violence. That's why so many developers are realizing the value of AWS AppConfig Feature Flags. Feature Flags let developers push code to production, but hide that that feature from customers so that the developers can release their feature when it's ready. This practice allows for safe, fast, and convenient software development. You can seamlessly incorporate AppConfig Feature Flags into your AWS or cloud environment and ship your Features with excitement, not trepidation and fear. 
To get started, go to snark.cloud/appconfig That's snark.cloud/appconfig.Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Every once in a while, when I start trying to find guests to chat with me and basically suffer my various slings and arrows on this show, I encounter something that I've never really had the opportunity to explore further. And today's guest leads me in just such a direction. Anaïs is an open-source developer advocate at Aqua Security, and when I was asking her whether or not she wanted to talk about various topics, one of the first thing she said was, “Don't ask me much about AWS because I've never used it,” which, oh my God. Anaïs, thank you for joining me. You must be so very happy never to have dealt with the morass of AWS.Anaïs: [laugh]. Yes, I'm trying my best to stay away from it. [laugh].Corey: Back when I got into the cloud space, for lack of a better term, AWS was sort of really the only game in town unless you wanted to start really squinting hard at what you define cloud as. I mean yes, I could have gone into Salesforce or something, but I was already sad and angry all the time. 
These days, you can very much go all in-on cloud. In fact, you were a CNCF ambassador, if I'm not mistaken. So, you absolutely are in the infrastructure cloud space, but you haven't dealt with AWS. That is just an interesting path. Have you found others who have gone down that same road, or are you sort of the first of a new breed?Anaïs: I think to find others who are in a similar position or have a similar experience, as you do, you first have to talk about your experience, and this is the first time, or maybe the second, that I'm openly [laugh] saying it on something that will be posted live, like, to the internet. Before I, like, I tried to stay away from mentioning it at all, do the best that I can because I'm at this point where I'm so far into my cloud-native Kubernetes journey that I feel like I should have had to deal with AWS by now, and I just didn't. And I'm doing my best and I'm very successful in avoiding it. [laugh]. So, that's where I am. Yeah.Corey: We're sort of on opposite sides of a particular fence because I spend entirely too much time being angry at AWS, but I've never really touched Kubernetes and anger. I mean, I see it in a lot of my customer accounts and I get annoyed at its data transfer bills and other things that it causes in an economic sense, but as far as the care and feeding of a production cluster, back in my SRE days, I had very old-school architectures. It's, “Oh, this is an ancient system, just like grandma used to make,” where we had the entire web tier, then a job applic—or application server tier, and then a database at the end, and everyone knew where everything was. And then containers came out of nowhere, and it seemed like okay, this solves a bunch of problems and introduces a whole bunch more. How do I orchestrate them? How do I ensure that they're healthy?And then ah, Kubernetes was the answer. 
And for a while, it seemed like no matter what the problem was, Kubernetes was going to be the answer because people were evangelizing it pretty hard. And now I see it almost everywhere that I turn. What's your journey been like? How did you get into the weeds of, “You know what I want to do when I grow up? That's right. I want to work on container orchestration systems.” I have a five-year-old. She has never once said that because I don't abuse my children by making them learn how clouds work. How did you wind up doing what you do?Anaïs: It's funny that you mention that. So, I'm actually of the generation of engineers who doesn't know anything else but Kubernetes. So, when you mentioned that you used to use something before, I don't really know what that looks like. I know that you can still deploy systems without Kubernetes, but I have no idea how. My journey into the cloud-native space started out of frustration from the previous industry that I was working at.So, I was working for several years as developer advocate in the open-source blockchain cryptocurrency space and it's highly similar to all of the cliches that you hear online and across the news. And out of this frustration, [laugh] I was looking at alternatives. One of them was either going into game development, into the gaming industry, or the cloud-native space and infrastructure development and deployment. And yeah, that's where I ended up. So, at the end of 2020, I joined a startup in the cloud-native space and started my social media journey.Corey: One of the things that I found that Kubernetes solved for—and to be clear, Kubernetes really came into its own after I was doing a lot more advisory work and a lot more consulting style activity rather than running my own environments, but there's an entire universe of problems that the modern day engineer never has to think about due to, partially cloud and also Kubernetes as well, which is the idea of hardware or node failure. 
I've had middle of the night driving across Los Angeles in a panic getting to the data center because the disk array on the primary database had degraded because the drive failed. That doesn't happen anymore. And clouds have mostly solved that. It's okay, drives fail, but yeah, that's the problem for some people who live in Virginia or Oregon. I don't have to think about it myself.

But you do have to worry about instances failing; what if the primary database instance dies? Well, when everything lives in a container then that container gets moved around in the stateless way between things, well great, you really only have to care instead about okay, what if all of my instances die? Or, what if my code is really crappy? To which my question is generally, what do you mean, ‘if?' All of us write crappy code.

That's the nature of the universe. We open-source only the small subset that we are not actively humiliated by, which is, in a lot of ways, what you're focusing on now, over at Aqua Sec, you are an advocate for open-source. One of the most notable projects that come out of that is Trivy, if I'm pronouncing that correctly.

Anaïs: Yeah, that's correct. Yeah. So, Trivy is our main open-source project. It's an all-in-one cloud-native security scanner. And it's actually—it's focused on misconfiguration issues, so it can help you to build more robust infrastructure definitions and configurations.

So ideally, a lot of the things that you just mentioned won't happen, but it obviously, highly depends on so many different factors in the cloud-native space. But definitely misconfigurations are one of those areas that can easily go wrong. And also, not just that your data might cease to exist, but the worst thing or, like, as bad might be that it's completely exposed online.
And there are databases of different exposures where you can see all the kinds of data of information from just health data to dating apps, just being online available because the IP address is not protected, right? Things like that. [laugh].

Corey: We all get those emails that start with, “Your security is very important to us,” and I know just based on that opening to an email, that the rest of that email is going to explain how security was not very important to you folks. And it's the apology, “Oops, we have messed up,” email. Now, the whole world of automated security scanners is… well, it's crowded. There are a number of different services out there that the cloud providers themselves offer a bunch of these, a whole bunch of scareware vendors at the security conferences do as well. Taking a quick glance at Trivy, one of the problems I see with it, from a cloud provider perspective, is that I see nothing that it does that winds up costing extra money on your cloud bill that you then have to pay to the cloud provider, so maybe they'll put a pull request in for that one of these days. But my sarcasm aside, what is it that differentiates Trivy from a bunch of other offerings in various spaces?

Anaïs: So, there are multiple factors. If we're looking from an enterprise perspective, you could be using one of the in-house scanners from any of the cloud providers available, depending which you're using. The thing is, they are not generally going to be the ones who have a dedicated research team that provides the updates based on the vulnerabilities they find across the space. So, with an open-source security scanner or from a dedicated company, you will likely have more up-to-date information in your scans. Also, lots of different companies, they're using Trivy under the hood ultimately, or for their own scans.

I can link a few where you can also find them in a Trivy repository.
But ultimately, a lot of companies rely on Trivy and other open-source security scanners under the hood because they are from dedicated companies. Now, the other part to Trivy and why you might want to consider using Trivy is that in larger teams, you will have different people dealing with different components of your infrastructure, of your deployments, and you could end up having to use multiple different security scanners for all your different components from your container images that you're using, whether or not they are secure, whether or not they're following best practices that you defined to your infrastructure-as-code configurations, to your running deployments inside of your cluster, for instance. So, each of those different stages across your lifecycle, from development to runtime, will maybe either need different security scanners, or you could use one security scanner that does it all. So, you could have in a team more knowledge sharing, you could have dedicated people who know how to use the tool and who can help out across a team across the lifecycle, and similar. So, that's one of the components that you might want to consider.

Another thing is how mature is a tool, right? A lot of cloud providers, what they end up doing is they provide you with a solution, but it's nice to decoupled from anything else that you're using. And especially in the cloud-native space, you're heavily reliant on open-source tools, such as for your observability stack, right? Coming from Site Reliability Engineering also myself, I love using metrics and Grafana. And for me, if anything open-source from Loki to accessing my logs, to Grafana to dashboards, and all their integrations.

I love that and I want to use the same tools that I'm using for everything else, also for my security tools. I don't want to have the metrics for my security tools visualized in a different solution to my reliability metrics for my application, right?
Because that ultimately makes it more difficult to correlate metrics. So, those are, like, some of the factors that you might want to consider when you're choosing a security scanner.

Corey: When you talk about thinking about this, from the perspective of an SRE is—I mean, this is definitely an artifact of where you come from and how you approach this space. Because in my world, when you have ten web servers, five application servers, and two database servers and you wind up with a problem in production, how do you fix this? Oh, it's easy. You log into one of those nodes and poke around and start doing diagnostics in production. In a containerized world, you generally can't do that, or there's a problem on a container, and by the time you're aware of that, that container hasn't existed for 20 minutes.

So, how do you wind up figuring out what happens? And instrumenting for telemetry and metrics and observability, particularly at scale becomes way more important than it ever was, for me. I mean, my version of monitoring was always Nagios, which was the original Call of Duty that wakes you up at two in the morning when the hard drive fails. The world has thankfully moved beyond that in a bunch of ways. But it's not first nature for me. It's always, “Oh, yeah, that's right. We have a whole telemetry solution where I can go digging into.” My first attempt is always, oh, how do I get into this thing and poke it with a stick? Sometimes that's helpful, but for modern applications, it really feels like it's not.

Anaïs: Totally. When we're moving to an infrastructure to an environment where we can deploy multiple times a day, right, and update our application multiple times a day, multiple times a day, we can introduce new security issues or other things can go wrong, right?
So, I want to see—as much as I want to see all of the other failures, I want to see any security-related issues that might be deployed alongside those updates at the same frequency, right?

Corey: The problem that I see across all this stuff, though, is there are a bunch of tools out there that people install, but then don't configure because, “Oh, well, I bought the tool. The end.” I mean, I think it was reported almost ten years ago or so on the big Target breach that they wound up installing some tool—I want to say FireEye, but please don't quote me on that—and it wound up firing off a whole bunch of alerts, and they figured it was just noise, so they turned it all off. And it turned out no, no, this was an actual breach in progress. But people are so used to all the alarms screaming at them, that they don't dig into this.

I mean, one of the original security scanners was Nessus. And I've seen a lot of Nessus reports because for a long time, what a lot of crappy consultancies would do is they would white-label the output of whatever it was that Nessus said and deliver that in as the report. So, you'd wind up with 700 pages of quote-unquote, “Security issues.” And you'd have to flip through to figure out that, ah, this supports a somewhat old SSL negotiation protocol, and you're focusing on that instead of the oh, and by the way, the primary database doesn't have a password set. Like, it winds up just obscuring it because there is so much. How does Trivy approach avoiding the information overload problem?

Anaïs: That's a great question because everybody's complaining about vulnerability fatigue, of them, for the first time, scanning their container images and workloads and seeing maybe even hundreds of vulnerabilities. And one of the things that can be done to counteract that right from the beginning is investing your time into looking at the different flags and configurations that you can do before actually deploying Trivy to, for example, your cluster.
That's one part of it. The other part is I mentioned earlier, you would use a security scan at different parts of your deployment. So, it's really about integrating scanning not just once you—like, in your production environment, once you've deployed everything, but using it already before and empowering engineers to actually use it on their machines.

Now, they can either decide to do it or not; it's not part of most people's job to do security scanning, but as you move along, the more you do, the more you can reduce the noise and then ultimately, when you deploy Trivy, for example, inside of your cluster, you can do a lot of configuration such as scanning just for critical vulnerabilities, only scanning for vulnerabilities that already have a fix available, and everything else should be ignored. Those are all factors and flags that you can place into Trivy, for instance, and make it easier. Now, with Trivy, you won't have automated PRs and everything out of the box; you would have to set up the actions or, like, the ways to mitigate those vulnerabilities manually by yourself with tools, as well as integrating Trivy with your existing stack, and similar.
But then obviously, if you want to have something more automated, if you want to have something that does more for you in the background, that's when you want to use an enterprise solution and shift to something like Aqua Security Enterprise Platform that actually provides you with the automated way of mitigating vulnerabilities where you don't have to know much about it and it just gives you the solution and provides you with a PR with the updates that you need in your infrastructure-as-code configurations to mitigate the vulnerability [unintelligible 00:15:52]?

Corey: I think that's probably a very fair answer because let's be serious, when you're running a bank or someone for whom security matters—and yes, yes, I know, security should matter for everyone, but let's be serious, I care a little bit less about the security impact of, for example, I don't know, my Twitter for Pets nonsense, than I do a dating site where people are not out about their orientation or whatnot. Like, there is a world of difference between the security concerns there. “Oh, no, you might be able to shitpost as me if you compromise my lasttweetinaws.com Twitter client that I put out there for folks to use.” Okay, great. That is not the end of the world compared to other stuff.

By the time you're talking about things that are critically important, yeah, you want to spend money on this, and you want to have an actual full-on security team. But open-source tools like this are terrific for folks who are just getting started or they're building something for fun themselves and as it turns out, don't have a full security budget for their weird late-night project. I think that there's a beautiful, I guess, spectrum, as far as what level of investment you can make into security.
And it's nice to see the innovation continue happening in the space.

Anaïs: And you just mentioned that dedicated security companies, they likely have a research team that's deploying honeypots and seeing what happens to them, right? Like, how are attackers using different vulnerabilities and misconfigurations and what can be done to mitigate them. And that ultimately translates into the configurations of the open-source tool as well. So, if you're using, for instance, a security scanner that doesn't have an enterprise company with a research team behind it, then you might have different input into the data of that security scanner than if you do, right? So, these are, like, additional considerations that you might want to take when choosing a scanner. And also that obviously depends on what scanning you want to do, on the size of your company, and similar, right?

Corey: This episode is sponsored in part by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on-premises, private cloud, and they just announced a fully-managed service on AWS and Azure called BigAnimal, all one word. Don't leave managing your database to your cloud vendor because they're too busy launching another half-dozen managed databases to focus on any one of them that they didn't build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications—including Oracle—to the cloud. To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.

Corey: Something that I do find fairly interesting is that you started off, as you say, doing DevRel in the open-source blockchain world, then you went to work as an SRE, and then went back to doing DevRel-style work.
What got you into SRE and what got you out of SRE, other than the obvious having worked in SRE myself and being unhappy all the time? I kid, but what was it that got you into that space and then out of it?

Anaïs: Yeah. Yeah, but no, it's a great question. And it's, I guess, also what shaped my perspective on different tools and, like, the user experience of different tools. But ultimately, I first worked in the cloud-native space for an enterprise tool as developer advocate. And I did not like the experience of working for a paid solution. Doing developer advocacy for it, it felt wrong in a lot of ways. A lot of times you were required to do marketing work in those situations.

And that kind of got me out of developer advocacy into SRE work. And now I was working partially or mainly as SRE, and then on the side, I was doing some presentations in developer advocacy. However, that split didn't quite work, either. And I realized that the value that I add to a project is really the way I convey information, which I can't do if I'm busy fixing the infrastructure, right? I can't convey the information of as much of how the infrastructure has been fixed as I can if I'm working with an engineering team and then doing developer advocacy, solely developer advocacy within the engineering team.

So, how I ultimately got back into developer advocacy was just simply by being reached out to by my manager at Aqua Security, and Itay telling me, him telling me that he has a role available and if I want to join his team. And it was open-source-focused. Given that I started my career for several years working in the open-source space and working with engineers, contributing to open-source tools, it was kind of what I wanted to go back to, what I really enjoy doing. And yeah, that's how that came about [laugh].

Corey: For me, I found that I enjoy aspects of the technology part, but I find I enjoy talking to people way more.
And for me, the gratifying moment that keeps me going, believe it or not, is not necessarily helping giant companies spend slightly less money on another giant company. It's watching people suddenly understand something they didn't before, it's watching the light go on in their eyes. And that's been addictive to me for a long time. I've also found that the best way for me to learn something is to teach someone else.

I mean, the way I learned Git was that I foolishly wound up proposing a talk, “Terrible Ideas in Git”—we'll teach it by counterexample—four months before the talk. And they accepted it, and crap, I'd better learn enough Git to give this talk effectively. I don't recommend this because if you miss the deadline, I checked, they will not move the conference for you. But there really is something to be said for watching someone learn something by way of teaching it to them.

Anaïs: It's actually a common strategy for a lot of developer advocates of making up a talk and then waiting whether or not it will get accepted [laugh], and once it gets accepted, that's when you start learning the tool and trying to figure it out. Now, it's not a good strategy, obviously, to do that because people can easily tell that you just did that for a conference. And—

Corey: Sounds to me, like, you need to get better at bluffing. I kid.

Anaïs: [laugh].

Corey: I kid. Don't bluff your way through conference talks as a general rule. It tends not to go well. [laugh].

Anaïs: No. It's a bad idea. It's a really bad idea. And so, I ultimately started learning the technologies or, like, the different tools and projects in the cloud-native space. And there are lots, if you look at the CNCF landscape, right? But just trying to talk myself through them on my YouTube channel. So, my early videos on my channel, it's just very much on the go of me looking for the first time at somebody's documentation and not making any sense out of them.

Corey: It's surprising to me how far that gets you.
I mean, I guess I'm always reminded of that Tom Hanks movie from my childhood, Big, where he wakes up—the kid wakes up as an adult one day, goes to work, and bluffs his way into working at a toy company. He's in a management meeting and just they're showing their new toy they're going to put out there and he's, “I don't get it.” Everyone looks at him like how dare you say it? And, “I don't get it. What's fun about this?” Because he's a kid.

And he winds up getting promoted to vice president because wow, someone pointed out the obvious thing. And so often, it feels like using a tool or a product, be it open-source or enterprise, it is clearly something different in my experience of it when I try to use this thing than the person who developed it. And very often it's that I don't see the same things or think of the problem space the same way that the developers did, but also very often—and I don't mean to call anyone in particular out here—it's a symptom of a terrible user interface or user experience.

Anaïs: What you've just said, a lot of times, it's just about saying the thing that nobody that dares to say or nobody has thought of before, and that gets you obviously, easier, further [laugh] than repeating what other people have already mentioned, right? And a lot of what you see a lot of times in these—also in open-source projects, but I think more even in closed-source enterprise organizations is that people just repeat whatever everybody else is saying in the room, right? You don't have that as much in the open-source world because you have more input or easier input in public than you do otherwise, but it still happens that I mean, people are highly similar to each other. If you're contributing to the same project, you probably have a similar background, similar expertise, similar interests, and that will get you to think in a similar way.
So, if there's somebody like, like a high school student maybe, somebody just graduated, somebody from a completely different industry who's looking at those tools for the first time, it's like, “Okay, I know what I'm supposed to do, but I don't understand why I should use this tool for that.” And just pointing that out, gets you a response, most of the time. [laugh].

Corey: I use Twitter and use YouTube. And obviously, I bias more for short, pithy comments that are dripping in sarcasm, whereas in a long-form video, you can talk a lot more about what you're seeing. But the problem I have with bad user experience, particularly bad developer experience, is that when it happens to me—and I know at a baseline level, that I am reasonably competent in technical spaces, but when I encounter a bad interface, my immediate instinctive reaction is, “Oh, I'm dumb. And this thing is for smart people.” And that is never, ever true, except maybe with quantum computing. Great, awesome. The Hello World tutorial for that stuff is a PhD from Berkeley. Good luck if you can get into that. But here in the real world where the rest of us play, it's just a bad developer experience, but my instinctive reaction is that there's stuff I don't know, and I'm not good enough to use this thing. And I get very upset about that.

Anaïs: That's one of the things that you want to do with any technical documentation is that the first experience that anybody has, no matter the background, with your tool should be a success experience, right? Like people should look at it, use maybe one command, do one thing, one simple thing, and be like, “Yeah, this makes sense,” or, like, this was fun to do, right? Like, this first positive interaction. And it doesn't have to be complex. And that's what many people I think get wrong, that they try to show off how powerful a tool is, of like, oh, “My God, you can do all those things.
It's so exciting, right?” But [laugh] ultimately, if nobody can use it or if most of the people, 99% of the people who try it for the first time have a bad experience, it makes them feel uncomfortable or any negative emotion, then it's really you're approaching it from the wrong perspective, right?

Corey: That's very apt. I think it's so much of whether people stick with something long enough to learn it and find the sharp edges has to do with what their experience looks like. I mean, back when I was more or less useless when it comes to anything that looked like programming—because I was a sysadmin type—I started contributing to SaltStack. And what was amazing about that was Tom Hatch, the creator of the project had this pattern that he kept up for way too long, where whenever anyone submitted an issue, he said, “Great, well, how about you fix it?” And because we had a patch, like, “Well, I'm not good at programming.” He's like, “That's okay. No one is. Try it and we'll see.”

And he accepted every patch and then immediately, you'd see another patch come in ten minutes later that fixed the problems in your patch. But it was the most welcoming and encouraging experience, and I'm not saying that's a good workflow for an open-source maintainer, but he still remains one of the best humans I know, just from that perspective alone.

Anaïs: That's amazing. I think it's really about pointing out that there are different ways of doing open-source [laugh] and there is no one way to go about it. So, it's really about—I mean, it's about the community, ultimately. That's what it boils down to, of you are dependent, as an open-source project, on the community, so what is the best experience that you can give them? If that's something that you want to and can invest in, then yeah [laugh] that's probably the best outcome for everybody.

Corey: I do have one more question, specifically around things that are more timely.
Now, taking a quick look at Trivy and recent features, it seems like you've just now—now-ish—started supporting cloud scanning as well. Previously, it was effectively, “Oh, this scans configuration and containers. Okay, great.” Now, you're targeting actually scanning cloud providers themselves. What does this change and what brought you to this place, as someone who very happily does not deal with AWS?

Anaïs: Yeah, totally. So, I just started using AWS, specifically to showcase this feature. So, if you look at the Aqua Open Source YouTube channel, you will find several tutorials that show you how to use that feature, among others.

Now, what I mentioned earlier in the podcast already is that Trivy is really versatile, it allows you to scan different aspects of your stack at different stages of your development lifecycle. And that's made possible because Trivy is ultimately using different open-source projects under the hood. For example, if you want to scan your infrastructure-as-code misconfigurations, it's using a tool called tfsec, specifically for Terraform. And then other tools for other scanning, for other security scanning. Now, we have—or had; it's going to be probably deprecated—a tool called CloudSploit in the Aqua open-source project suite.

Now, that's going to, kind of like, the functionality that CloudSploit was providing is going to get converted to become part of Trivy, so everything scanning-related is going to become part of Trivy that really, like, once you understand how Trivy works and all of the CLI commands in Trivy have exactly the same structure, it's really easy to scan from container images to infrastructure-as-code, to generating SBOMs to scanning also now, your cloud infrastructure and Trivy can scan any of your AWS services for misconfigurations, and it's using basically the AWS client under the hood to connect with the services of everything you have set up there, and then give you the list of misconfigurations.
And once it has done the scan, you can then drill down further into the different aspects of your misconfigurations without performing the entire scan again, since you likely have lots and lots of resources, so you wouldn't want to scan them every time again, right, when you perform the scan. So, once something has been scanned, Trivy will know whether the resource changed or not, it won't scan it again. That's the same way that in-cluster scanning works right now. Once a container image has been scanned for vulnerabilities, it won't scan the same container image again because that would just waste time. [laugh]. So yeah, do check it out. It's our most recent feature, and it's going to come out also to the other cloud providers out there. But we're starting with AWS and this kind of forced me to finally [laugh] look at it for the sake of it. But I'm not going to be happy. [laugh].

Corey: No, I don't think anyone is. It's every time I see on a resume that someone says, “Oh, I'm an expert in AWS,” it's, “No you're not.” They have 400-some-odd services now. We have crossed the point long ago, where I can very convincingly talk about AWS services that do not exist to Amazonians and not get called out for it because who in the world knows what they run? And half of their services sound like something I made up to be funny, but they're very real. It's wild to me that it is as sprawling as it is and apparently continues to work as a viable business.

But no one knows all of it and everyone feels confused, lost, and overwhelmed every time they look at the AWS console. This has been my entire career in life for the last six years, and I still feel that way. So, I'm sure everyone else does, too.

Anaïs: And this is how misconfigurations happen, right? You're confused about what you're actually supposed to do and how you're supposed to do it.
And that's, for example, with all the access rights in Google Cloud, something that I'm very familiar with, that completely overwhelms you and you get super frustrated by, and you don't even know what you give access to. It's like, if you've ever had to configure Discord user roles, it's a similar disaster. You will not know which user has access to which. They kind of changed it and try to improve it over the past year, but it's a similar issue that you face in cloud providers, just on a much larger scale, not just on one chat channel. [laugh]. So.

Corey: I think that is probably a fair place to leave it. I really want to thank you for spending as much time with me as you have talking about the trials and travails of, well, this industry, for lack of a better term. If people want to learn more, where's the best place to find you?

Anaïs: So, I have a weekly DevOps newsletter on my blog, which is anaisurl—like, how you spell U-R-L—and then dot com. anaisurl.com. That's where I have all the links to my different channels, to all of the resources that are published where you can find out more as well. So, that's probably the best place. Yeah.

Corey: And we will, of course, put a link to that in the show notes. I really want to thank you for being as generous with your time as you have been. Thank you.

Anaïs: Thank you for having me. It was great.

Corey: Anaïs, open-source developer advocate at Aqua Security. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, insulting comment that I will never see because it's buried under a whole bunch of minor or false-positive vulnerability reports.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group.
We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.

CISO Tradecraft
#94 - Easier, Better, Faster, & Cheaper Software

Sep 5, 2022 23:28


Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper. As always, please follow us on LinkedIn, and subscribe if you have not already done so.

Shigeo Shingo, who lived from 1909-1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen. He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority."

Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company. You have to start thinking and operating like a digital company. It's no longer just about procuring one solution and deploying one solution… It's really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.”

The first time I heard this I didn't really fully understand it. But after reflection it makes a ton of sense. For example, let's say your company couldn't send email. How much would that hurt the business? What if your company couldn't use Salesforce to look up customer information? How might that impact future sales? What if your core financial systems had database integrity issues? Any of these examples would greatly impact most businesses. So, getting high-quality software applications that enable the business is a huge win.

If every company is a software or digital company, then the CISO has a rare opportunity. That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good right?
That is the focus of today's show, and we are going to teach you how to excel in creating a world class organization through a focused program in Secure Software Development. Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that? Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security.

Let's first look at increasing productivity. To increase productivity, we need to understand the Resistance Pyramid. If you know how to change people and the culture within an organization, then you can significantly increase your productivity. However, people and culture are difficult to change, and different people require different management approaches.

At the bottom of the pyramid are people who are unknowing. These individuals don't know what to do. You can think of the interns in your company. They just got to your company, but don't understand what practices and processes to follow. If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance. Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?" An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner.

The middle part of the pyramid is people who believe they are unable to adapt to change. These are individuals that don't know how to do the task at hand. Here, communications are important, but also skills training. Compare your team members here to an unskilled labor force -- they're willing to work but need an education to move forward.
If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company's productivity and lower your costs.

At the top of the resistance pyramid are the people who are unwilling. These individuals don't want to change. We might call these folks the curmudgeons that say we tried it before, and it doesn't work. Or I'm too old to learn that. If you want to change these individuals and the culture of an organization, then you need to create motivation.

As leaders, our focus to stimulate change will be to focus on communicating, educating, and motivating. The first thing that we need to communicate is the Why. Why is Secure Software Development important? The answer is money. There are a variety of studies that have found that when software vulnerabilities get detected in the early development processes, they are cheaper than later in the production phases. Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase was $240, in the QA/Test Phase was $960, and in the Production phase was $7,600. Think of that difference. $80 is about 1% of $7,600. So if a developer finds bugs in the development code then they don't just save their time, they save the time of a second developer who doesn't have to do a failed code review, they save the time of an infrastructure engineer who has to put the failed code on a server, they save the time of another tester who has to create regression tests which fail, they save the time of a wasted change approval board on a failed release, and they save the customer representatives' time who will respond to customers when the software is detected as having issues. As you see there's a lot of time to be saved by increasing productivity, as well as a 99% cost savings for what has to be done anyway.
Saving their own time is something that will directly appeal to every development team member.

To do this we need to do something called Shift Left Testing. The term shift left refers to finding vulnerabilities earlier in development. To properly shift left we need to create two secure software development programs.

The first program needs to focus on the processes that an organization needs to follow to build software the right way. This is something you have to build in house. For example, think about how you want software to create a network diagram that architects can look at in your organization. Think about the proper way to register an application into a Configuration Management Database so that there is a POC who can answer questions when an application is down. Think about how a developer needs to get a DNS entry created for new websites. Think about how someone needs to get a website into the various security scanning tools that your organization requires (SAST, DAST, Vuln Management, Container Scanning, etc.) Think about how developers should retire servers at the end of life. These practices are unique to your company. They may require a help desk ticket to make something happen or if you don't have a ticketing system, an email. We need to document all of these into one place where they can be communicated to the staff members who will be following the processes. Then our employee has a checklist of activities they can follow. Remember if it's not in the checklist, then it won't get done. If it doesn't get done, then bad security outcomes are more likely to happen. So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company. You can place this knowledge into a Wikipedia article, a SharePoint site, a Confluence Page, or some kind of website. Make sure to communicate this frequently. For example, have the CIO or CISO share it at the IT All Hands meeting.
Send it out in monthly newsletters. Refer to it in security discussions and architecture review boards. The more it's communicated the more unknowing employees will hear about it and change their behavior.

The second program that you should consider building is a secure code training platform. You can think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Code Bashing. These secure code training solutions are usually bought by organizations instead of being created in-house. They teach developers how to write more secure code. For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?" If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code. Make these types of training programs available to every developer in your company.

Lastly, we need to find a way to motivate the curmudgeons. One way to do that is the following: Let's say you pick one secure coding platform and create an initial launch. The first two hundred people in the organization that pass the secure developer training get a one-time bonus of $200. This perk might get a lot of people interested in the platform. You might even get 10-20% of your organization taking the training in the first quarter of the program. The second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorably than their peers. Guess what? You will see more and more people taking the training class. Perhaps you see that 50% of your developer population becomes certified. Then the following year you say since so many developers are now certified, to achieve the rank of Senior Developer within the organization, it is now expected to pass this training.
It becomes something HR folks look for during promotion panels. This gradual approach to move the ball in training can work and has been proven to increase the secure developer knowledgebase.

Here's a pro tip: Be sure to create some kind of badges or digital certificates that employees can share. You might even hand out stickers upon completion that developers can proudly place on their laptops. Simple things like this can increase visibility. They can also motivate people you didn't think would change.

Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it's time to increase convenience and reduce waste. Do you know what developers hate? Well, other than last-minute change requests. They hate inefficiencies. Imagine if you get a vulnerability that says you have a bug on line 242 in your code. So you go to the code, and find there really isn't a bug, it's just a false positive in the tool. This false bug detection really, well, bugs developers. So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the true and false positive rates of the tool. One way to do this is to run the tools you are considering against the OWASP Benchmark. (We have a link to the OWASP Benchmark in our show notes.) The OWASP Benchmark allows companies to test tools against a deliberately vulnerable website with vulnerable code. In reality, testing tools find both good code and bad code. These results should be compared against the ground truth data to determine how many true/false positives were found. For example, if the tool you choose has a 90% True Positive Rate and a 90% False Positive Rate then that means the tool pretty much reports everything is vulnerable. This means valuable developer time is wasted and they will hate the tool despite its value.
If the tool has a 50% True Positive Rate and a 50% False Positive Rate, then the tool is essentially reporting randomly. Once again, this results in lost developer confidence in the tool. You really want tools that have high True Positive Rates and low False Positive Rates. Optimize accordingly.

Another developer inefficiency is the amount of tools developers need to leverage. If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for Vulnerability Management findings, WebInspect for DAST findings, Prisma for Container Findings, TruffleHog for Secrets scanning, it becomes a burden. If ten systems require two minutes of logging in and setup each that's twenty minutes of unproductive time. Multiply that times the number of developers in your organization and you can see just how much time is lost by your team just to get setup to perform security checks. Let's provide convenience and make development faster. We can do that by centralizing the security scanning results into one tool. We recommend putting all the security findings into a Source Code Repository such as GitHub or GitLab. This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place. This means that they are more likely to make those fixes since they actually see them. You can provide this type of view to developers by buying tools such as GitHub Advanced Security. Now this won't provide all of your security tools in one place by itself. You still might need to show container or cloud findings which are not in GitHub Advanced Security. But this is where you can leverage your Source Code Repository's native CI/CD tooling. GitHub has Actions and GitLab has Runners. With this CI/CD function developers don't need to go to Jenkins and other security tools. They can use GitHub Actions to integrate Container and Cloud findings from a tool like Prisma.
This means that developers have even fewer tools from CI/CD perspectives as well as less logging into security tools. Therefore, convenience improves. Now look at it from a longer perspective. If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce. This could be reviewed at the Change Approval Board. You could also fast track developers who are coding securely. If a developer has zero findings observed in GitHub, then that code can be auto approved for the Change Approval. However, if you have high/critical findings then you need manager approvals first. These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022). This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings.

Another key way we can make software faster is by performing value stream mapping exercises. Here's an example of how that reduces waste. Let's say from the time Nessus finds a vulnerability there's actually fifteen steps that need to occur within an organization to fix the vulnerability. For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it's a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc. Each of these fifteen steps take time and often require different handoffs between teams. These activities often mean that things sit in queues. This can result in waste and inefficiencies. Have your team meet with the various stakeholders and identify two time durations. One is the best-case time for how long something should go through in an optimal process.
The second is the average time it takes things to go through in the current process. At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days. This insight can show you where you are inefficient. You can identify ways to speed up from ninety to twenty days. If you can do this faster, then developer time is gained. Now, developers don't have to wait for things to happen. Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster.

OK last but not least is making software better by increasing security. At the end of the day, there are many software activities that we do which provide zero value to the business. For example, patching operating systems on servers does not increase sales. What makes the sales team sell more products? The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell. Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems? No, we did not. We are saying patching operating systems is not a value-add exercise. Here's what we do recommend. Ask every development team to identify what ike patching. Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement. You know the ones: solutions still running via on-premises VMware software, software needing monthly Java patching, and software if the wind blows the wrong way you have an unknown error. These systems are ripe for replacement. It can also be a compelling sell to executives. For example, imagine going to the CIO and CEO of Acme corporation. You highlight the Acme app is run by a staff of ten developers which fully loaded cost us about $250K each.
Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone plus hosting fees. You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe if the team were to rewrite the application in a modern programming language using a serverless technology approach the team could lower maintenance activities from 80% to 30%. This means that the maintenance costs would decrease from $2 million to $750K each year. Therefore, you can build a financial case that leadership fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year. (No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.)

Now if you just did a lift and shift to AWS and ran the servers on EC-2 or ECS, then you still have to patch the instance operating systems, middleware, and software -- all of which is a non-value add. This means that you won't reduce the maintenance activities from 80% to 30%. Don't waste developer time on these expensive transition activities; you're not going to come out ahead. Now let's instead look at how to make that maintenance go away by switching to a serverless approach. Imagine if the organization rewrote the VMware application to run on either:

  • A third party hosted SaaS platform such as Salesforce or Office 365, or
  • A serverless AWS application consisting of Amazon S3 buckets to handle front-end code, an Amazon API Gateway to make REST API calls to endpoints, AWS Lambda to run code to retrieve information from a Database, and DynamoDB to store data by the application

This new software shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware.
It also means developers don't spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level. This means you made the software more secure and gave the developers more time to write new software features which can impact the business profitability. This serverless approach truly is better and more secure. There's a great story from Capital One you can look up in our show notes that discusses how they moved from EC-2 Servers to Lambda for their Credit Offers Application Interface. The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers. Capital One uses this newfound developer time to innovate, create, and expand on business requirements. So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don't add value to the business.

Let's recap. World class CISOs create a world class software development organization. They do this by focusing on cheaper, faster, and better software. To perform this function CISOs increase productivity from developers by creating documentation that teaches developers how to build software the right way as well as creating a training program that promotes secure coding practices. World Class CISOs increase the convenience to developers by bringing high-confidence vulnerability lists to developers which means time savings in not weeding out false positives. Developers live in Source Code Repositories such as GitHub or GitLab, not the ten different software security tools that security organizations police. World Class CISOs remove waste by performing value stream exercises to lean out processes and make it easier for developers to be more efficient.
Finally, World Class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game. These CISOs partner with the business to focus on finding systems that when re-architected to become serverless increase performance gains, promote cost savings, and increase developer velocity.

We appreciate your time listening to today's episode. If this sparks a new idea in your head, please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment. We would love to see how you are taking these cyber lessons into your organization to make better software for all of us. Thanks again for listening to CISO Tradecraft. This is G. Mark Hardy, and until next time, stay safe out there.

References
https://www.sixsigmadaily.com/who-was-shigeo-shingo-and-why-is-he-important-to-process-improvement/
https://news.microsoft.com/speeches/satya-nadella-and-chris-capossela-envision-2016/
Galpin, T.J. (1996). The Human Side of Change: A Practical Guide to Organization Redesign. Jossey-Bass
https://www.businesscoaching.co.uk/news/blog/how-to-break-down-barriers-to-change
Ponemon Institute and IBM. (2017) The State of Vulnerability Management in the Cloud and On-Premises
https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/
https://www.securecodewarrior.com/
https://www.securityjourney.com/
https://checkmarx.com/product/codebashing-secure-code-training/
https://owasp.org/www-project-benchmark/
https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security
https://medium.com/capital-one-tech/a-serverless-and-go-journey-credit-offers-api-74ef1f9fde7f

Podside Picnic
Sword Of Lictor 16 - 25 Preview

Podside Picnic

Play Episode Listen Later Sep 1, 2022 5:57


Welcome to the Year of the New Sun! Join us in our read-along of chapters XVI - XXV of The Sword of the Lictor. Listen as we talk about Severian's journey beyond the gates of Nessus, and if you'd like to continue the discussion consider joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Podside Read-along: The Sword of the Lictor VI - XV Preview

Podside Picnic

Play Episode Listen Later Aug 11, 2022 6:18


Welcome to the Year of the New Sun! Join us in our read-along of chapters VI - XV of The Sword of the Lictor. Listen as we talk about Severian's journey beyond the gates of Nessus, and if you'd like to continue the discussion consider joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Podside Read-along: The Sword of the Lictor I - V Preview

Podside Picnic

Play Episode Listen Later Jul 28, 2022 6:07


Welcome to the Year of the New Sun! Join us in our read-along of chapters I - V of The Sword of the Lictor. Listen as we talk about Severian's journey beyond the gates of Nessus, and if you'd like to continue the discussion consider joining our Podside Picnic discord. Music by Loot the Body

Inking Out Loud
Episode 177: The Shadow of the Torturer, Chs. 19-22

Inking Out Loud

Play Episode Listen Later Jul 24, 2022 73:48


The guys take a walk through the Botanic Gardens of Nessus with Severian and Agia! The Final Draft features a veritable smorgasbord of drinks, including tea, liqueur, and beers from Untitled Art and Cerebral Brewing. Visit our website at www.iolpodcast.com/ and join the conversation on Twitter @IOLPodcast Support us on Patreon: www.patreon.com/inkingoutloud Send us a tip on Ko-fi: ko-fi.com/inkingoutloud Inking Out Loud is Drew McCaffrey and Rob Santos. Sound engineering by Patrick McCaffrey. Artwork by Danielle "FelCandy" Prosperie. Intro/outro music: "Moonlight" by Jivemind.

Podside Picnic
Podside Read-along: Claw of the Conciliator XXVI - XXXI Preview

Podside Picnic

Play Episode Listen Later Jul 15, 2022 5:17


Welcome to the Year of the New Sun! Join us in our read-along of chapters XXVI - XXXI of The Claw of the Conciliator. Listen in as we talk about Severian's journey beyond the gates of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Podside Read-along: Claw of the Conciliator XXI - XXV Preview

Podside Picnic

Play Episode Listen Later Jun 30, 2022 6:35


Welcome to the Year of the New Sun! Join us in our read-along of chapters XXI - XXV of The Claw of the Conciliator. Listen in as we talk about Severian's journey beyond the gates of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Claw 16 - 20 Preview

Podside Picnic

Play Episode Listen Later Jun 16, 2022 5:13


Welcome to the Year of the New Sun! Join us in our read-along of chapters XVI - XX of The Claw of the Conciliator. Listen in as we talk about Severian's journey beyond the gates of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Claw 11 - 15 Preview

Podside Picnic

Play Episode Listen Later Jun 2, 2022 6:40


Welcome to the Year of the New Sun! Join us in our read-along of chapters XI - XV of The Claw of the Conciliator. Listen in as we talk about Severian's journey beyond the gates of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Claw 6 - 10 Preview

Podside Picnic

Play Episode Listen Later May 19, 2022 6:07


Welcome to the Year of the New Sun! Join us in our read-along of chapters VI - X of The Claw of the Conciliator. Listen in as we talk about Severian's journey beyond the gates of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Podside Read-along: Claw of the Conciliator I - V Preview

Podside Picnic

Play Episode Listen Later May 5, 2022 7:11


Welcome to the Year of the New Sun! Join us in our read-along of chapters I - V of The Claw of the Conciliator. Listen in as we talk about Severian's journey beyond the gates of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Shadow Of The Torturer XXVI - XXXV Preview

Podside Picnic

Play Episode Listen Later Apr 21, 2022 6:54


Welcome to the Year of the New Sun! Join us in our read-along of chapters XXVI - XXXV of Shadow of the Torturer. Listen to us talk about Severian's journey through the ancient city-state of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Shadow Of The Torturer 21 - 26 Preview

Podside Picnic

Play Episode Listen Later Apr 7, 2022 6:10


Welcome to the Year of the New Sun! Join us in our read-along of chapters XXI - XXVI of Shadow of the Torturer. Listen to us talk about Severian's journey through the ancient city-state of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Podside Picnic
Shadow Of The Torturer XVI - XX Preview

Podside Picnic

Play Episode Listen Later Mar 24, 2022 6:40


Welcome to the Year of the New Sun! Join us in our read-along of chapters XVI - XX of Shadow of the Torturer. Listen to us talk about Severian's journey through the ancient city-state of Nessus, and continue the discussion by joining our Podside Picnic discord. Music by Loot the Body

Let's Talk About Myths, Baby! Greek & Roman Mythology Retold
CLVI: Encounters With the Pinhead With Hooves, Achelous, Deianeira and the Centaur Nessus (More Heracles Part 2)

Let's Talk About Myths, Baby! Greek & Roman Mythology Retold

Play Episode Listen Later Feb 22, 2022 31:19


Heracles' reign of terror continues as he finds yet another woman to marry. This time, he must fight a river and defeat a centaur but not before inadvertently providing the cause of his own mortal demise... CW/TW: far too many Greek myths involve assault. Given it's fiction, and typically involves gods and/or monsters, I'm not as deferential as I would be were I referencing the real thing. Sources: Theoi.com; Pseudo-Apollodorus' Library of Greek Mythology; Ovid's Metamorphoses; Ovid's Heroides; Herakles by Emma Stafford; Early Greek Myths by Timothy Gantz. Attributions and licensing information for music used in the podcast can be found here: mythsbaby.com/sources-attributions. See acast.com/privacy for privacy and opt-out information.