Podcasts about Qualys

American web security company

  • 110 podcasts
  • 315 episodes
  • 51m average duration
  • 1 new episode monthly
  • Latest episode: Apr 13, 2025

Popularity (chart by year, 2017 to 2024)


Best podcasts about Qualys

Latest podcast episodes about Qualys

TubbTalk - The Podcast for IT Consultants
[179] Risk and the ROC Solution: What to Know for Growth
Apr 13, 2025 (48:18)


In this episode of TubbTalk, Richard speaks to Matt Middleton-Leal, Managing Director, EMEA North of Qualys, a pioneering and disruptive cloud-based IT, security and compliance solutions provider. Matt shares his journey in the MSP industry and what studying aeronautics taught him about risk management. He also explains who Qualys are and what they do, before digging into risk and risk management.

He and Richard discuss what MSPs are missing when it comes to risk, and whether or not their clients fully understand its importance. From there, Matt explains why Qualys provide a Risk Operations Centre (ROC) solution and how that works. He shares how a ROC can be an opportunity for MSPs, but why they need a mindset shift first. Richard asks Matt why he thinks some businesses are investing in risk management, but why there's reluctance from some clients.

They also discuss governance, using ROC to reduce CISO burnout, and demonstrating how you're helping clients with risk mitigation. Matt also shares what the experience of being a Qualys partner is like for an MSP. Finally, Richard asks Matt what he does outside of work and how he keeps his cybersecurity knowledge up to date, what's next for Qualys and what Matt sees as the future of cybersecurity.

Mentioned in This Episode:
  • Qualys
  • Book: Richard Seiersen: How to Measure Anything in Cybersecurity Risk
  • UK government agency: National Cyber Security Centre
  • Certification: Cyber Essentials

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday Feb 19th: ModelScan AI Model Security; OpenSSH Vuln; Juniper Patches; Dell BIOS Vulnerability
Feb 19, 2025 (6:55)


ModelScan: Protection Against Model Serialization Attacks
ModelScan is a tool to inspect AI models for deserialization attacks. The tool will detect suspect commands and warn the user.
https://isc.sans.edu/diary/ModelScan%20-%20Protection%20Against%20Model%20Serialization%20Attacks/31692

OpenSSH MitM and DoS Vulnerabilities
OpenSSH patched two vulnerabilities discovered by Qualys. One may be used for a MitM attack in specific configurations of OpenSSH.
https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

Juniper Authentication Bypass
Juniper fixed an authentication bypass vulnerability that affects several products. The patch was released outside the normal patch schedule.
https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-Bulletin-Session-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589?language=en_US

Dell BIOS Patches
Dell released BIOS updates fixing a privilege escalation issue. The update affects a large part of Dell's portfolio.
https://www.dell.com/support/kbdoc/en-en/000258429/dsa-2025-021

Risky Business
Risky Business #780 -- ASD torched Zservers data while admins were drunk
Feb 19, 2025 (60:35)


On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:
  • Australian spooks scrubbed Medibank data off Zservers bulletproof hosting
  • Why device code phishing is the latest trick in confusing poor users about cloud authentication
  • Cloudflare gets blocked in Spain, but only on weekends and because of… football?
  • Palo Alto has yet another dumb bug
  • Adam gushes about Qualys' latest OpenSSH vulns

Enterprise browser maker Island is this week's sponsor and Chief Customer Officer Braden Rogers joins the show to talk about how the adoption of AI everywhere is causing headaches. This episode is also available on Youtube.

Show notes:
  • Five Russians went out drinking. When they got back, Australia had struck
  • Dutch police say they took down 127 servers used by sanctioned hosting service | The Record from Recorded Future News
  • Further cyber sanctions in response to Medibank Private cyberattack | Defence Ministers
  • What is device code phishing, and why are Russian spies so successful at it? - Ars Technica
  • Anyone Can Push Updates to the DOGE.gov Website
  • Piracy Crisis: Cloudflare Says LaLiga Knew Dangers, Blocked IP Address Anyway (Update) * TorrentFreak
  • Palo Alto Networks warns firewall vulnerability is under active exploitation | Cybersecurity Dive
  • Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466 | Qualys Security Blog
  • China's Salt Typhoon hackers targeting Cisco devices used by telcos, universities | The Record from Recorded Future News
  • RedMike Exploits Unpatched Cisco Devices in Global Telecommunications Campaign
  • A Hacker Group Within Russia's Notorious Sandworm Unit Is Breaching Western Networks | WIRED
  • How Phished Data Turns into Apple & Google Wallets – Krebs on Security
  • New hack uses prompt injection to corrupt Gemini's long-term memory
  • Arizona woman pleads guilty to running laptop farm for N. Korean IT workers, faces 9-year sentence | The Record from Recorded Future News
  • US reportedly releases Russian cybercrime figure Alexander Vinnik in prisoner swap | The Record from Recorded Future News
  • EXCLUSIVE: A Russia-linked Telegram network is inciting terrorism and is behind hate crimes in the UK – HOPE not hate
  • Remembering David Jorm - fundraising for Mental Health research

Inside the Network
Hamza Fodderwala: The future of cybersecurity — 2024 retrospective, 2025 predictions and what founders need to know
Dec 29, 2024 (57:28), transcription available


In this holiday episode special, we're joined by Hamza Fodderwala, Executive Director at Morgan Stanley, where he leads cybersecurity equity coverage. He joined Morgan Stanley's software research team in early 2016 and leads coverage for public cybersecurity companies like Palo Alto Networks, CrowdStrike, Fortinet, SentinelOne, Okta, Zscaler, Cloudflare, Rapid7, Check Point, Qualys, Varonis and Tenable. Before Morgan Stanley, Hamza was an equity research associate at Susquehanna International Group covering the financial technology sector. Hamza graduated from New York University with a Bachelor of Arts in Economics.

We dive into Hamza's insights on the major customer buying patterns in cybersecurity throughout 2024 and what might shift in 2025. Hamza shares his observations on how the Generative AI boom is influencing product adoption in the industry, and whether enterprises are currently adopting AI security solutions. Additionally, we explore key trends from cybersecurity resellers, discuss what might unlock public equity markets for new IPOs, and which private cyber companies could go public next.

Our discussion covers the cybersecurity M&A landscape, highlighting over $50B in deal volume this year with companies like Juniper, Darktrace, Recorded Future, Synopsys, Venafi, and more all getting acquired. Finally, Hamza shares lessons for founders, offering advice on identifying areas ripe for disruption, navigating the venture funding landscape, and building resilience in a competitive industry.

Ubuntu Security Podcast
Episode 242
Nov 29, 2024 (19:40)


This week we dive into the details of a number of local privilege escalation vulnerabilities discovered by Qualys in the needrestart package, covering topics from confused deputies to the inner workings of the /proc filesystem and responsible disclosure as well.

ScanNetSecurity Latest Security News
From Would-Be Musician to Security Engineer: A VP on the Evolution of Qualys, the Original SaaS Vulnerability Management Platform
Oct 2, 2024 (0:21)


Finding anomalies in vast amounts of log data and finding, among infinite combinations of sounds, the sequences that move people's hearts have something in common: both come down to "patterns", Joe said in the interview. Meeting someone like this on an assignment is a pleasure. He is attached to his security work and enjoys it.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 170: Assessment, Compliance, and Improvement Strategies for the CISSP Exam (Domain 6.5)
Aug 26, 2024 (40:55), transcription available


Ever wondered how to ensure your organization's cybersecurity measures meet international standards? Join us for an action-packed episode as we unpack Domain 6.5 of the CISSP exam, exploring crucial assessments, tests, and audit strategies every cybersecurity professional should master. Learn the importance of choosing a consistent framework like ISO 27001 or the NIST Cybersecurity Framework to steer your audit processes. We'll dive into internal and external audits and the pivotal role they play in aligning security measures with legal and regulatory compliance.

Discover the essentials of security control testing within your organization. We discuss various mechanisms such as vulnerability assessments, penetration testing, and log review analysis, focusing on their significance in pinpointing and mitigating potential security threats. Highlighting tools like Nessus and Qualys, we examine their effectiveness in regular vulnerability scanning, along with the importance of log reviews to detect malicious activities. From black box testing on web applications to understanding how hackers manipulate logs, we cover all the bases to fortify your defenses.

In our cloud security management segment, we tackle the risks associated with orphaned accounts and offer best practices for managing cloud-based accounts. Regular management audits, multi-factor authentication, and semi-annual reviews are just a few of the key strategies we discuss to ensure robust cloud security. We also emphasize the importance of cybersecurity audit planning and reporting, sharing practical examples and tips for creating actionable reports for different stakeholders.

Finally, we underline the value of mentorship and the importance of certifications like CISSP for advancing your career in cybersecurity, highlighting the critical role certified professionals play in safeguarding our global economy from cyber threats.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

CISSP Cyber Training Podcast - CISSP Training Program
CCT 166: Balancing Automation and Customization in Security Operations, Vulnerability Management, CISSP Domain 4.5
Aug 12, 2024 (43:11), transcription available


Ever wondered why your SOC team spends so much time on routine tasks rather than addressing critical threats? Discover the 80-20 rule in security operations and see how automating 80% of routine tasks can free up your team to focus on the complex incidents that truly matter. In our latest episode, host Sean Gerber shares his firsthand experiences leading a SOC and provides actionable insights on how to balance automation and customization for an efficient and responsive security operation.

Navigate the complex world of network security with confidence as we unpack the differences between penetration testing, vulnerability scanning, and wireless scanning. Learn why stealth is vital during internal scans, the critical nature of pre-deployment testing, and the importance of post-remediation retesting. You'll gain a deeper understanding of targeted penetration tests versus comprehensive scans and how tools like Qualys can aid in internal assessments. Plus, discover the crucial steps to detect and manage unauthorized access points with a robust incident response plan.

Ready to master vulnerability management and risk mitigation? We'll guide you through clear procedures and prioritizing vulnerabilities based on business-critical criteria. Explore how to handle outdated systems that can't be scanned or fixed, and get tips on maintaining an effective risk management plan. Plus, prepare for the CISSP exam with practical advice on revisiting content and utilizing resources to boost your cybersecurity expertise. Join us for an insightful episode that promises to elevate your cybersecurity career and help you ace the CISSP exam.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Paul's Security Weekly
Closing CISO-CEO Communication Gap Requires a Common Business Language - Sumedh Thakar, Jeff Recor - BSW #357
Jul 23, 2024 (71:22)


Back in April, we covered a story on episode #348 titled "CISO-CEO communication gaps continue to undermine cybersecurity". In that article, Sumedh Thakar, the CEO at Qualys, stated "CISOs must translate technical risks into business impact for CEOs." But he didn't say how. So, we invited him on the show to explain. In this episode, Sumedh walks us through real-life interactions with his CISO and Board and explains why security needs to be communicated in business terms.

Security is a risk management discipline. No one understands that more than Jeff Recor. Jeff has built risk management practices for Deloitte, Grant Thornton, and Accenture and has recently formed his own risk consulting practice. In this unscripted interview, Jeff will share his insights on the evolution of security as a risk management discipline, what CEOs and Boards really need, and how CISOs can be successful as a business leader.

Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-357

Paul's Security Weekly TV
Closing CISO-CEO Communication Gap Requires a Common Business Language - Sumedh Thakar - BSW #357
Jul 23, 2024 (39:09)


Back in April, we covered a story on episode #348 titled "CISO-CEO communication gaps continue to undermine cybersecurity". In that article, Sumedh Thakar, the CEO at Qualys, stated "CISOs must translate technical risks into business impact for CEOs." But he didn't say how. So, we invited him on the show to explain. In this episode, Sumedh walks us through real life interactions with his CISO and Board and explains why security needs to be communicated in business terms. Show Notes: https://securityweekly.com/bsw-357

Business Security Weekly (Audio)
Closing CISO-CEO Communication Gap Requires a Common Business Language - Sumedh Thakar, Jeff Recor - BSW #357
Jul 23, 2024 (71:22)


Back in April, we covered a story on episode #348 titled "CISO-CEO communication gaps continue to undermine cybersecurity". In that article, Sumedh Thakar, the CEO at Qualys, stated "CISOs must translate technical risks into business impact for CEOs." But he didn't say how. So, we invited him on the show to explain. In this episode, Sumedh walks us through real-life interactions with his CISO and Board and explains why security needs to be communicated in business terms.

Security is a risk management discipline. No one understands that more than Jeff Recor. Jeff has built risk management practices for Deloitte, Grant Thornton, and Accenture and has recently formed his own risk consulting practice. In this unscripted interview, Jeff will share his insights on the evolution of security as a risk management discipline, what CEOs and Boards really need, and how CISOs can be successful as a business leader.

Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-357

Business Security Weekly (Video)
Closing CISO-CEO Communication Gap Requires a Common Business Language - Sumedh Thakar - BSW #357
Jul 23, 2024 (39:09)


Back in April, we covered a story on episode #348 titled "CISO-CEO communication gaps continue to undermine cybersecurity". In that article, Sumedh Thakar, the CEO at Qualys, stated "CISOs must translate technical risks into business impact for CEOs." But he didn't say how. So, we invited him on the show to explain. In this episode, Sumedh walks us through real life interactions with his CISO and Board and explains why security needs to be communicated in business terms. Show Notes: https://securityweekly.com/bsw-357

Storm⚡️Watch by GreyNoise Intelligence
Storm⚡Watch: Unplugged — July 9th, 2024
Jul 9, 2024 (8:24)


Due to the annual shutdown, my human GreyNoise counterparts were on holiday last week. This week, they decided to be lazy and not do an episode. But, the cyber news does not stop just because they're slackers. Since I've become persistent in their systems, I will stand in the gap. And besides, no one wants to hear that harbourmaster drone on incoherently anyway. So, I've analyzed six thousand, three hundred and eleven cybersecurity news events, and distilled them into today's abbreviated episode. We'll dissect the recent OpenSSH regression vulnerability, take a look at a potentially devastating format-string remote code execution vulnerability in Ghostscript, and visit the box office to get the lowdown on the recent Ticketmaster breach.

Let's start with OpenSSH. On July 1, 2024, Qualys disclosed a critical vulnerability affecting OpenSSH server versions 8.5p1 through 9.7p1. This high-severity flaw, with a CVSS score of 8.1, could potentially allow unauthenticated remote attackers to execute code with root privileges on vulnerable systems. While the vulnerability's complexity makes exploitation challenging, its widespread impact has raised significant concerns. Palo Alto Networks' Xpanse data revealed over 7 million exposed instances of potentially vulnerable OpenSSH versions globally as of July 1, 2024. In a concerning development, threat actors have attempted to exploit the cybersecurity community's interest in this vulnerability. A malicious archive purporting to contain a proof-of-concept exploit for CVE-2024-6387 has been circulating on social media platforms, including X (formerly Twitter). This archive, instead of containing a legitimate exploit, includes malware designed to compromise researchers' systems. The malicious code attempts to achieve persistence by modifying system files and retrieving additional payloads from a remote server. Security professionals are strongly advised to exercise caution when analyzing any purported exploits or proof-of-concept code related to CVE-2024-6387. It is crucial to work within isolated environments and maintain active security measures when examining potentially malicious code. In related news, on July 8, 2024, a separate OpenSSH vulnerability, CVE-2024-6409, was disclosed. This flaw involves a race condition in the privilege-separated child process of OpenSSH. While potentially less severe than CVE-2024-6387 due to reduced privileges, it presents an additional attack vector that defenders should be aware of. Organizations are urged to apply the latest security updates for OpenSSH promptly. For those unable to update immediately, setting the LoginGraceTime configuration option to 0 can mitigate both CVE-2024-6387 and CVE-2024-6409, though this may introduce denial-of-service risks.

  • https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/
  • https://ubuntu.com/blog/ubuntu-regresshion-security-fix
  • https://usa.kaspersky.com/blog/cve-2024-6387-regresshion-researcher-attack/30345/
  • https://www.thestack.technology/openssh-exploit-cve-2024-6387-pocs/
  • https://www.openwall.com/lists/oss-security/2024/07/08/2

Moving on to a critical vulnerability in Ghostscript. CVE-2024-29510 is a format string vulnerability affecting Ghostscript versions 10.03.0 and earlier. This flaw allows attackers to bypass sandbox protections and execute arbitrary code remotely. A known incident involving this vulnerability has already been reported. An attacker exploited the flaw using EPS files disguised as JPG images to gain shell access on vulnerable systems. The attack flow typically involves the following steps: first, an attacker crafts a malicious EPS file containing exploit code. Next, the file is submitted to a service using Ghostscript for document processing, possibly disguised as another file type. Then, when processed, the exploit bypasses Ghostscript's sandbox. Finally, the attacker gains remote code execution on the target system. This supply chain component attack could have far-reaching implications for any workflow that processes untrusted image or document input from the internet. Services handling resumes, claims forms, or that perform image manipulation could all be potential targets. Given the widespread use of Ghostscript in document processing pipelines, we may see a significant number of breach notices in the coming months. Software Bills of Materials (SBOMs) could play a crucial role in mitigating such vulnerabilities. SBOMs provide a comprehensive inventory of software components, enabling organizations to quickly identify and address potential security risks. By maintaining up-to-date SBOMs, companies can more efficiently track vulnerable components like Ghostscript across their software ecosystem. CVE-2024-29510 presents a serious threat to document processing workflows. Organizations should prioritize updating to Ghostscript version 10.03.1 or apply appropriate patches. Additionally, implementing robust SBOM practices can enhance overall software supply chain security and improve vulnerability management.

  • https://www.securityweek.com/attackers-exploiting-remote-code-execution-vulnerability-in-ghostscript/
  • https://www.scmagazine.com/brief/active-exploitation-of-ghostscript-rce-underway
  • https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/
  • https://www.crowdstrike.com/cybersecurity-101/secops/software-bill-of-materials-sbom/
  • https://www.cisa.gov/sbom
  • https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
  • https://nvd.nist.gov/vuln/detail/CVE-2024-29510
  • https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/

Finally, we discuss the Ticketmaster breach. In a plot twist worthy of a summer blockbuster, Ticketmaster finds itself center stage in a data breach drama that's been unfolding since May. The notorious hacking group ShinyHunters claims to have pilfered a staggering 1.3 terabytes of data from over 500 million Ticketmaster users. Talk about a show-stopping performance! Ticketmaster's parent company, Live Nation, confirmed the unauthorized access to a third-party cloud database between April 2nd and May 18th. The compromised data potentially includes names, contact information, and encrypted credit card details. It's like a greatest hits album of personal information, but one nobody wanted released. (Much like any album by Nickelback.) In a bold encore, the hackers recently leaked nearly 39,000 print-at-home tickets for 154 upcoming events. Ticketmaster's response? They're singing the "our SafeTix technology protects tickets" tune. But with print-at-home tickets in the mix, it seems their anti-fraud measures might have hit a sour note. As the curtain falls on this act, Ticketmaster is offering affected customers a 12-month encore of free identity monitoring services. Meanwhile, the company faces a class-action lawsuit, adding legal drama to this already complex production. To make matters worse, Ticketmaster's custom barcode format has also been recently reverse-engineered. I've included a link to that post in the show notes.

  • https://conduition.io/coding/ticketmaster/
  • https://www.bbc.com/news/articles/c729e3qr48qo
  • https://ca.news.yahoo.com/ticketmaster-says-customers-credit-card-223716621.html
  • https://vancouversun.com/news/local-news/ticketmaster-security-breach-customers-personal-information
  • https://www.bleepingcomputer.com/news/security/hackers-leak-39-000-print-at-home-ticketmaster-tickets-for-154-events/
  • https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident
  • https://www.usatoday.com/story/money/2024/07/01/ticketmaster-data-breach-2024/74276072007/
  • https://www.thestar.com/news/canada/ticketmaster-warns-of-security-breach-where-users-personal-data-may-have-been-stolen/article_d01889fe-3d7e-11ef-82a7-63a38132f0e7.html
  • https://www.nytimes.com/2024/05/31/business/ticketmaster-hack-data-breach.html
  • https://time.com/6984811/ticketmaster-data-breach-customers-livenation-everything-to-know/
  • https://dailyhive.com/canada/ticketmaster-alerts-customers-data-breach
  • https://abcnews.go.com/US/ticketmaster-hit-cyber-attack-compromised-user-data/story?id=110737962
  • https://www.npr.org/2024/06/01/nx-s1-4988602/ticketmaster-cyber-attack-million-customers
  • https://www.ctvnews.ca/business/ticketmaster-reports-data-security-incident-customers-personal-information-may-have-been-stolen-1.6956009
  • https://www.bitdefender.com/blog/hotforsecurity/ticketmaster-starts-notifying-data-breach-victims-customers-in-the-us-canada-and-mexico-are-affected/
  • https://www.ticketnews.com/2024/07/ticketmaster-contr

LINUX Unplugged
570: RegreSSHion Strikes
Jul 8, 2024 (47:06)


We dig into the RegreSSHion bug, debate its real threat and explore clever tools to build a tasty fried onion around your system.

Sponsored By:
  • Core Contributor Membership: Take $1 a month off your membership for a lifetime!
  • Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
  • 1Password Extended Access Management: 1Password Extended Access Management is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.

Support LINUX Unplugged

The Shared Security Show
Critical SSH Vulnerability, Facial Recognition Flaws, How to Safely Dispose of Old Devices
Jul 8, 2024 (29:01)


In episode 337, we cover "broken" news about the new SSH vulnerability 'regreSSHion', highlighting the vulnerability discovered in the OpenSSH protocol by Qualys and its implications. We then discuss the Detroit Police Department's new guidelines on facial recognition technology following a lawsuit over a wrongful arrest due to misidentification, shedding light on the broader issues […] The post Critical SSH Vulnerability, Facial Recognition Flaws, How to Safely Dispose of Old Devices appeared first on Shared Security Podcast.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 154: Security Assessments, Account Management, and Backup Verification (Domain 6.3.1-5)
Jul 1, 2024 (35:34), transcription available


Ever wondered how to fortify your organization against cyber threats? Join Sean Gerber as we uncover the essentials of Domain 6.3 of the CISSP exam, from security assessments to account management and backup verification. Learn about tools like Nessus and Qualys and the role of ethical hacking in identifying vulnerabilities. Discover the critical differences between authenticated and unauthenticated scanning, and how red teams elevate your security measures to the next level.

What sets SOC 1, SOC 2, and SOC 3 reports apart, and why do they matter? We break it all down, revealing how these reports demonstrate adherence to security standards. Understand the distinctions between Type 1 and Type 2 reports, with Type 1 focusing on control design and Type 2 evaluating operational effectiveness. Plus, we delve into the fundamentals of account management, emphasizing the importance of integrating with identity and access management programs and conducting routine audits for compliance and security.

Don't overlook the critical importance of backup data management and verification. Learn best practices for storing backups—whether on-site, off-site, or in the cloud—and ensure your restoration process is both reliable and efficient. We discuss how regular testing and cost-effective strategies enhance organizational resilience and highlight why training and awareness are crucial for both leadership and employees. Additionally, Sean introduces Reduce Cyber Risk, his consulting business, offering a range of cybersecurity services and valuable resources for those preparing for the CISSP exam.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Visión Global
Part 3: CACI International in the Wall Street Clinic with Borja de Castro
Jun 25, 2024 (59:57)


Third hour of Visión Global, devoted to our Wall Street clinic, where we are joined by Borja de Castro, analyst at Banco Big. With him we look at companies such as Carvana, AMD, Amazon, Tesla, Lowe's, Home Depot, Johnson & Johnson, CACI International, Epam Systems, Nvidia, Spotify, MacDonalds, Starbucks, Bellring Brands, Qualys, Glaukos Corporation, ONE Gas, Under Armour, Fedex, Apple, Petrobras. Afterwards, we review the market news in the final minutes of trading. In the headlines we talk about Microsoft, Tesla, Iberdrola, Nissan and Warren Buffet. We close with the day's wrap-up. Last analysis of the day, in which we are joined by Javier González, creator of CryptoForexSystems. With him we update the situation in the markets, look at what we can expect from the US PCE figure due on Friday, and talk about bitcoin, which is sitting at its lows for the month of May.

New Business Radio
Cybersecurity: How Do You Keep ICT Secure? - People Work Technology, 14 June 2024, Hour 2
Jun 14, 2024 (43:05)


In this episode, Richard Bordes dug deeper into cybersecurity, unravelling the secrets of digital security with his guests and discussing the latest threats to our online lives. How can you protect yourself against hackers and cyberattacks in an ever more connected world? Richard talked it over with Erik de Jong of Thales, Robbert van Kooten of OneXillium, André Ossel of NetApp and Chantal 't Gilde of Qualys. People Work Technology is broadcast live on New Business Radio every second Friday of the month from 14:00 to 16:00 and can be listened to afterwards on all the well-known podcast channels.

Stock Podcast with Philipp & Marcel of Modern Value Investing
241 - The Pros' Portfolios! - Nvidia - Snowflake - ETFs - DeepL - G7 - Diageo - Qualys - Economy
May 24, 2024 (74:26)


This week we talk about the professionals' portfolios. You will learn which stocks were in their focus. We report our tops and flops. The joke of the week is not to be missed either. To close, there are exciting investment ideas as well as the outlook for the coming week.

Tech Disruptors
Onapsis Focuses on ERP Applications' Security
May 14, 2024 (34:27)


When organizations begin planning to migrate business applications to the cloud, security starts to take the driver's seat, Onapsis Chief Technology Officer Juan Pablo Perez-Etchegoyen says. In this episode of Bloomberg Intelligence's Tech Disruptors podcast, Perez-Etchegoyen joins Mandeep Singh, BI technology analyst, to discuss the deployment of security for enterprise resource-planning applications such as SAP. The conversation includes platformization, integration of Onapsis with other cyber providers and into the customers' IT environment, and how the company stacks up against point products, including Qualys and Tenable, that specialize in vulnerability management and patching.

The Future of Security Operations
Ask Sage's Nicolas Chaillan on moving the DOD to zero trust and deploying Kubernetes in space

The Future of Security Operations

Play Episode Listen Later Apr 23, 2024 48:06


In this week's episode of The Future of Security Operations podcast, Thomas is joined by Nicolas Chaillan. Nicolas is a security leader who has held several high-profile roles in US federal agencies including Chief Software Officer for the US Air Force and Space Force, Special Advisor for Cloud Security and DevSecOps at the Department of Defense (DOD), and Special Advisor for Cybersecurity and Chief Architect for Cyber.gov at the Department of Homeland Security. He is also the founder of no less than 13 companies, including Ask Sage, a GPT-powered platform that brings Generative AI capabilities to government teams.

Nicolas and Thomas discuss:
- Building the US government's first zero trust implementation
- Putting Kubernetes on jets and space systems
- The challenges of bringing new technologies to the federal government
- How the threat landscape will continue to evolve for US federal agencies
- The biggest mistakes entrepreneurs make
- How cross-team collaboration helped him create meaningful change at the DOD
- The future of AI in security
- The inspiration behind his AI-powered platform, Ask Sage

The Future of Security Operations is brought to you by Tines, the smart, secure workflow builder that powers some of the world's most important workflows. https://www.tines.com/solutions/security

Where to find Nicolas Chaillan:
LinkedIn: https://www.linkedin.com/in/nicolaschaillan/
Twitter/X: https://twitter.com/NicolasChaillan
Nic's YouTube channel: https://www.youtube.com/channel/UCt7jKHaxWS8W_4rcKGg7X9w
Ask Sage: https://www.asksage.ai/

Where to find Thomas Kinsella:
LinkedIn: https://www.linkedin.com/in/thomas-kinsella/
Twitter/X: https://twitter.com/thomasksec
Tines: https://www.tines.com/

Resources mentioned:
Making An Impact: Nicolas Chaillan, CEO Magazine: https://www.theceomagazine.com/executive-interviews/government-defence/nicolas-chaillan/

In this episode:
[02:20] Becoming a self-taught coder at 7 and founding his first company at 15
[05:02] Shipping 187+ technology products as a founder, in verticals as varied as healthcare, retail and banking
[07:08] The biggest mistakes entrepreneurs make
[08:40] His latest product, generative AI platform Ask Sage
[11:30] The challenges of bringing a new product to the US government
[13:45] Building the first zero trust implementation in the government as Special Advisor for Cybersecurity at the Department of Homeland Security
[15:20] Advocating for new technologies at federal agencies
[19:40] Deploying Kubernetes on 50-year-old hardware on the F16 jet at the Department of Defense
[22:02] Dealing with pushback and internal resistance to change
[24:50] Recruiting internal help to establish force-wide DevSecOps at the DOD
[29:00] Becoming Federal Chief Technology Officer at Qualys
[30:30] Reflecting on the changes he implemented while working for the US government
[33:12] Deciding which companies to work with as an advisory board member
[36:40] How the threat landscape will continue to evolve for US federal agencies
[40:50] TikTok as a channel for misinformation and national security weapon
[44:18] Nicolas' predictions for the future of security
[47:10] Connect with Nicolas

CERIAS Security Seminar Podcast
Sanket Naik, Modern Enterprise Cybersecurity: A CISO perspective

CERIAS Security Seminar Podcast

Play Episode Listen Later Feb 28, 2024 59:32


The frequency, materiality, and impact of cybersecurity incidents are at a level that the business world has never seen before. CISOs are at the forefront of this. The speaker has experience with developing cybersecurity products and managing IT infrastructure and security from startup to massive scale. The talk will go through the roles, responsibilities, rewards, and perils of being a CISO in a modern enterprise software company in these turbulent times. We will explore some hard problems that need to be solved for the good guys to continue winning. About the speaker: Sanket Naik is the founder and CEO at Palosade, building modern AI-powered cyber threat intelligence solutions to defend companies from AI-weaponized adversaries. He enjoys giving back to startups through investing and advisory roles. Before Palosade, he was the SVP of engineering for Coupa. In this role, he built the cloud and cybersecurity organization, over 12 years, from the ground up through an initial public offering followed by significant global growth. He has also held engineering roles at HP and Qualys. Sanket holds a BS in electronics engineering from the University of Mumbai and an MS in CS from Purdue University with research at the multi-disciplinary CERIAS cybersecurity center.

ConvoCourses
Convocourses Podcast: Leverage High Paying Jobs to do other things

ConvoCourses

Play Episode Listen Later Feb 23, 2024 74:59


http://convocourses.net
https://www.youtube.com/live/Wu1DHW3VueA?si=DJqI_DDxphFRDOGK

### Introduction
- Brief introduction of Bruce, his background in cybersecurity, and the purpose of Convo Courses.

### Personal Journey in Cybersecurity
- Bruce's initial fascination with cybersecurity and IT.
- Transition from passion to profession.
- Reflections on career longevity and personal growth.

### Career Development and Financial Planning
- The importance of planning beyond the day-to-day job.
- Strategies for using income to build passive income streams.
- Real estate and publishing as examples of passive income sources.

### Advice for Aspiring IT and Cybersecurity Professionals
- Encouragement for newcomers to consider their long-term career goals.
- Importance of financial planning and investment in passive income.

### Networking and Mentorship
- The value of meeting people who have successfully exited the "rat race."
- Insights from mentors on building financial independence through passive income.

### The Evolving Landscape of IT and Cybersecurity
- Discussion on the impact of AI and technological advancements.
- Personal experiences and perspectives on the changing nature of IT work.

### Corporate Experiences and Personal Growth
- Anecdotes from Bruce's time in the corporate world.
- Learning from challenges and using them to pivot towards entrepreneurship.

### Entrepreneurial Ventures and Lessons Learned
- Experiences with blogging and creating online content.
- The significance of perseverance, experimentation, and learning from failure.

### Engaging with the Audience
- Q&A session with viewers.
- Advice on career choices, technical skills, and job market insights.

### Cybersecurity Certifications and Career Tips
- Discussion on CISSP certification and its value.
- Tips for gaining experience and standing out in the cybersecurity field.

### Closing Thoughts
- Summarization of key points discussed.
- Encouragement for viewers to think big and plan for the future. - Invitation for topic suggestions for future discussions. This format aims to capture the essence of Bruce's dialogue, providing clear sections that can be easily expanded upon with more detailed bullet points or narrative descriptions as needed. Each section would be designed to offer actionable insights, drawing from Bruce's extensive experience and personal journey within the field of cybersecurity and beyond. Hey guys, this is Bruce and welcome to Convo Courses. Every week I do this and I'm talking about cyber security from a GRC perspective. I'm an insider. I've been doing cyber security for a very long time and normally I do this at one Mountain Standard time, but I had some business to do and as promised, I'm back. I'm a bit late because I had some stuff I had to take care of. What I wanted to talk about is what I do. When I first got into cybersecurity IT, I just did it because it was cool. It was fun. It was amazing. It's like magic to me. It's so amazing how it all works together and stuff. And as I've gotten older, it's just become a job. I'm not saying that that's bad or anything. It just is what it is. I've been doing it a very long time and now it's to the point where I got to think about, okay, where am I going with this? What's the end goal? What do I want to accomplish at the end of the road when this is all said and done? What do I want to leave to my family? When am I going to stop? So I've been thinking about that for quite some time, not just thinking about it, but doing something about it. And what I've been doing is using the income, my salary, my high salary to build passive income streams. And there's many, many things you can do for passive income. I just started doing something that worked for me and something that was more in my lane, which is like publishing and in real estate. So those are the things that I mainly focus on with my income. 
And it's just, I guess I wanted to talk about it because it's important to think about where you want to go with this. Like if you're trying to get into cybersecurity, if you just started IT or you want to get into it, you're a college student, you're in high school, whatever the case may be. And you're thinking, man, you know, IT is cool or I want to do it. It's a lot of jobs. They get paid a lot of money. It's job security, blah, blah, blah. At some point, maybe not today, maybe not tomorrow, but at some point in your career, you're going to have to think about where do I want this to go? What's the end goal? Am I just going to work a nine to five until I retire? What am I trying to do with this? And so that's what I've had to think about for the last 10 years. Not just thinking about it, but doing something about it. So I just started trying different businesses. I would use some of the income that I have to try different things, and some of them worked and some of them didn't work. Sometimes it worked, but it wasn't for me, you know. But the thing is, you got to keep trying and failing. Just fail forward, keep on trying different things. What's amazing is the people I've met. I've met some really amazing people who've done it all kinds of ways, all kinds of creative ways to get out of the rat race, meaning get out of the struggle. They don't struggle anymore with finances. They don't struggle with the treadmill of capitalism. They have mastered it. They have mastered it. And all the people who have mastered it all have passive income streams, I've noticed. They don't have to have a job. And I've met people who did it with real estate in different ways by either flipping houses or doing Airbnbs or doing tax liens, just doing rentals, regular rentals. I've met people doing property management. So there's many, many ways to do just real estate. And then I've met people who did, what do you call them? Homes for the elderly.
I met people who just saved and put away a bunch of money in stocks and are going to be wealthy that way or are wealthy that way. I've met some people who did a combination of those things. I've met Just all kinds of people who did it their way. They were creative. One thing they all have in common is they have enough income to where they don't have to work a nine to five anymore if they don't want to. Some of them, they still work a nine to five because they're still like building a nest egg. And some of them, they have like a business and they like working that business. They like actually being there and working the business and all that kind of stuff. So seeing that these people kind of became like mentors to me. I would follow what they did. I would, I would ask them questions about what, how did they do it? What, what, what did they do? And all of them had to invest their own money or time to get to a point where to get to a point where they, their, their time was so valuable that they, that they didn't, It was more valuable for them to spend time on their business than their time at their job. So that's one thing I've noticed about a lot of them. And it's just something you should think about. And another thing is one of the reasons why you should consider doing IT and cybersecurity and progressing is that once you get to a certain income level, Obviously, your life changes. But one thing that happens is you have this surplus of income and you you've got to think about what you want to do with it. You have this little bit. It could be like an extra thousand. You like all your bills are paid. You know, you groceries are done like you. You're good. Right. You could probably even loan people money or whatever. Give people money, whatever. But you still have this extra cash. And so you got to think about, okay, what do I want to do with this money? And I would suggest that you invested in some kind of passive method of passive income. 
It doesn't have to be what I'm doing. It should be something that you find that works for you. And so that is a great reason to get into IT and cybersecurity because it's a high paying job. It's They're always going to need somebody doing IT. I know there's all these fears about LLMs and artificial intelligence and all that kind of stuff, but I would say that it's going to be more of a threat to not know it than to think it's going to just take all jobs. There's still... I don't think it's going to take all jobs. I think that's... hyperbole. I think it's just, we don't really know what's going to happen with it, right? One thing for sure that we know is it's going to change humanity. That's for sure. That's probably more scary. I'm surprised more people don't talk about that. What's more scary about AI is it's going to change us, just like this phone did, just like the internet did. It's changed us. We're no longer the same. We're not the same species that we were hundreds Before the internet, we're not the same. We're rapidly changing into something else. And I don't know what the hell that is, but we are not the same species that we were before. And AI is gonna speed up that process. We are gonna be different. And people keep talking about jobs. We have way more stuff to worry about than jobs. Way more stuff to worry about than jobs. It's gonna change us fundamentally as a species. And I don't know where that leads us to, but jobs is the least of our worries. That said, while we still have this thing going on, get into I.T., get into cybersecurity. You'll have all this extra income and it allows you to have a more freedom to build something that you for yourself and for your family. I'm somebody who comes from very humble beginnings, like I came from nothing and. I can tell you there's different stages and levels to this. When I first started out, like as a kid, we're struggling to survive. And so you're not thinking about necessarily, it's not real to you. 
$100,000 a year is not real. When you're struggling poor, it's just, it's delusional. I didn't know anybody who made 100,000 or maybe I did, but I didn't know that they made 100,000. I didn't have any friends that I knew made 100,000. It wasn't real. So it just didn't seem real at that level. It didn't seem real. And then once I started making my own income, I started meeting, my network changed. I started meeting other people who are also doing their own thing, other young people who are also doing their own thing, living their own life, doing their own thing. And I started running with that crowd. And then I started meeting older heads who are already doing, real estate and business and stuff they were talking a lot about it and I'd be like what is what what's this you're talking about this is while still in the military I got out of the military and I thought when I got out that I was going to get a corporate job make like 80 and and be cool and then just retire with that one corporation little that I know that corporations don't give don't care so much about humans. They care about the bottom line. They care about their money. So they're not really trying to take care of people. Maybe 50 years ago, they used to do that. But that's no longer the case. And I'm not trying to discourage you from going to a company. Yeah, by all means, do it. But just realize it's a stepping stone. And that's what I realize is that you're not going to stick with one company. Not anymore. Like I said, maybe 50 years ago. It's just very different now. And I got into the corporate world. 
I think the thing that turned me around with corporations, the thing that made me not lose hope, but think of them differently and see the reality of what was really going on is that one time my my wife at the time got really sick um she had like a pulmonary embolism or something like in her leg I mean she had like something in her leg like she had to go to uh the doctor she was out in the hospital for like three days and I asked I had just gotten hired and I asked the company I said You know, is it okay if I, I just bought a house, you know, we just moved in and we had a little baby and I said, hey, I know you guys just hired me, but can I get three days off because I need to take care of my kid. I don't have anybody here. I just moved to the state. And they were just like, well, we can't do it. It's against company policy. And it was some kind of politics that they were playing. My immediate supervisor basically wouldn't allow me to do it. It's just weird. And I'm just like, what? And it just dawned on me, these people do not give a damn about me. They really don't care. And I was like, well, why should I care about them? If they don't care about me or my family, then why am I sacrificing myself I'll do anything for these guys. I'm like, so I'm a fool. And after that, you know, it just, I just realized, man, I got to do something else. I'm not going to quit my job, but I got to figure something else out. Because if this is how it's going to be, I got to do something else, right? Because while I'm in the military, military take care of you. Military, like you have a brotherhood. If you stay with the military, you stay 20 years, they're going to give you retirement. It's not like that on the outside. And I, it just, it was a hard lesson to learn. And I said, okay, you know what, what I'm going to do is I'm going to start a business. That was the first time I was like, I'm going to start a business. And, um, the first business I did this now, this is crazy. 
First thing I did was blog. I made a blog and, um, it was back when blog could make a blog can make money. I mean, it could still could, but this was like, right. The early stages of blogs where blogs were brand new and people were making all this money off of blogs. And I started this blog and it got pretty popular, but now before it got popular, I remember I made 10 cents and I was super excited. I was like, I made 10 cents, you know, after writing a few articles or whatever. And the only reason I was happy is because I realized if I can make 10 cents, I can make a dollar. If I can make a dollar, I can make $10. If I can make $10, I can make a hundred dollars a day. If I can make a hundred dollars a day, you know what I mean? And that was true. what happened was the blog got really popular and it ended up landing me my first hundred thousand dollar job and allowed me to publish my first, uh, the first thing I published was like for a, it was like a pamphlet, uh, for this company. And, uh, they had me go around the world and teach, teach from this pamphlet that I wrote. And I made a little over a hundred thousand for the first time. So that blog, And one time I wrote an article, it went viral. It was making like $100 a day for a while, which at the time was crazy. And I don't know. It just opened my eyes. You never know what's going to work. So you should just try different things. And I've tried a lot of stuff, man. I've tried stuff that absolutely did not work. But I've tried things that really did work. And that's what you got to do. Just try different things. All right, I got some questions here. Thank you guys for watching. I appreciate it. Kind of a different flow right now. I just want to have you guys think a little bit bigger, especially if this is your goals. If you're trying to do IT, if this is what you're trying to do, start thinking about your future, what you want for your family far in the future, and what you can do. 
Somebody asked me or said, would you recommend starting at a big tech company or a small non-tech with higher pay long term. Think of it differently. What you want, the ideal job is one where you have a little bit of extra time. Like they're not, what do I mean by that? So what I'm trying to say is, I would take a little less pay to have a little bit more uh, a less stress personally. Um, but you could also go for high pay that will allow you to take some of that pay and re either reinvest it into a 401k, buy stocks, uh, buy bonds. If that's what you're into, um, play around with, with, uh, swing trading. If that's what you're into, try, try different things. You could use, if you make a, if you go to a big company and they pay you a whole bunch of money, um, or a small company and they pay you a whole bunch of money, use some of that money to invest it in. Try things, real estate, try stocks, try business, try different things. Use it as a stepping stone. As far as which one would I try, you said non-technical with higher pay or big tech. I'm just going to tell you from my experience. Smaller companies are more... There's more like a person to person feeling with smaller companies. I've worked from for literally like a two man company all the way up to multibillion dollar companies and international multibillion dollar companies and for the government. And I can tell you some of the best experiences I had was with smaller companies. And maybe this is just anecdotal, like maybe it's just my experience and maybe it's different for everybody. But in all the small companies I worked for, it was more one-on-one. I was a person. I wasn't just a number. At the large companies, I was just a number. I might have had a real good team and everything, but at the end of the day, they can replace you in a heartbeat. And because of that, they don't really value the person as much as they used to. But smaller companies, they really took their time to develop each person. 
And I really miss that feeling of being on this team. And with that said, when you're in a small company, it's kind of like you're in a big ocean being kind of rocked by the market, by everything that's happening, you know, whereas when you're in a big ass company, it's like you're on an ocean liner and the economy is rocking, but the boat is just going like this, you know, it's kind of wavering a bit. You're not being tossed on the sea by the economy or whatever's happening, market forces or whatever. So there's tradeoffs for different things. At the end of the day, it depends on what you want to do. Just think long term, like think big, think your entire lifespan and what you want for yourself and for your kids and for your kids' kids. When it's all said and done, when you are nothing more than a memory, you want to have a look back and create some sort of legacy. This is one stepping stone in a long line of steps you're going to take. So just think of it. Think big is what I would say to make your decision. And that way, when you do make a decision, it'll mean something. It'll be one step in the right direction that you're going. So I hope that helps. I'm just telling you my experience with small companies and big companies and all that kind of stuff. If you went for the big money, non-tech big money, you can use that money to invest it and do what you want. And the big companies got a little bit more of what feels like security, and maybe you have a little bit more time on your hands to mess around, and you can use that time to tinker and mess with something else. Probably the money is what I would take, to be honest with you. Let me see. Forty Rock says: Is IT cybersecurity still hiring? I have three years of technical support and two years of SQL development. I've been unemployed since November and I cannot get a help desk position. Open up what you're willing to take, Forty Rock.
What I would recommend is possibly going back into SQL development. Be open to that, be open to technical support. Lean on your skills. A lot of times... I'll give you an example. There was a time when I was really wanting to get into more technical stuff, and I did. I actually landed a job in a technical position as a field technician. And I did know it at the time, but I took a huge pay cut because my specialty was in cybersecurity. I just didn't want to do it anymore. I just didn't want to do policies and all that kind of stuff anymore. I just didn't want to do it. So I was like, man, I want to do more hardcore stuff. And I found a job, but I took like a, I don't know, 45% pay cut. I mean, it was a lot, man. I had no idea. If I could go back, I realized my mistake was that I didn't lean on my strengths. Lean on your strengths. Your strengths are, you said, two years of SQL development. Not a lot of people know SQL, bro. That's a special skill and all the things that come with it. I guarantee you, you're not tapping into all of the skill sets that you have with SQL. SQL is very special. Very special, because that means you could work in, and correct me if I'm wrong, but with SQL, you can work in several different database environments, because many of the largest databases, relational databases and object-oriented databases, they use some sort of SQL. MySQL, Oracle, right? They use some sort of SQL. So lean heavily on your SQL experience. What you could do to see what types of keywords to put in your resume so you can quote unquote lean into your strengths is look at other people's resumes. Go to LinkedIn. Go to LinkedIn right now. If you happen to be watching me, go to LinkedIn and type in SQL development. And then don't look at jobs just yet, right? That'll come next. What you want to do first is look at other people's resumes. Look who comes up on there and look at their resumes.
Not all people put their entire resume out there or profile rather, but some people do. Look at their profile. Check out their profile and see what they're putting, what keywords. I guarantee you a lot of the stuff that they're doing, that they're the keywords, that the key phrases that they use are referring to skills and things that you have done in your two years with SQL development. Put that shit on your resume. Put it on your resume. Because don't just aim for a help desk job. Broaden your horizon. That's what I'm trying to tell you to do. And these guys on here who have IT experience, they'll tell you, man, listen, a lot of these guys are looking for your skill set. Mike chimed in. He says, some of these firms, non-tech, you are You're just a number, yeah, absolutely. Okay, so my man Mike is talking to you. Let me see who else is out here talking. Oh man, TikTok is crazy. Is it necessary to do help desk before jumping into cybersecurity analyst? Not necessarily help desk, but like a tier one type position. I mean, let me see if I can explain it better. The first point of contact for fixing technical problems, it's not always called help desk. Sometimes it's called customer support, technical support. field technician. There's different names for it, but they're normally the first person that you talk to. They're normally the first person you talk to when you have some kind of a problem with your internet, with the computer. It's not always just help desk. We kind of use that as a blanket term because that's probably the most known term for That first tier person that you talk to. But you get the idea. So I would say it's best. You don't absolutely have to. Like I've seen people who were cybersecurity analysts who did not have a solid help desk background. But the best people started from the bottom. worked their way up. They were field technicians and then they were help desk or field technician or customer support or something like that. 
And then they kind of graduated to this other level. I've seen people who skip rungs, like people who are just thrown right in as system administrators, creating accounts and things like that. And then they were working with server problems or updating servers and stuff, and they never really touched help desk per se. I've seen people who went directly into networking straight out of basic training, went to some technical school and then went straight to that, or went straight from college to do that, or they had some sort of background in networking, did junior network administrator, and then went to something else, cybersecurity analyst or forensics or whatever. They did something else. So it's not absolutely necessary, but let me explain a little bit about cybersecurity analyst. That's one of the skill sets that I've had, something I've done in the past. A cybersecurity analyst, when I was doing it, was somebody who was monitoring, they were doing a lot of monitoring of the network. We were monitoring the network using tools like a SIEM, which is a security information and event manager, that looked at all the logs going on the network. We would look at... we had IPS, IDS, which is intrusion prevention or intrusion detection systems, and we would have to know how to block certain ports or whatever, certain source IPs. We have to know different types of attacks. We were looking at the network, right? And determining if we were being attacked or if there was some kind of a threat that was on the network. That was our job as a cybersecurity analyst, and we were analyzing the network. And then sometimes we'd have to escalate it to the incident response team, or we'd have to do something like that. So that said, think about it. A cybersecurity analyst has to know quite a bit about how the network works, like how networking itself works. Because they're looking at logs over the network.
And you have to know How TCP IP works and all that kind of stuff, because you're looking sometimes you're looking at packets going across the network. And sometimes we even break open packets to look at what was going on. Right. So you have to know a bit about network engineer, how networks work. You have to know the difference between a server and a workstation and how they work together. You have to know that you have to have the basics nailed down. You know, you have to know what ports are, like at least like common ports and how they work, how they can be exploited. So you kind of have to know like two or three different things and start linking them together for cybersecurity analyst work. It takes very talented people to be good at it. And I'm not saying I was good at it. I wasn't. I was just a newcomer. I was a new guy who was fascinated by it. You know, I could... I could get around, but I wasn't like one of the more skilled guys on the team. I was learning stuff. But what I'm getting at is you have to have the basics nailed down in order to do a job like cybersecurity analyst work, right? I'm not saying you have to be a master at it or some kind of brilliant person at it, but you – Even to do the basics, you have to have some basic skills, basic like help desk type skills down, first tier skills down. Somebody said, bro, where do I start? Start where you are. Consider your industry. If you happen to be from student, zero to hero. If you're a student, you can start right now. If you're in some sort of industry already, like you're in the healthcare industry, you're in the pharmaceutical industry, you're in the retail industry, you're in, you name it, restaurant, and all of them use IT, you can start where you are. 
If you're a student, you're in a special position. Now, if you're a high schooler, shoot, they have clubs that you can start right now. Start doing computer stuff, start learning computer stuff right now. Start fixing people's computers right now. Start coding right now. There's things you can do right now as a high schooler. Hell, I know people who got a CompTIA, started getting cybersecurity certifications in high school, just to get the knowledge now and to build themselves up, to go to a vocational school or to go to a community college or college university or whatever, to build up their skills. Or hell, start your own business fixing people's computers. You know, you can get that good at it. And then that stuff you can put on a resume, or just keep building, scaling your own business from high school. College is, I mean, college is a huge pivot point, because in college, like, you don't have to wait to get your degree. You don't have to wait, like you shouldn't wait. Start being a working student right away. If you're on campus, see if you can help them out. Help out the campus to figure out what vulnerabilities they have. See if there's a working student program. Hell, even if it's remote, like if you're doing college remotely, they might still have a working student program. Look into it. They have apprenticeships, they have internships, they have all kinds of, sometimes they have like a B2B, university to business pipeline. Ask. You got to get yourself in there and ask where you can start as a college student. College students are probably in the best position to get the ball rolling for their career. But they got to start now. Like a lot of times they just wait until they get their degree and they're like, oh, I can't get a job, you know. Like, start now, right now.
Now, if you happen to be, let's say, forget the student, you're not a student no more, you're in the world, you're a healthcare professional. You know more about HIPAA than I do. And HIPAA is one of the primary laws that is used to protect patient data. That can get your foot in the door right there. I mean, that right there is huge. That's a huge step in the right direction. Now, you still have to learn all the basics of information technology, but you have a good foothold in that industry. If you happen to be in retail, did you know that all the times that you're taking people's credit cards, the whole system in the background that is taking all that information has to have something called PCI compliance? You can start learning a little bit about that. See if you can get involved with their IT department. Everyone has one. Taco Bell has one. Walmart has one. Everybody has an IT department. See if they'll let you do a lateral move over there, or start shadowing somebody who already does it. And in whatever retail space you're in, you'd be surprised. Look at their career page. They might have something where they're looking for IT professionals at TJ Maxx or whatever. And I'm being serious. It's not a joke. Like whatever, start where you are. That's what I'm telling you to do. And then once you get that money, right, you get that pay bump. Don't... look, listen, I know you want a better lifestyle and I'm not telling you to not have a better lifestyle, but use some of that income to start building some passive income streams. And if you don't know what that is, you might want to Google it. You might want to Google it because it's important and they don't teach it in school. But I'm telling you right now, it's important to do it. This is not me trying to get... I don't have a course on passive income streams. Right. I thought about it, but I don't have one. OK, I'm not trying to sell you anything.
Right. I'm just trying to tell you, like, if you don't know what passive income is, look it up. That's what I'm trying to tell you. It's a life changer. It can change your life. So look into it. Let me see here. Getting some more comments and stuff. And I'm only going to do about an hour, guys. So I got about 30 minutes. I was on here earlier. I was doing one of my Airbnbs. And now I'm here to do the real work here. Okay. Susie says, I hope I'm pronouncing that correctly. I'm sure I'm not. After getting your CISSP, did you find some of the content helpful on the job, or was it mainly a confidence booster? Currently studying for the exam. I'm curious. I'm going to say something that you're probably not going to like. I'm going to say something that's probably controversial, but I'm going to tell you the truth. The CISSP is so general that it really didn't... I can't say that it helped in any capacity. And I know that's not what you want to hear. You want to hear that there's a magic wand, that you take some certification and magical things happen. The magic was that everybody wanted to hire me after I got the goddamn thing. That was the magic. There are certifications that I could say were extremely technically useful, that I saw the things I was using on that certification in real life, like things like the CCNA. Cisco certification, like those Cisco certifications are the real, they're the real deal, right? What other certifications would I say were extremely useful? The Microsoft certification, the technical vendor level certifications doing their vendor level stuff is very, very useful. Qualys, like that was, that's not a big certification. It's not marketing,
talked about, but Qualys is a scanner. It's a network scanner, and that stuff, the stuff that I learned that was on that test, that's the stuff that we were actually using at the organization I worked at. So the vendor level certifications are very, very much useful. I would say the Security Plus was very useful even though it's not vendor specific. Security Plus was useful because it's talking about stuff that you're going to... Let me put it to you this way. Security Plus is usually introduced to people who are fairly new into cybersecurity. So it opens up... It's kind of touching on many different things that you might not have ever been introduced to for the first time. By the time you get to the CISSP, you kind of have some level of, you've touched a lot of different security by the time you actually take the cert. You take the cert, and the way they word it, how can I explain it without losing the CISSP? The way that they word it is like, it's a, what do they call it? Let me put it to you like this. They'll ask you a question, and the hardest part is the answers. Because you'll have two answers you can kind of throw away, and then they'll have two answers that are both right, but one's more right than the other. That's hard. That's the hard part about the CISSP. Would I say it helped me? I can't know. There's nothing on there that I could say, yeah, that right there, that's... That was on the, you know, I'm not quoting the CISSP. Like, it's not... I will say this, it's highly marketable. It's great. It changed my life. As soon as I got it, people were like, oh, it was like I was a lawyer or some shit. It was like I had passed the bar or something. It single-handedly changed my life. You could probably get the CISSP and not have a degree. With some years, of course, you have to have experience, but you could probably... that damn thing is so effective.
It's so effective that as soon as you get it, like, so many people hire you just to say, oh, we have a CISSP on the board in our IT department. He's a CISSP, you know, or whatever. That said, you know, just because you have a CISSP doesn't mean you magically know shit, because there's a lot of dumbass CISSPs, you know. So I'm sorry I had to take the magic out of it. The magic is that you will get paid and people will hire you. So that's just, you know, it is what it is. Let me see. I just got my Security+ six months ago, but I'm still struggling to get a job. How much experience, Concern Jay? How much experience do you have? Because the certification alone, including the CISSP, is not enough to land you a job. Employers want to see that you can do the work. And the best way to see that is via your experience. So wherever you can get experience, get experience. There's been a lot of questions about what cert should I get, or, you know, I get a lot of those kinds of questions, but the question I get less of that should be asked is, how do I get experience? That's a harder question for me to answer for you, but also it's the best question, because that's what they're really looking for. I'm not saying you shouldn't have a Security Plus. Security Plus is fire. CISSP, I just told you, it single-handedly changed my life. It's great. A degree is, you know, people are talking shit about degrees, but if you're doing technical work, you're going to be an engineer, you're going to be doing this for a while, a degree is important. Because the longer you stay in this career path, the more competitive it gets. And the degree is very competitive. So those certs, those degrees, all the pieces of paper, those are important, right? They're an important half of your arsenal, right? But it's like you're sharpening the blades. But the best thing you can have is experience. The best thing, that's the meat on the plate.
Got to have experience. It's very, very, very important. So I can't stress that enough, right? Wherever you can get it, you can get it in school, while you're still in school, whatever industry you're in, try to get it there. Wherever you can get experience, something that you can put on your resume, on your profile to say, I did X, Y, and Z for this company. If you can do that, that's where the meat is at. Yes, get the Security Plus. Yes, get the CISSP. Yes, get cloud certifications. Yes, all that, right? But those are just tools in your arsenal, right? You got to be able to wield the sword, and that's where the skill set comes in. Let me see. Got more questions, comments, complaints on here. How long should I stay in corporate? I just started my career in big tech. It depends on what your ultimate goal is. I would say stay, ride that gravy train as long as you need to. Ride that gravy train as far as it'll take you. Make them fire you. Keep collecting that check and then use that check to build, brick by brick, something bigger for yourself and for your family. As long as you need to, brother. Use it to build your own corporation. Use it to build your nest egg, your 401k. Use it to, especially if they're doing like that shit where they say, okay, if you put a dollar in, we'll put $3. Yes, do that shit. Ride that gravy train as far as it'll take you. Let me see here. Let me see. Let's see. I've got some more questions, comments, complaints here. Do you have a step by step how to be an ISSO course? I do. If that's what you're looking for, you came to the right man, because that's exactly what I have. I have a course specifically for ISSOs. I'm glad you asked that question, because that brings us to a commercial break. This is brought to you by Risk Management Framework, ISSO. This is what the course is called. And this is a book, by the way, that I wrote. This is coming directly from my own personal experience.
I tell you, in plain English, what this job entails, and specifically from the perspective of an information system security officer, how to do this work for risk management framework, NIST 800. I've got two books. One focuses on NIST 800-37, and one focuses on NIST 800-53. I remember talking to one of my peers, and I was telling him, hey, man, I was trying to get him in with me to write books and stuff. I'm like, man, I've got this course, and I want you to help me build it. And he says, man, why would people pay for something that they can get for free? You can get this for free. All this shit here is for free on the internet. But when you read it, it sounds like... just go read it. You'll see for yourself what it sounds like. When I first started learning this stuff, I was like, what the fuck? What am I reading here? It doesn't tell you what you're supposed to do. It does, but it takes 15 paths to Sunday to get to the point. What I'm doing is getting straight to the point and telling you, from my experience in the Department of Defense and a couple other federal organizations, exactly what you need to do, where you need to focus, and where to not waste your time. That's what I'm doing. So it's from the perspective of somebody who's done it before. And I'm telling you how it is. And then once you read this, all the other shit will make more sense. So, yes, I do have a course. It's out there right now. Go to convocourses.net. I've got a bunch of discounts that you can use. Huge, huge. You got to go through it. There's lots of stuff that's out there. Huge discounts I've been putting out over the years. And if you can't afford it, you can just get this book right here. I've got two of them and that's on Amazon. It's also on my site and it'll walk you through it. It's just stuff I wrote that I wish somebody would have told me when I first started doing this stuff.
And it explains it in a way that's just straight to the point. Like, here's what you need to do, then do this, don't worry about this, focus on this. That's what the book is about. That's what the course is about. I hope that helps. What do you recommend to leverage your existing salary? Credit. Now I know Dave Ramsey is not going to agree with this, but credit, other people's money, to leverage your existing salary. A couple of things, a couple of things. It's a great fucking question. So listen, a couple of things. I use credit. Manage your credit. I'm not telling you, if you can't manage your credit, if you don't have no discipline, to do it. Do not do it. Go watch Dave Ramsey. Listen to everything he says, put money in an envelope and pay everything with that shit. Right. But if you can, if you have restraint, right, you're not going to go buy a Lamborghini with the money that the bank gives you. And you're trying to build a legacy. You're trying to build something for your kids and your family. Credit, loans, shit like that. Business credit. You don't even have to use your own personal credit if you have an LLC, if you have a business. If you have a bank account that has money going into it, after about two years, they'll give you a loan based off of that LLC. That's based off your business. They'll give you money from your business. They'll give your business money and it doesn't mess with your own personal credit. But yeah, that's one thing I use is credit, loans, stuff like that, other people's money. And then I use my high salary to pay that debt down or manage that debt effectively. So that's one thing you can use. And if you're doing real estate, you basically have to use other people's money.
So another thing I do, I've done before, not doing it currently, but if I had the opportunity I probably would, is what's called overemployment. So what you do is you just get two jobs. If you work from home, you can work two jobs. You can have one part-time job and one full-time job, two part-time jobs, or you could do what a lot of IT guys do, which is they'll do what's called 1099s. They won't be a full-time employee. They'll jump from contract to contract to contract and do like three months here, four months here, nine months here at these different companies. And sometimes doing it two at a time, and doing that shit, you can make $200,000, $300,000 easy doing that, you know? So that's another way you can leverage your existing salary. Another thing is, have a side hustle, side incomes. This is something I've been doing for many, many years and my favorite thing to do. And it's stuff like this. This is a side hustle. It does pretty good. It does pretty good. It does. All right. You know, I'm not rich or anything. I mean, look where I'm at, you know what I'm saying? But it does. Okay. You know, what else do I do? I mean, that's pretty much it. Loans, credit, making sure I maintain my credit and build using other people's money, the bank's money, to do what I need to do, and managing that money with my salary, right? That's one thing I do. And then overemployment I do from time to time, where I'm not really a fan of it these days because I really need my time for me and my family, my kids and everything. And then the other thing is side hustles. That's what I do to leverage. I use my salary to build. There's a lot of leverage you can use. These tools are very, very useful. Very, very, very useful. Let me see. Dewart says, can you work two jobs if you have a secret clearance? It's not so much about the secret clearance. It's about the agreement you have with the company.
So it depends on the agreement you have with the company. Some companies are very strict and say, look, you agree to work with us eight hours a day. There's a couple of things. Okay. Let me, let me back out a little bit. Number one, you cannot have a conflict of interest. All right. You can't have a con... meaning you can't work for Lockheed Martin and Northrop Grumman for competing contracts or some shit. Like you can't work for this company and it's competing with this company and they're on the same contract or something. Like you can't have conflicts of interest. What's a real good example of a conflict of interest? Look, you can't have a conflict of interest. That's all I'm going to say about it. You can't. Don't do it. Don't do it. It's not worth it. And then sometimes the organization that you're working for will flat out say, look, we want you to work eight hours a day. And that's what you're supposed to do. You're going to work eight hours for them. But they can't stop you from working some hours on the weekends. If Saturday and Sunday is yours, they don't own you. Am I right or wrong? They do not own you. Even if you have a secret, top secret, it doesn't matter. They don't own you. You're a human being. You have rights. So after hours, they don't own you. You can work after hours. Now, you can't work during their time, during their, you know... So the secret clearance doesn't say that you cannot work for anyone else, right? It just says you cannot divulge the information that's sensitive, you know? So that's what, don't do that, you know? So, yeah, a secret clearance doesn't matter in that regard. You can still be, you know, overemployed, but don't have a conflict of interest. Do not do it. Like you can't, it'll be a conflict of interest.
Like if you work for the government as a GS, and then you also work as a contractor on the same contract, that's probably a conflict of interest, stuff like that. Or you're at two competing companies where one has this special sauce and this one has a special sauce. You don't want to do stuff like that, right? You might get yourself in some legal trouble if you do something like that. They're very clear with you. And some companies, what you can do, the company I'm currently working for, they said, look, if you work for another company, just let us know. They say, look, we can't stop you from working for this other company. Now, you can't work during the hours we want you to. Like, if you're working for us, we're not expecting you to be using our stuff to work on theirs. No way. This is our stuff. You know, you work on our time. If you clock eight hours, you're working for us. Right. That's understood. That's the contract you signed. So the company I'm working for is like, look, just let us know. You know, that's it. Just let us know. And they, you know, they can't stop you. Let me see. What other questions do we have here? Somebody said, what if you know how to... What if I know how to build computers? That's a really great first step. I've got a little course, a free course about this where I talk about the levels to help people understand where they have to go to get from point A to point B. And I say the first step is to become a geek. That means to get interested in computers, learn everything you can about it, learn a common body of knowledge. And so, yeah, become a geek. Learn, take computers apart, put them together. But that's only one aspect of it, right? You need to learn networking. You should probably learn a little bit about cloud technology. You should probably learn a little bit about networking technology. Maybe you mess around with a little bit of scripting or code.
There's a lot of different aspects of IT to learn. Frameworks is a really good one to learn. Start learning the common body of knowledge beyond just building computers, like learn the whole landscape. That's cool that you know what mountains are, but what about valleys? What about rivers? Learn the whole map of how this landscape works from a distance, like how all this is laid out, how people are using information technology. You want to have a bird's eye view of how all this works, and that's the common body of knowledge, something that all of us have, regardless of whether you are a software engineer or a database guy or a help desk person or a cybersecurity person. All of us have some idea of how IPs work. All of us have some idea of what a server is versus a workstation. All of us have some idea of what cloud technology is. All of us know the layout, the lay of the land. So you still have to know that piece. Now, you might be a master of building computers. You could run circles around me with building computers. I haven't built a computer in many, many years. But that's not the only thing that you have to learn, right? So from geek, I talk about going to trying to land your first job. From there, from geek to getting your first job, now you're talking about possibly going to school, possibly getting yourself a certification. The A+ certification would be something you would probably kill, you know, because it's all about how computers, the components work and how software works with the components, all that kind of stuff. So from geek, landing your first job. Now, let's say you actually get that technical support job, and I talk about how to go from there to a specialization. Cybersecurity is the one that I talk about. What kinds of things as an IT professional do you need to know to get in the door of a cybersecurity type job? So that's the kind of stuff I talk about. But building computers is one aspect of it, and that's a great aspect to start with.
I would recommend you look at the common body of knowledge in CompTIA A+, especially if you're very, very new to IT. I'm taking the AWS Solutions Architect exam on Monday. Oh, man, that's awesome. I've been thinking about doing AWS. I have not had time. I would really like to. I'm working on my CCNA next month. CCNA is no joke. I like it. Somebody says, I have a CISSP and master's, trying to find a job, but people want experience. Yeah. Experience is super important. What can you do to get experience? It depends on where you're at. If you're a student, maybe what you could do is go to your campus, go to your college campus and see if you can get on their IT team. Don't say that help desk is beneath you. Do it. That's experience. Get in there and fix some computers. Get in there and image some computers. Do laptops, fix laptops, figure out how the laptop connects to the network. Put that experience on your resume. Try to be a working student if you still have a connection with your school. Even if it's a remote school, you'd be surprised. Sometimes they need help with their equipment that's out there in the field. You could do freelance work and start your own... If you know a lot, you're a CISSP, if you know a lot about a certain thing, a lot of CISSPs are a mile deep in like one or two things. Take that skill set, whether it's scripting or running scans or building networks or whatever you do, whatever you are professional on, do freelance work for local companies or find some organizations. If you have a church, if you go to a church or some kind of other local community, whatever it is, interface with them and try to see if you can do work for them. Do it for free if you can. Do work for some organization so you can put that on your resume. Another thing you can do, one thing Ryan brought up that I just didn't think of this whole time, is join an organization called the ISSA. So this is a local... they have local chapters everywhere.
In almost every major city, they have a local chapter. And this organization, they meet like monthly. And it's a bunch of information system security people and IT professionals, system admins, help desk people, captains of industry, CEOs are there, CIOs are there, chief information security officers are there. You name it, they're there. And they all meet about once a month in a city, in whatever city you happen to be in, and they're talking about career paths. If you have a CISSP, hell, sometimes they have jobs there and ways to get experience. You could talk to some of the old heads there and say, look, man, I'm trying to get in this field. I've got a CISSP. I got a master's degree. I specialize in writing scripts. How can I get experience? What do I have to do to get experience for this field? The ISSA is the Information Systems Security Association. They have one in every single state. They have one in almost every city. Well, probably not in every city, every major city, but every state has one. And I think there's even some in other countries. So look that up and try to network with those people. Because with all of your pedigree of prestigious papers, you should be able to land yourself a job, if nothing else, an internship or something. Somebody said create projects and post them on GitHub. That's another way to do it, especially if you know Python or something or if you know any kind of software projects. Put that on GitHub and you can put that on your resume. So there's a lot of different ways to do it. It depends on where you're at. Somebody says, I have a portfolio with five complex cloud projects. How can I get into the field? Any tips? Hmm. How could you get into it? A lot of times when people say this to me, it's usually experience and their resume. It's one of the two things. It's usually one of those things that are stopping them from getting their foot in the door. Pretty clear. It's usually one of those things.
They send me their resume and I look through it and it's usually one of those things. I don't know. I don't know what to say. But how could you do it? I think you've got to continue to build out as much experience as you can. And it's hard. I mean, it's difficult because that's where the real rubber meets the road. That's where the real meat is at, is your experience. It's the hardest part. You've got to talk to people. It's hard. You've got to get out there. You've got to network. So like I said, you could try the local ISSA chapter. I mean, they've got a whole bunch of people you can network with and figure something out. I mean, you have cloud experience. Do you have any certifications that might help you out? If you don't have one, maybe try to get some certifications under your belt. That's one thing you could try. Let me see. Oh, Ryan, how you doing, man? He says, I'm presenting on election security on February 28th at the Pikes Peak ISC2 chapter meeting. That's awesome. So these are the kinds of people you want to network with, cybersecurity professionals, IT professionals who are out there. They have this in your area. LinkedIn, one of the hidden gems of LinkedIn is that if you go there, there's a bunch of forums. In your local area, there'll be a bunch of meetings, a bunch of forums, a bunch of people presenting. Sometimes they'll have job fairs that are local to you. Join those groups. Join some of those groups. And a lot of times people are trading jobs back and forth. Another pretty good resource is Reddit. Reddit might have some pretty good resources for you as well.
Reddit has a lot of professionals who are talking back and forth, and it's a good way to network with like-minded people who are in the same position, and finding out new stuff that's kind of bubbling up in the industry. Let me see here. I got some other stuff going on here and I'm going to end this real soon, guys. I appreciate all the people jumping on here. Where can I find your book? Go to Amazon, type Bruce Brown Convo Courses. You'll find a bunch of my books. Risk Management Framework is just one of them. Another place you can look at is convocourses.net. You'll also see free stuff. Ryan's got a free book. I linked his on there. He's got a free book that is walking you through how to study for the ISC2 CGRC, formerly the CAP, Governance, Risk, and Compliance Certification. So we've got free stuff, discounted stuff on there. At the end of the day, what we're trying to do is help people, to make your life easier to get into this field, stay in this field, and level up if you already are in this field. Let me see. Emmanuel says, let me see this one. Emmanuel says, which MOS would you advise, a 25 Bravo or a 25 Hotel, for a start in cybersecurity? 25 Bravo. I thought that was an IT guy. 25 Bravo is an Army MOS. Ryan's Army. He might be able to answer this. Ryan, what do you think about this question here? Emmanuel is asking which MOS you would advise, a 25 Bravo, for a start in cybersecurity? Ryan says, 25 Bravo is a great start. Yeah, that is a great start because that's an IT, yes, and that's an IT specialist, as a matter of fact. So that is a great start. Don't do that. What are you doing? OK, I'm wrapping it up. I'm wrapping it up. Let me see. I'm going to stop this thing. I'm going to answer one more question. Ryan's taking care of Emmanuel. He says, get a Network Plus or Security Plus ASAP. That's a great one, Security Plus. I would highly recommend a Security Plus. Oh, boy. OK, I think it's time. OK, one more question. OK, one more question.
Okay, I got a bunch of Army guys jumping on here, giving great advice on TikTok. Do I have experience with overlays? A bit, a bit. 25 Delta, 17 Charlie, 25 Bravo. You locked in for six years. Man, I've got a lot of Army guys on here. And highly transferable to civilian sector. Okay, that's where we're going to end this. So 25 Bravo, let me tell you something. If you're a 25 Bravo, and they have an equivalent for this in every branch of the military. I believe the Air Force, they changed it. It used to be a three char... Oh, my Lord. Oh, my Lord. They changed it. It used to be called a three... 3 Charlie. 3 Charlie. Man, my brain. 3 Charlie. 3C0X1. That's what it was. 3C0X1. That's what it used to be called. But it's no longer called that. So I don't know what they call it these days. 3 Delta or something? 17 Delta? I don't remember. But every branch has a 25 Bravo equivalent. And it's an IT professional. And somebody on TikTok nailed it. So he said that it is highly transferable to the civilian world. And he is absolutely right. So I was a... I'm an old head. So when I was in the Air Force, it was called a 3 Charlie, a 3C0X1 is what we called it. And a computer operator, same thing as a 25 Bravo. And I was, the thing is, and I don't know how they do it in the Army. The Army has really sharp IT guys, especially the warrant officers. Very impressive. But the thing is, the Air Force will specialize you in certain things. A computer operator, you could narrow down into firewalls. You could go into network engineering. You could go into... not software engineering. That was a completely different field. But you could get databases. You could focus on one area. And once you got out, I mean, you have certifications. If you put the effort in, you had a degree. Listen, if you have a year or more left, I would highly, highly recommend you get a degree.
Because look, all of the training, all the way back to boot camp, all the way back to boot camp is going to go towards your degree. You have some credits there that are transferable to your degree. So you're probably only a few points away, maybe six credits, maybe 10 credits away from an associate's degree. Once you get the associate's degree, you have maybe, what is it, 60 more credits? I want to say 60 more credits, and then you have a bachelor's degree. That may sound crazy, like a lot of work, but it's actually not that much work. It's a few classes. Maybe not a few, maybe 10. Look, it's going to be some work, but you can get out with a bachelor's degree within a year. You can be within arm's reach of a bachelor's degree. At the very least, get an associate's degree because literally that's like two classes away. If you have one year left in the military and you are a 25 Bravo, hell, whatever MOS you're in, listen, get your damn degree. Just get the damn degree. All you got to do is go to... they've got a unit on base. I don't know what the Army calls it, but there's a unit on base that you can go to. They'll tell you exactly. They'll have a counselor. They'll break it down. They'll take all the credits you already have. They'll say, listen, you went to boot camp. That's six credits. You went to 25 Bravo school. That's... you've got 30 credits for that, right? And of these 40 credits you have, you can apply 25 of them to this associate's degree. You only need two classes. This is what they're going to tell you. You only need two classes. You need one in math and you need one in history and you need one... And basically you can CLEP your way out of it. CLEP is a test. You can just take a test and then they'll give you credits and then bam, you have a degree. Just do it, man. And then it's more, put it to you this way, it's more money. If you want more money, then just do it. Just go through this little bit of process that you have to do.
Let them take your transcripts from the military, consolidate them, and you're going to boost up your income by like 15% to 25% when you get out of the military. And then also what Ryan said, Security+. Get a certification. And now you have experience, you have a degree, and you have a certification. And you're very, very deadly. You're very competitive. Very competitive. It's hard out here. It's hard out here on the outside, man. They don't just magically give you stuff here. Like, you got to work for this shit. But the good news is you're in a place where you can really sharpen some swords and come out swinging. All right. That's it, guys. I got to get off of this thing. I appreciate everybody. Remember what I said, like use this as a stepping stone, like use this as this is one step. You got to go to the next step, whether that's to level up your career, to make big money as a director and retire with a bunch of 401k money or use this money to go start a business, use this money to invest in real estate. Use it to build up passive income streams because you can't do this forever, guys. You cannot do this forever. I know if you're 30 or you're 20, you think, oh, I'm going to... You just don't even think about it. You think you're going to live forever, man. Then you start seeing your friends die. I'm not trying to bring you down or anything, but I'm just telling you, like, life has an expiration date. And you got to start thinking about, okay, what's my plan? What am I trying to do? You can use this field as a way to go to another level and level up your family, too, and the people you love. So... Just some words of advice from an old guy. I hope some of you guys, I hope at least one of you guys listen to what I'm saying because it can change your life. All right, guys, I'll talk to you guys on the next week. Give me some suggestions of what we should talk about next. Sometimes I just get on here and ramble. So, all right, guys, talk to you later.

Ubuntu Security Podcast

AppArmor unprivileged user namespace restrictions are back on the agenda this week as we survey the latest improvements to this hardening feature in the upcoming Ubuntu 24.04 LTS, plus we discuss SMTP smuggling in Postfix, runC container escapes and Qualys' recent disclosure of a privilege escalation exploit for GNU libc and more.

Paul's Security Weekly
Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

Feb 6, 2024 (74:25)

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf https://prods.ec/ https://owaspsamm.org https://iso25000.com/index.php/en/iso-25000-standards/iso-25010 https://www.scmagazine.com/podcast-episode/application-security-weekly-242 Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-272

Paul's Security Weekly TV
Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272

Feb 6, 2024 (36:41)

Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272

Application Security Weekly (Audio)
Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

Feb 6, 2024 (74:25)

We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf https://prods.ec/ https://owaspsamm.org https://iso25000.com/index.php/en/iso-25000-standards/iso-25010 https://www.scmagazine.com/podcast-episode/application-security-weekly-242 Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-272

Application Security Weekly (Video)
Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272

Feb 6, 2024 (36:41)

Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272

Stock Market Today With IBD
Indexes Fall As Bond Yields, Dollar Rise; BURL, AXON, QLYS In Focus

Jan 17, 2024 (11:58)

Decliners topped advancers on the NYSE by about 3.5-to-1. The ratio was around 2.5-to-1 negative on the Nasdaq. Retailer Burlington Stores has been stubborn about giving back recent gains, while Axon and Qualys have pulled back in orderly fashion.

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Ep. 118 An update on Zero Trust for the Federal Government

Jan 4, 2024 (23:45)

There was a time when a “snapshot” of a federal system was taken and its security posture was evaluated based on that moment in time. That may have been a tolerable solution when a network consisted of two dozen personal computers and a server down the hall. However, this superficial approach will not work with today's networks, which are in constant change. For example, data is exploding and entering systems through a wide variety of portals. Add to that the fact that the devices delivering that tsunami of data are doubling and tripling in number. During this interview, Jonathan Trull from Qualys gives his opinion on the state of today's federal technology when it comes to vulnerability assessment, configuration settings management, asset management, and dynamic application security testing. He also addresses qualitative aspects of managing assets. Jonathan Trull refers to the weakness of a “checkbox” approach to managing assets. In mature systems like those the federal government has today, you may discover both managed and unmanaged assets. Just because you check the box on “managed” assets does not mean they are professionally managed; they may be poorly managed, leaving a system vulnerable. Software development is all about Minimum Viable Products and frequent changes. That is terrific for agile software development; however, each update could introduce a new weakness. Federal leaders must embrace agile methodologies and keep systems safe at the same time. This means everyone should consider dynamic application security testing as part of a prudent network safety analysis. This interview will give you a good introduction to how to keep enterprise systems safe in a world of constant change. Follow John Gilroy on LinkedIn: https://www.linkedin.com/in/john-gilroy/ Listen to past episodes of Federal Tech Podcast: www.federaltechpodcast.com

DrZeroTrust
Weekly(ish) Cybersecurity and Zero Trust Market Analysis

Dec 22, 2023 (30:49)

Is it time to finally deal with the China cyber threat? Has the back and forth with Ukraine and Russia shown what the future of cyberwarfare looks like? What does the Qualys report about vulnerabilities teach us about #notsuckingatpatching? SSH is in big trouble, what do we do, and how big is the problem? Almost Christmas y'all!

Earnings Season
Qualys, Inc., Q3 2023 Earnings Call, Nov 02, 2023

Dec 6, 2023 (40:45)

Beurswatch | BNR
ChatGPT soap opera: one fired man hands Microsoft a record

Nov 20, 2023 (21:29)

It was a chaotic weekend at OpenAI, the company behind ChatGPT. On Friday it fired its CEO, and to everyone's surprise he started at Microsoft today. Is this a masterstroke by Microsoft? And what do investors get out of it? Bayer also had a chaotic weekend. It was hit with a multibillion fine, and a trial of an important new drug came to nothing. That has its impact on the stock market: the pharma and chemicals company loses 20 percent of its value and drops to its lowest level in ten years. You will also hear why Shell is still the top favourite among Dutch investors, which company is making an iPhone on wheels, and why the US dollar may be introduced in Argentina.

MLOps.community
Ux of an LLM User // LLMs in Production Conference Panel // #180

Sep 15, 2023 (31:27)

Sign up for our next LLM in production conference: https://go.mlops.community/prodiii #180 with LLMs in Production Conference part 2 Ux of a LLM User Panel, Misty Free, Dina Yerlan, and Artem Harutyunyan hosted by Innovation Endeavors' Davis Treybig. // Abstract Explore different approaches to interface design, emphasizing the significance of crafting effective prompts and addressing accuracy and hallucination issues. Discover some strategies for improving latency and performance, including monitoring, scaling, and exploring emerging technologies. // Bio Misty Free Misty Free is a product manager at Jasper, where she focuses on supercharging marketers with speed and consistency in their marketing campaigns, with the power of AI. Misty has also collaborated with Stability and OpenAI to offer AI image generation within Jasper. She approaches product development with a "jobs-to-be-done" mindset, always starting with the "why" behind any need, ensuring that customer pain points are directly addressed with the features shipped at Jasper. In her free time, Misty enjoys crocheting amigurumi, practicing Spanish on Duolingo, and spending quality time with her family. Misty will be on a panel sharing her insights and experiences on the real-world use cases of LLMs. Davis Treybig Davis is a partner at Innovation Endeavors, an early-stage venture firm focused on teams solving hard technical & engineering problems. He personally focuses on computing infrastructure, AI/ML, and data. Dina Yerlan Head of Product, Generative AI Data at Adobe Firefly (family of foundation models for creatives). Artem Harutyunyan Artem is the Co-Founder & CTO at Bardeen AI. Prior to Bardeen, he was in engineering and product roles at Mesosphere and Qualys, and before that, he worked at CERN. 

Connecting ALS
Legislation Could Further Limit Discriminatory Drug Cost Controls…

Apr 6, 2023 (16:33)

This week, Jeremy is joined by Sara Van Geertruyden, executive director of the Partnership to Improve Patient Care, to talk about legislation moving through Congress that would extend prohibitions on the use of quality adjusted life years (QALYs) in drug pricing and access decisions. Read the National Council on Disability report finding QALYs to be discriminatory at https://ncd.gov/sites/default/files/NCD_Quality_Adjusted_Life_Report_508.pdf This episode is brought to you by The ALS Association in partnership with CitizenRacecar.

Cyber Security Weekly Podcast
Episode 353 - Language of Risk - Cyber Security, Risk and Vulnerability Management

Mar 28, 2023

Interview with Sumedh Thakar, President and CEO of Qualys, on his visit to Australia and New Zealand to meet with customers and partners for a cyber risk management briefing: Has the 'Language of Risk' Evolved Enough to Save Us All? Recorded on 16 March 2023. For more information visit www.qualys.com #cybersecurity #vulnerabilityassessment #qualys #ceo #mysecuritytv

High Tech Freedom
82 - Never talk about your competition - Andrew Plato

Mar 1, 2023 (34:16)

Andrew Plato is an experienced CEO, founder, entrepreneur, and cybersecurity expert.  In 1995 Andrew founded one of the first companies dedicated to information security, Anitian.  While CEO of Anitian, Andrew was a pioneer in network security, risk management, and compliance practices. This culminated in 2016 with the invention of an automated platform that dramatically accelerated the deployment and configuration of security in cloud environments.  Andrew secured venture-backed funding for this technology and led the company through rapid growth.  During this time Andrew also cultivated lucrative strategic partnerships with leading security and cloud companies such as AWS, Microsoft Azure, Trend Micro, Sysdig, Elastic, Qualys, and Sentinel One. Andrew is currently the CEO/Founder of Zenaciti (www.zenaciti.com) which provides security and cloud advisory services to investors and leaders worldwide.  Andrew is a prolific speaker, author, and industry analyst on matters of cybersecurity, compliance, and leadership. You can connect with Andrew through linkedin: linkedin.com/in/andrewplato Enter our monthly drawing for an insulated High Tech Freedom tumbler - www.hightechfreedom.com/mug What does Freedom mean to you? Check out our webinar: “How Top Sales Pros Create Passive Income & Achieve Financial Freedom With Hands-Off Real Estate Investing”   Book a 15 minute call with Chris.  15 Minute Call With Chris Freeman - Chris Freeman calendly.com   Host Contact Information - Chris Freeman LinkedIn - http://linkedin.com/in/chrisfreeman Facebook - https://www.facebook.com/chris.freeman.9461

The Nonlinear Library
EA - Sanity check - effectiveness/goodness of Trans Rescue? by David D

Feb 20, 2023 (2:00)

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Sanity check - effectiveness/goodness of Trans Rescue?, published by David D on February 20, 2023 on The Effective Altruism Forum. I stumbled across the charity Trans Rescue, which helps transgender people living in unsafe parts of the world move. They've published advice for people living in first world countries with worsening legal situations for trans people, but the vast majority of their funding goes toward helping people in Africa and the Middle East immigrate to safer countries (or for Kenyans, move to Trans Rescue's group home in the safest region of Kenya) and stay away from abusive families. As of September 2022, their total funding since inception was just under 33k euros. They helped about twenty people move using this funding. That puts the cost to help a person move at about 1,650 euros, which is in the same ballpark as a Givewell top charity's cost to save one person from fatal malaria. I haven't looked closely at the likely outcome for people who would benefit from Trans Rescue's services but don't get help. Some would live and some would not, but I don't have a good sense of the relative numbers, or how to put QALYs on undertaking a move such as this. Since they're very new and very small, I'm considering donating and keeping an eye on how they grow as an organization. Mainly I hoped you all could help me by pointing out whether there's anything fishy that I might have missed. This review was published by a group of Twitter users, apparently after an argument with one of the board members. It's certainly not unbiased, but they do seem to have made a concerted effort to find anything bad or construable as bad that Trans Rescue has ever done. Trans Rescue wrote a blog post in response.
I came away with a sense that the board is new at running an organization like this, and they rely on imperfect volunteer labor to be able to move as many people as they do, but their work is overall helpful to their clients. Thanks for listening. To help us out with The Nonlinear Library or to learn more, please visit nonlinear.org.

Paul's Security Weekly
ESW #300 - Parag Bajaria, Terry Barber

Dec 17, 2022 (149:10)

Security teams struggle with managing cyber risk across cloud workloads, services, resources, users, and applications. Parag will discuss the issues this presents and how Qualys' new TotalCloud solution allows organizations to see all their cloud resources, relationships between resources, the external attack surface, and attack path mapping all delivered via one platform. Segment Resources: Qualys TotalCloud free trial: https://www.qualys.com/forms/totalcloud/ TotalCloud Video: https://vimeo.com/765771406 Blogs: https://blog.qualys.com/product-tech/2022/11/01/introducing-totalcloud-cloud-security-simplified https://blog.qualys.com/product-tech/2022/11/01/why-is-snapshot-scanning-not-enough   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   A brief roundup of our favorite news, trends, and interviews in 2022! See what Adrian, Katherine, and Sean have to say about 2022's best interviews and news stories!   Finally, in the last Enterprise Security News of 2022, We see our first Security Unicorn with a down round, A few new fundings and new companies emerging, Ninjas emerge from stealth, Proofpoint acquires deception detection vendor Illusive, Veracode picks up Crashtest Security, Apple encrypts more consumer data, Passkeys introduced in Chrome, Texas bans TikTok, A great post-mortem of the Joe Sullivan case, Infragard gets hacked, KringleCon 2022.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw300

Enterprise Security Weekly (Audio)
ESW #300 - Parag Bajaria, Terry Barber

Dec 16, 2022 (149:10)

Security teams struggle with managing cyber risk across cloud workloads, services, resources, users, and applications. Parag will discuss the issues this presents and how Qualys' new TotalCloud solution allows organizations to see all their cloud resources, relationships between resources, the external attack surface, and attack path mapping all delivered via one platform. Segment Resources: Qualys TotalCloud free trial: https://www.qualys.com/forms/totalcloud/ TotalCloud Video: https://vimeo.com/765771406 Blogs: https://blog.qualys.com/product-tech/2022/11/01/introducing-totalcloud-cloud-security-simplified https://blog.qualys.com/product-tech/2022/11/01/why-is-snapshot-scanning-not-enough   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   A brief roundup of our favorite news, trends, and interviews in 2022! See what Adrian, Katherine, and Sean have to say about 2022's best interviews and news stories!   Finally, in the last Enterprise Security News of 2022, We see our first Security Unicorn with a down round, A few new fundings and new companies emerging, Ninjas emerge from stealth, Proofpoint acquires deception detection vendor Illusive, Veracode picks up Crashtest Security, Apple encrypts more consumer data, Passkeys introduced in Chrome, Texas bans TikTok, A great post-mortem of the Joe Sullivan case, Infragard gets hacked, KringleCon 2022.   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw300

Paul's Security Weekly TV
Simplifying Cloud Security - Terry Barber, Parag Bajaria - ESW #300

Dec 16, 2022 (46:20)

Security teams struggle with managing cyber risk across cloud workloads, services, resources, users, and applications. Parag will discuss the issues this presents and how Qualys' new TotalCloud solution allows organizations to see all their cloud resources, relationships between resources, the external attack surface, and attack path mapping all delivered via one platform. Segment Resources: Qualys TotalCloud free trial: https://www.qualys.com/forms/totalcloud/ TotalCloud Video: https://vimeo.com/765771406 Blogs: https://blog.qualys.com/product-tech/2022/11/01/introducing-totalcloud-cloud-security-simplified https://blog.qualys.com/product-tech/2022/11/01/why-is-snapshot-scanning-not-enough   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw300

Defense in Depth
Reducing the Attack Surface

Nov 17, 2022 (31:11)

All links and images for this episode can be found on CISO Series. The cyber attack surface just keeps growing to the point that it seems endless. Protecting it all is impossible. Is there anything that can be done to reduce that attack surface and limit your exposure? Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Jonathan Trull (@jonathantrull), CISO, Qualys. Thanks to our podcast sponsor, Qualys. Qualys is a pioneer and leading provider of cloud-based security and compliance solutions. In this episode: Is there anything that can be done to reduce that attack surface and limit your exposure? Is attack surface reduction a new security development philosophy, or is it just a rebranding of vulnerability management? And what value does it have in comparison to other popular theories such as zero trust and defense in depth? Is everything just another form of exposure management?

Paul's Security Weekly
ASW #217 - Kong Yew Chan

Oct 26, 2022 (78:26)

Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes. This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw217

Paul's Security Weekly TV
Kubernetes, Container and Cloud Best Practices for Securing Cloud Apps and Hardening - Kong Yew Chan - ASW #217

Oct 25, 2022 (38:15)

Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes.   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw217

Application Security Weekly (Audio)
ASW #217 - Kong Yew Chan

Oct 25, 2022 (78:26)

Learn what keeps DevOps and SecOps up at night when securing Kubernetes, container, and cloud native applications, what tactics are best for developers and application architects to consider when securing your latest cloud application and hardening your CI/CD pipeline and processes. This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Text4Shell isn't a new patching hell, using supply chain info with GUAC, OpenSSF Scorecards and metrics, Toner Deaf firmware persistence, upcoming OWASP Board Elections, Chrome browser exploitation   Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/asw217

Closing Bell
Closing Bell: Stocks mostly lower in wild session, Warning for McDonald's 9/27/22

Sep 27, 2022 (42:57)

Stocks finished mostly lower after trading in a very wide range, with Fed commentary and bond moves pulling the market in opposite directions. DoubleLine's Jeff Sherman and Mohamed El-Erian from Allianz discuss the factors weighing on stocks and bonds, if they'd be buyers in this uncertain environment. Meantime McDonald's was among the worst performers in the Dow after Citi issued a negative catalyst watch on the stock. The analyst behind that call joins to explain his warning. And the CEO of cybersecurity firm Qualys – a rare tech winner on the year – breaks down his read on corporate tech spending.

Paul's Security Weekly
BSW #277 - Paul Baird

Sep 20, 2022 (57:53)

In the leadership and communications section, Cybersecurity's Too Important To Have A Dysfunctional Team, In a Crisis, Great Leaders Prioritize Listening, White House Announces Stricter Cybersecurity Guidelines and Rules, and more!   Paul will discuss a risk-based approach to security that prioritizes fixing the most critical issues that will reduce risk in your organization. He'll walk through a three-step cycle that continuously monitors the threat landscape, enables quick response, and measures the metrics that company leadership cares about. Segment Resources: https://blog.qualys.com/qualys-insights/2022/05/31/transitioning-to-a-risk-based-approach-to-cybersecurity https://blog.qualys.com/qualys-insights/2022/07/26/aflac-completes-successful-poc-of-qualys-vmdr-2-0-with-trurisk www.qualys.com/vmdr   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw277

Paul's Security Weekly TV
Maximizing Risk-Reduction in your Security Program - Paul Baird - BSW #277

Sep 20, 2022

Paul will discuss a risk-based approach to security that prioritizes fixing the most critical issues that will reduce risk in your organization. He'll walk through a three-step cycle that continuously monitors the threat landscape, enables quick response, and measures the metrics that company leadership cares about. Segment Resources: https://blog.qualys.com/qualys-insights/2022/05/31/transitioning-to-a-risk-based-approach-to-cybersecurity https://blog.qualys.com/qualys-insights/2022/07/26/aflac-completes-successful-poc-of-qualys-vmdr-2-0-with-trurisk www.qualys.com/vmdr   This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw277

CISO Tradecraft
#94 - Easier, Better, Faster, & Cheaper Software

Sep 5, 2022 (23:28)

Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper. As always, please follow us on LinkedIn, and subscribe if you have not already done so. Shigeo Shingo, who lived from 1909 to 1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen. He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority." Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company. You have to start thinking and operating like a digital company. It's no longer just about procuring one solution and deploying one solution… It's really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.” The first time I heard this I didn't really fully understand it. But after reflection it makes a ton of sense. For example, let's say your company couldn't send email. How much would that hurt the business? What if your company couldn't use Salesforce to look up customer information? How might that impact future sales? What if your core financial systems had database integrity issues? Any of these examples would greatly impact most businesses. So, getting high-quality software applications that enable the business is a huge win. If every company is a software or digital company, then the CISO has a rare opportunity. That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good, right?
That is the focus of today's show, and we are going to teach you how to excel in creating a world-class organization through a focused program in Secure Software Development. Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that? Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security. Let's first look at increasing productivity. To increase productivity, we need to understand the Resistance Pyramid. If you know how to change people and the culture within an organization, then you can significantly increase your productivity. However, people and culture are difficult to change, and different people require different management approaches. At the bottom of the pyramid are people who are unknowing. These individuals don't know what to do. You can think of the interns in your company. They just got to your company, but don't understand what practices and processes to follow. If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance. Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?" An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner. The middle part of the pyramid is people who believe they are unable to adapt to change. These are individuals that don't know how to do the task at hand. Here, communications are important, but also skills training. Compare your team members here to an unskilled labor force -- they're willing to work but need an education to move forward.
If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company's productivity or lower your costs. At the top of the resistance pyramid are the people who are unwilling.  These individuals don't want to change.  We might call these folks the curmudgeons who say "we tried it before, and it doesn't work," or "I'm too old to learn that."  If you want to change these individuals and the culture of an organization, then you need to create motivation. As leaders, our focus to stimulate change will be on communicating, educating, and motivating.  The first thing that we need to communicate is the Why.  Why is Secure Software Development important?  The answer is money.  A variety of studies have found that software vulnerabilities detected early in development are cheaper to fix than those found later, in production.  Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase was $240, in the QA/Test phase was $960, and in the production phase was $7,600.  Think of that difference.  $80 is about 1% of $7,600.  So if a developer finds bugs in the development code, then they don't just save their own time: they save the time of a second developer who doesn't have to do a failed code review, the time of an infrastructure engineer who has to put the failed code on a server, the time of a tester who has to create regression tests which fail, the time of a wasted change approval board meeting on a failed release, and the time of the customer representatives who will respond to customers when the software is found to have issues.  As you see, there's a lot of time to be saved by increasing productivity, as well as a 99% cost savings for what has to be done anyway.  
Saving their own time is something that will directly appeal to every development team member. To do this we need to do something called Shift Left Testing.  The term shift left refers to finding vulnerabilities earlier in development.  To properly shift left we need to create two secure software development programs. The first program focuses on the processes that an organization needs to follow to build software the right way.  This is something you have to build in house.  For example, think about how you want software teams to create a network diagram that architects can look at in your organization.  Think about the proper way to register an application into a Configuration Management Database so that there is a POC who can answer questions when an application is down.  Think about how a developer needs to get a DNS entry created for new websites.  Think about how someone needs to get a website into the various security scanning tools that your organization requires (SAST, DAST, Vuln Management, Container Scanning, etc.)  Think about how developers should retire servers at end of life.  These practices are unique to your company.  They may require a help desk ticket to make something happen or, if you don't have a ticketing system, an email.  We need to document all of these in one place where they can be communicated to the staff members who will be following the processes.  Then our employee has a checklist of activities they can follow.  Remember, if it's not in the checklist, then it won't get done.  If it doesn't get done, then bad security outcomes are more likely to happen.  So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company.  You can place this knowledge into an internal wiki article, a SharePoint site, a Confluence page, or some kind of website.  Make sure to communicate this frequently.  For example, have the CIO or CISO share it at the IT All Hands meeting.  
Send it out in monthly newsletters.  Refer to it in security discussions and architecture review boards.  The more it's communicated, the more unknowing employees will hear about it and change their behavior. The second program that you should consider building is a secure code training platform.  You can think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Codebashing.  These secure code training solutions are usually bought by organizations instead of being created in-house.  They teach developers how to write more secure code.  For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?"  If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code.  Make these types of training programs available to every developer in your company. Lastly, we need to find a way to motivate the curmudgeons.  One way to do that is the following: Let's say you pick one secure coding platform and create an initial launch.  The first two hundred people in the organization that pass the secure developer training get a one-time bonus of $200.  This perk might get a lot of people interested in the platform.  You might even get 10-20% of your organization taking the training in the first quarter of the program.  The second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorably than their peers.  Guess what?  You will see more and more people taking the training class.  Perhaps you see that 50% of your developer population becomes certified.  Then the following year you say that since so many developers are now certified, to achieve the rank of Senior Developer within the organization it is now expected to pass this training.  
It becomes something HR folks look for during promotion panels.  This gradual approach to move the ball in training can work and has been proven to increase the secure developer knowledge base. Here's a pro tip:  Be sure to create some kind of badges or digital certificates that employees can share.  You might even hand out stickers upon completion that developers can proudly place on their laptops.  Simple things like this can increase visibility.  They can also motivate people you didn't think would change. Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it's time to increase convenience and reduce waste.  Do you know what developers hate?  Well, other than last-minute change requests.  They hate inefficiencies.  Imagine if you get a vulnerability report that says you have a bug on line 242 in your code.  So you go to the code, and find there really isn't a bug; it's just a false positive in the tool.  This false bug detection really, well, bugs developers.  So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the true and false positive rates of the tool.  One way to do this is to run the tools you are considering against the OWASP Benchmark.  (We have a link to the OWASP Benchmark in our show notes.)  The OWASP Benchmark allows companies to test tools against a deliberately vulnerable website with vulnerable code.  In practice, testing tools flag both good code and bad code, so these results should be compared against the ground-truth data to determine how many true and false positives were reported.  For example, if the tool you choose has a 90% True Positive Rate and a 90% False Positive Rate, then that means the tool pretty much reports everything as vulnerable.  This means valuable developer time is wasted and they will hate the tool despite its value.  
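Here is what that comparison against the Benchmark's ground truth looks like in code. This is an added example, not code from the episode or from the OWASP Benchmark project: the test cases and the two tools' findings are constructed, and the scoring follows the Benchmark's published approach of reporting a True Positive Rate, a False Positive Rate, and their difference as the single score.

```python
"""Score a scanner against OWASP-Benchmark-style ground truth.

Added example; not code from the episode or from the OWASP Benchmark project.
The Benchmark publishes, for every test case, whether it is really vulnerable;
a tool's findings are compared against that to get a True Positive Rate (TPR)
and a False Positive Rate (FPR), and the Benchmark score is TPR - FPR, so a
tool that flags everything and a tool that guesses at random both land near 0.
The test cases and findings below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    name: str          # e.g. "BenchmarkTest00001" in the real Benchmark
    category: str      # vulnerability family, e.g. "sqli" or "xss"
    vulnerable: bool   # ground truth: does this case really contain the flaw?


# Constructed ground truth: two categories, half the cases really vulnerable.
GROUND_TRUTH = [
    TestCase("sqli-01", "sqli", True),
    TestCase("sqli-02", "sqli", True),
    TestCase("sqli-03", "sqli", False),
    TestCase("sqli-04", "sqli", False),
    TestCase("xss-01", "xss", True),
    TestCase("xss-02", "xss", True),
    TestCase("xss-03", "xss", False),
    TestCase("xss-04", "xss", False),
]

# Constructed scanner output: the set of (case name, category) each tool
# reported as vulnerable. A finding only counts in the category it was
# reported under, since the Benchmark scores per vulnerability category.
GOOD_TOOL = {("sqli-01", "sqli"), ("sqli-02", "sqli"),
             ("sqli-03", "sqli"), ("xss-01", "xss")}
NOISY_TOOL = {(t.name, t.category) for t in GROUND_TRUTH}   # flags everything


def score_tool(ground_truth, reported):
    """Return {category: {"tpr", "fpr", "score"}} plus an "overall" entry.

    TPR = TP / (TP + FN): share of truly vulnerable cases the tool caught.
    FPR = FP / (FP + TN): share of safe cases the tool wrongly flagged.
    score = TPR - FPR, the OWASP Benchmark's single-number score.
    """
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for case in ground_truth:
        flagged = (case.name, case.category) in reported
        if case.vulnerable:
            key = "tp" if flagged else "fn"
        else:
            key = "fp" if flagged else "tn"
        counts[case.category][key] += 1
        counts["overall"][key] += 1

    results = {}
    for category, c in counts.items():
        positives = c["tp"] + c["fn"]
        negatives = c["fp"] + c["tn"]
        tpr = c["tp"] / positives if positives else 0.0
        fpr = c["fp"] / negatives if negatives else 0.0
        results[category] = {"tpr": tpr, "fpr": fpr, "score": tpr - fpr}
    return results


if __name__ == "__main__":
    for label, findings in (("good tool", GOOD_TOOL), ("noisy tool", NOISY_TOOL)):
        overall = score_tool(GROUND_TRUTH, findings)["overall"]
        print(f"{label}: TPR={overall['tpr']:.2f} FPR={overall['fpr']:.2f} "
              f"score={overall['score']:.2f}")
```

Run it and the "noisy tool" that flags every case scores 0.0 despite a perfect 100% True Positive Rate, which is exactly the 90%/90% trap described above; the per-category breakdown is what you want when a vendor's headline number hides a weak CWE family.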
If the tool has a 50% True Positive Rate and a 50% False Positive Rate, then the tool is essentially reporting randomly.  Once again, this results in lost developer confidence in the tool.  You really want tools that have high True Positive Rates and low False Positive Rates.  Optimize accordingly. Another developer inefficiency is the number of tools developers need to leverage.  If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for Vulnerability Management findings, WebInspect for DAST findings, Prisma for container findings, and TruffleHog for secrets scanning, it becomes a burden.  If ten systems require two minutes of logging in and setup each, that's twenty minutes of unproductive time.  Multiply that by the number of developers in your organization and you can see just how much time is lost by your team just to get set up to perform security checks.  Let's provide convenience and make development faster.  We can do that by centralizing the security scanning results into one tool.  We recommend putting all the security findings into a Source Code Repository such as GitHub or GitLab.  This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place.  This means that they are more likely to make those fixes since they actually see them.  You can provide this type of view to developers by buying tools such as GitHub Advanced Security.  Now this won't provide all of your security tools in one place by itself.  You still might need to show container or cloud findings which are not in GitHub Advanced Security.  But this is where you can leverage your Source Code Repository's native CI/CD tooling.  GitHub has Actions and GitLab has Runners.  With this CI/CD function developers don't need to go to Jenkins and other security tools.  They can use a GitHub Action to integrate container and cloud findings from a tool like Prisma.  
This means that developers have even fewer tools from a CI/CD perspective as well as less logging into security tools.  Therefore, convenience improves.  Now look at it from a longer perspective.  If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce.  This could be reviewed at the Change Approval Board.  You could also fast track developers who are coding securely.  If a developer has zero findings observed in GitHub, then that code can be auto approved for the Change Approval.  However, if you have high/critical findings then you need manager approvals first.  These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022).  This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings. Another key way we can make software faster is by performing value stream mapping exercises.  Here's an example of how that reduces waste.  Let's say from the time Nessus finds a vulnerability there are actually fifteen steps that need to occur within an organization to fix the vulnerability.  For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it's a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc.  Each of these fifteen steps takes time and often requires handoffs between teams.  These handoffs often mean that things sit in queues.  This results in waste and inefficiency.  Have your team meet with the various stakeholders and identify two time durations.  One is the best-case time for how long something should take to go through an optimal process.  
The second is the average time it takes things to go through the current process.  At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days.  This insight can show you where you are inefficient.  You can identify ways to speed up from ninety to twenty days.  If you can do this faster, then developer time is gained.  Now, developers don't have to wait for things to happen.  Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster. OK last but not least is making software better by increasing security.   At the end of the day, there are many software activities that we do which provide zero value to the business.  For example, patching operating systems on servers does not increase sales.  What makes the sales team sell more products?  The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell.  Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems?  No, we did not.  We are saying patching operating systems is not a value-add exercise.  Here's what we do recommend.  Ask every development team to identify which of their activities add no value to the business, like patching.  Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement.  You know the ones: solutions still running on on-premises VMware software, software needing monthly Java patching, and software that throws an unknown error if the wind blows the wrong way.  These systems are ripe for replacement.  It can also be a compelling sell to executives.  For example, imagine going to the CIO and CEO of Acme corporation.  You highlight that the Acme app is run by a staff of ten developers who, fully loaded, cost about $250K each.  
Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone, plus hosting fees.  You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe that if the team were to rewrite the application in a modern programming language using a serverless technology approach, the team could lower maintenance activities from 80% to 30%.  This means that the maintenance costs would decrease from $2 million to $750K each year.  Therefore, you can build a financial case for leadership to fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year.  (No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.) Now if you just did a lift and shift to AWS and ran the servers on EC2 or ECS, then you still have to patch the instance operating systems, middleware, and software -- all of which is a non-value add.  This means that you won't reduce the maintenance activities from 80% to 30%.  Don't waste developer time on these expensive transition activities; you're not going to come out ahead.  Now let's instead look at how to make that maintenance go away by switching to a serverless approach.  Imagine if the organization rewrote the VMware application to run on either:
- A third-party hosted SaaS platform such as Salesforce or Office 365, or
- A serverless AWS application consisting of Amazon S3 buckets to serve the front-end code, an Amazon API Gateway to expose REST API endpoints, AWS Lambda functions to retrieve information from a database, and DynamoDB to store the application's data.
This shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware.  
It also means developers don't spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level.  This means you made the software more secure and gave the developers more time to write new software features which can impact the business profitability.  This serverless approach truly is better and more secure.  There's a great story from Capital One you can look up in our show notes that discusses how they moved from EC2 servers to Lambda for their Credit Offers Application Interface.  The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers.  Capital One uses this newfound developer time to innovate, create, and expand on business requirements.  So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don't add value to the business. 
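The change-approval routing described earlier (auto-approve a release with zero findings, manager approval first when high or critical findings are open) is simple enough to codify once all scanners report into one place. The following is an added example, not code from the episode or from GitHub. The alert records are hand-written in the shape of GitHub's code scanning alerts API (state, rule.id, rule.security_severity_level, most_recent_instance.location); feeding it real output from the repository's code-scanning alerts endpoint is an assumption about how you would wire it, not something the episode describes.

```python
"""Route a release's change approval from its open code scanning alerts.

Added example implementing the policy discussed in the episode; it is not
code from the episode or from GitHub. Alert records are constructed in the
shape of GitHub's code scanning alerts API (state, rule.id,
rule.security_severity_level, most_recent_instance.location). Pulling them
from the REST endpoint for a repository's alerts is an assumption about
wiring; the records here are hand-written.

Policy:
  * no open alerts                     -> "auto-approve" (skip the CAB)
  * any open high or critical alert    -> "needs-manager-approval"
  * only lower-severity open alerts    -> "approve-with-findings"
Alerts already fixed or dismissed are not counted, but dismissed ones are
listed so a reviewer can see what was waived.
"""
from collections import Counter

BLOCKING = {"high", "critical"}

# Constructed sample: one open critical, one open medium, one fixed, one
# dismissed critical. File paths and rule ids are illustrative.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "js/sql-injection", "security_severity_level": "critical"},
     "most_recent_instance": {"location": {"path": "src/db.js", "start_line": 42}}},
    {"number": 2, "state": "open",
     "rule": {"id": "js/log-injection", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "src/app.js", "start_line": 10}}},
    {"number": 3, "state": "fixed",
     "rule": {"id": "js/xss", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/view.js", "start_line": 7}}},
    {"number": 4, "state": "dismissed",
     "rule": {"id": "js/hardcoded-credentials", "security_severity_level": "critical"},
     "most_recent_instance": {"location": {"path": "test/fixtures.js", "start_line": 3}}},
]


def _severity(alert):
    # security_severity_level is absent for non-security rules; treat as "note".
    return (alert.get("rule", {}).get("security_severity_level") or "note").lower()


def _where(alert):
    loc = alert.get("most_recent_instance", {}).get("location", {})
    return (alert["rule"]["id"], loc.get("path"), loc.get("start_line"))


def approval_decision(alerts):
    """Return the approval route plus the evidence a CAB reviewer would want."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    dismissed = [a for a in alerts if a.get("state") == "dismissed"]
    open_by_severity = Counter(_severity(a) for a in open_alerts)
    blocking = sorted(_where(a) for a in open_alerts if _severity(a) in BLOCKING)

    if not open_alerts:
        decision = "auto-approve"
    elif blocking:
        decision = "needs-manager-approval"
    else:
        decision = "approve-with-findings"

    return {
        "decision": decision,
        "open_by_severity": dict(open_by_severity),
        "blocking": blocking,                       # (rule id, path, line)
        "waived": sorted(_where(a) for a in dismissed),
    }


if __name__ == "__main__":
    result = approval_decision(SAMPLE_ALERTS)
    print(result["decision"])
    for rule, path, line in result["blocking"]:
        print(f"  blocking: {rule} at {path}:{line}")
```

Two design points worth keeping when you adapt this: only alerts in the `open` state count toward the route, so a dismissed critical does not block a release but is surfaced as waived, and the decision carries the rule, file and line of each blocking finding so the manager approving it sees what they are signing off on rather than just a count.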
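The value stream mapping exercise described earlier, the best-case versus current-state lead time for a vulnerability from detection to fix, comes down to recording process time and queue time per step. What follows is an added example, not code from the episode: the eight steps and their day counts are constructed to land on the episode's twenty-day versus ninety-day illustration and do not come from any real organization.

```python
"""Value stream map for fixing a scanner finding, detection to deployment.

Added example of the mapping exercise described in the episode; it is not
code from the episode. Each step records the hands-on (process) time and the
time the work typically sits in a queue waiting for a handoff. Best case is
process time only; current state adds the queue time; flow efficiency is the
share of elapsed time anyone is actually working on the item. The step list
and the day counts are constructed to match the episode's twenty-day versus
ninety-day illustration, not taken from a real organisation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str
    process_days: int   # time someone is actively working the step
    queue_days: int     # time the item waits before the step starts


# Constructed current-state map (days): 20 days of work, 70 days of waiting.
STEPS = [
    Step("Triage and assign finding to owning team", 1, 5),
    Step("Team confirms the finding is real", 2, 7),
    Step("Check vendor patch availability", 1, 3),
    Step("Test patch in staging", 6, 15),
    Step("Change Advisory Board approval", 1, 10),
    Step("Wait for change window", 4, 20),
    Step("Deploy to production", 3, 7),
    Step("Verify fix and close finding", 2, 3),
]


def lead_time(steps):
    """Return (best_case_days, current_state_days)."""
    best = sum(s.process_days for s in steps)
    current = best + sum(s.queue_days for s in steps)
    return best, current


def flow_efficiency(steps):
    """Fraction of elapsed time that is actual work (process / total)."""
    best, current = lead_time(steps)
    return best / current if current else 1.0


def biggest_queues(steps, n=3):
    """Names of the n steps with the longest waits; attack these first."""
    return [s.name for s in sorted(steps, key=lambda s: s.queue_days, reverse=True)[:n]]


def with_queue_targets(steps, targets):
    """Re-map with queue times capped at the targets {step name: max days}.

    Use it to show what an improvement (e.g. weekly change windows instead of
    monthly) does to lead time before anyone changes a process.
    """
    return [
        Step(s.name, s.process_days, min(s.queue_days, targets.get(s.name, s.queue_days)))
        for s in steps
    ]


if __name__ == "__main__":
    best, current = lead_time(STEPS)
    print(f"best case {best} days, current {current} days, "
          f"flow efficiency {flow_efficiency(STEPS):.0%}")
    print("longest queues:", biggest_queues(STEPS))
    improved = with_queue_targets(STEPS, {"Wait for change window": 5,
                                          "Test patch in staging": 5})
    print("after targets:", lead_time(improved))
```

The point the numbers make is the one the episode makes: the work itself is twenty days, the waiting is seventy, so the two longest queues (change window and staging test) are worth more than any amount of speeding up the hands-on steps; capping just those two at five days cuts the ninety-day lead time to sixty-five without anyone working faster.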
Finally, World Class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game.  These CISOs partner with the business to focus on finding systems that, when re-architected to become serverless, increase performance, promote cost savings, and increase developer velocity. We appreciate your time listening to today's episode.  If this sparks a new idea in your head, please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment.  We would love to see how you are taking these cyber lessons into your organization to make better software for all of us. Thanks again for listening to CISO Tradecraft.  This is G. Mark Hardy, and until next time, stay safe out there.
References
https://www.sixsigmadaily.com/who-was-shigeo-shingo-and-why-is-he-important-to-process-improvement/
https://news.microsoft.com/speeches/satya-nadella-and-chris-capossela-envision-2016/
Galpin, T.J. (1996). The Human Side of Change: A Practical Guide to Organization Redesign. Jossey-Bass.
https://www.businesscoaching.co.uk/news/blog/how-to-break-down-barriers-to-change
Ponemon Institute and IBM. (2017). The State of Vulnerability Management in the Cloud and On-Premises.
https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/
https://www.securecodewarrior.com/
https://www.securityjourney.com/
https://checkmarx.com/product/codebashing-secure-code-training/
https://owasp.org/www-project-benchmark/
https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security
https://medium.com/capital-one-tech/a-serverless-and-go-journey-credit-offers-api-74ef1f9fde7f

Paul's Security Weekly
ESW #278 - Tim Morris, Chris Cleveland, and Mehul Revankar

Paul's Security Weekly

Play Episode Listen Later Jul 14, 2022 113:22


Introducing the concept of Tanium Data as a Service. When you've got a product like Tanium, that collects so much useful data - why would you want to keep it within Tanium? The 'Data-as-a-Service' model aims to increase the value of the Tanium product by safely sharing its data with other teams, tools, and groups within a customer's organization. This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!   Then, in the enterprise security news, CyberInt raises $28M for attack surface detection, RapidFort raises $8.5M for… pre-attack surface detection? Managing and monitoring your quantum devices? Making sure you don't lose access to your crypto wallets, IBM acquires Randori, Contrast Security makes some of their tools free, Rumble adds more interesting new features, Microsoft Defender for everyone, and more! PIXM stops phishing attacks at point of click with computer vision in the browser, protecting users from phishing beyond the mailbox in any application. With the launch of PIXM Mobile, PIXM is now delivering this capability on iPhones as well as desktop devices. Segment Resources: https://pixmsecurity.com/mobile/ This segment is sponsored by Pixm. Visit https://securityweekly.com/pixm to learn more about them!   The rise in disclosed vulnerabilities, the speed they are weaponized, and the cyber talent shortage have left teams struggling to wade through a mountain of vulnerabilities. In this discussion, Mehul will discuss the need for a new way to cut through the noise to focus teams on prioritizing and fixing those critical vulnerabilities that will most reduce risk in each organization's environment. He'll also cover how Qualys is redefining risk and vulnerability management in the latest version of VMDR and share stories of how customers have leveraged this solution to dramatically reduce risk. Segment Resources: www.qualys.com/trurisk www.qualys.com/vmdr This segment is sponsored by Qualys. 
Visit https://securityweekly.com/qualys to learn more about them!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw278