Podcasts about Sast

119 podcasts · 1,227 episodes · 48m average duration · 1 weekly episode · latest episode May 19, 2025

Note: the tag matches several unrelated uses of the string "sast" that appear in the listing below: SAST as static application security testing, SAST as South African Standard Time (UTC+2), SAST as the Sexual Addiction Screening Test, and Latvian words such as sastāvs ("composition", "line-up").

Latest podcast episodes about Sast

Global Medical Device Podcast powered by Greenlight Guru
#407: Cybersecurity in MedTech: FDA Compliance, Patient Safety & the Hidden Risks You're Missing

Global Medical Device Podcast powered by Greenlight Guru

Play Episode Listen Later May 19, 2025 42:21 Transcription Available


Christian Espinosa, founder of Blue Goat Cyber and a leading voice in medical device cybersecurity, joins Etienne Nichols to unpack the urgent and often misunderstood topic of cybersecurity in MedTech. From FDA's 2023 regulatory overhaul to real-world hacking scenarios that could harm patients, Christian provides practical advice for innovators, RA/QA professionals, and software teams. He also shares why waiting until the last minute on cybersecurity could cost startups millions—or even kill a project entirely. Whether you're a quality professional trying to build compliant systems or an innovator racing toward FDA submission, this episode lays out exactly what you need to know to stay ahead of cyber threats and within regulatory guardrails.

Key Timestamps:
  • 00:01 – Intro to guest Christian Espinosa and Blue Goat Cyber
  • 06:28 – Why medical device cybersecurity is different from traditional IT security
  • 11:49 – Real-world hacking example: acne laser device turned skin-burner
  • 13:57 – FDA expectations post-September 2023: what changed
  • 17:12 – Secure boot: a microcontroller mistake that derailed a launch
  • 20:35 – Common cybersecurity vendor mistake MedTech companies make
  • 23:40 – SBOM: Software Bill of Materials and why it's legally critical
  • 27:58 – Cyberattacks in hospitals: assuming a hostile network
  • 35:44 – AI in medical devices: data bias and cybersecurity challenges
  • 41:10 – Developers ≠ cybersecurity experts: the training gap nobody talks about
  • 45:20 – What RA/QA professionals need to know now
  • 49:30 – Why cybersecurity must be iterative, not a final-phase add-on
  • 55:20 – Espinosa's final advice for MedTech professionals
  • 57:52 – The story behind "Blue Goat Cyber"

Standout Quotes:
  • "Cybersecurity for medical devices isn't about data breaches—it's about patient harm. You could paralyze someone or misdiagnose sepsis. This isn't theoretical." — Christian Espinosa, on the real risks of insecure devices
  • "Most developers don't understand cybersecurity. We assume they do—but that's like expecting an architect to be a locksmith." — Christian Espinosa, on why so many devices fail security assessments

Top Takeaways:
  • Cybersecurity isn't just about data, it's about patient safety. From burning skin to missed sepsis diagnoses, vulnerabilities in devices have real-world harm potential.
  • FDA now requires more than just a basic security plan. Post-September 2023 rules mandate testing (SAST, DAST, fuzzing), SBOMs, and risk assessments tied to patient harm.
  • Start cybersecurity planning during the requirements phase. Hardware like microcontrollers must support secure boot and other protections; retrofits can cripple product plans.
  • Iterate cybersecurity like any core development activity. One-time testing near submission is too late; build security into your pipeline just like QA or usability.
  • Traditional cybersecurity vendors aren't enough. Many fail to meet FDA's nuanced expectations for medical devices, causing costly submission rejections.

References & Resources:
  • Christian Espinosa on LinkedIn
  • Blue Goat Cyber
  • Etienne Nichols on LinkedIn
  • MedTech 101 – Understanding SBOM (Software Bill of...
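The SBOM takeaway above only pays off if somebody consumes the SBOM: the document exists so that a component list can be matched against advisories for the life of the device. The following is an added example written for this page, not code from Blue Goat Cyber, Greenlight Guru or the FDA. It reads a CycloneDX SBOM and reports every component whose version is below an advisory's fixed version. The SBOM, the advisory list and its identifiers (ADV-2024-0001 and so on) are constructed for illustration and do not refer to real packages' vulnerabilities.

```python
"""Match a CycloneDX SBOM against an advisory list (added example).

Not code from any vendor or podcast on this page. The SBOM and the
advisory entries are constructed; the ADV-* identifiers are hypothetical.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM for a hypothetical device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "mbedtls", "version": "2.28.3",
     "purl": "pkg:generic/mbedtls@2.28.3"},
    {"type": "library", "name": "lwip", "version": "2.1.3",
     "purl": "pkg:generic/lwip@2.1.3"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"}
  ]
}
"""

# Constructed advisory feed: each entry names a package and the first
# version carrying the fix; every version below it is affected.
ADVISORIES = [
    {"id": "ADV-2024-0001", "package": "mbedtls", "fixed_in": "2.28.4"},
    {"id": "ADV-2024-0002", "package": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-2024-0003", "package": "lwip", "fixed_in": "2.1.0"},
]


def parse_version(version):
    """Turn '2.28.3' into (2, 28, 3) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def package_from_purl(purl):
    """'pkg:generic/mbedtls@2.28.3?arch=arm' -> ('mbedtls', '2.28.3').

    Qualifiers after '?' are dropped; the name is the last path segment.
    """
    name_ver = purl.split("?")[0].split("/")[-1]
    name, _, version = name_ver.partition("@")
    return name, version


def affected_components(sbom_json, advisories):
    """Return (purl, advisory id) pairs for components below the fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = package_from_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((comp["purl"], adv["id"]))
    return findings


if __name__ == "__main__":
    for purl, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{purl} is affected by {adv_id}")
```

The version comparison here is numeric-only: it ignores pre-release suffixes and vendor back-ports, and a real matcher uses the ecosystem's version semantics and the advisory's full affected range. The other failure mode is on the input side: a component missing from the SBOM, or carrying a wrong purl, produces a silent miss rather than an error, which is why SBOM completeness is reviewed before the match output is trusted.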

Defense in Depth
The CISO's Job Is Impossible

Defense in Depth

Play Episode Listen Later May 15, 2025 33:10


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining us is Joey Rachid, CISO, Xerox.

In this episode:
  • It's a balancing act
  • Choose to leave the kids' table
  • Your team is essential
  • Don't change CISOs midstream

Huge thanks to our sponsor, Backslash. Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters "triggerable" vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration. Learn more at https://www.backslash.security/

Cloud Security Podcast by Google
EP224 Protecting the Learning Machines: From AI Agents to Provenance in MLSecOps

Cloud Security Podcast by Google

Play Episode Listen Later May 12, 2025 30:40


Guest: Diana Kelley, CSO at Protect AI

Topics:
  • Can you explain the concept of "MLSecOps" as an analogy with DevSecOps, with 'Dev' replaced by 'ML'? This has nothing to do with SecOps, right?
  • What are the most critical steps a CISO should prioritize when implementing MLSecOps within their organization? What gets better when you do it?
  • How do we adapt traditional security testing, like vulnerability scanning, SAST, and DAST, to effectively assess the security of machine learning models? Can we?
  • In the context of AI supply chain security, what is the essential role of third-party assessments, particularly regarding data provenance?
  • How can organizations balance the need for security logging in AI systems with the imperative to protect privacy and sensitive data? Do we need to decouple security from safety or privacy?
  • What are the primary security risks associated with overprivileged AI agents, and how can organizations mitigate these risks?
  • Top differences between LLM/chatbot AI security vs AI agent security?

Resources:
  • "Airline held liable for its chatbot giving passenger bad advice - what this means for travellers"
  • "ChatGPT Spit Out Sensitive Data When Told to Repeat 'Poem' Forever"
  • Secure by Design for AI by Protect AI
  • "Securing AI Supply Chain: Like Software, Only Not"
  • OWASP Top 10 for Large Language Model Applications
  • OWASP Top 10 for AI Agents (draft)
  • MITRE ATLAS
  • "Demystifying AI Security: New Paper on Real-World SAIF Applications" (and paper)
  • LinkedIn Course: Security Risks in AI and ML: Categorizing Attacks and Failure Modes

Defense in Depth
How Much Should Salespeople Know About Their Product?

Defense in Depth

Play Episode Listen Later May 1, 2025 27:18


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is Jay Jay Davey, VP of cyber security operations, Planet.

In this episode:
  • Aligning incentives
  • The realities of the job
  • Delivering ROI
  • Holistic cybersecurity

Thanks to our sponsor, Backslash Security. Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters "triggerable" vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration. Learn more at www.backslash.security.

Defense in Depth
Why Are We Still Struggling to Fix Application Security?

Defense in Depth

Play Episode Listen Later Apr 24, 2025 28:14


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Eric Gold, chief evangelist, Backslash.

In this episode:
  • Start with the culture
  • Moving AppSec to a higher level
  • A strategy for security
  • Maturing the basics

Thanks to our sponsor, Backslash Security. Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters "triggerable" vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration.

Krustpunktā
Krustpunktā discussion on NATO's requirement that Latvia increase the numerical strength of the NBS (National Armed Forces)

Krustpunktā

Play Episode Listen Later Mar 12, 2025


NATO's demand that Latvia increase the numerical strength of the NBS: by how much, and how is that possible? A Krustpunktā discussion with Jevgēnijs Rjaščenko Šaraks, adviser to the Minister of Defence; Jānis Skrastiņš, secretary of the Saeima Defence, Internal Affairs and Corruption Prevention Committee; retired Vice Admiral Gaidis Andrejs Zeibots; and Inga Šņore, journalist with the Latvian Television programme "De facto". We also speak with Mārtiņš Vērdiņš, author of the blog "Vara bungas" and reserve captain, and with Kaspars Gorkšs, director general of the Employers' Confederation of Latvia.

Software Engineering Radio - The Podcast for Professional Software Developers

Tanya Janca, author of Alice and Bob Learn Secure Coding, discusses secure coding and the secure software development life cycle with SE Radio host Brijesh Ammanath. This session explores how integrating security into every phase of the SDLC helps prevent vulnerabilities from slipping into production. Tanya strongly recommends defining security requirements early, and discusses the importance of threat modeling during design, secure coding practices, testing strategies such as static, dynamic, and interactive application security testing (SAST, DAST and IAST), and the need for continuous monitoring and improvement after deployment. This episode is sponsored by Codegate.ai

Paul's Security Weekly
The Future of Cyber Regulation in the New Administration - Ilona Cohen, Jenn Gile - ESW #395

Paul's Security Weekly

Play Episode Listen Later Feb 24, 2025 118:52


In this interview, we're excited to have Ilona Cohen to help us understand what changes this new US administration might bring, in terms of cybersecurity regulation. Ilona's insights come partially from her own experiences working from within the White House. Before she was the Chief Legal Officer of HackerOne, she was a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB). In this hyper-partisan environment, it's easy to get hung up on particular events. Do many of us lack cross-administration historical perspective? Probably. Should we be outraged by the dissolution of the CSRB, or was this a fairly ordinary occurrence when a new administration comes in? These are the kinds of questions I'll be posing to Ilona in this conversation.

How the Change Healthcare breach can prompt real cybersecurity change

'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.

Segment Resources:
  • Microsoft Defender for Cloud Natively Integrates with Endor Labs
  • 2024 Dependency Management Report
  • How to pick the right SAST tool

In the enterprise security news:
  • Change Healthcare's HIPAA fine is vanishingly small
  • How worried should we be about the threat of AI models? What about the threat of DeepSeek? And the threat of employees entering sensitive data into GenAI prompts?
  • The myth of trillion-dollar cybercrime losses is alive and well!
  • Kagi Privacy Pass gives you the best of both worlds: high quality web searches AND privacy/anonymity
  • Thanks to the UK for letting everyone know about end-to-end encryption for iCloud!
  • What is the most UNHINGED thing you've ever seen a security team push on employees?
All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-395

Paul's Security Weekly TV
Is Shift Left Just Starting to Catch On? And Other AppSec Trends & Insights - Jenn Gile - ESW #395

Paul's Security Weekly TV

Play Episode Listen Later Feb 24, 2025 31:36


'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.

Segment Resources:
  • Microsoft Defender for Cloud Natively Integrates with Endor Labs
  • 2024 Dependency Management Report
  • How to pick the right SAST tool

Show Notes: https://securityweekly.com/esw-395

Kāpēc dizains?
Did you know that the "Lielā vāze" (Great Vase) by the National Library of Latvia consists of two parts?

Kāpēc dizains?

Play Episode Listen Later Feb 13, 2025 3:59


Told by art historian Vita Birzaka, deputy head of the art museum "Rīgas birža" and exhibition curator. Did you know that the environmental artwork "Lielā vāze" by the National Library of Latvia consists of two parts? And do you also know where the remaining quarter of the work stands? Many will have noticed the majestic orange vase by the National Library of Latvia building. It is one part of artist Ojārs Pētersons' environmental artwork "Lielā vāze", which took its place early one November morning in 2014 beside the then newly opened Gaismas pils (Castle of Light), our main book repository. Architect Gunārs Birkerts also gave his "yes" to this artwork in the library's outdoor space. The vase is just one of eight environmental artworks in lasting materials realised under the Boris and Ināra Teterev Foundation programme "Māksla publiskajā telpā" (Art in Public Space), a five-year collaboration between a private institution and the City of Riga from 2013 to 2018. Still living in the cityscape are Ēriks Božis' "Soliņi" (Benches) on the summit of Bastejkalns, Liene Mackus' bronze-cast Riga coat-of-arms lion resting by the Latvian National Museum of Art stop, Brigita Zelča-Aispure and Sandis Aispurs' "Klusā daba" (Still Life), and Aigars Bikše's "Meitene ar kurpi" (Girl with a Shoe) in the University of Latvia Botanical Garden. In its way this is a unique thing, given that there is still no consistent, sustainability-oriented overall concept for art in Riga's public space. Ojārs Pētersons' environmental object "Lielā vāze" is a single whole divided into two parts, ¾ and ¼. The larger part by the National Library is matched precisely by the smaller one at Rīga Stradiņš University on Dzirciema iela, symbolically uniting the two repositories of knowledge. Anyone can join the parts of the vase together in their mind or, looking at a map from a bird's-eye view, draw a straight line between them. Pētersons' "Lielā vāze" was inspired by Garlieb Merkel's (Garlībs Merķelis') text "Vidzemes senatne" (The Ancient Times of Vidzeme), which the artist himself has called 18th-century contemporary art rather than a historical testimony about the Latvians of that time.

A fragment of Merkel's text can be read on the vase's ceramic mosaic. Each of the more than 14,000 ceramic tiles carries one letter of the text of "Vidzemes senatne". The form of the Great Vase and the mosaic covering its surface let one read the presence of the ancient world's heritage and of historical layering, while the grey granite set into the cut is associated more with local nature and culture. As project curator Helēna Demakova said at the unveiling: "The two-part "Lielā vāze" is not a momentary whim of a brilliant artist but a feature of his signature. Recall, for instance, the sculpture "Tilts pāri jūrai" (Bridge Across the Sea) unveiled in Eckernförde, Germany, in 2014. The other part of the orange sculpture is in the artwork storage of the future Latvian Museum of Contemporary Art and is still waiting to emerge into the cityscape." It should be noted that the publication of the fragment of Merkel's text in Latvian, English, French, German, Spanish and Russian forms the third and final part of the artwork. The orange book designed by Ojārs Pētersons is available in Latvian libraries.

The BlueHat Podcast
Automating Dynamic Application Security Testing at Scale

The BlueHat Podcast

Play Episode Listen Later Feb 5, 2025 45:56


In this episode of The BlueHat Podcast, hosts Nic Fillingham and Wendy Zenone are joined by Jason Geffner, Principal Security Architect at Microsoft, to discuss his work on scaling and automating Dynamic Application Security Testing (DAST). Following on from his BlueHat 2024 session, and outlined in this MSRC blog post, Jason explains the key differences between DAST, SAST, and IAST, and dives into the challenges of scaling DAST at Microsoft's enterprise level, detailing how automation eliminates manual configuration and improves efficiency for web service testing.

In This Episode You Will Learn:
  • Overcoming the challenges of authenticated requests for DAST tools
  • The importance of API specs for DAST and how automation streamlines the process
  • Insights into how Microsoft uses DAST to protect its vast array of web services

Some Questions We Ask:
  • What's a lesson from this work that you can share with those without Microsoft's resources?
  • Can you explain what the transparent auth protocol is that you mentioned in the blog post?
  • How is your work reducing the manual effort needed to configure DAST system services?

Resources:
  • View Jason Geffner on LinkedIn
  • View Wendy Zenone on LinkedIn
  • View Nic Fillingham on LinkedIn
  • Related Blog Post: Scaling Dynamic Application Security Testing (DAST) | MSRC Blog
  • Related BlueHat Session Recording: BlueHat 2024: S10: How Microsoft is Scaling DAST

Related Microsoft Podcasts:
  • Microsoft Threat Intelligence Podcast
  • Afternoon Cyber Tea with Ann Johnson
  • Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts
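The two practical points in the episode above are that a DAST scanner needs an API description to know what to call, and needs credentials attached to every request or authenticated endpoints are never exercised. The example below is an added illustration written for this page, not Microsoft's or MSRC's code: it walks an OpenAPI 3 document, derives a baseline request per operation from the schema examples, attaches an auth header to each, and then emits one mutated request per string-typed input and probe payload. It stops at building the plan rather than sending anything. The OpenAPI document, the bearer token and the probe strings are constructed.

```python
"""Derive a DAST request plan from an OpenAPI document (added example).

Not Microsoft's or MSRC's code. The spec, token and probe strings are
constructed for illustration; nothing here talks to a network.
"""
import copy

# Constructed OpenAPI 3 document for a hypothetical service.
SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test"}],
    "paths": {
        "/users/{userId}": {
            "get": {
                "parameters": [
                    {"name": "userId", "in": "path", "required": True,
                     "schema": {"type": "integer", "example": 42}},
                    {"name": "fields", "in": "query",
                     "schema": {"type": "string", "example": "name"}},
                ],
            },
        },
        "/users": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {
                        "name": {"type": "string", "example": "alice"},
                        "age": {"type": "integer", "example": 30},
                    },
                }}}},
            },
        },
    },
}

# Probe strings substituted into every string-typed input. Constructed and
# deliberately short; a real scanner carries category-specific payload sets.
PROBES = ["' OR 1=1--", "<script>alert(1)</script>", "../../etc/passwd"]


def example_value(schema):
    """Baseline value for a schema: its example, else a type default."""
    if "example" in schema:
        return schema["example"]
    return {"integer": 1, "number": 1.0, "boolean": True}.get(schema.get("type"), "x")


def body_example(schema):
    """Baseline JSON body built from an object schema's properties."""
    return {k: example_value(s) for k, s in schema.get("properties", {}).items()}


def build_plan(spec, auth_header):
    """One baseline request per operation plus one mutated copy per
    (string input, probe). Every request carries the auth header, which is
    what makes authenticated endpoints reachable at all."""
    base = spec["servers"][0]["url"]
    plan = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            params = op.get("parameters", [])
            url, query = path, {}
            for p in params:
                value = example_value(p["schema"])
                if p["in"] == "path":
                    url = url.replace("{" + p["name"] + "}", str(value))
                elif p["in"] == "query":
                    query[p["name"]] = value
            body_schema = None
            if "requestBody" in op:
                body_schema = op["requestBody"]["content"]["application/json"]["schema"]
            baseline = {"method": method.upper(), "url": base + url,
                        "query": query,
                        "body": body_example(body_schema) if body_schema else None,
                        "headers": dict(auth_header), "mutated": None}
            plan.append(baseline)
            # Mutate each string-typed query parameter and body field in turn.
            for p in params:
                if p["in"] == "query" and p["schema"].get("type") == "string":
                    for probe in PROBES:
                        req = copy.deepcopy(baseline)
                        req["query"][p["name"]] = probe
                        req["mutated"] = ("query", p["name"])
                        plan.append(req)
            if body_schema:
                for field, s in body_schema.get("properties", {}).items():
                    if s.get("type") == "string":
                        for probe in PROBES:
                            req = copy.deepcopy(baseline)
                            req["body"][field] = probe
                            req["mutated"] = ("body", field)
                            plan.append(req)
    return plan


if __name__ == "__main__":
    # Constructed bearer token; a real scanner obtains one per target.
    for r in build_plan(SPEC, {"Authorization": "Bearer test-token"}):
        print(r["method"], r["url"], r["query"], r["body"], r["mutated"])
```

The plan separates the baseline (used to learn what a normal response looks like) from each single-field mutation, so a response difference can be attributed to one input. What the example leaves out is exactly the hard part the episode discusses: obtaining and refreshing the credential per service without per-service configuration, and handling specs whose examples are missing or stale, where the scanner has to synthesise values that pass validation before any probe reaches application logic.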

What the Dev?
294: From "shift left" to "shift everywhere" (with OpenText Cybersecurity's Dylan Thomas)

What the Dev?

Play Episode Listen Later Feb 4, 2025 13:26


In this episode, we interview Dylan Thomas, senior director of product engineering at OpenText Cybersecurity, about the evolution from shift left to shift everywhere. At the end of 2024, he predicted: "In 2025, DevSecOps will continue evolving beyond the 'shift-left' paradigm, embracing a more mature 'shift everywhere' approach. This shift calls on organizations to apply the right tools at the right stages of the DevSecOps cycle, improving efficiency and effectiveness in security practices. Lightweight analysis in IDEs will help developers catch issues early, while automation integrated into pull requests and CI/CD pipelines will ensure a cohesive 'integrate once' approach for core functions such as SAST, SCA, and increasingly DAST, particularly for API security testing." We interviewed him about his predictions, and talked about:
  • What shift everywhere is
  • Why people want to transition to this new approach
  • How to get started with shift everywhere

947 Breakfast Club
Siphiwe Tshabalala & Happy Jele are in studio: The Build Up to the Soweto Derby

947 Breakfast Club

Play Episode Listen Later Jan 31, 2025 19:17


As the FNB Stadium prepares to host another historic Soweto Derby between Kaizer Chiefs and Orlando Pirates, the biggest match on the South African football calendar takes centre stage this weekend at the Calabash. The derby is scheduled for Saturday, February 1, 2025, at FNB Stadium in Johannesburg; kick-off is at 15:30 SAST and gates open at 11:30. In the build-up to the weekend we are joined in studio by Orlando Pirates legend Happy Jele and Kaizer Chiefs legend Siphiwe Tshabalala. See omnystudio.com/listener for privacy information.

Sportacentrs.com podkāsts
#6 "eXi": the recipe for an ideal team, the fight for a place in the line-up, and coaches' favourites

Sportacentrs.com podkāsts

Play Episode Listen Later Nov 28, 2024 109:01


We present the sixth episode of the sixth season of the sports talk show "eXi", in which former Latvian athletes Jānis Sprukts (ice hockey), Žanis Peiners (basketball) and Ansis Medenis (volleyball) meet at the "Domina Shopping" centre to share stories from their own experience on sports topics that are still relevant today.

LTV Ziņu dienests
"Šodienas jautājums": What can we expect from the new, just-confirmed composition of the European Commission?

LTV Ziņu dienests

Play Episode Listen Later Nov 28, 2024 19:21


In the studio: European Parliament Vice-President Roberts Zīle (NA) and Member of the European Parliament Nils Ušakovs ("Saskaņa").

Afternoon Drive with John Maytham
Dethroned: A documentary unmasking big cat exploitation

Afternoon Drive with John Maytham

Play Episode Listen Later Nov 26, 2024 5:16


John Maytham speaks with Fiona Miles, Director of FOUR PAWS South Africa, about the upcoming screening of Dethroned, a documentary that exposes the exploitation of big cats. Fiona highlights the film's powerful exploration of the global big cat trade and the cruelty of captive breeding. The screening will take place online on 26 November 2024 at 20:00 SAST, and viewers can join at this link. Following the film, there will be a live Q&A with Fiona, Vanessa Amoroso, and director Aaron Gekoski to discuss the urgent need for big cat protection.

RecoverU
90 - How can my husband love me, and be a sex/porn addict?

RecoverU

Play Episode Listen Later Nov 20, 2024 41:50


Thank you for listening to this episode! We hope it was helpful and encouraging.

SAST test (Sexual Addiction Screening Test): https://psychology-tools.com/test/sast

If you are a betrayed partner and would like to connect with Kylene for 1:1 coaching support, please click this link and book a free connection call: https://linktr.ee/KyleneTerhune

Join the free RecoverU Facebook page for betrayed partners: www.facebook.com/groups/recoverU

For addicted spouses, check out puredesire.org and soulrefiner.org

Follow Kylene on TikTok: @KyleneTerhune and on IG: @KyleneTerhune

Absolute AppSec
Episode 265 - w/ Scott Norberg - Static Analysis

Absolute AppSec

Play Episode Listen Later Oct 31, 2024


Scott Norberg joins Ken Johnson and Seth Law for an episode of Absolute AppSec all about SAST. Scott is an ASP.NET security consultant, author, researcher and speaker. In addition to running his Opperis Technologies consultancy, Scott has recently begun working as lead application security architect at CDW. Before that he worked as lead application security engineer at Gallagher and was a senior consultant with the AppSec team at Coalfire. He has been a web security specialist for nearly two decades and holds several certifications, including Microsoft Certified Technology Specialist (MCTS) certifications for ASP.NET and SQL Server, the Certified Information Systems Security Professional (CISSP) and the CCSP. He also has an MBA from Indiana University. To find out more about Scott, check out his website https://scottnorberg.com/ as well as his 2020 book Advanced ASP.NET Core Security Vulnerabilities.
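The "shift everywhere" episode above puts lightweight static analysis in the IDE and in pull-request checks, and this episode is about SAST itself. What such a tool does underneath is taint tracking: follow data from an untrusted source through assignments and string building until it reaches a dangerous sink, and stop following it when it passes through a sanitiser. The following is an added example written for this page, not code from Absolute AppSec, Scott Norberg or any product named on this page. Its source, sink and sanitiser tables are assumptions chosen for the sample, and the sample program it analyses is constructed (it is only parsed, never run, so its undefined names do not matter).

```python
"""A tiny intra-procedural taint analyser over Python source (added example).

Not code from any podcast or vendor on this page. SOURCES, SINKS and
SANITISERS are illustrative assumptions; SAMPLE is a constructed program.
"""
import ast

SOURCES = {"input", "sys.argv", "request.args.get"}               # untrusted data enters
SINKS = {"os.system", "eval", "subprocess.run", "cursor.execute"}  # where it does damage
SANITISERS = {"shlex.quote", "int"}                                # calls that neutralise it


def dotted(node):
    """Render a Name/Attribute chain such as os.system as a string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyser(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line, sink) pairs

    def is_tainted(self, node):
        """Does the value of this expression derive from an untrusted source?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):           # e.g. sys.argv
            return dotted(node) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SANITISERS:
                return False                          # sanitiser breaks the chain
            if name in SOURCES:
                return True
            receiver_tainted = (isinstance(node.func, ast.Attribute)
                                and self.is_tainted(node.func.value))
            return receiver_tainted or any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)
        # f-strings, concatenation, % formatting: taint flows through children
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node)
                   if isinstance(c, ast.expr))

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # clean reassignment kills taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def analyse(source):
    """Return [(line, sink), ...] for every sink fed by unsanitised source data."""
    analyser = TaintAnalyser()
    analyser.visit(ast.parse(source))
    return analyser.findings


# Constructed sample: two real flows, two sanitised flows, one constant.
SAMPLE = '''
import os, shlex, subprocess, sys
host = input("host: ")
os.system("ping -c1 " + host)                        # line 4: tainted, unsanitised
safe = shlex.quote(host)
os.system("ping -c1 " + safe)                        # line 6: sanitised, no finding
count = int(sys.argv[1])
subprocess.run(f"head -n {count} log", shell=True)   # line 8: int() sanitised
query = "SELECT * FROM t WHERE id = " + request.args.get("id")
cursor.execute(query)                                # line 10: tainted via assignment
cursor.execute("SELECT 1")                           # line 11: constant, no finding
'''

if __name__ == "__main__":
    for line, sink in analyse(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```

Its limits are the ones practitioners complain about in SAST generally. It is intra-procedural (taint does not cross a function call's parameters or return value), path-insensitive (an assignment inside an if branch taints the variable for everything that follows), and it treats every entry in SANITISERS as fully cleansing, so shlex.quote clears taint even for a SQL sink where it is the wrong sanitiser. Real tools add inter-procedural summaries and per-sink sanitiser rules, and tuning those is where most of the false-positive and false-negative effort goes.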

Weekly Chat with Kenny
Who are your emerging competitors and what are the potential threats?

Weekly Chat with Kenny

Play Episode Listen Later Oct 16, 2024 52:08


In this, our final episode of the podcast, we tackle the competition! Be aware of your competition, but don't let them derail you from your goals. The Weekly Chat with Kenny was created as a support mechanism for small business owners during lockdown. Although this is the last podcast, the Weekly Chat will continue live online every Friday morning at 08h00 SAST, and it's 100% free forever. Register using this link: https://archerinspirations.com/business-coach/weekly-chat/ If you need help to grow your business, contact Kenny on email: kenny@archerinspirations.com

Kā labāk dzīvot
Loneliness: when it is a normal part of life, and when it affects health

Kā labāk dzīvot

Play Episode Listen Later Oct 10, 2024 47:55


Can loneliness affect a person's health? If so, in which cases, and are there patterns that make some people suffer more from loneliness than others? On the programme Kā labāk dzīvot this is analysed by representatives of the crisis centre "Skalbes": Kristīne Circene, project manager of the 116123 crisis helpline, and Inese Ruka, clinical and health psychologist, Jungian analyst and support-group leader. Loneliness grows every year. A third of the calls received by the crisis centre "Skalbes" concern loneliness; of those who talk about it, 41% are men and 59% women. In the long run it affects a person's mental and physical health. Loneliness is not abnormal, but if it persists, help should be sought. "The statistics show that women of all ages seek help by calling the crisis line, whereas men seek help after the age of 35, when they have already experienced something in life and run into some difficulty. For example, a romantic relationship falls apart. Our data show that they experience it as a depressive state four times more often than women, and talk about it four times more often," says Inese Ruka.

Weekly Chat with Kenny
Which customer groups of yours are declining and what are you going to do about it?

Weekly Chat with Kenny

Oct 9, 2024 | 57:40


Have you noticed a drop in customers from a particular segment? Are you unsure how to address this issue and regain their loyalty? Let's share our experiences and strategies for revitalising declining customer groups. Please feel free to share your insights and ask any questions you may have. Join us online on the Weekly Chat with Kenny every Friday morning at 08h00 SAST. Register using this link https://archerinspirations.com/business-coach/weekly-chat/ If you need help to grow your business, contact Kenny on email: kenny@archerinspirations.com

Weekly Chat with Kenny
What is your biggest challenge when it comes to building lasting relationships with your customers?

Weekly Chat with Kenny

Oct 1, 2024 | 57:59


Whether you're a seasoned entrepreneur or just starting out, chances are you've faced challenges in forming strong connections with your clients. Let's share our experiences and learn from each other. What is your biggest challenge when it comes to building lasting relationships with your customers? Please feel free to share your thoughts and experiences. Join us online on the Weekly Chat with Kenny every Friday morning at 08h00 SAST. Register using this link https://archerinspirations.com/business-coach/weekly-chat/ If you need help to grow your business, contact Kenny on email: kenny@archerinspirations.com

Weekly Chat with Kenny
How do you differentiate your product or service from your competitors?

Weekly Chat with Kenny

Sep 26, 2024 | 63:01


Stand Out or Be Forgotten: The Art of Differentiation. Welcome to the Weekly Chat with Kenny, where we delve into the challenges and triumphs of entrepreneurship. Today, we're tackling a crucial topic: differentiation. In a saturated market, how do you make your product or service unique and memorable? How do you effectively convey its value to potential customers? Join us as we explore strategies and real-world examples to help you stand out from the crowd and achieve lasting success. Join us online on the Weekly Chat with Kenny every Friday morning at 08h00 SAST. Register using this link https://archerinspirations.com/business-coach/weekly-chat/ If you need help to grow your business, contact Kenny on email: kenny@archerinspirations.com

The RSnake Show
Demo Day - DryRun

The RSnake Show

Aug 27, 2024 | 57:06


Today we sat down with James Wickett from DryRun, and Trey, and got to see how this innovative startup is using LLMs and deep integrations with GitHub to automatically find issues.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 159: CISSP Practice Questions - Assess the Effectiveness of Software Security (Domain 8.3)

CISSP Cyber Training Podcast - CISSP Training Program

Jul 18, 2024 | 19:02 | Transcription Available


Ready to fortify your software development practices against security risks? Join us as we unearth critical strategies for mitigating vulnerabilities in your code. From the seamless integration of Static Application Security Testing (SAST) into your CI/CD pipelines to refactoring code to eliminate buffer overflow issues, this episode is packed with essential insights. Discover the must-have security controls for cloud-based SaaS platforms, such as robust access controls and code obfuscation techniques. We also delve into risk assessment methodologies like FMEA, STRIDE threat modeling, and OWASP's top 10 web application security risks, equipping you with the tools to identify and prioritize threats effectively. But that's not all—our conversation extends into the realm of secure coding best practices within a DevSecOps environment. Timely feedback on vulnerabilities is crucial, and we'll show you how to integrate SAST tools into your continuous integration pipeline effectively. Learn why relying on security through obscurity is a pitfall and why thorough security assessments are vital when outsourcing software development. We emphasize the importance of automated code reviews and proper developer training to enhance software security. Finally, we share a heartfelt segment on the impact of adoption and the invaluable support our non-profit organization offers to adoptive families. Tune in for an episode that blends technical prowess with a commitment to making a positive social impact. Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Paul's Security Weekly
Bringing Autonomy to AppSec - Dr. David Brumley - ESW Vault

Paul's Security Weekly

Jun 20, 2024 | 32:22


Log4j, SolarWinds, Tesla hacks, and the wave of high-profile AppSec problems aren't going to go away with current approaches like SAST and SCA. Why? They are:
- 40 years old, with little innovation
- Haven't solved the problem
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot https://github.com/forallsecure/vulnerabilitieslab
Show Notes: https://securityweekly.com/vault-esw-12

Enterprise Security Weekly (Audio)
Bringing Autonomy to AppSec - Dr. David Brumley - ESW Vault

Enterprise Security Weekly (Audio)

Jun 20, 2024 | 32:22


Log4j, SolarWinds, Tesla hacks, and the wave of high-profile AppSec problems aren't going to go away with current approaches like SAST and SCA. Why? They are:
- 40 years old, with little innovation
- Haven't solved the problem
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot https://github.com/forallsecure/vulnerabilitieslab
Show Notes: https://securityweekly.com/vault-esw-12

Paul's Security Weekly TV
Bringing Autonomy to AppSec - Dr. David Brumley - ESW Vault

Paul's Security Weekly TV

Jun 20, 2024 | 32:22


Log4j, SolarWinds, Tesla hacks, and the wave of high-profile AppSec problems aren't going to go away with current approaches like SAST and SCA. Why? They are:
- 40 years old, with little innovation
- Haven't solved the problem
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot https://github.com/forallsecure/vulnerabilitieslab
Show Notes: https://securityweekly.com/vault-esw-12

Enterprise Security Weekly (Video)
Bringing Autonomy to AppSec - Dr. David Brumley - ESW Vault

Enterprise Security Weekly (Video)

Jun 20, 2024 | 32:22


Log4j, SolarWinds, Tesla hacks, and the wave of high-profile AppSec problems aren't going to go away with current approaches like SAST and SCA. Why? They are:
- 40 years old, with little innovation
- Haven't solved the problem
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot https://github.com/forallsecure/vulnerabilitieslab
Show Notes: https://securityweekly.com/vault-esw-12

Kā labāk dzīvot
How to navigate the ingredients of food products, and what to pay attention to?

Kā labāk dzīvot

Jun 13, 2024 | 48:15


Should we know what we eat, literally? All these codes, letters and numbers: what do they mean? On Kā labāk dzīvot we discuss how to navigate the ingredients of food products and what to pay attention to. Weighing in are dietitian Lolita Neimane, director of the Rīga Stradiņš University study programmes "Uzturs" and "Uzturzinātne" and president of the Latvian Association of Dietitians and Nutrition Specialists; Pēteris Liniņš, representative of the Latvian Federation of Food Enterprises; and Inga Birzniece, head of the Health Promotion and Addiction Prevention Division of the Public Health Department of the Ministry of Health. On the programme we discuss the food labelling system "Nutri-Score", which was created in France and has recently been introduced more and more in Latvia as well. It makes it easy to assess a product's nutritional value and compare different products in the same category, in order to improve public understanding of healthier nutrition and help people choose. Products labelled green are products with higher nutritional value, whereas products labelled dark orange (or red) are products containing larger amounts of ingredients that should be limited in the daily diet. We also hear shoppers' views on whether such a system helps them choose healthier food. Perhaps some additional system is needed that would indicate how healthy a product is, or the opposite.

Brakeing Down Security Podcast
Tanya Janca Talks secure coding, Semgrep Academy, and community building, and more!

Brakeing Down Security Podcast

Jun 1, 2024 | 87:18


Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec
Join the Discord! https://discord.gg/brakesec
#youtube VOD (in 1440p): https://www.youtube.com/watch?v=axQWGyd79NM

Questions and topics:
Bsides Vancouver discussion
Semgrep Community and Academy
Building communities
What are 'secure guardrails'
Reducing barriers between security and developers
How to sell security to devs: "hey, if you want to see us less, buy/use this?" "Security is your barrier, but we have goals that we can't reach without your help." https://wehackpurple.com/devsecops-worst-practices-artificial-gates/
How are you seeing things like AI being used to help with DevOps, or is it just making things more complicated? Not just helping write code, but infrastructure Ops, software inventories, code repo hygiene, etc?
OWASP PNW https://www.appsecpnw.org/
Alice and Bob coming next year!

Additional information / pertinent Links (Would you like to know more?):
shehackpurple.ca
Semgrep (https://semgrep.dev/)
https://aliceandboblearn.com/
https://academy.semgrep.dev/ (free training)
Netflix 'paved roads': https://netflixtechblog.com/how-we-build-code-at-netflix-c5d9bd727f15
https://en.wikipedia.org/wiki/Nudge_theory
https://www.perforce.com/blog/qac/what-is-linting
https://www.youtube.com/watch?v=FSPTiw8gSEU
https://techhq.com/2024/02/air-canada-refund-for-customer-who-used-chatbot/

Show points of Contact:
Amanda Berlin: @infosystir @hackershealth
Brian Boettcher: @boettcherpwned
Bryan Brake: https://linkedin.com/in/brakeb
Brakesec Website: https://www.brakeingsecurity.com
Youtube channel: https://youtube.com/@BrakeSecEd
Twitch Channel: https://twitch.tv/brakesec

Propulsion Swimming Podcast
E198 - Lucy Grieve: Stirling Swimming Success

Propulsion Swimming Podcast

May 18, 2024 | 40:22


Following her selection to the Aquatics GB squad for the European Championships 2024 in Belgrade, we speak to University of Stirling Swimming's Lucy Grieve on this week's episode of the Propulsion Swimming Podcast. We speak to Lucy about her journey from SAST to Stirling, how she and Keanna MacInnes make perfect training partners along with the entire Stirling squads, and her hopes for this summer's European Champs. AP Race London International - https://events.aprace.club/events/aprli24/

Relating to DevSecOps
Episode: #070: Putting da BOM in SBOM and SCA

Relating to DevSecOps

May 8, 2024 | 39:32


Ken and Mike discuss supply chain security, including software composition analysis (SCA) and software bill of materials (SBOM). They highlight the importance of understanding the components that make up your software and the risks associated with using third-party libraries. They also discuss recent supply chain failures, such as the XZ library hack and the SolarWinds attack. The hosts emphasize the need for organizations to stay up to date with software patches and to consider the security of commercial off-the-shelf software. They caution against placing too much focus on any one security tool or approach, including SBOM, and instead advocate for a well-rounded approach to security.

csúnyarosszmajom
#200 - Defending against eagle attacks with camel Lego

csúnyarosszmajom

Apr 30, 2024 | 103:42


The Octavia is not a sedan; should an amnesiac criminal be punished; would Steve Jobs drive a Tesla; what is the bubble in Bubble Tea made of; would we call an interior designer; what is the point of the foot-washing pool at the swimming baths; in which sport is it easiest to qualify for the Olympics; do satellite-image analysis programs recognise the word HELP; why does the speaker hum even when the computer is switched off; why are there no trolleybuses in Buda; can you make zizi (puffed rice) at home; do sex partners need to be Facebook friends; is reaching into a socket with a body statically charged by a sweater a double electric shock; what causes the "ant football" static on the TV; can cooked meals be eaten cold; does a hairless cat lick itself; why do we talk in our sleep; how big a problem would an LGBTQ conference broken up in Budapest be; is there more water in the two humps of a Bactrian camel; why doesn't Puzsér run again; would a chicken in VR goggles be a good drone pilot; is the National Bank's inflation-stoking policy theft; why does everyone become an auntie or uncle in old age; which food we hated as children have we come to love by now? Music: Shocking Blue.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 135: Navigating Software Development Security from Design to Deployment (Domain 8)

CISSP Cyber Training Podcast - CISSP Training Program

Apr 25, 2024 | 9:17 | Transcription Available


Ready to conquer the CISSP exam with flying colors? This week, we've zeroed in on Domain 8 – the soul of software development security! I'm Sean Gerber, your cybersecurity compatriot, and I'm here to guide you through the labyrinth of securing software right from its architectural blueprint to its final lines of code. We kick things off with a bang, dissecting the crucial role of design and architecture in embedding security into your SDLC. It's not just about building software; it's about fortifying it from the foundations! As we navigate through this treasure trove of knowledge, we'll demystify the enigmatic world of application security testing. You'll learn to distinguish your SAST from your DAST, and why a meticulous code review can be your best defense against hidden vulnerabilities. Plus, we decode the wisdom of OWASP, ensuring you're armed with the latest strategies to safeguard your applications against cyber threats. And for those exhilarating runtime challenges? We shine a spotlight on vulnerability scanning – your dynamic sentinel in the ever-evolving battleground of cybersecurity. Join me for an episode that's not just informative, but a strategic playbook for your CISSP triumph! Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free. Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Endalínan
Episode 232 - The big dance is getting closer, the games are heating up

Endalínan

Apr 24, 2024 | 71:24


The big dance is now well and truly getting closer! One game left in the quarter-finals; we thank Álftanes and Höttur for the season and look ahead!

The Secure Developer
Unravelling Trends In Data Security With Danny Allan

The Secure Developer

Mar 20, 2024 | 36:58


Episode Summary
Are you curious about the ever-changing landscape of data security? In this episode, we are joined by Danny Allan, the newly appointed Chief Technology Officer at Snyk, to delve into the evolving landscape of data security. In our conversation, we discussed his professional background and how he went from hacking security systems at university to becoming a security expert at Snyk. Hear about his experience in dynamic application security testing and the challenges and opportunities of working for large companies. We unpack how controlling human actions can reduce security vulnerabilities, the nuances of running cloud-hosted services, and how the techniques used for static application security testing have changed. Danny explains the importance of considering security aspects during the early stages of software development and how governance has integrated into data security measures. Gain valuable insights into the ever-changing landscape of data security, AI's potential role in revolutionizing security practices, and much more.
Show Notes
In this episode, Guy Podjarny is joined by Danny Allan, the new CTO at Snyk. Danny shares his fascinating career journey that has taken him in and out of the application security space over the past 20+ years. They discuss how application security practices like static analysis (SAST) and dynamic scanning (DAST) have evolved, with SAST becoming much faster and easier to integrate earlier in the development cycle. Danny reflects on what has changed and what has surprisingly stayed the same since his earlier days in AppSec. The conversation digs into the intersections between application security, data security, cloud security, and how these domains are becoming more interconnected as the same teams take on responsibilities across these areas. Danny draws insights from his recent experience at Veeam, highlighting how practices like data immutability and multi-person authorization grew in importance to combat ransomware threats. Looking ahead, Danny and Guy explore the potential impact of AI/ML on application security. From automating threat modeling to personalizing vulnerability findings based on developer interests to generating rules and fixes, Danny sees AI unlocking many opportunities to transform AppSec practices. Overall, this episode provides a unique perspective spanning Danny's 20+ year career in security. His experiences illustrate the evolution of AppSec tooling and processes, the blurring of domains like app/data/cloud security, and how AI could radically reshape the future of application security.
Links
VMware
Veeam
Snyk - The Developer Security Company
Follow Us
Our Website
Our LinkedIn

Sportacentrs.com podkāsts
Listening room | "Futbolbumbas": everything you need to know about the upcoming Virslīga season

Sportacentrs.com podkāsts

Mar 7, 2024 | 136:54


"Futbolbumbas" hosts Edmunds Novickis and Arkādijs Birjuks continue the tradition started in 2021: a few days before the start of the football Virslīga season, a long conversation discussing the teams' readiness for it. Line-ups, predictions, coincidences and emotions.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 119: Practice CISSP Questions – Integrated Product Team (IPT) and Waterfall, Spiral, Agile, Scrum Development (D8.1.2-8.1.5)

CISSP Cyber Training Podcast - CISSP Training Program

Feb 29, 2024 | 15:21 | Transcription Available


Unlock the secrets to crafting impenetrable software as we delve into Domain 8 of the CISSP exam, where design and architecture reign supreme in the security integration battle. Prepare to have your coding paradigms shifted and your architectural blueprints fortified in this episode, which is nothing short of a cyber-fortification masterclass. We tackle the most critical phase of the SDLC and reveal how a well-laid foundation can make or break your software's defensive capabilities. Whether you're a seasoned professional or just starting, the insights shared here will be the cornerstone of your cyber defense strategy. This week, we're not just passing along knowledge; we're equipping you with the tools to revolutionize your approach to software development and security. We unpack SAST techniques, emphasizing the importance of meticulous code reviews in sniffing out potential vulnerabilities. Additionally, we demystify OWASP, providing a treasure trove of resources for web application security that's ripe for the taking. And if you're intrigued by the concept of integrated product teams, you'll find our exploration into their role in software development to be invaluable. By the end of this podcast, you'll understand why these teams are integral to fostering collaboration and innovation in the pursuit of unbreakable software. Join us on this journey to elevate your CISSP readiness and cybersecurity prowess. Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Resilient Cyber
S6E5 - Jeevan Singh - Scaling Application Security

Resilient Cyber

Jan 26, 2024 | 36:59


- Let's start off by discussing everyone's favorite topic, vulnerability management. When it comes to AppSec, obviously there's been a big push to "shift security left", which comes with CI/CD pipelines, SAST, DAST, secrets scanning, IaC scanning etc. How have you handled scaling AppSec effectively without burdening Dev teams with massive vulnerability lists and being a blocker for production and delivery?
- There's a lot of tools to choose from, across a lot of various categories, from source, build and runtime. How have you navigated selecting the right tools for the job? What about actually integrating, tuning and optimizing them when the team is often already stretched thin?
- On the tooling front, what has been your experience between vendor tools vs. OSS options? What are some of the pros and cons you have seen from each?
- Behind all the technology is people. How have you approached building your AppSec teams?
- There's some nuances between existing team members and building the team. When you begin a new role, how have you approached building rapport among the team, getting trust, understanding historical team and org context and so on?
- You seem to continue to find yourself in various leadership roles in AppSec, even after a recent move back to an IC role. Why do you think that is, and what skills have helped you stand out as someone others want to work with, and even for in some cases, as a leader?
- What are some of your go-to resources for learning more about AppSec and keeping up to date on such a fast-moving and dynamic space?

Reimagining Cyber
Cover All Bases: Application Security Testing - Ep 73

Reimagining Cyber

Nov 28, 2023 | 18:27 | Transcription Available


In this insightful episode of "Reimagining Cyber," hosts Rob Aragao and Stan Wisseman underscore the criticality of deploying diverse testing methods, including Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), for a comprehensive assessment and effective mitigation of vulnerabilities in the cyber landscape. The hosts meticulously explore the nuances differentiating SAST and DAST, highlighting that SAST involves meticulous inside-out analysis through source code examination, while DAST employs a strategic outside-in analysis by rigorously testing running applications. Delving into the intricacies, they address challenges related to false positives in static analysis and illuminate coverage issues within dynamic testing methodologies. The conversation seamlessly extends to emphasize the paramount importance of seamlessly integrating security testing into the development workflow, thereby minimizing friction for developers. The hosts delve into the evolving role of developers in the realm of security testing, showcasing a notable shift towards early integration of dynamic tests within the software development lifecycle. Introducing the pivotal concept of Software Composition Analysis (SCA), the hosts accentuate its indispensable role in the identification and management of vulnerabilities stemming from open-source components. They underscore the significance of comprehensive awareness about the components utilized in applications, enabling swift responses to zero-day vulnerabilities and adeptly addressing licensing concerns. Conclusively, the discussion advocates for a holistic approach to application security, encompassing SAST, DAST, and SCA methodologies. The hosts ardently stress the necessity of striking an optimal balance between development velocity and rigorous testing to proactively avert the potential high costs and repercussions associated with security breaches.
Stay tuned for actionable insights that empower your cybersecurity strategy! Follow or subscribe to the show on your preferred podcast platform. Share the show with others in the cybersecurity world. Get in touch via reimaginingcyber@gmail.com

The RSnake Show
S07E05 - Navigating AI in Application Security: Insights from Kyle Hankins

The RSnake Show

Nov 22, 2023 | 105:42


Plunge into the thrilling world of application security with Kyle Hankins, a seasoned expert in the field. In a riveting conversation, Kyle delves into the intricate dance between red team offense and blue team defense strategies, unraveling how they shape the backbone of robust app security. But here's where it gets even more fascinating – AI's emerging role in this high-stakes domain. With AI being a hotly debated topic in both application and network security, Kyle sheds light on its potential pitfalls and promises. Join us for this deep dive with Kyle Hankins, where we peel back the layers of this complex, ever-evolving landscape.
0:00 Intro
1:09 Kyle's background
6:28 Differences in security testing
8:11 Mobile app testing and SAST
13:02 SAST vs DAST
19:33 Culture change in infosec
21:06 Shifting to the left
23:44 Security and AI
29:25 Reducing time to the X
36:25 AI to estimate more accurate time to fix
39:42 Faster detection rates
40:47 The good and bad with AI predictions
55:22 AI without metacognition and laziness
1:04:28 OWASP LLM Top 10
1:05:53 White House executive order on AI
1:09:26 Speaking like an LLM
1:14:24 Reducing dwell time
1:19:24 SAST and LLMs
1:22:57 Threat modeling and IAST
1:38:58 Non-determinism and static rules
1:44:56 Outro

Relating to DevSecOps
Episode #060: Precise Angles for Automation in DevSecOps Adventures

Relating to DevSecOps

Jun 22, 2023 | 56:48


In this captivating episode of R2DSO, hosts Ken and Mike embark on an exploration of security automation in the realms of application and cloud security. With a keen understanding of the pitfalls, they emphasize the need for precision, consistency, and repeatability. Stepping beyond the traditional confines of scanning, and automation techniques destined for failure, they offer insightful analogies and practical advice, empowering listeners to harness the true power of secure automation. Join this engaging conversation tailored for technical application security enthusiasts and discover the keys to unlock a new era of efficiency and effectiveness.

We Hack Purple Podcast
We Hack Purple Podcast Episode 76 with Anshu Bansal

We Hack Purple Podcast

May 31, 2023 | 32:51


In episode 76 of the We Hack Purple Podcast, host Tanya Janca brings Anshu Bansal, the CEO of CloudDefense.ai, back onto the show for a second time to discuss "solving problems in application security". Tanya and Anshu have worked together quite a while, as Tanya has been an advisor at Cloud Defense since it was a drawing on the back of a napkin! We chose this topic because Anshu recently spoke at the OWASP Bay Area meetup chapter, and he told Tanya his talk was about "solving the AppSec problems". Obviously, she had to hear more about this. They dove into Anshu's definition of false positives (the traditional meaning, plus legit vulnerabilities that aren't reachable or otherwise do not cause business risk), as well as how to prioritize issues in a way that makes more sense for the business. He simplified a lot of ideas that sometimes technical folks struggle with, such as how to get your message across to the business so that they agree to fix what matters most.
More Anshu! Anshu generously offered to connect with any of our listeners on LinkedIn: https://www.linkedin.com/in/anshubansal/ He's part of the Cloud Defense blog https://www.clouddefense.ai/blog They also have a Newsletter https://www.clouddefense.ai/contact
Very special thanks to our sponsor: Semgrep! Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable. Get Your Free Trial Here! Semgrep also makes a ludicrously fast static analysis tool. They have a free and paid version of this tool, which uses an open-source engine, and offers a community-created rule set! Check out Semgrep Code HERE
Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge!
You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

We Hack Purple Podcast
We Hack Purple Podcast Episode 75 with Enno

We Hack Purple Podcast

May 16, 2023 | 43:31


In episode 75 of the We Hack Purple Podcast, host Tanya Janca interviews Enno, a security researcher from Semgrep. They discussed all things static analysis, including: how do we come up with SAST rules, what's important to search for, important considerations when writing rules, testing rules before wider roll out, and writing rules specifically for Semgrep. We briefly got into The Official Docs, and content creation for both internal and external use, plus its importance when trying to scale your security efforts.
Want more Enno? They can be found here!
https://www.linkedin.com/in/enno-liu/
https://www.youtube.com/@enncoded
https://youtu.be/g_Yrp9_ZK2c
https://twitter.com/enncoded
The video by Enno that we discussed can be watched here! https://twitter.com/enncoded/status/1648908623152844801
Very special thanks to our sponsor: Day of Shecurity! This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it's very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE! View the agenda here: https://guides.dayofshecurity.com/view/314270378/ If you're not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.
Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

Rune Soup
Mayan Healing, Shamanism and Plant Medicine | Rosita Arvigo

Rune Soup

Feb 23, 2023 | 63:42


This week we welcome to the show the legendary Rosita Arvigo. Rosita is the author of ten books; she is a naprapathic physician, a herbalist and a specialist in traditional Mayan healing. For decades she has lived in western Belize, operating a healing practice and maintaining an organic farm. During this time she studied under Don Elijio Panti, a powerful and famous shaman then in his nineties. (He lived to 103.) This story is described in her book, Sastún. Rosita joins us today to discuss Mayan healing and shamanism, what it entails, the state it is in today and what we can learn from it. This is a fascinating discussion that we managed to record from regional Belize all the way to Wellington, New Zealand, during a cyclone. Enjoy!
Show Notes: Rosita's website and books. Rosita on Facebook. The Abdominal Therapy Collective. Rosita presenting at the New York Botanical Garden.