Join G. Mark Hardy in a riveting episode of CISO Tradecraft as he sits down with Dustin Lehr to uncover strategies for creating security champions among developers. Explore effective techniques to inspire culture change, leverage AI tools for security, and discover the difference between leadership and management. This insightful discussion includes actionable steps to establish a robust security champions program, from defining a vision to executing with gamification. Whether you're an aspiring champion or a seasoned cybersecurity leader, this episode is packed with valuable insights to elevate your organization's security practices.
Big thanks to our sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
Transcripts - https://docs.google.com/document/d/1IgPbmnNaEF_1GIQTRxHStOoUKtZM4azH
Learn more about this topic by reading Dustin's website - https://securitychampionsuccessguide.org/ and Dustin Lehr's company site - https://www.katilyst.com/
Chapters
01:05 Meet Dustin Lehr
04:05 Leadership vs. Management
06:17 The Role of Security Champions
17:20 Recruiting Security Champions
24:42 Exploring the Framework: Vision and Goals
26:25 Defining Participants and Their Roles
28:37 Understanding the Current Setting
33:27 Conceptualizing Ideal Actions
35:20 Designing with Gamification in Mind
40:30 Effective Delivery and Continuous Tuning
41:30 Overcoming Challenges and Final Thoughts
In this episode of the DevSecOps Podcast, we explore the process of creating and implementing a Security Champions program within companies. We discuss how to identify the ideal employees to take on this role, the best strategies for engaging them, and what benefits a well-structured program can bring to organizational security. We also cover practical tips for promoting a security culture among development teams and how to align the program with business objectives.
Integrating security into the development process through DevSecOps, with a focus on training, tools for vulnerability analysis, and improved collaboration between security and development teams. Erik Hjalmarsson, Cloud Architect at Sogeti, gives an introduction to DevSecOps from the development perspective. DevSecOps is about integrating security work into the daily development process. It means collaboration and shared responsibility between the security team and the development teams. Historically there has been an imbalance where a small security team has been responsible for all security aspects, which has been hard to manage. Through DevSecOps, security work can become a natural part of every development team, through continuous training and the introduction of, for example, "Security Champions" in each team. Security Champions act as evangelists and are responsible for spreading knowledge and driving security work within the team. Through pair programming and discussions about security, awareness can grow naturally. Tools and processes for implementing DevSecOps: in the podcast Erik talks about how important it is to implement DevSecOps in a measured way that has an effect without becoming too burdensome.
Erik Hjalmarsson, Jonas Jaani (20:48)
Video version of the episode: https://youtu.be/KA5ax6AEsuw
Links / more information:
Good intro to the topic: https://github.com/resources/articles/devops/devsecops
Rapid Threat Modelling: https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs/blob/master/18x26.Tutamen%20HOWTO-Rapid%20Threat%20Model%20Prototyping.pdf
Easy-to-read intro to RTMP: https://www.infosecinstitute.com/resources/management-compliance-auditing/rapid-threat-model-prototyping-introduction-and-overview/
Whitepaper from us on DevSecOps: https://app.zagomail.com/forms/preview?id=5914
All episodes of the digitalization podcast Effekten. Subscribe: Apple Podcasts; Spotify: https://open.spotify.com/show/5Z49zvPOisoSwhwojtUoCm
Are you our next guest? Email us at info@effekten.se
Want to expand your cybersecurity team? Do it with a "Security Champions" program. Let's find out how with our guest Bonnie Viteri. Your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates. "How to Really Make Sure that Cybersecurity is Everyone's Job" (pt 1 & 2). Bonnie Viteri's LinkedIn profile: https://www.linkedin.com/in/bonnie-b-242a0b11b/
Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security.
Segment Resources:
OWASP Security Champions Guide - Get Involved! - https://owasp.org/www-project-security-champions-guidebook/#div-getinvolved
OWASP Security Champions Guide - LinkedIn page - https://www.linkedin.com/company/owasp-security-champions-guide/
The Security Champions Success Guide - https://securitychampionsuccessguide.org/
"Building a Successful Security Champions Program... What Does it Take?" - https://www.katilyst.com/post/building-a-successful-security-champions-program-what-does-it-take
Also in this episode: the code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-294
Dustin Lehr, current director of AppSec at data integration company Fivetran, joins Seth and Ken for a special episode of Absolute AppSec. Dustin has spent years helping improve companies' security cultures industry-wide, through his work co-founding Katilyst Security which focuses on helping companies create security champion programs. Additionally, in that vein, Dustin has created The Security Champion Program Success Guide and heads up the "Let's Talk Software Security" meetup. Before Fivetran, Dustin headed Application Security at Staples. To read some of his thoughts on the benefits of security champions programs as well as advice on setting it up in your organization, you can read his article here hosted on the New Stack: https://securitychampionsuccessguide.org/
Charlie Eisenhood and Josh Mansfield discuss the security threat from the Music City Open before previewing the Champions Cup, where they take a deep dive into player performance at Northwood, make some fun predictions, and lock in their picks.
0:00 MCO's Suspension of Play
13:30 Champions Cup Preview
15:15 Tattar vs Missy, Recent MPO Results
28:00 MCO's Poorly Tuned Course
32:45 Champions Cup Burning Questions
40:10 Surprise Winners, Weather Impacts
48:00 Champions Cup Picks
Human risk in cyber security is significant with the majority of successful attacks having some human element. We've all been there with fingers poised over the keyboard to click on that dodgy link or enter personal details that you know you shouldn't. In this episode we speak to Kimberley Graham and Kaye Johnson from Sage about the role of Security Champions in their organisation and how this approach could be adopted by others. We also come back to a favourite topic of innovation and how Security Champions can play a pivotal role in better innovation. Kaye is also a passionate STEM ambassador, another topic touched upon.
In the IT world, there are no people who stir up as much emotion and interest, or are shrouded in more mystery ... than security people (well, maybe the Agile Coach). So we decided to conduct an "Interview with the Security People!" To make sure it was no half-measure, we invited some serious guests: Andrzej Dyjak, who has cut his teeth in security across many areas and found all kinds of bugs (including some he is not allowed to talk about); Kuba Kałużny, who looks after security at Snowflake and, on top of that, talks about threat modeling in the language of ordinary people; and Wojtek Lesicki, who among other things looked after the security of your purchases at Allegro. In this episode of the "CTO Morning Coffee" podcast we focus on the role of security in the world of Senior Technical Leaders, including CTOs. The guests, Kuba, Wojtek and Andrzej, share their knowledge of security as a key element of software quality. They discuss the importance of Security Champions, integrating security into engineering processes, and the challenges related to communication and the cost of security in organizations. We discover how security affects day-to-day operations and technology decisions, providing valuable guidance for technical leaders.
What it was about:
The role of security in the work of Senior Technical Leaders and CTOs.
The importance of Security Champions in technical teams.
Security as an integral element of software quality.
Integrating security into engineering processes.
Using security tools and processes in the daily operation of companies.
The impact of security on organizational costs and efficiency.
Communication and education about security in organizations.
Challenges related to the positioning and added value of security.
CTO Morning Coffee is made by:
Brian Lewis is a dynamic technology leader with a robust background in software development and engineering, excelling in goal-setting, cross-team management, and effective communication. Fluent in English and Russian, he passionately advocates for security culture through initiatives like "Security Champions" programs and advising on emerging technologies. Brian's expertise in security analysis, coupled with his commitment to enhancing product security through Responsible Disclosure/Bug Bounty programs and risk assessment education, showcases his pivotal role in shaping secure systems and fostering innovation.
Check out our channel for more podcast episodes! Don't forget to follow us on our socials too to learn more tips to START, GROW and SCALE your business.
https://blueskybizconsulting.com/
https://www.facebook.com/blueskybizconsulting
https://www.instagram.com/blueskybizconsulting/
Follow him at:
LinkedIn: https://www.linkedin.com/in/brianlewis/
Company: https://www.linkedin.com/company/empire-&-great-jones-creative-arts-foundation/
Join Travis as he speaks with special guest, Doyle Turner, to discuss devops and how to implement a security champions program to improve security outcomes. We hit a variety of topics including defining security champions, tips for starting your own program, why you should, and much more. If you'd like to support the show, please consider following or subscribing at www.infosecsidekick.com/podcast Get full access to Infosec Sidekick at infosecsidekick.substack.com/subscribe
In episode 74 of the We Hack Purple Podcast, host Tanya Janca talks to guest Ray Espinoza from Inspectiv! During the podcast we honed in on how to build a positive security culture, which has several important ingredients: Security Champions, empathy, explaining 'the why', sharing information in both technical and non-technical formats, and storytelling! We talked about training, we talked about metrics, we talked about how to get your point across in an effective way, without scaring people's pants off. If you want to hear about creating a successful security champions program, how to 'win' more often, and what pitfalls to avoid, this episode is especially helpful! We ended the conversation with several calls to action for audience members, all about including more people in cyber. Young people, old people, new-to-cyber people, every race of people, every gender; we really mean EVERYONE. Ray also (very generously) offered to connect with listeners online so he could help them find mentors and meet people. This episode was great!
A bit more about Ray: Ray Espinoza is Vice President and Chief Information Security Officer at Inspectiv, Inc. With over 15 years of both tactical and security leadership experience, Ray has a proven track record of successfully building effective security programs for top companies that include eBay, Cisco, Amazon and Cobalt.io. Prior to joining Inspectiv, Ray served as VP of Cloud Security at Medallia where he was responsible for developing and executing Medallia's multi-cloud security strategy. Outside of work, Ray is the head strength and conditioning coach and an assistant football coach at Camas High School.
Where to find Ray!
LinkedIn - https://www.linkedin.com/in/ray-espinoza-b399821/
Twitter - https://twitter.com/RayEspinozaSec
Causes and groups Ray (and Tanya) support:
• Raîces Cyber
• Black Girls Hack
• Black Girls in Cyber
Very special thanks to our sponsor: Day of Shecurity! This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it's very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE! View the agenda here: https://guides.dayofshecurity.com/view/314270378/ If you're not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.
Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
We dive back into bringing guests onto the show, focusing on real problems with real people on the ground. In this episode, we are joined by Hecber Cordova, Director of Cloud Security at RBC. He shares insights around growth into DevSecOps, developing empathy with your engineering teams, creating cloud patterns, paved paths, and building secure architectures from the ground up. If you're interested in hearing from someone who has built strong security cultures in large institutions, this is an episode to listen to!
Links mentioned on the show:
https://cloudseclist.com/
https://cloudsecurityforum.slack.com
This episode features an interview with Alvina Antar, CIO at Okta. Alvina leads the Business Technology Organization and is responsible for enabling a smooth customer and employee experience. Prior to joining Okta, she spent 17 years at Dell and served as Zuora's first ever CIO. In this episode, Mike and Alvina discuss identity-first security, automating business processes through AI and ML, and leading by example to achieve a more diverse industry.
"For the longest time we've heard how there's a ton of friction between the CIO and CISO and IT and security teams. Where the security organization is developing strategies and IT hears about it and has to somehow deliver and execute against that strategy without any input around the decisions or choices that are made. And in reality, in order for us to be successful, we really need to operate as one team. And that's exactly what we're doing here. The only way we can really build a security-first culture is if we operate as one team. And not only just between IT and security, it's really building security champions across every part of the business. Every single employee should feel accountable for hardening our security posture." – Alvina Antar
Episode Timestamps:
(02:37): Alvina's journey to becoming a CIO
(05:01): How Okta uses Okta
(10:38): How Alvina thinks of her role in the current environment
(18:17): Alvina's take on security as a team sport
(22:22): Alvina's advice for speaking to the board about security
(26:29): How Alvina is building a human firewall
(30:31): 2030 Goggles
(33:10): How we can get more diversity in security
(35:29): Quick Hits
(38:09): Mike's takeaways from his conversation with Alvina
Links: Connect with Alvina on LinkedIn. Connect with Mike Anderson on LinkedIn. www.netskope.com
Alex leads the Cyber Security Consulting Group, part of Rakuten's Cyber Security Defense Department. The group's dedication is to providing global security services, including security architecture, DevSecOps tooling and integration services, delivery of technical training, and running Rakuten's Security Champion community. His focus is on empowering teams to improve security throughout the development lifecycle. Alex joins us to discuss security champions, a topic near and dear to our hearts. We get into democratizing appsec, the value of security governance and empowerment activities for security champions and the organization, how scope, cost and effort fit, and the ROI of training and security champions. We hope you enjoy this conversation with... Alex Olsen.
Visit our website: https://www.securityjourney.com/resources/application-security-podcast
FOLLOW OUR SOCIAL MEDIA:
Twitter: @AppSecPodcast
LinkedIn: The Application Security Podcast
YouTube: https://www.youtube.com/channel/UCfrTGqjSsFCQW4k6TueuY-A
Thanks for Listening!
The Application Security Podcast is brought to you by Security Journey. Security Journey delivers secure coding training to development teams and those who support them. They help enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC. TRY OUR TRAINING: https://info.securityjourney.com/try-our-training
Brandon Evans reconnects with former co-worker Marqueze "Q" Sawyers, a Senior Manager of Software Engineering at Asurion, as they chat about moving fast while failing safely when developing cloud-based applications, using tools like GitHub Actions to enable security pipelines in a DevSecOps environment, and making security look as cool as it is for Security Champions and engineers.
Our Guest - Marqueze Sawyers
Twitter: https://twitter.com/MarquezeSawyers
LinkedIn: https://www.linkedin.com/in/marqueze-sawyers-7a430467/
Resources mentioned in this episode: Blacks in Technology; Asurion Marketing Site
SPONSOR NOTE: Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs. Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security. Review and Download Cloud Security Resources: sans.org/cloud-security/ Join our growing and diverse community of cloud security professionals on your platform of choice: Discord | Twitter | LinkedIn | YouTube
In this special episode I had the honor of MC'ing a Security Awareness Month online panel for Cadre Information Security; the topic was Human Factors in Cybersecurity. The panelists were Phil Swaim, Mike Davenport, Tim O'Connor and Mike Peterson. We not only had great discussions on how to build your Security Awareness Program but also action steps you can take right now to create 'Security Champions' in your organization.
Talking Points:
So how is a Security Awareness Program different from Security Awareness Training?
Why would an organization want a Security Awareness Program?
Do only larger organizations typically have Security Awareness Programs?
Why should Social Media exploits be covered in your program and ultimately your training?
What are some of the pitfalls organizations should try to avoid when implementing Security Awareness Programs and training?
A successful bug bounty program can play a pivotal role in the security strategy for a company but defining and running such a program requires structure and maturity within an organisation. Sean Poris, Senior Director of Cyber Resilience at Yahoo knows all about the anchor elements that you need in a bug bounty program and how to drive maturity of such a program. In this fascinating conversation, Sean goes deep into how bug bounties fit into their security philosophy, and how this program has been developed and adapted over time. From there, we turn to the actual structure of the security team, with our guest shedding some light on what is required from the different roles on the teams. He explains what the Deputy Paranoids stay busy with, and how they approach hiring and educating for this position.
In light of National Cybersecurity Awareness Month, BigCommerce Senior Application Security Engineer Francis Dong joins BigCommerce Manager of Product Marketing Airon White on the Make it Big Podcast to explore how businesses can guide their internal and external teams to become security champions. With this year's Cybersecurity Awareness Month theme of “See Yourself in Cyber,” this episode focuses on the human aspect of cybersecurity. At the end of the day, it's ultimately about people. Tune in to learn how you, too, can see yourself in cyber — no matter your role. Explore more BigCommerce cybersecurity resources: BigCommerce Blog BigCommerce Engineering Blog BigCommerce YouTube BigCommerce LinkedIn Security champion training: PentesterLab Secure Code Warrior PortSwigger Web Security Academy Security culture resources: 5 Steps to Engage Your Team in Information Security
TechSpective Podcast Episode 098. In theory, cybersecurity is a top priority for most organizations. The actual execution, on the other hand, often leaves a lot to be desired. Security enablement is essential for moving cybersecurity from an aspirational concept … Astrid Bailey Discusses Security Enablement and Empowering Security Champions
The resounding sentiment from organizations is that there's major tension between development and security teams. This tension makes it nearly impossible for any AppSec program to scale, making reducing this friction mission critical. To learn how to improve the relationship between developers and security, on today's episode of the Future of AppSec Harshil speaks with Dustin Lehr, Director of Application Security at Fivetran, a Forbes Cloud 100 company that helps companies improve the accuracy of data-driven decisions by continuously synchronizing data from source applications to any destination, allowing analysts to work with the freshest possible data. Dustin is an accomplished software engineer turned information security leader. Having spent more than a decade as a software engineer, his diverse background and experience have helped him forge close partnerships with development teams, engineering teams, and software security advocates while pursuing the organizational culture shift of building good security habits into daily work. His approach focuses on communicating the importance of security, instilling a sense of urgency, and motivating the organization to shift their mindset toward "Security by Design" best practices, quality focus, and technical responsibility.
Topics:
How Dustin's background in software engineering influenced how he approached building Fivetran's AppSec program.
Why empathy is critical to improving the relationship between developers and security teams.
The importance of having an engaged and gamified Security Champions program.
Key challenges AppSec teams will face in the coming years and how they can prepare for the future.
Why Dustin created the "Let's Talk Software Security" community.
Resources:
Dustin's "Let's Talk Software Security" Slack community: https://join.slack.com/t/letstalksoftw-64x2506/shared_invite/zt-t3e59aj9-5zNThhcrj4TCd4HJwAoDZA
Dustin's current book recommendation: Actionable Gamification: Beyond Points, Badges, and Leaderboards
Harshil's conference talk: Democratizing Security: A Story of Security Decentralization
Tanya Janca, also known as @SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives. https://wehackpurple.com BrakeSec is: Amanda Berlin @infosystir Brian Boettcher @boettcherpwned Bryan Brake @bryanbrake www.brakeingsecurity.com https://twitch.tv/brakesec
Today on the Secure Developer we speak with Lena Smart, Chief Information Security Officer (CISO) at MongoDB. Lena has extensive cybersecurity experience and has worked in the security space for over 20 years. We talk with Lena about how she first got started in security, why she gets so much satisfaction from being the first CISO at a company, and what she has loved most about working at MongoDB. In our conversation, we discuss core principles around supply chain security as well as supply chain risk and what these definitions mean for practical applications. We delve into the latest executive order from the current administration and discuss some of Lena's insights on the topic. She explains why the government wants to move into automation and continuous monitoring, as well as what that process will entail. Tuning in you'll learn more about the Information Technology — Information Sharing and Analysis Center (IT-ISAC), why Lena is such a big proponent of theirs, in addition to how they are helping private and public industries work together in a trusted environment. Lena also describes her Security Champions Program and some of the exciting developments that have occurred as a result of the program. To learn more about MongoDB, how to create a thriving security culture, and more, make sure you tune in today!
In this first episode, NextRoll's Product Security Lead Nicolas Valcarcel shares how, since he was 15, he wanted to work in security. However, his career path has been far from conventional. By being part of developer teams in early-stage startups and working hand in hand with founding teams, he has been able to get a grasp on how developers and security teams see the same product in very different ways, and the common friction points that come from their interactions. In this episode, Nico shared his experience and taught us his secret sauce: advocating for engineering in the security team and advocating for security in the engineering team.
Topics discussed in this episode:
Nico's background and how he landed in the application security field.
How developers and security people think differently.
How to make developers embrace security values.
How to approach proof-of-vulnerability requests.
The importance of integrating decision makers in product and application security.
Advice for AppSec managers to build strong relationships that work for both security and engineering teams.
What critical skills you need to build an ideal AppSec team.
Keys to success in operating a Security Champions program.
3 pieces of advice for leaders that want to build and scale an AppSec program.
Brenna Leath is currently the Head of Product Security for a data analytics company where she sets the application security strategy for R&D and leads a team of security architects. Brenna originally joined us to talk about EO 14028 and the implications for private sector programs, BUT, we were chatting about security champions and product security leads, and we changed our focus to cover these topics instead. We hope you enjoy this conversation with...Brenna Leath.
The one where we talk about security champions: how it's different from DevOps, why recognition is so critical for success, and how you can get started with championing security.
In this episode of Cyber Security Inside What That Means, Camille talks with Roman Zhukov, Product Security Manager at Intel, about Security Champions and their roles in product development. The conversation covers:
- What a Security Champion is, and what they do in a product team.
- How the role of a Security Champion has changed over time with new security needs.
- How to encourage Security Champion and cybersecurity training effectively by using the carrot over the stick.
- Who is responsible for what parts of security in product development.
... and more. Don't miss it!
The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
Here are some key takeaways:
- The definition of what a “security champion” is evolves over time. The purpose is to put security first and incorporate it into every part of a company. They educate, they adopt policy, they communicate, and they help enable positive security change.
- A security champion can be a liaison between a product division and a security group.
- Their job is to ensure their team is ready to meet security needs.
- You can be trained to become a security champion, even if it isn't your formal role. They can spread knowledge to teammates.
- This is so important because users often will trust big companies or services to provide security, so much so that they won't do anything in securing themselves. So, we need someone on the product team reminding people of that and making sure security is a first priority.
- Companies that have been doing this a while and have made good strides in security have KPIs for both the business parts and the security parts.
- Originally, security champions were the bridge between the two departments (security and another like development or IT). The two sides used to battle one another, and a security champion helped them through that. Now, though, they serve more as a person who is encouraging employees to learn and to stay committed to security policy. They don't know as much as someone in the security team, but they can answer questions and relay info.
- In terms of thinking about the carrot vs. the stick tactic of getting people to think about security and be compliant with requirements, historically security has always used the stick. But what they've found is that the stick (do it because you must) only gets minimal compliance, which isn't enough in today's world. The carrot comes into play with making training fun and desirable to do. Make it a competition, and change your approach to training your personnel in security.
- Having security champions is worth finding resources for. They guide the product team, and help the team to start thinking like a hacker. Try to break the product, and then develop something to prevent that from happening.
- We need more daily security tasks (about 90%) to be completed by the native team with help from a security champion, instead of going to the central security team.
Some interesting quotes from today's episode:
“Often the case is that the term security champion is perceived as the specific job, or just even yet another buzzword. But there is not actually one specific definition, it evolves over time.” - Roman Zhukov
“Influencers from these divisions who have to really understand that security is not a feature, but a part of daily life.” - Roman Zhukov
“I think this is the era when security first mindsets start to play.” - Roman Zhukov
“The thing is, security is no longer a product feature or a company's feature. It's part of normal functionality of our organization.” - Roman Zhukov
“I know that the integration of product development life cycles and security development life cycles has been a trend, right? So I think things like that probably help. We kind of back it up so that you're not doing a security review at the very end, pre-ship, and discovering a whole bunch of problems you have to address; you're finding them along the way.” - Camille Morhardt
“Just to realign policy and establish requirements or running your scanning tool is not enough. Why? Because implementing [those] alone, they cannot help to grow security mindsets and to make these cultural shifts.” - Roman Zhukov
“Cybersecurity is widely unfair, right? A hacker needs to succeed only once to get what they want, while a business needs to succeed every day to prevent that from happening.” - Roman Zhukov
Join myself (@shellsharks) and Scott Contini (from https://littlemaninmyhead.wordpress.com) as we discuss cryptography, AppSec, Log4J and more!
Show Notes
Main Show
Little Man In My Head: https://littlemaninmyhead.wordpress.com
Java Cryptography Architecture (JCA) Reference Guide: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
NaCl: Networking and Cryptography library: https://nacl.cr.yp.to
Don't Roll Your Own Crypto: https://www.vice.com/en/article/wnx8nq/why-you-dont-roll-your-own-crypto
Sony Playstation Hardcoded Key: https://www.engadget.com/2010-12-29-hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm.html
Cryptology vs Cryptography vs Cryptanalysis: https://militaryembedded.com/comms/encryption/cryptology-cryptography-and-cryptanalysis
Deprecating MD5: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
Ron Rivest: https://people.csail.mit.edu/rivest/
Quantum Cryptography: https://csrc.nist.gov/projects/post-quantum-cryptography
AppSec Australia: https://www.meetup.com/en-AU/appsec-australia/
Grover's Algorithm: https://en.wikipedia.org/wiki/Grover%27s_algorithm
Internet Communications - TLS: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
DevSecOps: Just one definition: https://www.devsecops.org
OWASP: https://owasp.org
CAPTCHA: https://support.google.com/a/answer/1217728?hl=en
reCAPTCHA: https://www.google.com/recaptcha/about/
Analyzing the OWASP Top 10: https://shellsharks.podbean.com/e/analyzing-the-owasp-top-10-2021/
OWASP Top 10: https://owasp.org/www-project-top-ten/
OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/
SAST: https://www.synopsys.com/glossary/what-is-sast.html
Microservices: https://microservices.io
DAST: https://www.whitesourcesoftware.com/resources/blog/dast-dynamic-application-security-testing/
OWASP Zap: https://owasp.org/www-project-zap/
SCA: https://www.synopsys.com/glossary/what-is-software-composition-analysis.html
Inception: https://www.imdb.com/title/tt1375666/
Checkmarx Codebashing: https://checkmarx.com/product/codebashing-secure-code-training/
Security Champions: https://www.synopsys.com/blogs/software-security/security-champions-program-appsec-culture/
NIST SP 800-63B, Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
TruffleHog: https://trufflesecurity.com/trufflehog
Log4Shell: https://log4shell.com/
CISA on Log4J Issue: https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
Heartbleed: https://heartbleed.com
Shellshock: https://nvd.nist.gov/vuln/detail/CVE-2014-6271
The Morris Worm: https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218
ETERNALBLUE: https://nvd.nist.gov/vuln/detail/CVE-2017-0143
WANNACRY: https://www.cisa.gov/uscert/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf
Mandiant's Report on Solarwinds Incident: https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
BurpSuite: https://portswigger.net/burp
Postshow
Domain Squatting: https://www.godaddy.com/garage/what-is-domain-squatting-and-what-can-you-do-about-it/
This week, Adam and Andy talk about a security champions program. This is a way to bolster the security culture and develop representatives in each business group who understand security initiatives and evangelize them for you at your company. It's also a way to have an inner ring of testers and even, possibly, a talent pipeline. There's a lot to discuss, so listen in!
Youtube Video Link: https://youtu.be/sbnppJR-eMo
Documentation: https://www.darkreading.com/careers-and-people/how-to-implement-a-security-champions-program
Contact Us:
Website: http://bluesecuritypod.com
Twitter: https://twitter.com/bluesecuritypod
Instagram: https://www.instagram.com/bluesecuritypodcast/
Facebook: https://www.facebook.com/bluesecpod
Twitch: https://www.twitch.tv/bluesecuritypod
Andy Jaw
Twitter: https://twitter.com/ajawzero
LinkedIn: https://www.linkedin.com/in/andyjaw/
Email: andy@bluesecuritypod.com
Adam Brewer
Twitter: https://twitter.com/ajbrewer
LinkedIn: https://www.linkedin.com/in/adamjbrewer/
Email: adam@bluesecuritypod.com
Send in a voice message: https://anchor.fm/blue-security-podcast/message
All too often, the AppSec team or security team is a team of one. How can you add more people to the team without a massive increase to the budget? Persuasion! This talk was given at SecTor (Toronto) Nov 2021. Scaling your Team is part of our Application Security Program at Academy.WeHackPurple.Com
This week, we welcome Ashish Rajan, Head of Security & Podcast Host at Cloud Security Podcast, to discuss Security Champions in an Online First World! Ashish will talk about building a security champion in an online world and how SAST as it stands today will die in the world of DevOps and Cloud. This week in the AppSec News: Malware in the UAParser.js npm package, security vuln in Squirrel scripting language, a blueprint for securing software development, L0phtCrack now open source, appsec videos on Android exploitation, macOS security, & more! Show Notes: https://securityweekly.com/asw171 Segment Resources: www.cloudsecuritypodcast.tv Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Ashish will talk about building a security champion in an online world and how SAST as it stands today will die in the world of DevOps and Cloud. Segment Resources: www.cloudsecuritypodcast.tv Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw171
Co-host Scott Wright presents a new framework to help people to become “security champions” in their organization, a discussion about the great Facebook outage of 2021, and details on the Twitch data breach exposing source code and creator payouts. ** Links mentioned on the show ** Scott's Security Champions Webinar https://youtu.be/WH65jch9DKI What Happened to Facebook, […] The post Security Champions Framework, The Great Facebook Outage, Twitch Data Breach appeared first on The Shared Security Show.
Lena Smart is the kind of CISO every organization needs. In 2019, she became MongoDB's first CISO, her third chief security position, and, since joining, she has implemented programs that have transformed the company's security posture and culture. In a conversation with Tessian's CEO Tim Sadler, she reveals how and why launching a security champions program has successfully reduced phishing click-through rates, minimized threats caused by human error and helped build a stronger security culture to empower employees. She shares her tips on how you can do the same in your company. Looking for even more Human Layer Security insights? You can sign up to the Tessian newsletter and stay up to date.
In today's episode of the Secure Developer, Guy Podjarny is joined by Ashish Rajan, who is currently the Global Head of Security for a forward-thinking product company called PageUp in Melbourne, Australia. Ashish has been described as something of a cybersecurity influencer, due in large part to his very successful Cloud Security Podcast, which is on the cusp of hitting the 40,000-download mark. He also has a passion for building communities by speaking and organizing meetups and conferences in the cybersecurity space. In today's conversation, Guy and Ashish talk about the challenges of starting in a new security position when working remotely during the COVID pandemic and how to build trust and validity. Ashish expands on the concept of security champions and why this title can be given to anyone in a company with an interest in incorporating security into their day-to-day tasks, so tune in today for an in-depth discussion on cloud security and what the future holds!
In today's episode, Guy Podjarny talks to Brendan Dibbell, the application security engineer team lead at Toast, a restaurant technology company based in Boston, Massachusetts. Before moving into security, he spent years as a software developer, building mission-critical systems such as identity management, payment processing, and healthcare platforms, but has always been a vocal advocate for security. Brendan shares how they manage cloud security at Toast and what the interaction between the AppSec and the engineering team looks like, and discusses their security champion program, how it differs from the security training for regular developers, and the benefits of having created their own curriculum. Tuning in, listeners will hear how Brendan and his team measure the success of their programs, focusing on the progress rather than on a set of objectives, and talks about what metrics have and have not worked along the way. Later on, our guest explains why interrupting your workflow to solve every little risk that pops up is problematic and why it is far more important to stay focused on the bigger picture while not neglecting to address the smaller issues as you go.
Welcome to the first episode in a series where we reflect on the lessons given to us by our previous guests. This episode is a deep focus on security champions — developers with extra training who provide input from the security side of things. Our first perspective comes from episode 59 featuring Steve White, Field CISO of Pivotal, now a part of VMware. Steve shares his enthusiasm for security champion programs and speaks about their role in helping their teams make incremental security changes. After talking about why we should be moving security into the early development cycle, Steve gives advice on giving developers one security problem to focus on at a time. From Steve, we dive into episode 42 where we spoke to Kate Whalen from The Guardian. She highlights the value of organizing meetings for developers who are interested in security. These spaces, she explains, are for engineers to ask questions and come to an understanding that security is a shared responsibility. Next, we listen to Omer Levi Hevroni from episode 24, who was a maven for Asurion — their version of a security champion. He talks about the productivity challenges of being a security champion while still needing to complete your own tasks. Mirroring Kate's points, Omer emphasizes the importance of having a community to share your experiences with and how conferences and online channels like Slack can serve this need. Our last perspective is provided by Yashvier Kosaraju from episode 66. Yashvier discusses having a security partner on the security team to complement having a security champion on the development team. We talk about the advantages of this system, as it allows you to perform a security review on a project as it's being created, ensuring that timelines aren't affected. Our guests' experiences are filled with insight and wisdom. Tune in for more on how you can develop your own security champion program.
Description: In episode 1 we have been fortunate enough to be joined by Karim El-Melhaoui, who works as a security architect at the Norwegian oil fund (NBIM). We discuss why Security Champions have emerged, why they are needed, and how to introduce Security Champions in your own company/organization.
Technical level: 1/5
Overall agenda with timestamps:
00:00 - 08:56: Introduction of participants/topic, defining and explaining "Security Champions"
08:45 - 21:40: Why Security Champions?
21:40 - 23:28: Sources and more information, wrap-up
Sources mentioned/recommended:
- Security conference talks about Security Champions on YouTube, for example https://www.youtube.com/watch?v=gpGl3guuyDw&t=1648s (Blackhat EU, 2018)
- https://owasp.org/ (The Open Web Application Security Project)
- The Unicorn Project (Gene Kim, 2019)
- The Phoenix Project (Gene Kim, 2014)
Participants:
- Olav Østbye, Cloudworks
- Olav Bø-Hernes, Bouvet
- Oleg Andrushko, The Cloud People
- Karim El-Melhaoui, Oljefondet (NBIM)
Praise or criticism? We would love your feedback, both positive and on what could be improved. You can give it via "contact us" in the menu on our website, CastO3.no
Suggestions for new episodes? If you have any wishes/suggestions for new episodes, feel free to contact us in whatever way you prefer; see our website CastO3.no
For this episode, we are joined by Yashvier Kosaraju, who manages the product security team at the ever-inspiring Twilio! Yash is here to share a whole load of insights and learnings from his career, with a specific focus on the 'Security Champions' program at his current company and what management means to him coming from a consulting background. We hear from our guest about the unusual path he chose to his career and how an interest in cryptocurrency led him into the security sphere. Yash does a sterling job of unpacking the way the different security teams are laid out at Twilio, their relationships to each other and the developers, and where the lines are drawn. Our guest gives us some insight into the work that he and the team typically do and some examples of their projects and there is also time for some philosophical musings as we talk with Yash about the importance of developer empathy for anyone working in security as well as the high value he places on listening as a means to improvement. The 'champion' concept at Twilio is really inspiring and the conversation covers how this actually works within teams and departments and the incentives and rewards that are offered for better security practices. Listeners can expect to gain access to a high-level and integrated systems approach, something that could be helpful to anyone in the space!
Florian Scharf, Senior Security Officer at SIX Group, talks with Prof. Dr. Hans-Joachim Hof about the difficulties that can arise when introducing DevSecOps in a company, and explains the dos and don'ts of a mindset change in an organization.
Seth and Ken discuss bug bounties and a recent article on Paypal issues. Joined by Rohan Joshi to discuss building an application security program, QA security testing, and security champions.
All links and images can be found on CISO Series (https://cisoseries.com/defense-in-depth-amplifying-your-security-posture/)
In security, you never have enough of anything. But the scarcest resource is dedicated security people. When you're running lean, what are some creative ways and techniques to improve overall security? Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Matt Southworth (@bronx), CISO of Priceline.
Thanks to this week’s podcast sponsor, SecurityBridge
Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation.
On this episode of Defense in Depth, you'll learn:
- When you manage too many people you get to a point of saturation. Are you doing security or are you managing people?
- Core success comes from looking outside your immediate staff for security help.
- The most common programs are Security Champions and Security Prime. The first are just people outside of the InfoSec team who really want to learn about security, and the Prime players are actually implementing it.
- Look for ways to reduce overhead in terms of paperwork, meetings, and unnecessary programs. If what you're doing is not helping, stop doing it.
- Empower individuals to make their own decisions about security without the chain of command of approvals.
- Avoid giving orders, because once you do you'll always be called into a meeting on that topic.
- Use artificial intelligence (AI) to take work off of the security operations center (SOC) and incident response team.
- The "lazy" sysadmin who automates all his tasks is a highly productive member.
- Communicate to everyone that security requires the entire company's support, not just the security staff.
And here's Jan Schaumann's presentation at BsidesNYC 2016 entitled "Defense at Scale". Matt mentioned it on the show.
Welcome to the 96th episode of SDCast, which is about the security of the applications we develop. My guest is Yuri Shabalin, lead architect at Swordfish Security. In this episode we talk about SecDevOps practices, Application Security, and other aspects of the information security of software products. Together with Yura we tried to walk through the entire software development life cycle and discuss how and at which stages security mechanisms can and should be introduced: from what can be done at the stage of task definition and requirements gathering, through to active and proactive monitoring of production applications. Yura talked about the various classes of tools that help solve information security tasks, such as:
* SAST (static analysis tools)
* SCA/OSA (tools for controlling the risk of open-source components)
* DAST/IAST (dynamic/interactive analysis tools)
* Continuous integration / continuous deployment (CI/CD) tools
* Defect-management tools
We discussed how these tools can be embedded painlessly into existing CI/CD processes and how best to approach these questions when starting a new project.
Links to resources on the episode's topics:
* Basic vulnerabilities: OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
* Requirements: OWASP Application Security Verification Standard (https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Downloads)
* How to verify requirements (OWASP Testing Guide) (https://github.com/OWASP/OWASP-Testing-Guide-v5)
* BDD Security (https://continuumsecurity.net/bdd-security/). A good idea for how to automate requirements verification
* BSIMM. A framework for building an SSDL process (https://www.bsimm.com/)
* OpenSAMM. A framework for building an SSDL process (https://www.opensamm.org/)
* Nexus IQ. A platform for checking open-source components (https://www.sonatype.com/nexus-iq-server)
* Checkmarx SAST. A SAST tool (https://www.checkmarx.com/products/static-application-security-testing/)
* Appsec Orchestration. Management and orchestration of SSDL processes (https://swordfishsecurity.ru/appsechub)
* Backdoor in event-stream (https://habr.com/post/431360/)
* Several open-source deliberately vulnerable projects for training:
* DVWA (http://www.dvwa.co.uk/)
* Juice Shop (https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* iOS (http://damnvulnerableiosapp.com/)
* Android (https://github.com/dineshshetty/Android-InsecureBankv2)
* Guide for Security Champions (security-champions-playbook) (https://github.com/c0rdis/security-champions-playbook)
Liked the episode? Support the podcast on patreon.com/KSDaemon (https://www.patreon.com/KSDaemon), and also with a retweet, a post, or simply by telling your friends!
Ty Sbano, head of security at Periscope Data, talks about building Security Champions in the world of DevOps.
Friends, I am glad to present an interview with Alexander Lukyanchenko and Sergey Noskov from Avito, recorded at the recent DevOps Conf Russia 2018 conference. In this episode we once again gathered as a friendly podcaster crew together with Anton @golodnyj (https://twitter.com/golodnyj) from "The Art Of Programming" and Ivan @gliush (https://twitter.com/gliush) from "DevZen" and interviewed the folks from Avito. Sergey is a security engineer, and Alexander is a lead developer on the architecture team. They told us how the Avito platform is structured, what that term means, and how it functions. We discussed various DevOps questions, such as:
* inter-service communication,
* basic building blocks for constructing new services,
* communication between development teams and spreading knowledge,
* service security questions.
They told us how their platform and development processes have evolved in the context of information security, about ways of training and upskilling engineers, and about Security Champions: who they are and why they are needed. We also discussed various popular topics in the DevOps world: Service Mesh, container orchestration, configuration management, and monitoring and debugging of services.
Links to resources on the episode's topics:
* Alexander's article "How to run Istio using Kubernetes in production (https://habr.com/company/avito/blog/419319/)"
* Bioyino (https://github.com/avito-tech/bioyino). High performance and high-precision multithreaded StatsD server
* Video of Sergey's talk "Secrets management with Hashicorp Vault (https://www.youtube.com/watch?v=klC4ssaPHZY)"
* Various video publications on DevOps (https://tech.avito.ru/tags/video/devops) on the Avito TECH site (https://tech.avito.ru/)
Liked the episode? Support the podcast on patreon.com/KSDaemon (https://www.patreon.com/KSDaemon), and also with a retweet, a post, or simply by telling your friends!
Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch. Here are a few other resources that we’ve written about Security Champions: Do you have Security Champions [...] The post Security Champions (S03E02) – Application Security PodCast appeared first on Security Journey Podcasts.