Podcasts about Security engineering

  • 118 podcasts
  • 172 episodes
  • 35m average duration
  • 1 new episode per month
  • Latest: Apr 23, 2025
Security engineering

Popularity (chart: 2017 to 2024)


Best podcasts about Security engineering

Latest podcast episodes about Security engineering

Easy Prey
Safe AI Implementation

Apr 23, 2025 | 46:47

Red models associated with AI technologies highlight real-world vulnerabilities and the importance of proactive security measures. It is vital to educate users about how to explore the challenges and keep AI systems secure. Today's guest is Dr. Aditya Sood. Dr. Sood is the VP of Security Engineering and AI Strategy at Aryaka and is a security practitioner, researcher, and consultant with more than 16 years of experience. He obtained his PhD in computer science from Michigan State University and has authored several papers for various magazines and journals. In this conversation, he will shed light on AI-driven threats, supply chain risks, and practical ways organizations can stay protected in an ever-changing environment. Get ready to learn how the latest innovations and evolving attack surfaces affect everyone from large companies to everyday users, and why a proactive mindset is key to staying ahead.

Show Notes:
  • [01:02] Dr. Sood has been working in the security industry for the last 17 years. He has a PhD from Michigan State University. Prior to Aryaka, he was a Senior Director of Threat Research and Security Strategy for the Office of the CTO at F5.
  • [02:57] We discuss how security issues with AI are on the rise because of the recent popularity and increased use of AI.
  • [04:18] The large amounts of data are convoluting how things are understood, the complexity is rising, and the threat model is changing.
  • [05:14] We talk about the different AI attacks that are being encountered and how AI can be used to defend against these attacks.
  • [06:00] Pre-trained models can contain vulnerabilities.
  • [07:01] AI drift, also called model or concept drift, is when data in the training sets is not updated. The data can be used in a different way. AI hallucinations can also create false output.
  • [08:46] Dr. Sood explains several types of attacks that malicious actors are using.
  • [10:07] Prompt injections are also a risk.
  • [12:13] We learn about the injection mapping strategy.
  • [13:54] We discuss the possibilities of using AI as a tool to bypass its own guardrails.
  • [15:18] It's an arms race: using AI to attack AI and using AI to secure AI.
  • [16:01] We discuss AI workload analysis. This helps to understand the way AI processes. This helps see the authorization boundary and the security controls that need to be enforced.
  • [17:48] Being aware of the shadow AI running in the background.
  • [19:38] Challenges around corporations having the right security people in place to understand and fight vulnerabilities.
  • [20:55] There is risk with the data going to the cloud through the LLM interface.
  • [21:47] Dr. Sood breaks down the concept of shadow AI.
  • [23:50] There are also risks for consumers using AI.
  • [29:39] The concept of black box AI models and bias being built into the particular AI.
  • [33:45] The issue of the ground set of truth and how the models are trained.
  • [37:09] It's a balancing act when thinking about the ground set of truth for data.
  • [39:08] Dr. Sood shares an example from when he was researching for his book.
  • [39:51] Using the push and pretend technique to trick AI into bypassing guardrails.
  • [42:51] We talk about the dangers of using APIs that aren't secure.
  • [43:58] The importance of understanding the entire AI ecosystem.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:
  • Podcast Web Page
  • Facebook Page
  • whatismyipaddress.com
  • Easy Prey on Instagram
  • Easy Prey on Twitter
  • Easy Prey on LinkedIn
  • Easy Prey on YouTube
  • Easy Prey on Pinterest
  • Aditya K Sood
  • Aditya K Sood - LinkedIn
  • Aditya K Sood - X
  • Aryaka
  • COMBATING CYBERATTACKS TARGETING THE AI ECOSYSTEM: Assessing Threats, Risks, and Vulnerabilities
  • Empirical Cloud Security: Practical Intelligence to Evaluate Risks and Attacks

ITSPmagazine | Technology. Cybersecurity. Society
Detection vs. Noise: What MITRE ATT&CK Evaluations Reveal About Your Security Tools | A Conversation with Allie Mellen | Redefining CyberSecurity with Sean Martin

Mar 17, 2025 | 36:06

Guest: Allie Mellen, Principal Analyst, Forrester | On LinkedIn: https://www.linkedin.com/in/hackerxbella/
Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On ITSPmagazine: https://www.itspmagazine.com/sean-martin

Episode Notes

In this episode, Allie Mellen, Principal Analyst on the Security and Risk Team at Forrester, joins Sean Martin to discuss the latest results from the MITRE ATT&CK Engenuity Evaluations and what they reveal about detection and response technologies.

The Role of MITRE ATT&CK Evaluations

MITRE ATT&CK is a widely adopted framework that maps out the tactics, techniques, and procedures (TTPs) used by threat actors. Security vendors use it to improve detection capabilities, and organizations rely on it to assess their security posture. The MITRE Engenuity Evaluations test how different security tools detect and respond to simulated attacks, helping organizations understand their strengths and gaps.

Mellen emphasizes that MITRE's evaluations do not assign scores or rank vendors, which allows security leaders to focus on analyzing performance rather than chasing a “winner.” Instead, organizations must assess raw data to determine how well a tool aligns with their needs.

Alert Volume and the Cost of Security Data

One key insight from this year's evaluation is the significant variation in alert volume among vendors. Some solutions generate thousands of alerts for a single attack scenario, while others consolidate related activity into just a handful of actionable incidents. Mellen notes that excessive alerting contributes to analyst burnout and operational inefficiencies, making alert volume a critical metric to assess.

Forrester's analysis includes a cost calculator that estimates the financial impact of alert ingestion into a SIEM. The results highlight how certain vendors create a massive data burden, leading to increased costs for organizations trying to balance security effectiveness with budget constraints.

The Shift Toward Detection and Response Engineering

Mellen stresses the importance of detection engineering, where security teams take a structured approach to developing and maintaining high-quality detection rules. Instead of passively consuming vendor-generated alerts, teams must actively refine and tune detections to align with real threats while minimizing noise.

Detection and response should also be tightly integrated. Forrester's research advocates linking every detection to a corresponding response playbook. By automating these processes through security orchestration, automation, and response (SOAR) solutions, teams can accelerate investigations and reduce manual workloads.

Vendor Claims and the Reality of Security Tools

While many vendors promote their performance in the MITRE ATT&CK Evaluations, Mellen cautions against taking marketing claims at face value. Organizations should review MITRE's raw evaluation data, including screenshots and alert details, to get an unbiased view of how a tool operates in practice.

For security leaders, these evaluations offer an opportunity to reassess their detection strategy, optimize alert management, and ensure their investments in security tools align with operational needs.

For a deeper dive into these insights, including discussions on AI-driven correlation, alert fatigue, and security team efficiency, listen to the full episode.

Sponsors
  • LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
  • ThreatLocker: https://itspm.ag/threatlocker-r974

Resources
  • Inspiring Post: https://www.linkedin.com/posts/hackerxbella_go-beyond-the-mitre-attck-evaluation-to-activity-7295460112935075845-N8GW/
  • Blog | Go Beyond The MITRE ATT&CK Evaluation To The True Cost Of Alert Volumes: https://www.forrester.com/blogs/go-beyond-the-mitre-attck-evaluation-to-the-true-cost-of-alert-volumes/

Additional Information
✨ More Redefining CyberSecurity Podcast:

Talking Cloud with an emphasis on Cloud Security
67-Talking Cloud Podcast-with Brian McHenry, Head of Cloud Security Engineering at Check Point Software

Feb 17, 2025 | 35:28

In this episode, I sit with the Head of Cloud Security Engineering at Check Point Software. Brian McHenry joined Check Point after over a decade and a half at F5 focused on WAF. Brian has been a practitioner, a Sales Engineer, and a Product Manager. Hear why Brian left F5 and joined Check Point and what he started in NY in 2016.

Autonomous IT
Recap IT E01

Jan 30, 2025 | 31:43

Recap IT is the newest series in Automox's Autonomous IT podcast network, delivering standout moments and highlights from the past month's podcasts and live shows. If you missed a podcast or live show last month, this is the series to get you caught up and informed!

Episode Highlights:
  • (00:32 - 13:28) Autonomous IT Live – Optimize Your Endpoint Management: 3 IT Team Resolutions for 2025, E02
  • (13:29 - 15:50) Automox Insiders – Curiosity, Adaptability, and Career Growth with Ryan Jeziorski, E13
  • (15:51 - 17:07) Hands-On IT – Resilience Rewired: Building Strength and Adaptability in IT, E14
  • (17:08 - 22:05) Patch [FIX] Tuesday – January 2025 [Experts Analyze New Hyper-V, Active Directory, and macOS Vulnerabilities], E15
  • (22:06 - 25:09) CISO IT – The CISO Blueprint pt. 1: Why There Are No 'Nos' in IT with Rich Casselberry, E15
  • (25:10 - 28:51) Product Talk – Agent 2.0, New Linux CVE Data, and the Future of Autonomous Endpoint Management, E13
  • (28:52 - 31:28) Automate IT – Building Resilient IT Teams and Solutions, E12

Cloud Security Podcast
Cybersecurity Isn't Crowded: Security Engineering and the 5,000 Vendor Problem

Jan 10, 2025 | 70:13

In this episode our host Ashish Rajan sat down with Ross Haleliuk, author of Cybersecurity for Builders and creator of the Venture in Security blog, to explore the current state and future of the cybersecurity industry, from the challenges of building a cybersecurity startup to the dynamics of security engineering and market trends for 2025. Ross and Ashish explore why the cybersecurity industry isn't as crowded as it seems and the divide between companies that build in-house security and those that rely on vendors. Ross also unpacks why sales and marketing aren't “dirty words” in cybersecurity, why security engineering is “the present,” and how practitioners can balance business needs with technical aspirations.

Guest Socials: Ross's LinkedIn
Podcast Twitter: @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels:
  • Cloud Security Podcast - YouTube
  • Cloud Security Newsletter
  • Cloud Security BootCamp

If you are interested in AI Cybersecurity, you can check out our sister podcast - AI Cybersecurity Podcast

Questions asked:
  • (00:00) Introduction
  • (05:33) How Venture in Security started?
  • (09:33) Security Engineering in Cybersecurity
  • (18:18) Cybersecurity markets that will be top of mind in 2025
  • (24:15) GTM for Defender Tools
  • (30:09) Vulnerabilities vs Misconfiguration Tools
  • (37:56) How should product companies think about GTM?
  • (44:27) How to decide between different security tools?
  • (56:36) Cybersecurity for Builders book
  • (01:05:00) The Fun Section

Resources shared during the episode:
  • Venture in Security Blog
  • Cyber for Builders Book
  • Challenges in Security Engineering Programs - Rami McCarthy
  • Cybersecurity is not a market for lemons. It is a market for silver bullets
  • The Market for Silver Bullets

Taiwanology
【Taiwanology Ep.35】Google's Plan for Upskilling Taiwan's Cybersecurity

Sep 24, 2024 | 34:58

Cybersecurity is emerging as a crucial topic. Taiwan finds itself in a unique position, both as a global tech leader and as a target in a changing geopolitical landscape. According to a 2021 estimate, Taiwan undergoes 20 to 40 million cyberattacks a month. What can Taiwan do to strengthen its cybersecurity awareness and skills? We hear from Heather Adkins, Google VP of Security Engineering and a founding member of Google's security team.

  • 9:40 - Can anything be done about ransomware?
  • 12:00 - What makes Taiwan's cybersecurity situation unique?
  • 17:40 - How can Taiwan's civil society and businesses strengthen their cybersecurity resilience?
  • 23:02 - Critical infrastructure: how can we better stress test?
  • 28:25 - What kind of new threats does Generative Artificial Intelligence bring?

Host: Kwangyin Liu, Managing Editor of CommonWealth Magazine
Guest: Heather Adkins, Google VP of Security Engineering
Producer: Weiru Wang

*Read more about how Taiwan is cracking down on cyberfraud: https://english.cw.com.tw/article/article.action?id=3572
*Share your thoughts: bill@cw.com.tw
Leave a comment and tell me what you think of this episode: https://open.firstory.me/user/cledx9shs004801v3cmkogc7e/comments

Powered by Firstory Hosting

The Tech Blog Writer Podcast
3018: Tesco and the Future of Retail Security

Sep 8, 2024 | 42:36

In this episode of Tech Talks Daily, I explore the evolving landscape of cybersecurity in retail with Veroniki Stamati, Director of Security Engineering and Operations at Tesco. Veroniki's experience spans a variety of industries, including online platforms like PokerStars and Skyscanner, giving her a unique perspective on how technology can drive innovation while ensuring security. Veroniki shares her transition from the travel and entertainment industries to the retail sector, offering insights into how Tesco harnesses technology to protect its vast customer base. She delves into her current role, where she leads a team focused on building secure products, while balancing the need for innovation and security. We discuss Tesco's forward-thinking approach to security, which includes principles like "everything as code" and integrating security within product development and platform delivery. Throughout the conversation, Veroniki sheds light on the most pressing security threats facing the retail industry today, such as data theft, customer-targeted scams, and the impact of regulatory changes. We also touch on the exciting role that generative AI is playing in shaping the future of security operations, especially in data management. Diversity in tech is another key focus. Veroniki highlights Tesco's efforts to increase female representation and foster diversity of thought within security roles. Programs like "train, deploy, hire," along with partnerships with STEM programs and tech colleges, are creating new opportunities for a diverse talent pool to enter the security space.

Engineering Kiosk
#139 Security Engineering und Hacking-Wettbewerbe mit Frederik Braun von Mozilla

Sep 3, 2024 | 73:05

Security Engineering and Hacking Competitions (“Capture the Flag”)

Everything is going digital and there is an app for everything. Such rapid proliferation whets the appetite of malicious hackers. So what is the appropriate defense? Security engineering! But what is that, exactly?

We talk with Frederik Braun, Security Engineering Manager at Mozilla and responsible for the Firefox browser. He explains the similarities and differences between security and software engineering, how security differs between a web app and a browser, what security itself looks like at Mozilla, how vulnerabilities can be found and the search for them practiced through gamification and Capture The Flag events, and how you can get started in security engineering.

Bonus: hacker lab courses (Hackerpraktika) at Universität Bochum

Quick feedback on the episode:

Detection at Scale
ThoughtSpot's Alessio Faiella on Building Forward-Looking Security Programs

Aug 6, 2024 | 23:48

In this episode of Detection at Scale, Jack speaks to Alessio Faiella, Director of Security Engineering & Security Operations at ThoughtSpot, about building forward-looking security programs for 2024. Alessio dives into the dynamic and ephemeral nature of modern security environments and the importance of understanding the nuances of the product and user base. He also highlights how ThoughtSpot leverages AI to enhance detection and response capabilities. Additionally, Alessio shares insights on codifying playbooks and prioritizing core focuses to ensure a robust cybersecurity posture.

Topics discussed:
  • The importance of defining clear goals and laying strong foundations for scalable security programs.
  • Emphasizing the need for security teams to deeply understand the product they are defending and the behaviors of its user base.
  • The significance of developing and prioritizing detailed playbooks to guide detection and response efforts effectively.
  • How AI can assist in real-time response, log data parsing, and providing actionable recommendations during security incidents.
  • Identifying and focusing on critical areas like persistence, lateral movement, and data exfiltration to optimize security efforts with limited resources.
  • Techniques for evaluating the success of security playbooks and ensuring they align with the organization's goals and infrastructure.
  • Combining automated processes with human oversight to enhance the efficiency and accuracy of security operations.
  • The difficulties in gathering and integrating data from various sources to enable quick and informed security responses.
  • Crafting security rules that are tailored to the specific needs and priorities of the organization's environment.
  • Advice on maintaining focus and ensuring foundational security practices are in place for a strong and resilient cybersecurity posture.

NSI Live
Unlocking AI's Potential: How Can AI Protect Critical Infrastructure and Defend the National

Jun 24, 2024 | 53:50

NSI's Cyber and Tech Center hosted a fireside chat featuring Representative Jay Obernolte (CA-23) and Royal Hansen, Google's Vice President of Privacy, Safety, and Security Engineering, on March 5 from 12:15 to 1:15pm ET on Capitol Hill. Rep. Obernolte was recently announced as the Chairman of the new bipartisan Congressional Task Force on Artificial Intelligence, which is tasked with ensuring America continues to lead the world in AI innovation while considering how to protect the nation against current and emerging threats. Royal is Google's Vice President of Privacy, Safety and Security Engineering, where he leads the central engineering function that builds and scales the foundational technology that keeps billions of people safe online.

Rep. Obernolte and Royal discussed how AI can help defend the nation, including enabling cyber defenders to better protect U.S. critical infrastructure from foreign cyber threats and cyber criminals. They also addressed how to mitigate potential security risks associated with AI and how the U.S. can fully harness this new technology to empower our nation's cyber defenders.

Hosted on Acast. See acast.com/privacy for more information.

Absolute AppSec
Episode 248 w/ Rahil Parikh - Building AppSec Programs

Jun 18, 2024

Rahil Parikh, manager of Security Engineering and Architecture @ Policygenius, joins Seth Law and Ken Johnson for an episode of Absolute AppSec. Rahil is a long-time leader in information security who has managed security teams and application security programs at a range of organizations: Policy Genius, Zinnia, the New York Times, Frame.io (now Adobe), Jet.com (Walmart), and Gotham Digital Science (Aon). He also organized a major technical symposium (AAHVAN 08) and has been strengthening the infosec community for more than a decade. He joins the podcast for the June 18th show, so be sure to tune in to learn more about his path in the industry and his thoughts on application security, cloud security, and leading teams toward success.

ITSPmagazine | Technology. Cybersecurity. Society
Practical Privacy by Design - Building Secure Applications that Respect Privacy | An OWASP AppSec Global Lisbon 2024 Conversation with Kim Wuyts and Avi Douglen | On Location Coverage with Sean Martin and Marco Ciappelli

Jun 14, 2024 | 32:20

Guests:
  • Kim Wuyts, Manager Cyber & Privacy, PwC Belgium [@PwC_Belgium]
    On LinkedIn | https://www.linkedin.com/in/kwuyts/
    On Twitter | https://twitter.com/Wuytski
    On Mastodon | https://mastodon.social/@kimw
  • Avi Douglen, CEO / Board of Directors, Bounce Security & OWASP
    On LinkedIn | https://www.linkedin.com/in/avidouglen/
    On Twitter | https://twitter.com/sec_tigger

Hosts:
  • Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
    On ITSPmagazine | https://www.itspmagazine.com/sean-martin
  • Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
    On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

Episode Notes

In this episode of On Location with Sean and Marco, host Sean Martin offers a deep dive into the OWASP AppSec Lisbon event, engaging in a meaningful conversation with Kim Wuyts and Avi Douglen. Sean starts by setting the stage for an insightful discussion focused on privacy, security, and the integration of both in modern application development.

Kim Wuyts, a Cyber and Privacy Manager at PwC Belgium, shares her journey from a security researcher to a privacy engineering expert, emphasizing the importance of privacy threat modeling and the intricate balance between security and privacy. She explains how privacy not only strengthens security but also involves complex considerations like legal, ethical, and technological aspects. Kim highlights the need for companies to adopt privacy by design, ensuring data is used with care and transparency, rather than merely being collected and stored.

Avi Douglen, Lead Consultant at Bounce Security, brings his experience in threat modeling to the conversation, recounting his learning curve in understanding the depths of privacy beyond mere confidentiality. He speaks about the importance of educating security engineers on privacy considerations and using value-driven security to protect stakeholders' interests. Avi stresses that privacy and security should be integrated from the beginning of the application development process to avoid clashes and ensure robust, privacy-respecting systems.

Throughout the discussion, the guests delve into various privacy engineering practices, including data minimization, the handling of meta-information, and the potential conflicts between security requirements and privacy needs. They touch on real-world scenarios where privacy can enhance overall security posture and how privacy engineering aligns with compliance requirements such as GDPR.

Sean, Kim, and Avi also explore the concept of architectural data mapping and selecting the right components for privacy. They discuss the evolving skill set required for privacy engineering and how integrating privacy with existing security practices can add significant value to any organization.

The episode concludes with a look at the upcoming training session at the OWASP AppSec event in Lisbon, emphasizing the need for a diverse audience, including security engineers, privacy professionals, and developers. This session aims to foster a collaborative environment where participants can expand their knowledge and apply practical privacy by design principles in their work.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

Follow our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal
On YouTube:

Just Say It
Guardians of the Cyber Galaxy: AI and Security Engineering with Damilola Longe

Just Say It

Play Episode Listen Later Jun 8, 2024 51:10


Join host Favour Ojika and expert mentor Damilola Longe as they delve into the fascinating world of AI and security engineering. Discover how cutting-edge technology is safeguarding our digital lives, and gain valuable insights from Damilola's years of experience in the field. Whether you're a tech enthusiast or a budding security professional, this episode promises to be both informative and engaging! --- Send in a voice message: https://podcasters.spotify.com/pod/show/favour-ojika/message

Software Engineering Daily
Security Engineering with Ben Huber

Software Engineering Daily

Play Episode Listen Later Apr 18, 2024 53:13


Ben Huber is a security engineer who has worked at companies including Crypto.com and Blackpanda. He joins the podcast to talk about his career, penetration or “pen” testing, attack vectors, security tools, and much more. Gregor Vand is a security-focused technologist, and is the founder and CTO of Mailpass. Previously, Gregor was a CTO across The post Security Engineering with Ben Huber appeared first on Software Engineering Daily.

Podcast – Software Engineering Daily
Security Engineering with Ben Huber

Podcast – Software Engineering Daily

Play Episode Listen Later Apr 18, 2024 53:13


Ben Huber is a security engineer who has worked at companies including Crypto.com and Blackpanda. He joins the podcast to talk about his career, penetration or “pen” testing, attack vectors, security tools, and much more. Gregor Vand is a security-focused technologist, and is the founder and CTO of Mailpass. Previously, Gregor was a CTO across The post Security Engineering with Ben Huber appeared first on Software Engineering Daily.

Paul's Security Weekly
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281

Paul's Security Weekly

Play Episode Listen Later Apr 16, 2024 63:23


There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstartseceng.com A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome's V8 Sandbox increases defense, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-281

Paul's Security Weekly TV
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281

Paul's Security Weekly TV

Play Episode Listen Later Apr 16, 2024 35:17


There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstartseceng.com Show Notes: https://securityweekly.com/asw-281

Application Security Weekly (Video)
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281

Application Security Weekly (Video)

Play Episode Listen Later Apr 16, 2024 35:17


There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstartseceng.com Show Notes: https://securityweekly.com/asw-281

Application Security Weekly (Audio)
Demystifying Security Engineering Career Tracks - Karan Dwivedi - ASW #281

Application Security Weekly (Audio)

Play Episode Listen Later Apr 15, 2024 63:23


There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career. Segment resources: https://kickstartseceng.com A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome's V8 Sandbox increases defense, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-281

Cybercrime Magazine Podcast
Microcast: Google's 'AI Cyber Defense Initiative.' Heather Adkins, VP, Security Engineering, Google.

Cybercrime Magazine Podcast

Play Episode Listen Later Apr 11, 2024 4:01


Google's 'AI Cyber Defense Initiative,' launched at the Munich Security Conference on Feb. 16, signals a belief that the company's experience in deploying AI can help to reverse what it calls the defender's dilemma. In this episode, Heather Adkins, VP, Security Engineering at Google, joins host Steve Morgan to discuss how the initiative will see Google making new commitments to invest in AI-ready infrastructure, as well as releasing new tools for defenders, alongside new research and security training. • For more on cybersecurity, visit us at https://cybersecurityventures.com.

Cracking Cyber Security Podcast from TEISS
teissTalk: Where AI-driven threat detection can streamline your SOC

Cracking Cyber Security Podcast from TEISS

Play Episode Listen Later Apr 5, 2024 46:02


Closing the cybersecurity gap - acting fast against critical threats
Aligning to current compliance standards without the heavy lifting
Leveraging AI-powered tools to maximise your security investments
This episode is hosted by Thom Langford
https://www.linkedin.com/in/thomlangford/
Mike Johnson, Global Cyber Threat & Incident Response Manager, Verifone
https://www.linkedin.com/in/mike---johnson/
Matt Hardy, Head of Security, Liberis
https://www.linkedin.com/in/matthardy67/
Kiarash Kia, Founder, Stealth Startup
https://www.linkedin.com/in/kiarashkia/
Dan Crossley, Director, Security Engineering, Vectra.ai
https://www.linkedin.com/in/crossleydaniel

Risky Business
Risky Business #743 -- A chat about the xz backdoor with the guy who found it

Risky Business

Play Episode Listen Later Apr 3, 2024 57:41


On this week's show Patrick and Adam discuss the week's security news, including:
The SSH backdoor that dreams (or nightmares) are made of
Microsoft gets a solid spanking from the CSRB
Ukraine uses an old Russian WinRAR bug to hack Russia
Push-notifications and social-engineering combined-arms vs Apple
And much, much more.
We have a special guest in this week's show, Andres Freund, the Postgres developer who discovered the backdoor in the xz Linux compression library. This week's show is brought to you by Island, a company that makes a security-focussed enterprise browser. Island's Bradon Rogers is this week's sponsor guest and he'll be joining us to talk about how people are swapping out their Virtual Desktop Infrastructure for enterprise-focussed browsers like theirs.
Show notes
Risky Biz News: Supply chain attack in Linuxland
oss-security - Re: backdoor in upstream xz/liblzma leading to ssh server compromise
Andres Freund (Tech) on X: "@binitamshah FWIW, I didn't actually start looking due to the 500ms - I started looking when I saw failing ssh logins (by the usual automated attempts trying random user/password combinations) using a substantial amount of CPU. Only after that I noticed the slower logins." / X
Andres Freund (Tech) on X: "@riskybusiness Absurdly enough, I was listening to the episode on a cooking break while writing the xz issue up. Couldn't make it up." / X
GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
research!rsc: The xz attack shell script
DHS report rips Microsoft for ‘cascade' of errors in China hack - The Washington Post
Review of the Summer 2023 Microsoft Exchange Online Intrusion
Russian researchers say espionage operation using WinRAR bug is linked to Ukraine
Recent ‘MFA Bombing' Attacks Targeting Apple Users – Krebs on Security
Ransomware gang leaks stolen Scottish healthcare patient data in extortion bid
Ross Anderson, professor and famed author of ‘Security Engineering,' passes away

Storm⚡️Watch by GreyNoise Intelligence
Honoring Ross J. Anderson, Interview With Horizon3AI's Zach Hanley & China's APT31 Sanctions

Storm⚡️Watch by GreyNoise Intelligence

Play Episode Listen Later Apr 2, 2024 64:10


In this episode of Storm⚡️Watch, we cover a variety of cybersecurity topics, opening with a poignant tribute to Ross J. Anderson. Anderson's legacy is vast, with contributions spanning machine learning, cryptographic protocols, and digital rights advocacy. His seminal textbook, "Security Engineering," has been a cornerstone in the education of many in the field. His passing is a significant loss to the academic and security communities, leaving behind a legacy that will continue to influence for years to come. This week we are also joined by special guest Zach Hanley of Horizon3AI. Hanley shares his journey into cybersecurity and the founding of Horizon3AI, as well as insights into the innovative NodeZero platform. This platform aids organizations in focusing on safety and resilience, a crucial aspect in today's digital landscape. Hanley also discusses the three key challenges outlined in Horizon3AI's 2023 report, "Proactive Cybersecurity Unleashed," providing listeners with a glimpse into the ongoing struggles organizations face in cybersecurity. In the segment "Cyberside Chat: Big (Tech) Trouble In Little China," we cover recent sanctions by the United States Treasury Department on individuals linked to the Chinese hacking group APT31, known for targeting critical U.S. infrastructure. Additionally, we discuss the formation of a Water Sector Cybersecurity Task Force in response to threats from the Chinese hacking group Volt Typhoon, and the implications of China's revised state secrets law for U.S. tech firms operating in China. For those interested in the technical side of cybersecurity, we introduce "vulnerability lookup," a tool for fast vulnerability lookup correlation from different sources. This tool is a rewrite of cve-search and supports independent vulnerability ID management and coordinated vulnerability disclosure (CVD). 
As usual we wrap up with a roundup of recent tags and active campaigns and discuss the Known Exploited Vulnerabilities (KEV) catalog from CISA. Episode Slides >> Storm Watch Homepage >> Learn more about GreyNoise >>  

The CyberWire
Unmasking the xzploitation.

The CyberWire

Play Episode Listen Later Apr 1, 2024 35:17


The xz backdoor sets the open source community back on its heels. AT&T resets passwords on millions of customer accounts. Researchers track a macOS infostealer. Poland investigates past internal use of Pegasus spyware. The latest Vultur banking trojan grows trickier than ever. We note the passing of a security legend. On our Solution Spotlight, N2K President Simone Petrella talks about “Bits, Bytes, and Loyalty: How to Improve Team Retention” with Yameen Huq of the Aspen Institute. A ghost ship trips Africa's internet.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Solution Spotlight, N2K President Simone Petrella talks about “Bits, Bytes, and Loyalty: How to Improve Team Retention” with Yameen Huq of the Aspen Institute.
Selected Reading
What we know about the xz Utils backdoor that almost infected the world (Ars Technica)
AT&T resets account passcodes after millions of customer records leak online (TechCrunch)
Info stealer attacks target macOS users (Security Affairs)
Poland launches inquiry into previous government's spyware use (The Guardian)
Vultur banking malware for Android poses as McAfee Security app (Bleeping Computer)
Ross Anderson, professor and famed author of ‘Security Engineering,' passes away (The Record)
A Ghost Ship's Doomed Journey Through the Gate of Tears (WIRED)
Swapping scripts nightmare. (N2K)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Cyber Security Weekly Podcast
Episode 391 - Visit Booth 1810 and meet the leader in hybrid attack detection, investigation and response.

Cyber Security Weekly Podcast

Play Episode Listen Later Mar 26, 2024


Sharat Nautiyal, Director of Security Engineering, APJ, Vectra AI.
Sharat has over 15 years of experience assisting organisations in the areas of security architecture, threat detection and threat hunting. He has a strong focus on leading security engineering, security architecture, and the sales engineering team across APJ.
The global cybersecurity landscape is witnessing a concerning surge in threats, and this is particularly pronounced in the Asia-Pacific region. With the imminent impact of AI-boosted cyberattacks, cybercriminal tactics like phishing and social engineering are evolving in sophistication. Moreover, the recent uptick in high-severity cyber incidents underscores the urgent need for organisations to bolster their defence strategies. The implementation of comprehensive cybersecurity protocols is paramount for businesses and organisations to effectively mitigate these evolving threats.
Vectra AI, Inc. is the leader in hybrid attack detection, investigation and response. The Vectra AI Platform delivers integrated signal across public cloud, SaaS, identity, and data center networks in a single platform. Vectra AI's patented Attack Signal Intelligence empowers security teams to rapidly detect, prioritize, investigate and stop the most advanced hybrid cyber-attacks. With 35 patents in AI-driven detection and the most vendor references in MITRE D3FEND, organizations worldwide rely on the Vectra AI Platform and MDR services to move at the speed and scale of hybrid attackers.
Visit Booth 1810 at Milipol APAC 2024, 3 - 5 April at the Sands Expo & Convention Centre, Singapore.
#milipol #vectra #mysecuritytv

RSA Conference
Changing the End Game: AI-Powered Security Solutions

RSA Conference

Play Episode Listen Later Mar 20, 2024 25:07


How can we ensure we drive product security from the get-go? How can we provide security assurance throughout the protect, detect and respond lifecycle of our services and solutions? How can AI empower our defenders? Leaders from Microsoft and Google will share insights on how AI can improve security efficiencies for the entire product lifecycle. We review real-world examples from cloud security solution providers that can benefit the broad security community and defenders. Speakers: Heather Adkins, Vice President, Security Engineering, Google; Abhilasha Bhargav-Spantzel, Partner Security Architect, Microsoft; Aanchal Gupta, CVP, Microsoft; Tatyana Sanchez, Content and Programming Coordinator, RSA Conference

The CyberWire
Encore: Chris Cochran: Rely on your strengths in the areas of the unknown. [Engineering] [Career Notes]

The CyberWire

Play Episode Listen Later Feb 25, 2024 7:27


Director of Security Engineering at Marqeta and Host of Hacker Valley Studio podcast Chris Cochran describes his transitions throughout the cybersecurity industry, from an intelligence job with the Marine Corps, to starting the intelligence apparatus for the House of Representatives, then on to leading Netflix's threat intelligence capability. Chris points out that when pivoting to different roles and responsibilities, you must rely on your own strengths to move forward and bring value to your work. Our thanks to Chris for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Career Notes
Encore: Chris Cochran: Rely on your strengths in the areas of the unknown. [Engineering]

Career Notes

Play Episode Listen Later Feb 25, 2024 7:27


Director of Security Engineering at Marqeta and Host of Hacker Valley Studio podcast Chris Cochran describes his transitions throughout the cybersecurity industry, from an intelligence job with the Marine Corps, to starting the intelligence apparatus for the House of Representatives, then on to leading Netflix's threat intelligence capability. Chris points out that when pivoting to different roles and responsibilities, you must rely on your own strengths to move forward and bring value to your work. Our thanks to Chris for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Cybercrime Magazine Podcast
Google Launches 'AI Cyber Defense Initiative.' Heather Adkins, VP, Security Engineering, Google.

Cybercrime Magazine Podcast

Play Episode Listen Later Feb 16, 2024 7:26


Google's 'AI Cyber Defense Initiative,' launched at the Munich Security Conference on Feb. 16, signals a belief that the company's experience in deploying AI can help to reverse what it calls the defender's dilemma. In this episode, Heather Adkins, VP, Security Engineering at Google, joins host Steve Morgan to discuss how the initiative will see Google making new commitments to invest in AI-ready infrastructure, as well as releasing new tools for defenders, alongside new research and security training. • For more on cybersecurity, visit us at https://cybersecurityventures.com.

The Other Side Of The Firewall
Ask A CISSP | A CMMC 2.0 Clinic With Derron King Jr. Season 2 Episode 11

The Other Side Of The Firewall

Play Episode Listen Later Jan 25, 2024 48:51


On this week's episode of Ask A CISSP, we have a follow-up conversation with Derron King Jr.! We discuss the CMMC 2.0 debut, requirements for small to mid-size Prime and Sub-prime contractors, and pathways to becoming a Registered Practitioner or Assessor. Please LISTEN

Absolute AppSec
Episode 228 w/ Chime Security Engineering - Monocle

Absolute AppSec

Play Episode Listen Later Dec 19, 2023


David Trejo (@dtrejo@infosec.exchange) and Paul Kuliniewicz, security engineers at Chime join Seth (@sethlaw on x) and Ken (@cktricky) to discuss the ins and outs of challenges and successes in a widely recognized effective product security program. You can start reading up on the Monocle program here: https://medium.com/life-at-chime/monocle-how-chime-creates-a-proactive-security-engineering-culture-part-1-dedd3846127f And part 2 here: https://medium.com/life-at-chime/mitigating-risky-pull-requests-with-monocle-risk-advisor-part-2-7013e1485bf2.

Paraşüt'le Üretim Bandı
Technical: Utku Şen | Delivery Hero - Security Engineering & Learning to Develop Yourself

Paraşüt'le Üretim Bandı

Play Episode Listen Later Nov 21, 2023 56:15


Meet this season's sponsor, Sanction Scanner. You will remember the money-laundering scenes we saw in "Breaking Bad". Two trillion dollars of dirty money is laundered every year. This is where Sanction Scanner's software comes in. Its products, backed by artificial intelligence and machine learning, run real-time AML (Anti-Money Laundering) screenings for banks and similar financial institutions, analysing whether the people and transactions that want to do business with the institution are a problem. You can find more information about Sanction Scanner here: https://sanctionscanner.com/
---
Brick Institute's Product Management Fundamentals, Product Analytics and Product Leadership programmes, with experienced instructors and select participants, are starting very soon. Focused on real-life applications and case studies, these trainings were created for those who want to specialise in product management and strengthen their product development processes. Places are limited, so apply now at www.brick.institute to secure your spot and register for the training!
----
Did you know that Üretim Bandı has a Slack group? Join the active product community where more than 3000 product managers, entrepreneurs, developers and designers come together:
>>> uretimbandi.com/slack
You can also follow our newsletter on product development, published every two weeks, at the link below:
>>> uretimbandi.com/bulten
----------
GUEST
Utku Şen: https://www.linkedin.com/in/utkusn/
TOPICS
(00:00) Introduction
(02:55) What does "Security Engineer" mean?
(06:45) Testing methods
(09:27) Red or blue pill?
(13:30) Bank security
(15:35) Security team structure
(18:50) At what point do companies need security?
(22:06) Open-source and closed-source software
(26:58) Keeping up with current events
(31:58) Career paths in security
(34:10) Content creation
(39:51) Future plans
(42:30) Global Talent Visa (UK)
(44:30) How to become a Global Talent
(50:55) Social life

DeCent People
Phillip Martin

DeCent People

Play Episode Listen Later Nov 14, 2023 55:16


Philip Martin is the Chief Security Officer for Coinbase, where he is responsible for developing the technology, processes and team that safely store one of the world's largest holdings of cryptocurrency. Prior to Coinbase, Philip built and led the Incident Response and Security Engineering teams at Palantir Technologies, developed new virtual infrastructure at Amazon A9 and spent a decade as a US Army counterintelligence agent in a range of foreign and domestic roles.

@BEERISAC: CPS/ICS Security Podcast Playlist
NCF-334 Security Engineering for Industrial Systems

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Nov 14, 2023 31:10


Podcast: New Cyber Frontier
Episode: NCF-334 Security Engineering for Industrial Systems
Pub date: 2023-11-13
Welcome back, everybody, to NewCyberFrontier. In today's episode, our guest is Andrew Ginter, Vice President of Industrial Security at Waterfall Security. Mr. Ginter is also the author of a book titled "Engineering Grade OT Security: A Manager's Guide." He describes his book as sitting at the intersection of industrial systems and engineering. These systems could range from the inputs and outputs of computer systems such as power plants, shoe factories, and high-speed passenger rail. Mr. Ginter explains his book further by saying, "Small shoe factories and high-speed train rail switches are very different on the industrial system spectrum. What determines the difference is the worst-case consequences of compromise." What would be the worst outcome for a shoe factory versus passenger train rail switches if all commands to computer systems fail? A shoe factory might have to replace all of its equipment, a couple of million dollars' worth of expenses that insurance could cover; but for the switches on a train, if all computer commands fail, the result could be two trains colliding and massive casualties, which insurance cannot cover. These are two very different examples of industrial systems that call for different approaches to computer systems. Mr. Ginter also explains in his book that engineering security is a public safety issue with no room for errors. "In recent years, we have been automating everything, which is not always the best option; we must have fail-safes in place with security and protection." We face many problems and cyber attacks in the engineering world that must be considered today. Thank you for watching NewCyberFrontier.

New Cyber Frontier
NCF-334 Security Engineering for Industrial Systems

New Cyber Frontier

Play Episode Listen Later Nov 13, 2023 31:10


Welcome back, everybody, to NewCyberFrontier. In today's episode, our guest is Andrew Ginter, Vice President of Industrial Security at Waterfall Security. Mr. Ginter is also the author of a book titled "Engineering Grade OT Security: A Manager's Guide." He describes his book as sitting at the intersection of industrial systems and engineering. These systems could range from the inputs and outputs of computer systems such as power plants, shoe factories, and high-speed passenger rail. Mr. Ginter explains his book further by saying, "Small shoe factories and high-speed train rail switches are very different on the industrial system spectrum. What determines the difference is the worst-case consequences of compromise." What would be the worst outcome for a shoe factory versus passenger train rail switches if all commands to computer systems fail? A shoe factory might have to replace all of its equipment, a couple of million dollars' worth of expenses that insurance could cover; but for the switches on a train, if all computer commands fail, the result could be two trains colliding and massive casualties, which insurance cannot cover. These are two very different examples of industrial systems that call for different approaches to computer systems. Mr. Ginter also explains in his book that engineering security is a public safety issue with no room for errors. "In recent years, we have been automating everything, which is not always the best option; we must have fail-safes in place with security and protection." We face many problems and cyber attacks in the engineering world that must be considered today. Thank you for watching NewCyberFrontier.

The Secure Developer
(Rewind) Ep. #88, The Changing Landscape of Security with Dev Akhawe

The Secure Developer

Play Episode Listen Later Oct 16, 2023 44:14


This week, we're rewinding to play one of our favorite episodes from the archive! We'll be back with a brand-new episode in two weeks!
Today's guest is someone we have wanted to have on the show for a long time, and we are so happy to finally welcome him. Dev Akhawe is the Head of Security at Figma, the first state-of-the-art interface design tool that runs entirely in your browser. Before that, Dev worked at Dropbox, as Director of Security Engineering, leading application security, infrastructure security, and abuse prevention for the Dropbox products. He also holds a Ph.D. in Computer Science from UC Berkeley, where his thesis focused on web application security. In this episode, Dev pulls back the curtain and gives us a look at what security at Figma looks like. The relatively small organization has a culture where the security team earns their trust and works openly. This has resulted in far greater cohesion between the security team and developers. We also hear about Dev's time at Dropbox, and how working on an application with many products exposed him to the gamut of security issues that companies can face. Along with this, we discuss some of the positive changes in how startups are thinking about security, the value of exposing people to different parts of an organization, the place of security champions, and having a curious mindset as a security professional. Dev's approach to security is empathetic, collaborative, and solution-driven, and if you would like to hear more, be sure to tune in today!

The Other Side Of The Firewall
Google Pays Apple $15K Bug Bounty - The Other Side of the Firewall Season 2 Episode 54

The Other Side Of The Firewall

Play Episode Listen Later Aug 15, 2023 11:23


In this episode, Ryan and Shannon discuss how Google had to pay Apple's Security Engineering and Architecture (SEAR) team a $15K bug bounty. Please LISTEN

The Other Side Of The Firewall
Ask A CISSP | Meet Derron King Jr. - Ask A CISSP Season 2 Episode 5

The Other Side Of The Firewall

Play Episode Listen Later Aug 3, 2023 51:14


On this week's episode of Ask A CISSP, we have an interview with Derron King Jr.! Please LISTEN

The Security Podcast of Silicon Valley
Sergey Stelmakh, Head of Security Engineering at Yugabyte

The Security Podcast of Silicon Valley

Play Episode Listen Later Aug 3, 2023 44:46


Sergey Stelmakh engages the intriguing question of how to marry innovation (risk taking) with security (risk mitigation), how to build effective teams, and how his life led him down the path into security at engineering-driven companies, as Head of Security Engineering at Yugabyte, Platform Security Architect at MuleSoft (acquired by Salesforce), and Lead Security Architect at Symphony Communications, all from his roots in mathematics as Assistant Professor at Belarusian State University.

Cloud Security Podcast by Google
EP132 Chaos Engineering for Security: How to Improve Software Resilience with Kelly Shortridge

Cloud Security Podcast by Google

Play Episode Listen Later Jul 31, 2023 36:27


Guest: Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly

Topics:
So what is Security Chaos Engineering?
"Chapter 5. Operating and Observing" is Anton's favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?
How does chaos engineering (or is it really about software resilience?) intersect with cloud security: is this peanut butter and chocolate, or more like peanut butter and pickles?
How can organizations get started with chaos engineering for software resilience and security?
What is your favorite chaos engineering experiment that you have ever done?
We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023?

Resources:
Video (LinkedIn, YouTube)
"Security Chaos Engineering: Sustaining Resilience in Software and Systems" by Kelly Shortridge, Aaron Rinehart
"Cybersecurity Myths and Misconceptions" book
"Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems" book
"Normal Accidents: Living with High-Risk Technologies" book
"Deploy Security Capabilities at Scale: SRE Explains How" (ep85)
"The Good, the Bad, and the Epic of Threat Detection at Scale with Panther" (ep123)
"Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?" (ep117)
IKEA Effect
"Modernizing SOC ... Introducing Autonomic Security Operations" blog

No Name Podcast
No Name Podcast with Ross Anderson

No Name Podcast

Play Episode Listen Later Jul 24, 2023 67:38


Ross J. Anderson, Professor of Security Engineering at the University of Cambridge and the University of Edinburgh, is widely recognized as one of the world's foremost authorities on security. He is one of the pioneers of the economics of information security, peer-to-peer systems, hardware tamper-resistance and API security. Furthermore, he was one of the designers of the international standards for prepayment electricity metering and power line communications, and was one of the inventors of the AES finalist encryption algorithm Serpent. In 2015, he won the Lovelace Medal, Britain's top award in computing. He is a Fellow of the Royal Society and the Royal Academy of Engineering. Prof. Anderson leads the Cambridge Cybercrime Centre, which collects and analyzes large datasets about online criminal activity. He is known to all security professionals as the author of the textbook "Security Engineering: A Guide to Building Dependable Distributed Systems".

Cloud Security Podcast by Google
EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?

Cloud Security Podcast by Google

Play Episode Listen Later Apr 17, 2023 27:08


Guest: Maxime Lamothe-Brassard, Founder @ LimaCharlie

Topics:
What does an engineering-centric approach to cybersecurity mean? What to tell people who want to "consume" rather than "engineer" security?
Is the "engineering-centric" approach the same as evidence-based or provable?
In practical terms, what does it mean to adopt an "engineering-centric approach" to cybersecurity for an organization? How will it differ from what we have today? What will it enable?
Can you practice this with a very small team? How about a very small team of "non-engineers"?
You seem to say that tomorrow's cybersecurity will look a lot like software engineering. Where do we draw the line between these two?

Resources:
Atomic Red Team
Sigma rules/content
LimaCharlie blog
8 Megatrends drive cloud adoption—and improve security for all
The Cybersecurity Defenders Podcast

Software Engineering Radio - The Podcast for Professional Software Developers
SE Radio 559: Ross Anderson on Software Obsolescence

Software Engineering Radio - The Podcast for Professional Software Developers

Play Episode Listen Later Apr 12, 2023 58:07


Ross John Anderson, Professor of Security Engineering at the University of Cambridge, discusses software obsolescence with host Priyanka Raghavan. They examine the risks associated with software going obsolete and consider several examples of software obsolescence, including how it can affect cars. Prof. Anderson discusses policy and research in the area of obsolescence and suggests some ways to mitigate the risks, with special emphasis on software bills of materials. He describes future directions, including software policy and laws in the EU, and offers advice for software maintainers on hedging against the risks of obsolescence.

BarCode
Sociotechnical Exploitation with Bruce Schneier

BarCode

Play Episode Listen Later Mar 3, 2023 24:42 Transcription Available


Sociotechnical theory is an organizational theory that emphasizes the importance of both social and technical factors in designing and managing systems. Sociotechnical systems are deeply embedded within society and prone to "hacking", a term meaning to subvert a system's rules in an unintended way. In his most recent book, "A Hacker's Mind", Bruce Schneier takes hacking beyond computer systems and uses it to analyze the systems that underpin our society. He stops by and we work out the true definition of hacking, who has the edge in the endless arms race, who the world's best hackers are, how AI will impact the future of hacking, and the truth about AI democratization.

TIMESTAMPS
0:02:37 - Exploring the Hacker's Mindset and How to Bend Society's Rules
0:04:53 - The Importance of System Hacking in Today's World
0:06:42 - The Inevitability of System Hacks and the Impact of AI
0:14:41 - Digital Simulation Technology on Policy and Legal Code
0:16:21 - Impact of Hacking on Existing Inequalities
0:18:21 - Hacking Resources and Loopholes

SYMLINKS
A Hacker's Mind
Schneier on Security Blog
"Security Engineering" by Ross Anderson
"Threats" by Adam Shostack

EPISODE SPONSOR
TuxCare

CONNECT WITH US
Become a Sponsor
Support us on Patreon
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com

Security Visionaries
Building Security Relationships Through Transparency with Andreas Rohr, CTO at DCSO

Security Visionaries

Play Episode Listen Later Feb 21, 2023 47:01


This episode features an interview with Andreas Rohr, founding manager and CTO at the German Cyber-Security Organization (DCSO). At DCSO, Andreas is responsible for Innovation and Security Engineering and its Managed Cyber Defense Services. He has over 15 years of experience in IT and cybersecurity, holding management positions in the energy and automotive industries. In this episode, Mike and Andreas discuss aligning with works councils, forging business relationships through transparency, and embedding security into value streams.

"Transparency is key for working with the works council, who are actually not there to prevent security or the company doing the right things, they're there to make sure that the data is not abused against the employees. This is their mission, their task, and it's a valid one." – Andreas Rohr

Episode Timestamps:
*(02:06): Andreas explains what DCSO is
*(09:18): Guideposts DCSO is helping companies align to
*(15:45): How Andreas is helping companies navigate the German Works Council
*(19:27): Andreas's journey from CISO to CTO
*(23:34): Andreas's advice on determining the budget for security
*(27:30): How Andreas advises companies on making security part of the fabric of their organization
*(34:29): 2030 Goggles
*(43:01): Quick Hits

Links:
Connect with Andreas on LinkedIn
Connect with Mike Anderson on LinkedIn
www.netskope.com

AWS Morning Brief
A Bunch of Vulnerabilities is Called an Embarrassment

AWS Morning Brief

Play Episode Listen Later Dec 22, 2022 4:41


Links:
Azure's VP of Security Engineering published a post describing their approach to cloud vulnerabilities
Panther deployed Yubikeys internally and blogged about it.
LastPass has (yet again) suffered a breach, and published a no-content advisory that TechCrunch took the time to parse through.
Apparently Wiz decided to poke around a bit into IBM "Cloud" and found a bunch of security issues.
Prepare for consolidated controls view and consolidated control findings in AWS Security Hub
Reported ECR Public Gallery Issue
From the world of tools: osquery turns your operating system into a database