Podcast: OT Security Made Simple
Episode: Which low-hanging fruits to grab on the OT security journey
Pub date: 2025-08-14

New Zealand's Peter Jackson from SGS (not of Lord of the Rings fame!) speaks about right-sizing cybersecurity legislation, OT security assessments and the low-hanging fruit in building resilience. He discusses with host Klaus Mochalski how an OT security assessment helps you understand the risk landscape, how resilience can be hardened fast and easily, what challenges prevail in segmentation and isolation processes, and why it is important to talk about genuine risks and not the bogeyman.
In this special episode, I finally get a chance to do a virtual fireside chat with my talented and funny CISO Scott Dresen. I actually started working with Scott while he was the Chief Technology Officer for Spectrum Health. It was in this role that Scott started down the path to becoming the Chief Information Security Officer for Corewell Health. So you can say he has been here for the entire Information Security program revamp that started back in 2016.

Talking Points:
Back in 2016 you were the CTO when the Information Security program was 'rebooted'. What were some of your biggest challenges and frustrations back then?
In 2018 you assumed the dual role of CTO and CISO. What was the hardest thing you had to change or overcome in that dual role?
Let's talk about the WannaCry incident. What did the high-level leadership view look like, and what decisions needed to happen?
In 2019 you had to re-evaluate the state of the security program at the halfway point of the timeline. During that you had to make some hard choices about the direction we needed to go in order to complete things. How did you come up with those decisions?
You have had the distinct 'pleasure' of being a part of both small healthcare and large-scale acquisitions. What are some valuable lessons learned from each?
In 2020 you had to pivot from an almost entirely in-person workforce to almost 100% remote. How did you manage to accomplish this in a timely and successful manner?
In 2023 you had a chance to speak in front of Congress about healthcare security. Walk me through how that came about, how you felt in the moment, and what you would do differently (in hindsight).
What has been the hardest part of planning and implementing Artificial Intelligence security?
Heading into 2025, what advice do you have for other healthcare security leaders as they face the challenges of tighter budgets, smarter threat actors and changing business strategies?
Episode Charities:
Toys for Tots of Grand Rapids - Presents for less fortunate children
North Kent Connect - A great foundation that helps families with items that may not be covered by other programs
YMCA of Greater Grand Rapids - Great organization promoting healthy lifestyles

Episode Sponsor:
Cloud Con - Michigan's premier security and infrastructure conference!
In this episode I had a chance to speak with Chris Jordan and Al Wissigner about where a small and medium-sized business (SMB) should start their security journey. This is especially important in this day and age of ever-expanding cloud infrastructure and Software as a Service (SaaS) models. Both of these fine gentlemen work for Fluency and have a TON of experience working with SMBs.

Talking Points:
The idea of bridging the gap between what they want to do and what they can afford to do
Why is it so important for an SMB to understand how to properly do cross-platform?
Security companies are generally not targeting SMBs
Why is BEC one of the most important things to understand?
How can an SMB use automation to help offset the lack of a large security team?

Episode Charity:
October's selected charity is called Both Hands. Both Hands is an organization that helps local widows with chores/projects that are hard to do on their own, all while raising money for a family to adopt a child.

Episode Sponsor:
This episode was sponsored by Fluency. Fluency is a modern security operations platform that can handle today's agile environments. They are based out of Rockville, Maryland.
Rob Abel's retirement, Security Journey's SOC 2 Type II compliance, RDE's acquisition of CardCash.com, Florida SouthWestern State College joining Florida Purchasing Group, PepsiCo's establishment of the Growth Office, and Apollo Global Management's majority interest in Composite Advanced Technologies, Inc.
Cloud security continues to evolve at a rapid pace, and you need to stay abreast of the latest trends and services to ensure that you have the most up-to-date skills. SANS Fellow Frank Kim hosts this episode of Wait Just an Infosec, talking about the different cloud journeys that you can take.

Wait Just an Infosec is produced by the SANS Institute. You can watch the full, weekly Wait Just an Infosec live stream on the SANS Institute YouTube, LinkedIn, Twitter, and Facebook channels on Tuesdays at 10:00am ET (2:00pm UTC). Feature segments from each episode are published in a podcast format on Wednesdays at noon eastern. If you enjoy the Wait Just an Infosec live, weekly show covering the latest cybersecurity trends and news and featuring world-renowned information security experts, be sure to become a member of our community. When you join the SANS Community, you will have access to cutting-edge cyber security news, training, and free tools you can't find anywhere else. Learn more about Wait Just an Infosec at sans.org/wjai and become a member of our community at sans.org/join. Connect with SANS on social media and watch the weekly live show: YouTube | LinkedIn | Facebook | Twitter
Join us on TOP CMO, the go-to podcast for marketing enthusiasts and professionals seeking insider knowledge from global Chief Marketing Officers. This episode features Amy Baker, a marketing mastermind who's worked with major players like Proofpoint and Ericsson. Get ready to explore cutting-edge marketing techniques, industry trends, and the essential skills needed to thrive in today's fast-paced digital landscape. Boost your marketing prowess with TOP CMO's exclusive access to the brightest minds in the business. Subscribe and stay ahead of the curve!
As the world's leading resource of independent energy experts and technical advisors, DNV is dedicated to achieving the objectives of the Paris Agreement and helping their clients to transition more quickly to a highly decarbonized energy system.
Steve Lodin, a veteran of the cybersecurity industry, embarks on an ambitious mission to protect millions of identities from hackers while his team strives to maintain high security standards and compliance with regulators.

"The more that we can identify, document, and share, the less attacks that are hitting our colleagues and our peers in the industry." - Steve Lodin

Lodin's experience comes with a background in software engineering, system administration, and global IT security. He has worked with General Motors, Ernst and Young, Roche Diagnostics, and Sallie Mae, and has a Master's degree in Computer Science from Purdue University.

Steve Lodin had been working in electronics engineering and software engineering since he got his engineering degree. He had a passion for computers and decided to focus on security. He went back to school for a Master's in Computer Science and went on to work at Ernst and Young, Roche Diagnostics, and the world of startups. For the past 10 years, he has been working at Sallie Mae protecting millions of IDs from hackers. With the shift to the cloud, Steve has been advocating for the removal of legacy security debt and providing security opportunities to improve the environment. He is a prominent contributor to the industry, helping to identify and document attacks to protect against them.

In this episode, you will learn the following:
1. What challenges arise when attempting to secure xIoT devices?
2. How can organizations reduce their external and internal attack surfaces?
3. How can organizations use the cloud to reduce their legacy security debt?

Let's get into Things on the IoT Security Podcast!
Follow Brian Contos on LinkedIn at https://www.linkedin.com/in/briancontos
And you can follow John Vecchi at https://www.linkedin.com/in/johnvecchi
The IoT Security Podcast is powered by Phosphorus Cybersecurity. Join the conversation for the IoT Security Podcast, where xIoT meets Security. Learn more at https://phosphorus.io/podcast
Robyn Lundin started working in tech after a coding boot camp as a developer for a small startup. She then discovered her passion for security, pivoted into pentesting for NCC Group, and now works as a Senior Product Security Engineer for Slack. Robyn joins us to discuss the role of penetration testing within the application security realm. Robyn provides actionable guidance you can apply directly to your application pen testing program. We hope you enjoy this conversation with... Robyn Lundin.

Visit our website: https://www.securityjourney.com/resources/application-security-podcast
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/channel/UCfrTGqjSsFCQW4k6TueuY-A
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Application Security Podcast is brought to you by Security Journey. Security Journey delivers secure coding training to development teams and those who support them. They help enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC.
TRY OUR TRAINING ➜ https://info.securityjourney.com/try-our-training
Michael Bargury is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure, focused on IoT, APIs and IaC. Michael is passionate about all things related to cloud, SaaS and low-code security and spends his time finding ways they could go wrong. He also leads the OWASP low-code security project and writes about it on DarkReading. Michael is a regular speaker at OWASP, BSides and DEFCON conferences. Michael joins us to unpack Low Code / No Code and the new OWASP Top Ten that defines specific risks against Low/No Code. We hope you enjoy this conversation with... Michael Bargury.
Alex leads the Cyber Security Consulting Group, part of Rakuten's Cyber Security Defense Department. The group is dedicated to providing global security services, including security architecture, DevSecOps tooling and integration services, delivery of technical training, and running Rakuten's Security Champion community. His focus is on empowering teams to improve security throughout the development lifecycle. Alex joins us to discuss security champions, a topic near and dear to our hearts. We get into democratizing appsec, the value of security governance and empowerment activities for security champions and the organization, how scope, cost and effort fit, and the ROI of training and security champions. We hope you enjoy this conversation with... Alex Olsen.
Mark Curphey is one of the creators of OWASP from the very early days. Mark worked in the background over the decades since but has recently stepped into the spotlight. After running for a seat, he was elected to the OWASP Board of Directors. This conversation starts with the historical story of Mark and his history with OWASP. Then we jump into the visions for OWASP in the future and the plans in place to reach those goals. We hope you enjoy this conversation with... Mark Curphey.
Tiago Mendo is a co-founder and CTO of Probely. He has extensive experience in pentesting applications, training, and providing all-around security consultancy. Tiago started working with security in the early 2000s, beginning with a tenure of 12 years at Portugal Telecom. While there, he built the web security team and worked with 150+ developers. He holds a Master's in Information Technology/Information Security from Carnegie Mellon University and a CISSP certification. He is also a qualified member of AP2SI, a non-profit organization that promotes Information Security in Portugal, and Co-Leader of the Lisbon OWASP Chapter. He is a frequent speaker at security events, such as Confraria da Segurança da Informação, BSides Lisbon, BSides Kraków and LASCON. Tiago Mendo joins us to discuss OWASP ZAP and DAST scanning at scale. Tiago shares what scanning at scale is, the common challenges development teams must overcome when scanning at scale, and how to overcome them using OWASP ZAP. We hope you enjoy this conversation with... Tiago Mendo.
J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices for cybersecurity consulting firms. Wolf joins us to talk about some security things that will stretch your mind, like security beyond vulnerabilities, how an app's intended functionality can be misused, data privacy, and nudges and behavior science. Wolf challenged my thinking in this episode and pointed out a new area of threat modeling I had never considered. We hope you enjoy this conversation with... J. Wolfgang Goerlich.
Security Journey Co-Founder Chris Romeo is chatting LIVE with the GrepBeat crew this Friday. Chris is a lifelong cybersecurity professional who embarked on an entrepreneurial path. In 2016, he launched the cloud-based platform Security Journey, which teaches developers how to improve security in their own companies. Earlier this year, the company was acquired by Pittsburgh-based HackEDU.
Frank Kim, the Lead for the SANS Cloud Security and Security Leadership curriculums, joins Brandon Evans to discuss how these areas intersect, the role cloud technologies and vendors play in the People, Process, and Technology Framework, why developers who introduce security flaws today can become the security experts of the future, and the importance of staying curious about cloud trends like multicloud and DevOps.

Our Guest - Frank Kim
Frank is the Founder of ThinkSec, a security consulting and CISO advisory firm, as well as a SANS Fellow and lead for both the SANS Cybersecurity Leadership and SANS Cloud Security curricula, overseeing two dozen SANS courses in the two fastest growing curricula. Previously, as CISO at the SANS Institute, Frank led the information risk function for the most trusted source of computer security training and certification in the world. Frank is also the author and instructor of MGT512: Security Leadership Essentials for Managers, MGT514: Security Strategic Planning, Policy, and Leadership, and co-author of SEC540: Cloud Security and DevSecOps Automation.

Follow Frank Kim
Twitter: https://twitter.com/fykim
LinkedIn: https://www.linkedin.com/in/frank-kim/
Web: https://www.sans.org/profiles/frank-kim/

Resources mentioned in this episode

Sponsor note: Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs. Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security.
Review and Download Cloud Security Resources: sans.org/cloud-security/
Join our growing and diverse community of cloud security professionals on your platform of choice: Discord | Twitter | LinkedIn | YouTube
Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper. As always, please follow us on LinkedIn, and subscribe if you have not already done so.

Shigeo Shingo, who lived from 1909 to 1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen. He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority." Satya Nadella, the CEO of Microsoft, stated that, "Every company is a software company. You have to start thinking and operating like a digital company. It's no longer just about procuring one solution and deploying one solution… It's really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence." The first time I heard this I didn't really fully understand it. But after reflection it makes a ton of sense. For example, let's say your company couldn't send email. How much would that hurt the business? What if your company couldn't use Salesforce to look up customer information? How might that impact future sales? What if your core financial systems had database integrity issues? Any of these examples would greatly impact most businesses. So, getting high-quality software applications that enable the business is a huge win.

If every company is a software or digital company, then the CISO has a rare opportunity. That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good, right?
That is the focus of today's show, and we are going to teach you how to excel in creating a world-class organization through a focused program in Secure Software Development. Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that? Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security.

Let's first look at increasing productivity. To increase productivity, we need to understand the Resistance Pyramid. If you know how to change people and the culture within an organization, then you can significantly increase your productivity. However, people and culture are difficult to change, and different people require different management approaches.

At the bottom of the pyramid are people who are unknowing. These individuals don't know what to do. Think of the interns in your company. They just arrived, but don't yet understand what practices and processes to follow. If you want to change the interns, then you need to communicate what best practice is and what is expected of their performance. Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?" An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directive manner.

The middle part of the pyramid is people who believe they are unable to adapt to change. These are individuals who don't know how to do the task at hand. Here, communication is important, but so is skills training. Compare your team members here to an unskilled labor force: they're willing to work but need an education to move forward.
If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company's productivity or lower your costs.

At the top of the resistance pyramid are the people who are unwilling. These individuals don't want to change. We might call these folks the curmudgeons who say "we tried it before, and it doesn't work" or "I'm too old to learn that." If you want to change these individuals and the culture of an organization, then you need to create motivation.

As leaders, our focus to stimulate change will be on communicating, educating, and motivating. The first thing that we need to communicate is the Why. Why is Secure Software Development important? The answer is money. A variety of studies have found that software vulnerabilities detected early in development are cheaper to fix than those found later, in production. Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase $240, in the QA/Test phase $960, and in the production phase $7,600. Think of that difference: $80 is about 1% of $7,600. So if a developer finds bugs in the development code, they don't just save their own time. They save the time of a second developer who doesn't have to do a failed code review, the time of an infrastructure engineer who would put the failed code on a server, the time of a tester who would create regression tests that fail, the time of a change approval board wasted on a failed release, and the time of the customer representatives who would respond to customers when the software is found to have issues. As you can see, there's a lot of time to be saved by increasing productivity, as well as a 99% cost savings on work that has to be done anyway. Saving their own time is something that will directly appeal to every development team member.
To do this we need to do something called Shift Left Testing. The term shift left refers to finding vulnerabilities earlier in development. To properly shift left we need to create two secure software development programs.

The first program focuses on the processes that an organization needs to follow to build software the right way. This is something you have to build in house. For example, think about how you want software teams to produce a network diagram that your architects can review. Think about the proper way to register an application in a Configuration Management Database so that there is a point of contact who can answer questions when an application is down. Think about how a developer gets a DNS entry created for a new website. Think about how someone gets a website into the various security scanning tools that your organization requires (SAST, DAST, vulnerability management, container scanning, etc.). Think about how developers should retire servers at end of life. These practices are unique to your company. They may require a help desk ticket to make something happen, or, if you don't have a ticketing system, an email. We need to document all of these in one place where they can be communicated to the staff members who will be following the processes. Then our employee has a checklist of activities they can follow. Remember: if it's not in the checklist, then it won't get done. If it doesn't get done, then bad security outcomes are more likely to happen. So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company. You can place this knowledge in an internal wiki article, a SharePoint site, a Confluence page, or some kind of website. Make sure to communicate it frequently. For example, have the CIO or CISO share it at the IT All Hands meeting. Send it out in monthly newsletters. Refer to it in security discussions and architecture review boards.
The more it's communicated, the more unknowing employees will hear about it and change their behavior.

The second program that you should consider building is a secure code training platform. Think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Codebashing. These secure code training solutions are usually bought by organizations instead of being created in house. They teach developers how to write more secure code. For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?" If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code. Make these types of training programs available to every developer in your company.

Lastly, we need to find a way to motivate the curmudgeons. One way to do that is the following. Let's say you pick one secure coding platform and create an initial launch. The first two hundred people in the organization who pass the secure developer training get a one-time bonus of $200. This perk might get a lot of people interested in the platform. You might even get 10-20% of your organization taking the training in the first quarter of the program. In the second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorably than their peers. Guess what? You will see more and more people taking the training class. Perhaps you see that 50% of your developer population becomes certified. Then the following year you say that since so many developers are now certified, to achieve the rank of Senior Developer within the organization it is now expected that you pass this training. It becomes something HR folks look for during promotion panels.
This gradual approach to moving the ball in training can work and has been shown to increase the secure developer knowledge base. Here's a pro tip: be sure to create some kind of badges or digital certificates that employees can share. You might even hand out stickers upon completion that developers can proudly place on their laptops. Simple things like this increase visibility. They can also motivate people you didn't think would change.

Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it's time to increase convenience and reduce waste. Do you know what developers hate? Well, other than last-minute change requests. They hate inefficiencies. Imagine you get a vulnerability report that says you have a bug on line 242 of your code. So you go to the code and find there really isn't a bug; it's just a false positive from the tool. This false bug detection really, well, bugs developers. So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the true and false positive rates of the tool. One way to do this is to run the tools you are considering against the OWASP Benchmark. (We have a link to the OWASP Benchmark in our show notes.) The OWASP Benchmark lets companies test tools against a deliberately vulnerable application in which every test case is known in advance to be either a real vulnerability or a safe look-alike. In practice, tools flag both the vulnerable and the safe test cases. Their results are compared against that ground truth to determine the true positive rate (the share of real vulnerabilities the tool reported) and the false positive rate (the share of safe test cases it wrongly reported). For example, if the tool you choose has a 90% true positive rate and a 90% false positive rate, then the tool pretty much reports that everything is vulnerable. Valuable developer time is wasted, and developers will hate the tool despite its value. If the tool has a 50% true positive rate and a 50% false positive rate, then the tool is essentially reporting at random.
Once again, this results in lost developer confidence in the tool. You really want tools that have high True Positive Rates and low False Positive Rates. Optimize accordingly. Another developer inefficiency is the amount of tools developers need to leverage. If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for Vulnerability Management findings, Web Inspect for DAST findings, Prisma for Container Findings, Truffle Hog for Secrets scanning, it becomes a burden. If ten systems require two minutes of logging in and setup each that's twenty minutes of unproductive time. Multiply that time the number of developers in your organization and you can see just how much time is lost by your team just to get setup to perform security checks. Let's provide convenience and make development faster. We can do that by centralizing the security scanning results into one tool. We recommend putting all the security findings into a Source Code Repository such as GitHub or GitLab. This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place. This means that they are more likely to make those fixes since they actually see them. You can provide this type of view to developers by buying tools such as GitHub Advanced Security. Now this won't provide all of your security tools in one place by itself. You still might need to show container or cloud findings which are not in GitHub Advanced Security. But this is where you can leverage your Source Code Repository's native CI/CD tooling. GitHub has Actions and GitLab has Runners. With this CI/CD function developers don't need to go to Jenkins and other security tools. They can use a GitHub Actions to integrate Container and Cloud findings from a tool like Prisma. This means that developers have even fewer tools from CI/CD perspectives as well less logging into security tools. Therefore, convenience improves. 
Now look at it from a longer perspective. If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce. This could be reviewed at Change Approval Board. You could also fast track developer who are coding securely. If a developer has zero findings observed in GitHub, then that code can be auto approved for the Change Approval. However, if you have high/critical findings then you need manager approvals first. These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022). This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings. Another key way we can make software faster is by performing value stream mapping exercises. Here's an example of how that reduces waste. Let's say from the time Nessus finds a vulnerability there's actually fifteen steps that need to occur within an organization to fix the vulnerability. For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it's a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc. Each of these fifteen steps take time and often require different handoffs between teams. These activities often mean that things sit in queues. This can result in waste and inefficiencies. Have your team meet with the various stakeholders and identify two time durations. One is the best-case time for how long something should go through in an optimal process. The second is the average time it takes things to go through in the current process. 
At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days. This insight can show you where you are inefficient. You can identify ways to speed up from ninety to twenty days. If you can do this faster, then developer time is gained. Now, developers don't have to wait for things to happen. Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster. OK last but not least is making software better by increasing security. At the end of the day, there are many software activities that we do which provide zero value to the business. For example, patching operating systems on servers does not increase sales. What makes the sales team sell more products? The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell. Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems? No, we did not. We are saying patching operating systems is not a value-add exercise. Here's what we do recommend. Ask every development team to identify what ike patching. Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement. You know the ones: solutions still running via on-premises VMWare software, software needing monthly java patching, and software if the wind blows the wrong way you have an unknown error. These systems are ripe for replacement. It can also be a compelling sell to executives. For example, imagine going to the CIO and CEO of Acme corporation. You highlight the Acme app is run by a staff of ten developers which fully loaded cost us about $250K each. 
Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone plus hosting fees. You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe if the team were to rewrite the application in a modern programming language using a serverless technology approach the team could lower maintenance activities from 80% to 30%. This means that the maintenance costs would decrease from $2 million to $750K each year. Therefore, you can build a financial case that leadership fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year. No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.) Now if you just did a lift and shift to AWS and ran the servers on EC-2 or ECS, then you still have to patch the instance operating systems, middle ware, and software -- all of which is a non-value add. This means that you won't reduce the maintenance activities from 80% to 30%. Don't waste developer time on these expensive transition activities; you're not going to come out ahead. Now let's instead look at how to make that maintenance go away by switching to a serverless approach. Imagine if the organization rewrote the VMware application to run on either: A third party hosted SaaS platform such as Salesforce or Office 365 or A serverless AWS application consisting of Amazon S3 buckets to handle front-end code, an Amazon API Gateway to make REST API calls to endpoints, AWS Lambda to run code to retrieve information from a Database, and Dynamo DB to store data by the application This new software shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware. 
It also means developers don't spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level. This means you made the software more secure and gave the developers more time to write new software features which can impact the business profitability. This serverless approach truly is better and more secure. There's a great story from Capital One you can look up in our show notes that discusses how they moved from EC-2 Servers to Lambda for their Credit Offers Application Interface. The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers. Capital One uses this newfound developer time to innovate, create, and expand on business requirements. So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don't add value to the business. Let's recap. World class CISOs create a world class software development organization. They do this by focusing on cheaper, faster, and better software. To perform this function CISOs increase productivity from developers by creating documentation that teaches developers how to build software the right way as well as creating a training program that promotes secure coding practices. World Class CISOs increase the convenience to developers by bringing high-confidence vulnerability lists to developers which means time savings in not weeding out false positives. Developers live in Source Code Repositories such as GitHub or GitLab, not the ten different software security tools that security organizations police. World Class CISOs remove waste by performing value stream exercises to lean out processes and make it easier for developers to be more efficient. 
Finally, World Class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game. These CISOs partner with the business to focus on finding systems that when re-architected to become serverless increase performance gains, promote cost savings, and increase developer velocity. We appreciate your time listening to today's episode. If this sparks a new idea in your head. please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment. We would love to see how you are taking these cyber lessons into your organization to make better software for all of us. Thanks again for listening to CISO Tradecraft. This is G. Mark Hardy, and until next time, stay safe out there. References https://www.sixsigmadaily.com/who-was-shigeo-shingo-and-why-is-he-important-to-process-improvement/ https://news.microsoft.com/speeches/satya-nadella-and-chris-capossela-envision-2016/ Galpin, T.J. (1996). The Human Side of Change: A Practical Guide to Organization Redesign. Jossey-Bass https://www.businesscoaching.co.uk/news/blog/how-to-break-down-barriers-to-change Ponemon Institute and IBM. (2017) The State of Vulnerability Management in the Cloud and On-Premises https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/ https://www.securecodewarrior.com/ https://www.securityjourney.com/ https://checkmarx.com/product/codebashing-secure-code-training/ https://owasp.org/www-project-benchmark/ https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security https://medium.com/capital-one-tech/a-serverless-and-go-journey-credit-offers-api-74ef1f9fde7f
Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper. As always, please follow us on LinkedIn, and subscribe if you have not already done so. Shigeo Shingo, who lived from 1909 to 1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen. He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority." Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company. You have to start thinking and operating like a digital company. It's no longer just about procuring one solution and deploying one solution… It's really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.” The first time I heard this I didn't really fully understand it. But after reflection it makes a ton of sense. For example, let's say your company couldn't send email. How much would that hurt the business? What if your company couldn't use Salesforce to look up customer information? How might that impact future sales? What if your core financial systems had database integrity issues? Any of these examples would greatly impact most businesses. So, getting high-quality software applications that enable the business is a huge win. If every company is a software or digital company, then the CISO has a rare opportunity. That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good, right?
That is the focus of today's show, and we are going to teach you how to excel in creating a world class organization through a focused program in Secure Software Development. Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that? Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security. Let's first look at increasing productivity. To increase productivity, we need to understand the Resistance Pyramid. If you know how to change people and the culture within an organization, then you can significantly increase your productivity. However, people and culture are difficult to change, and different people require different management approaches. At the bottom of the pyramid are people who are unknowing. These individuals don't know what to do. You can think of the interns in your company. They just got to your company, but don't understand what practices and processes to follow. If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance. Utilize an inquiry approach to decrease fear of not knowing, for example, "Do you know to whom I should speak about such-and-such?" or "Do you know how we do such-and-such here?" An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner. The middle part of the pyramid is people who believe they are unable to adapt to change. These are individuals that don't know how to do the task at hand. Here, communications are important, but so is skills training. Compare your team members here to an unskilled labor force -- they're willing to work but need an education to move forward.
If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company's productivity or lower your costs. At the top of the resistance pyramid are the people who are unwilling. These individuals don't want to change. We might call these folks the curmudgeons that say we tried it before, and it doesn't work. Or I'm too old to learn that. If you want to change these individuals and the culture of an organization, then you need to create motivation. As leaders, our focus to stimulate change will be on communicating, educating, and motivating. The first thing that we need to communicate is the Why. Why is Secure Software Development important? The answer is money. There are a variety of studies that have found that when software vulnerabilities get detected early in development, they are cheaper to fix than later in the production phases. Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase was $240, in the QA/Test phase was $960, and in the Production phase was $7,600. Think of that difference. $80 is about 1% of $7,600. So if a developer finds bugs in the development code then they don't just save their own time: they save the time of a second developer who doesn't have to do a failed code review, they save the time of an infrastructure engineer who has to put the failed code on a server, they save the time of a tester who has to create regression tests which fail, they save the time of a change approval board wasted on a failed release, and they save the time of the customer representatives who will respond to customers when the software is found to have issues. As you see there's a lot of time to be saved by increasing productivity, as well as a 99% cost savings for what has to be done anyway. Saving their own time is something that will directly appeal to every development team member.
To do this we need to do something called Shift Left Testing. The term shift left refers to finding vulnerabilities earlier in development. To properly shift left we need to create two secure software development programs. The first program needs to focus on the processes that an organization needs to follow to build software the right way. This is something you have to build in house. For example, think about how you want development teams to create a network diagram that architects can review. Think about the proper way to register an application in a Configuration Management Database so that there is a point of contact who can answer questions when an application is down. Think about how a developer needs to get a DNS entry created for new websites. Think about how someone needs to get a website into the various security scanning tools that your organization requires (SAST, DAST, vulnerability management, container scanning, etc.). Think about how developers should retire servers at end of life. These practices are unique to your company. They may require a help desk ticket to make something happen or, if you don't have a ticketing system, an email. We need to document all of these in one place where they can be communicated to the staff members who will be following the processes. Then our employee has a checklist of activities they can follow. Remember, if it's not in the checklist, then it won't get done. If it doesn't get done, then bad security outcomes are more likely to happen. So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company. You can place this knowledge in a wiki article, a SharePoint site, a Confluence page, or some kind of website. Make sure to communicate this frequently. For example, have the CIO or CISO share it at the IT All Hands meeting. Send it out in monthly newsletters. Refer to it in security discussions and architecture review boards.
The more it's communicated, the more unknowing employees will hear about it and change their behavior. The second program that you should consider building is a secure code training platform. You can think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Codebashing. These secure code training solutions are usually bought by organizations instead of being created in-house. They teach developers how to write more secure code. For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?" If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code. Make these types of training programs available to every developer in your company. Lastly, we need to find a way to motivate the curmudgeons. One way to do that is the following: Let's say you pick one secure coding platform and create an initial launch. The first two hundred people in the organization that pass the secure developer training get a one-time bonus of $200. This perk might get a lot of people interested in the platform. You might even get 10-20% of your organization taking the training in the first quarter of the program. The second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorably than their peers. Guess what? You will see more and more people taking the training class. Perhaps you see that 50% of your developer population becomes certified. Then the following year you say that since so many developers are now certified, passing this training is now expected to achieve the rank of Senior Developer within the organization. It becomes something HR folks look for during promotion panels.
This gradual approach to move the ball in training can work and has been proven to increase the secure developer knowledge base. Here's a pro tip: Be sure to create some kind of badges or digital certificates that employees can share. You might even hand out stickers upon completion that developers can proudly place on their laptops. Simple things like this can increase visibility. They can also motivate people you didn't think would change. Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it's time to increase convenience and reduce waste. Do you know what developers hate? Well, other than last-minute change requests. They hate inefficiencies. Imagine if you get a vulnerability report that says you have a bug on line 242 in your code. So you go to the code, and find there really isn't a bug; it's just a false positive in the tool. This false bug detection really, well, bugs developers. So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the tool's true and false positive rates. One way to do this is to run the tools you are considering against the OWASP Benchmark. (We have a link to the OWASP Benchmark in our show notes.) The OWASP Benchmark allows companies to test tools against a deliberately vulnerable website with vulnerable code. In practice, testing tools flag both good code and bad code. These results should be compared against the ground truth data to determine how many true and false positives were found. For example, if the tool you choose has a 90% True Positive Rate and a 90% False Positive Rate, then that means the tool pretty much reports everything as vulnerable. This means valuable developer time is wasted and they will hate the tool despite its value. If the tool has a 50% True Positive Rate and a 50% False Positive Rate, then the tool is essentially reporting randomly.
Once again, this results in lost developer confidence in the tool. You really want tools that have high True Positive Rates and low False Positive Rates. Optimize accordingly. Another developer inefficiency is the number of tools developers need to leverage. If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for vulnerability management findings, WebInspect for DAST findings, Prisma for container findings, and TruffleHog for secrets scanning, it becomes a burden. If ten systems require two minutes of logging in and setup each, that's twenty minutes of unproductive time. Multiply that by the number of developers in your organization and you can see just how much time is lost by your team just getting set up to perform security checks. Let's provide convenience and make development faster. We can do that by centralizing the security scanning results into one tool. We recommend putting all the security findings into a Source Code Repository such as GitHub or GitLab. This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place. This means that they are more likely to make those fixes since they actually see them. You can provide this type of view to developers by buying tools such as GitHub Advanced Security. Now this won't provide all of your security tools in one place by itself. You still might need to show container or cloud findings which are not in GitHub Advanced Security. But this is where you can leverage your Source Code Repository's native CI/CD tooling. GitHub has Actions and GitLab has Runners. With this CI/CD function developers don't need to go to Jenkins and other security tools. They can use GitHub Actions to integrate container and cloud findings from a tool like Prisma. This means that developers have even fewer tools from a CI/CD perspective as well as less logging into security tools. Therefore, convenience improves.
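The true/false positive rate check described above, as an added example that is not code from the episode or from the OWASP Benchmark project. It scores two hypothetical scanners against constructed, Benchmark-style ground truth (the CSV layouts only mimic the real files and are an assumption), computing per-category TPR, FPR and the Benchmark's score of TPR minus FPR, so the "flags everything" and "coin flip" cases from the episode both come out at zero.

```python
"""Score scanner findings against labelled ground truth, OWASP Benchmark style.

Added example for this episode; it is not code from CISO Tradecraft or from the
OWASP Benchmark project. The CSV snippets are constructed and only mimic the
Benchmark's expected-results layout (test name, category, real vulnerability,
CWE) and a scanner's findings (test name, CWE); the real files are larger and
their exact column layout is an assumption here.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed ground truth: four SQL injection and four XSS test cases,
# half of which are real flaws and half of which only look like flaws.
GROUND_TRUTH_CSV = """\
test name,category,real vulnerability,cwe
BenchmarkTest00001,sqli,true,89
BenchmarkTest00002,sqli,false,89
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,false,89
BenchmarkTest00005,xss,true,79
BenchmarkTest00006,xss,false,79
BenchmarkTest00007,xss,true,79
BenchmarkTest00008,xss,false,79
"""

# Constructed findings from a hypothetical scanner that flags every test case.
FLAGS_EVERYTHING_CSV = """\
test name,cwe
BenchmarkTest00001,89
BenchmarkTest00002,89
BenchmarkTest00003,89
BenchmarkTest00004,89
BenchmarkTest00005,79
BenchmarkTest00006,79
BenchmarkTest00007,79
BenchmarkTest00008,79
"""

# Constructed findings from a hypothetical scanner that is selective: it gets
# the SQL injection cases mostly right but effectively guesses on XSS.
SELECTIVE_CSV = """\
test name,cwe
BenchmarkTest00001,89
BenchmarkTest00003,89
BenchmarkTest00004,89
BenchmarkTest00005,79
BenchmarkTest00008,79
"""


def load_ground_truth(text):
    """Map each test name to (category, is_real_flaw, cwe)."""
    truth = {}
    for row in csv.DictReader(StringIO(text)):
        is_real = row["real vulnerability"].strip().lower() == "true"
        truth[row["test name"]] = (row["category"], is_real, int(row["cwe"]))
    return truth


def load_findings(text):
    """Return the set of (test name, cwe) pairs the scanner reported."""
    return {(row["test name"], int(row["cwe"])) for row in csv.DictReader(StringIO(text))}


def score(truth, findings):
    """Per-category confusion counts, true/false positive rates and the
    Benchmark-style score, which is simply TPR minus FPR (Youden's index)."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for name, (category, is_real, cwe) in truth.items():
        # A finding only counts if it names the right test case AND the right CWE.
        reported = (name, cwe) in findings
        if is_real:
            counts[category]["tp" if reported else "fn"] += 1
        else:
            counts[category]["fp" if reported else "tn"] += 1
    results = {}
    for category, c in counts.items():
        positives, negatives = c["tp"] + c["fn"], c["fp"] + c["tn"]
        tpr = c["tp"] / positives if positives else 0.0
        fpr = c["fp"] / negatives if negatives else 0.0
        results[category] = {**c, "tpr": tpr, "fpr": fpr, "score": tpr - fpr}
    return results


def overall_score(results):
    """Average of the per-category scores: one number to compare tools on."""
    return sum(r["score"] for r in results.values()) / len(results)


def describe(result):
    """Translate a category result into the episode's language."""
    if result["tpr"] >= 0.9 and result["fpr"] >= 0.9:
        return "reports nearly everything as vulnerable"
    if abs(result["score"]) < 0.1:
        return "no better than guessing"
    return f"useful signal (score {result['score']:.2f})"


if __name__ == "__main__":
    truth = load_ground_truth(GROUND_TRUTH_CSV)
    for label, text in (("flags everything", FLAGS_EVERYTHING_CSV),
                        ("selective", SELECTIVE_CSV)):
        results = score(truth, load_findings(text))
        print(f"{label}: overall score {overall_score(results):.2f}")
        for category, r in sorted(results.items()):
            print(f"  {category}: TPR {r['tpr']:.2f} FPR {r['fpr']:.2f} -> {describe(r)}")
```

Swap the constructed CSV text for the Benchmark's expected-results file and a scanner's exported findings to score a real tool the same way.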
Now look at it from a longer perspective. If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce. This could be reviewed at the Change Approval Board. You could also fast track developers who are coding securely. If a developer has zero findings observed in GitHub, then that code can be auto approved for the Change Approval. However, if you have high/critical findings, then you need manager approval first. These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022). This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings. Another key way we can make software faster is by performing value stream mapping exercises. Here's an example of how that reduces waste. Let's say from the time Nessus finds a vulnerability there are actually fifteen steps that need to occur within an organization to fix the vulnerability. For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it's a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc. Each of these fifteen steps takes time and often requires handoffs between teams. These activities often mean that things sit in queues. This can result in waste and inefficiencies. Have your team meet with the various stakeholders and identify two time durations. One is the best-case time for how long something should take to go through an optimal process. The second is the average time it takes things to go through the current process.
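The change-approval gate described earlier in this passage (zero open findings auto-approved, any open high or critical finding routed to a manager), as an added example that is not code from the episode or from GitHub. The alert records are constructed and only mimic the shape of GitHub's code scanning alerts API (state, rule.security_severity_level, most_recent_instance.location); the "standard-review" path for open low/medium findings is an assumption the episode does not specify.

```python
"""Decide the change-approval path for a release from its code scanning alerts.

Added example for this episode; it is not code from CISO Tradecraft or from
GitHub. The alert records are constructed and shaped like the fields GitHub's
code scanning alerts API returns (state, rule.security_severity_level,
most_recent_instance.location); fetching them from the API is left out so the
example runs offline. The "standard-review" path for open low/medium findings
is an assumption; the episode only specifies the zero-findings and
high/critical cases.
"""
AUTO_APPROVE = "auto-approve"          # zero open findings: skip the CAB meeting
MANAGER_APPROVAL = "manager-approval"  # open high/critical findings
STANDARD_REVIEW = "standard-review"    # assumption: open findings, none high/critical

BLOCKING_LEVELS = {"high", "critical"}

# Constructed alerts for one release candidate; rule ids and paths are illustrative.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "js/sql-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/db.js", "start_line": 242}}},
    {"number": 2, "state": "dismissed",  # triaged by the team as a false positive
     "rule": {"id": "js/xss", "security_severity_level": "critical"},
     "most_recent_instance": {"location": {"path": "src/view.js", "start_line": 17}}},
    {"number": 3, "state": "open",
     "rule": {"id": "js/log-injection", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "src/log.js", "start_line": 5}}},
    {"number": 4, "state": "fixed",  # already remediated on this branch
     "rule": {"id": "js/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/files.js", "start_line": 88}}},
]


def open_alerts(alerts):
    """Only alerts still open count; dismissed and fixed ones must not block a release."""
    return [a for a in alerts if a.get("state") == "open"]


def severity(alert):
    """Security severity of an alert; missing data becomes 'unknown' rather than being ignored."""
    return (alert.get("rule", {}).get("security_severity_level") or "unknown").lower()


def change_approval_decision(alerts):
    """Return (decision, alerts that drove it) for a release candidate."""
    live = open_alerts(alerts)
    if not live:
        return AUTO_APPROVE, []
    blocking = [a for a in live if severity(a) in BLOCKING_LEVELS]
    if blocking:
        return MANAGER_APPROVAL, blocking
    return STANDARD_REVIEW, live


def approval_summary(alerts):
    """Open-alert counts per severity, suitable for the approval record."""
    counts = {}
    for alert in open_alerts(alerts):
        counts[severity(alert)] = counts.get(severity(alert), 0) + 1
    return counts


def describe_alert(alert):
    """One-line description of where a blocking finding lives."""
    loc = alert.get("most_recent_instance", {}).get("location", {})
    return (f"#{alert['number']} {alert['rule']['id']} ({severity(alert)}) "
            f"at {loc.get('path')}:{loc.get('start_line')}")


if __name__ == "__main__":
    decision, drivers = change_approval_decision(SAMPLE_ALERTS)
    print(decision, approval_summary(SAMPLE_ALERTS))
    for alert in drivers:
        print("  ", describe_alert(alert))
```

Dismissed and fixed alerts are deliberately excluded so a finding the team already triaged does not keep sending the same release back to a manager.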
At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days. This insight can show you where you are inefficient. You can identify ways to speed up from ninety to twenty days. If you can do this faster, then developer time is gained. Now, developers don't have to wait for things to happen. Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster. OK, last but not least is making software better by increasing security. At the end of the day, there are many software activities that we do which provide zero value to the business. For example, patching operating systems on servers does not increase sales. What makes the sales team sell more products? The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell. Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems? No, we did not. We are saying patching operating systems is not a value-add exercise. Here's what we do recommend. Ask every development team to identify what maintenance activities they perform, like patching. Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement. You know the ones: solutions still running via on-premises VMware software, software needing monthly Java patching, and software that throws an unknown error if the wind blows the wrong way. These systems are ripe for replacement. It can also be a compelling sell to executives. For example, imagine going to the CIO and CEO of Acme corporation. You highlight that the Acme app is run by a staff of ten developers who, fully loaded, cost us about $250K each.
Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone plus hosting fees. You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe if the team were to rewrite the application in a modern programming language using a serverless technology approach, the team could lower maintenance activities from 80% to 30%. This means that the maintenance costs would decrease from $2 million to $750K each year. Therefore, you can build a financial case that leadership fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year. (No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.) Now if you just did a lift and shift to AWS and ran the servers on EC2 or ECS, then you still have to patch the instance operating systems, middleware, and software -- all of which is a non-value add. This means that you won't reduce the maintenance activities from 80% to 30%. Don't waste developer time on these expensive transition activities; you're not going to come out ahead. Now let's instead look at how to make that maintenance go away by switching to a serverless approach. Imagine if the organization rewrote the VMware application to run on either a third-party hosted SaaS platform such as Salesforce or Office 365, or a serverless AWS application consisting of Amazon S3 buckets to serve the front-end code, an Amazon API Gateway to route REST API calls to endpoints, AWS Lambda to run the code that retrieves information from a database, and DynamoDB to store the application's data. This shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware.
It also means developers don't spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level. This means you made the software more secure and gave the developers more time to write new software features which can impact the business's profitability. This serverless approach truly is better and more secure. There's a great story from Capital One you can look up in our show notes that discusses how they moved from EC2 servers to Lambda for their Credit Offers API. The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers. Capital One uses this newfound developer time to innovate, create, and expand on business requirements. So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don't add value to the business. Let's recap. World class CISOs create a world class software development organization. They do this by focusing on cheaper, faster, and better software. To perform this function CISOs increase productivity from developers by creating documentation that teaches developers how to build software the right way as well as creating a training program that promotes secure coding practices. World class CISOs increase the convenience to developers by bringing high-confidence vulnerability lists to developers, which means time savings in not weeding out false positives. Developers live in Source Code Repositories such as GitHub or GitLab, not the ten different software security tools that security organizations police. World class CISOs remove waste by performing value stream exercises to lean out processes and make it easier for developers to be more efficient.
Finally, World Class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game. These CISOs partner with the business to focus on finding systems that when re-architected to become serverless increase performance gains, promote cost savings, and increase developer velocity. We appreciate your time listening to today's episode. If this sparks a new idea in your head. please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment. We would love to see how you are taking these cyber lessons into your organization to make better software for all of us. Thanks again for listening to CISO Tradecraft. This is G. Mark Hardy, and until next time, stay safe out there. References https://www.sixsigmadaily.com/who-was-shigeo-shingo-and-why-is-he-important-to-process-improvement/ https://news.microsoft.com/speeches/satya-nadella-and-chris-capossela-envision-2016/ Galpin, T.J. (1996). The Human Side of Change: A Practical Guide to Organization Redesign. Jossey-Bass https://www.businesscoaching.co.uk/news/blog/how-to-break-down-barriers-to-change Ponemon Institute and IBM. (2017) The State of Vulnerability Management in the Cloud and On-Premises https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/ https://www.securecodewarrior.com/ https://www.securityjourney.com/ https://checkmarx.com/product/codebashing-secure-code-training/ https://owasp.org/www-project-benchmark/ https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security https://medium.com/capital-one-tech/a-serverless-and-go-journey-credit-offers-api-74ef1f9fde7f
Web3 is a live experiment that is happening now. Around us. To us. By us. How will it affect privacy and security? Let's find out.

In this conversation with Black Hat speaker Nathan Hamiel, we explore the definition and promise of Web3 and its impact — positive and negative — on society.

About the Session "From Hackathon to Hacked: Web3's Security Journey": If there's one prediction you can make with certainty, it's that security in the Web3/blockchain space will get a whole lot worse before it gets better. We have the perfect cocktail of inexperience mixed with emerging technology playing out in full public view with large sums at stake and the permanence of immutable transactions. The result is predictable. An environment free from constraints can seem like an innovation paradise, but when the stakes are so high, you have to get everything right the first time because there may not be a next time. We tend to forget that what we see from this space are experiments playing out in production, and the time between exploitation and losing millions of dollars worth of value can be measured in seconds. So, how did we get here? Is it all doom and gloom? What can be done?

This talk is a grounded look at the factors contributing to the security failures we've witnessed, free from the hype and hatred associated with the space. We look at the similarities and differences between the development of this new technology and more traditional applications and how some of the attacks manifested. Better testing and tools aren't enough to solve the problem. We discuss actionable steps projects and chains can use today to address these issues and make the ecosystem safer for projects and users.

Be sure to catch all of our conversations from Black Hat and DEF CON 2022 at https://www.itspm.ag/bhdc22

Guest
Nathan Hamiel, Senior Director of Research at Kudelski Security [@KudelskiSec]
On LinkedIn | https://www.linkedin.com/in/nathanhamiel/
On Twitter | https://twitter.com/nathanhamiel

This Episode's Sponsors
CrowdSec | https://itspm.ag/crowdsec-b1vp
Edgescan | https://itspm.ag/itspegweb
Pentera | https://itspm.ag/pentera-tyuw

Resources
Session | From Hackathon to Hacked: Web3's Security Journey: https://www.blackhat.com/us-22/briefings/schedule/index.html#from-hackathon-to-hacked-webs-security-journey-26692
Kudelski Security Research Blog: https://research.kudelskisecurity.com/

For more Black Hat and DEF CON Event Coverage podcast and video episodes visit: https://www.itspmagazine.com/black-hat-2022-and-def-con-hacker-summer-camp-las-vegas-usa-cybersecurity-event-and-conference-coverage

Are you interested in telling your story in connection with Black Hat and DEF CON by sponsoring our coverage?
In this episode of the Application Security Podcast, Chris Romeo walks through the origin story of Security Journey and shares some experiences taking a security startup from bootstrap to acquisition. Chris talks about how and why he started the company, what defining factors made Security Journey successful and why they're being acquired now. He ends by giving an overview of what to expect from Security Journey moving forward. We hope you enjoy this conversation with… Chris Romeo.

Check out these resources for more information about the acquisition!
Press Release: https://www.accesswire.com/702562/HackEDU-Acquires-Security-Journey-to-Provide-the-Most-Comprehensive-Application-Security-Training-Offering-Helping-Development-Teams-Deliver-Secure-Code-and-Protect-Data
Chris's Blog Post: https://www.securityjourney.com/post/hackedu-acquires-security-journey
Joe's Blog Post: https://www.hackedu.com/blog/hackedu-acquires-security-journey-to-create-industry-leading-application-security-offering
1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy - https://www.usenix.org/publications/l...
We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Evaluation Criteria.
2. In-depth research and trends analyzed from 50+ different concepts as code - https://www.jedi.be/blog/2022/02/23/t...
• DevSecOps as code explosion
• Data as code
• Capturing knowledge as code
3. Security Journey Provides Free Application Security Training Environment for OWASP® Members - https://www.securityjourney.com/post/...
Security Journey's OWASP dojo will be open and available to all OWASP members starting April 1st. Members can access it in their member portal.
4. GitHub - 99designs/aws-vault: A vault for securely storing and accessing AWS credentials in development environments - https://github.com/99designs/aws-vault
AWS Vault is a tool to securely store and access AWS credentials in a development environment.
5. Avoiding the top Nginx configuration mistakes (nginx.com) - https://www.nginx.com/blog/avoiding-t...
This blog takes a deep look at 10 of the most common errors, sometimes committed even by NGINX engineers. The article explains what the 10 most common mistakes are and how to fix them.
As product managers, we're taught to prioritize customer needs above all else. If that's correct, where does threat modeling land in our list of priorities? After all, if we can't provide a secure solution, our users will go elsewhere. Chris Romeo, CEO and co-founder of Security Journey, suggests we "shift left" to get these concepts … The post 82 / Threat Modeling for Product Managers appeared first on ITX Corp.
Protect your open source project from supply chain attacks - https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html?m=1
This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks.

Trojan Source Attacks - https://trojansource.codes/
Some vulnerabilities are invisible: rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. The attack uses control characters embedded in comments and strings to reorder source code characters in a way that changes its logic.

An Opinionated Guide on How to Reverse Engineer Software, Part 1 - https://margin.re/media/an-opinionated-guide-on-how-to-reverse-engineer-software-part-1.aspx
"This is an opinionated guide. After 12 years of reverse engineering professionally, I have developed strong beliefs on how to get good at RE."

AppSec Things to Watch in 2022 - https://www.securityjourney.com/post/appsec-things-to-watch-in-2022
It's that time of the year again when everyone under the sun comes up with predictions. We're not fans of predictions, so instead, we give you Security Journey's Application Security Things to Watch in 2022.

AWS WAF's Dangerous Defaults - https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/
Any malicious payload that starts after the 8KB limit in a POST request will completely bypass your WAF unless you've explicitly added a rule to block any POST request greater than 8KB in size. Even the simplest SQL injection, the legendary '1=1', can fly right by.
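The Trojan Source item above describes the attack but not how to catch it. The scanner below is an added example (not code from trojansource.codes or the paper): it flags the nine Unicode bidirectional control characters that the attack hides in comments and string literals, reports them with editor-style line:column positions, and rewrites a line so the controls become visible to a reviewer. The sample source it ships with is constructed for this demo and is not taken from the page.

```python
"""Detector for the Unicode bidirectional (bidi) control characters that Trojan
Source attacks hide in comments and string literals. Added example, not code
from trojansource.codes; the sample source below is constructed for this demo."""
import sys
import unicodedata
from typing import List, Tuple

# The nine bidi formatting characters: embeddings (LRE/RLE), overrides (LRO/RLO),
# the PDF terminator, and the isolates (LRI/RLI/FSI) with their PDI terminator.
# None of them belongs in source code: compilers ignore them inside comments and
# strings, but editors and diff viewers reorder the text they display.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def find_bidi_controls(source: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, Unicode name) for every bidi control in `source`.
    Lines and columns are 1-based so they match editor and CI output."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def render_visible(line: str) -> str:
    """Replace each bidi control with a <U+XXXX> marker so a reviewer sees the
    logical character order that the editor would otherwise hide."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in line)


def scan_file(path: str) -> List[Tuple[int, int, str]]:
    """Scan one file; surrogateescape keeps undecodable bytes from aborting the scan."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample of the "early return" pattern: the RLI (U+2067) inside the
# docstring makes an editor display the trailing `''' ;return` right-to-left,
# so the line appears to end with the word return followed by the closing
# quotes (i.e. still inside the docstring), while Python actually parses the
# docstring, then a real `;return` that exits before any funds are subtracted.
SAMPLE_SOURCE = (
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
)


if __name__ == "__main__":
    # With no arguments, scan the built-in sample; otherwise scan the given files.
    targets = sys.argv[1:]
    if targets:
        findings = [(p, h) for p in targets for h in scan_file(p)]
    else:
        findings = [("<sample>", h) for h in find_bidi_controls(SAMPLE_SOURCE)]
    for path, (lineno, col, name) in findings:
        print(f"{path}:{lineno}:{col}: {name}")
    sys.exit(1 if findings else 0)
```

Run it as a pre-commit or CI step over every tracked text file; a non-zero exit on any finding is the right default, because a legitimate reason to have a bidi control in a source file is rare enough to handle with an explicit allow-list.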
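The AWS WAF item above makes a precise claim: a signature rule that is only handed the first 8 KB of a POST body cannot see anything placed after that point, and only an explicit size rule closes the gap. The code below is an added example, not the post's code and not AWS WAF itself: it is a constructed model in which a toy signature rule inspects only the first `INSPECT_LIMIT` bytes, a probe body pushes the classic `OR 1=1` past that window, and a size-constraint rule is the fix. The 8192-byte figure is the one the post quotes; the signature, the probe and the rule-evaluation order are assumptions made for the demo.

```python
"""Model of the body-inspection limit the post describes. Added example, not the
post's code and not AWS WAF itself; the 8192-byte figure is the one the post
quotes, everything else is a constructed stand-in."""
import re
from urllib.parse import unquote_plus, urlencode

INSPECT_LIMIT = 8192  # bytes of body the post says the WAF inspects by default

# Deliberately simple SQLi signature so the demo stays readable; real managed
# rules are far broader, but the inspection limit applies to them the same way.
SQLI_SIGNATURE = re.compile(r"\bor\b\s+1\s*=\s*1", re.IGNORECASE)


def build_body(fields: dict) -> bytes:
    """application/x-www-form-urlencoded body, field order preserved."""
    return urlencode(fields).encode()


def build_padded_probe(payload: str, limit: int = INSPECT_LIMIT) -> bytes:
    """Constructed probe: a harmless filler field longer than `limit` comes
    first, so `payload` starts beyond the inspected window."""
    return build_body({"note": "A" * (limit + 1), "id": payload})


def signature_verdict(body: bytes, limit: int = INSPECT_LIMIT) -> str:
    """Stand-in for a managed rule: it is handed only body[:limit], applies a
    URL_DECODE text transformation, then looks for the signature."""
    window = unquote_plus(body[:limit].decode("latin-1"))
    return "BLOCK" if SQLI_SIGNATURE.search(window) else "ALLOW"


def size_constraint_verdict(body: bytes, limit: int = INSPECT_LIMIT) -> str:
    """The rule the post recommends adding: reject any body larger than the
    window, because whatever lies past it was never inspected."""
    return "BLOCK" if len(body) > limit else "ALLOW"


def web_acl_verdict(body: bytes, *, oversize_rule: bool, limit: int = INSPECT_LIMIT) -> str:
    """Evaluate rules in priority order; the first BLOCK wins, as in a web ACL."""
    rules = [signature_verdict]
    if oversize_rule:
        rules.insert(0, size_constraint_verdict)
    for rule in rules:
        if rule(body, limit) == "BLOCK":
            return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    small = build_body({"id": "1' OR 1=1 --"})
    probe = build_padded_probe("1' OR 1=1 --")
    print("small body, signature only :", web_acl_verdict(small, oversize_rule=False))
    print("padded probe, signature only:", web_acl_verdict(probe, oversize_rule=False))
    print("padded probe, with size rule:", web_acl_verdict(probe, oversize_rule=True))
```

The same probe is a cheap regression test for the real thing: send it at a staging endpoint behind your WAF and confirm you get a block, not a 200. In AWS WAF the fix is a size constraint rule on the request body that blocks when the size is greater than the inspected limit; put it at a higher priority than the managed rule groups so the oversized body is rejected before any signature runs.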
On this episode of Ask A CISO, Raphaël Peyret, Horangi's VP of Product, took the opportunity to ask Jeremy Snyder, a veteran cloud security practitioner, about the evolution of cloud security - how it became what we have today from its early, simpler days. Jeremy also gives us a glimpse of where cloud security is heading and three practical tips on how you can get started on your cloud security journey.
In this episode I share my 4.5 year journey in cyber security. Feel free to connect with me on LinkedIn https://www.linkedin.com/in/ayo-adeojo/
Deneen DeFiore, Vice President and Chief Information Security Officer at United Airlines, joins host Alissa (Dr Jay) Abdullah, PhD, SVP & Deputy CSO at Mastercard, in this episode of the CISO 500. Deneen quickly shares her path to becoming a CISO, discusses how to approach the data security journey, what a "dynamic risk management approach" means, and more. For more on cybersecurity, visit us at https://cybersecurityventures.com Sponsored by Mastercard. https://mastercard.us/en-us.html
Steve Dotson, CISO at Acoustic, discusses tools of the trade to build security programs at high-growth technology companies. What does your first 90 days as a security executive look like? How do you get a seat at the table with executives? How do you get a budget approved? How do you build a team? As a start-up advisor and investor, CISO, and business executive, Steve has built security teams at organizations ranging from multi-billion-dollar enterprises to start-ups. In this episode of Tuesday Morning Grind, Christian and Steve discuss what it takes to be an effective security executive. About risk3sixty: risk3sixty is a security, privacy, and compliance consulting firm that helps high-growth technology organizations build, manage, and assess security and privacy programs. It offers services related to SOC 2, ISO 27001, PCI DSS, HITRUST, Virtual CISO, Privacy Programs (GDPR, CCPA, etc.), Penetration Testing, and Phalanx, a GRC platform built for cloud technology companies. You can learn more about risk3sixty at www.risk3sixty.com.
VP of Security at SalesLoft, Mike Meyer, provides insight into building a program for a unicorn start-up. SalesLoft has received nearly $250M in funding and was recently valued at over $1.1 Billion. To say their growth has been meteoric is not an exaggeration. During that growth, Mike Meyer has worked to build a security program that can scale with the organization. Under Mike's leadership, SalesLoft has achieved ISO 27001 certification, worked to build trust with clients, and forged relationships across the organization that instill a culture of security. In this episode of Tuesday Morning Grind, Mike shares much of his wisdom in how to build security programs – and why context matters.
Dima Kotik is an Application Security Engineer at Security Journey and has been programming in Python for years. While building out Security Journey's Secure Coding with Python content, he came across the Zen of Python, a set of guidelines for how to program in Python. He wrote a blog post about how to apply application security to the Zen of Python, and then we recorded this interview to talk about the concept in more depth. We hope you enjoy this interview with… Dima Kotik.
Dinesh Sharma, Director of Information Security Governance at Epiq, joins us on the ISO Show today. He discusses ISO 27001, his in-depth experience of this standard, how it's working for Epiq, lessons learned, and how he manages this globally for Epiq Global. We are so excited to interview Dinesh! He has a wealth of experience in implementing frameworks like ISO 27001 and PCI DSS, ranging from developing information security policies and procedures and managing risk assessments to delivering security training and awareness and overseeing internal audits. He also has expert experience in security management and governance, as his last 15 years have focused on information security.

You'll learn about:
• What Epiq does
• What it means to be Director of Information Security Governance
• Setting up a security team and managing it in terms of global responsibilities
• Continual improvement at Epiq
• Dispelling ISO 27001 myths
• What has worked well for Epiq in relation to ISO 27001

First and foremost, let's dive into what Epiq is and does…

What does Epiq do?
Epiq, primarily based in the U.S., is a global professional services company operating in approximately 25 countries, including Germany, Belgium, India, London and so many more. Epiq primarily provides support to the legal industry (law firms and the legal departments within large organisations). Their key service is around E-discovery. This is where there is potentially an investigation, or two parties are about to enter litigation, and processes need to happen around data collection, data review, forensics, processing and document review. Epiq can make all of this much more efficient and cost-effective for clients! Another core service Epiq provides is court reporting and transcription services. Other services include business transformation services, class-action and a range of other services.
Now, let's find out more about Dinesh's role…

Role at Epiq
Dinesh is part of the global information security function at Epiq. They have a dedicated global information security team to support the business. Dinesh's specific role is to lead the security governance side of things. This means that he manages and helps to define the information security policy set and Information Security Management System (ISMS) within Epiq. He also leads and coordinates the internal security assessments (part of which is internal ISMS audits as well as internal security audits across Epiq). He even reviews and provides input on the security clauses in client and vendor contracts to ensure they align with the policies of Epiq. His team also delivers staff security awareness and training. Finally, his team manages security certifications including ISO 27001 (very relevant for today!).

So, let's explore how a mature ISMS is managed…

How to go about setting up a security team and managing it in terms of global responsibilities?
At Epiq they have a dedicated team within their information security function for security operations. This team oversees the security toolset and monitors the alerts from it, such as their endpoint detection and the logging and alerting around network security. This security operations team also takes the lead on defining their processes and handling any security incidents. So, they have a separate team for this specifically. They also have a separate team for security architecture and security engineering. These teams work very closely with the business to make sure that security is considered and embedded within the projects and new offerings Epiq has as a business, as well as developing their tools.
So, if Epiq is looking to implement a new security tool, this team will be very involved in looking at the different vendors that provide that offering, how it would be embedded and work within the infrastructure of Epiq, and the environments in which they serve their clients. So, Epiq has the structure of sub-teams within the security function well defined! Of course, sitting on top of this, Epiq is very fortunate to have some very experienced and very qualified leadership coming into that team. The governance and operations side is managed by a gentleman called Jason. He has lots of experience and brings experience from other industries he's worked with. He has a peer called Andrew, who looks after the engineering and architecture side. Epiq also has a new Chief Security Officer (CSO) who is very knowledgeable and savvy. He is doing a really good job of lifting the profile not only of security within the organisation, but also of Epiq's security functions. So, they are fortunate to have that leadership as well. This is fantastic… when organisations are starting to implement an ISMS, we always find that leadership commitment is so key! It's great to hear that Epiq has a mature management system yet is still continuing to focus on leadership commitment and bringing that in from various angles across the organisation.

In terms of the ISMS then… Epiq works with many other security standards, so what we want to know is how their ISMS helps them to manage all their activities. Well, looking at the requirements of ISO 27001 and setting up an ISMS that works, Dinesh thinks the most important thing it gives an organisation, regardless of what level of maturity it is at, is a framework of the basic components and principles that you should have in place, or should consider having. This is because if you want to go for certification to ISO 27001, then you must have some of these things in place.
Dinesh very much sees this as a baseline! Once you establish that baseline, you've got the documentation, the processes which support the documents and the staff in place who can deliver on those processes. You then think: 'what can you do to increase the maturity?' A big part of ISO 27001 is continual improvement. This is something Dinesh thinks is very important and puts a lot of focus on in his role. So, that's all tied in with the internal security reviews that they do and the internal assessments that happen. But any feedback they get from the business, or any input or discussions they have with the business which can raise or flag something, e.g. as a potential blocker, is put onto their continual improvement register to work on with the team or the business area. It might be something they have to work on themselves. The important thing is to always look out for these kinds of things. That's why this is a key area of focus for Dinesh in his role, as he thinks about what can improve each step of the ISMS in Epiq. However, a lot of companies, once they've completed the assessment, think that's the job done. But you can't put your feet up just yet! This is only the beginning of the journey, which is why Dinesh identifies this as the baseline and the foundation to be used for continual improvement. So, let's look at what Epiq has implemented in relation to continual improvement, which has been above and beyond this baseline.

Epiq and continual improvement
Epiq has implemented Critical Asset Reviews. They identified their 15 most critical assets and, instead of doing a full security review, they pick the 10 most important controls and other controls they think would deliver the highest level of security if they had them in place. So, they have done a very focused security review, based on risk and what they think their most important assets are. They dig deep into what the risks and issues are and, by acting on these, it moves Epiq to another level.
Now, let's move onto the part where we dispel myths around ISO standards!

Dispelling ISO 27001 myths
Dinesh believes that a good understanding of ISO 27001 is needed to know what the standard actually means. There is a difference between being aligned with and being certified to ISO 27001. An independent review of your ISMS is really important, as it shows you haven't just picked and chosen which parts of the core standard you're going to implement; it shows that you've had to do them all and have had that verified and tested. This provides a level of assurance to your organisation and stakeholders. That's why there is such a big difference between being aligned to the standard and being compliant with it.

Finally, I'm sure our audience would love to know…

What has worked well from an information security perspective in relation to ISO 27001?
Dinesh identifies top-level management commitment within a business as the most crucial thing in any implementation of a standard. The business needs to understand the importance of information security. So, everyone needs to be aware of what the benefits are, what's going on and what is important; having this conversation in your business really makes everything easier, according to Dinesh. Epiq does this during their management reviews, where all four of their CEOs attend. They take the management review section of ISO 27001 and cover most of it in their quarterly meetings, and because this is visibly supported by their CEO, the business leaders reporting to the CEO and all their directors attend the management reviews as well. So, they all understand what's going on, what's important and what the key risks are from the security team's perspective. That's it from Dinesh!
We hope you enjoyed learning about Epiq's journey… it's inspirational to hear how Epiq is still developing, evolving and improving, and still getting such fantastic commitment from the very top. It clearly demonstrates Epiq Global's commitment to information security without a shadow of a doubt!

Contact details for Dinesh, if you have any enquiries or would simply like to connect with him:
Email: dsharma@epiqglobal.co.uk
Website: Epiqglobal.com
LinkedIn: uk.linkedin.com/in/dineshcsharma
On this episode of the Futurum Tech Webcast, Interview Series, I was joined by Dell Technologies' Rick Martinez and John Boyle for a conversation about navigating the hardware security journey. Rick is Senior Distinguished Engineer, Sr. Director at Dell Technologies and John is part of Dell Technologies' Cyber Security and Supply Chain Defense Product Management team. Enterprise-wide security requires a shield, or a security posture, that follows and protects devices throughout all aspects of the hardware journey, encompassing the external supply chain, internal implementation, and ongoing end-user operations and device management.

Four Keys to Navigating the Hardware Security Journey
Our team at Futurum partnered with Dell Technologies to develop the white paper Four Keys to Navigating the Hardware Security Journey, and this conversation covered some of the key insights in the report. This was a long-term research initiative that began in 2019 and concluded in mid-2020. We wanted to better understand the level and types of threats encountered by companies today, and the measures, practices, and policies those organizations employ to address these threats throughout the entire security journey. Our research included an in-depth study of over 1,000 technology and security pros directly involved in the planning, implementation, management, or operations of security, risk, and compliance activities related to device-level security. The demographics of our survey group included:
• US Federal Government – 29%
• State or Local Govt & Education – 30%
• Defense Industrial Base – 17%
• Critical Infrastructure Sectors – 22%
• Commercial Industries – 2%

Our conversation in this roundtable discussion centered on the four key insights derived from this research:
• Understanding you are the target — security threats can come from all directions, both internal and external, malicious or accidental, found in your end-user devices and throughout your partner ecosystem and supply chain. And they can be in software and in hardware.
• Security is built from the ground up — and needs to be a foundational part of business operations. Security breaches must be detected to be observed, and organizations with a security framework in place may be better able to identify and stop attacks.
• Every security journey needs guardrails and frameworks — 75% of enterprises that utilize a security framework say they have experienced a security breach in the past. Conversely, enterprises that do not utilize a security framework say they have not been breached — ever.
• Security paradise is found by the dashboard lights — really! We believe that it's hard to identify what you can't see. When it comes to the enterprise security journey, dashboards are mission critical.

What's ahead in the industry as it relates to hardware security, and what are security teams focused on? We shared insights around that in our conversation. Rick, John and I wrapped up our conversation sharing thoughts on what executives can do to prepare their businesses for the current threat landscape as well as future changes. They also shared some use case examples of what Dell is doing for customers and how that is working. And we hope you'll download the research report, Four Keys to Navigating the Hardware Security Journey, for many more insights to help you plot a strategy for your own enterprise security journey.
This week, we welcome Chris Romeo, CEO at Security Journey, to discuss Things Every Developer Should Know About Security! In the Application Security News, DOMOS 5.8 - OS Command Injection, 4G, 5G networks could be vulnerable to exploit due to ‘mishmash’ of old technologies, Google sets up research grant for finding bugs in browser JavaScript engines, Announcing the launch of the Android Partner Vulnerability Initiative, and more! Show Notes: https://wiki.securityweekly.com/asw124 Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
All links and images for this episode can be found on CISO Series (https://cisoseries.com/security-is-suffering-from-devops-fomo/)

Darn it. DevOps is having this awesome successful party and we want in! We've tried inserting ourselves in the middle (DevSecOps) and we launched a pre-party (shift left), but they still don't like us.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Dayo Adetoye (@dayoadetoye), senior manager - security architecture and engineering, Mimecast.

Thanks to our sponsor, Capsule8. Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure.

On this week's episode

Are we making the situation better or worse?
What makes a successful phish? On Sophos' blog, Paul Ducklin writes about their most successful phishing emails. Ducklin noted that most of the successful phishes dealt with mundane and undramatic issues that still had a sense of importance. Looking at these examples, they do seem to follow a similar pattern: something official-looking is being requested from the company, and could you click here to check it out. Is that the majority of what you're testing? If so, what exactly is the value in conducting phishing tests on employees? Can the testing have a negative effect on security or even morale?

There's got to be a better way to handle this
What is the right approach to threat modeling? In a blog post, Chris Romeo of Security Journey opines that formal training or tools won't work. Security needs to ask questions of developers about features and then show them how a threat evolves, thus allowing them to ultimately do it themselves. Adam Shostack of Shostack and Associates advocates for formal training. He says Romeo's informal approach to threat modeling sounds attractive but doesn't work, because you're trying to scale threat modeling across developers, and if you tell one developer the information it's going to be passed down like a game of telephone, where each successive person tells a distorted version of what the last person said. So what's the right approach to building threat models across a DevOps environment?

What's Worse?!
What's the worst place to find your company assets?

Close your eyes and visualize the perfect engagement
Shifting left, DevSecOps: these are the mechanisms that have been used to infuse security into the DevOps supply chain. While noble, both concepts break the philosophy and structure of DevOps, which is based on automation, speed, and delivery. But DevOps is also about delivering quality. So rather than inserting themselves, how does security participate in a way that DevOps already loves?

If you haven't made this mistake, you're not in security
On AskNetSec on reddit, Triffid-oil asked, "What was something that you spent effort learning and later realized that it was never going to be useful?" And let me add to that: it's something either someone told you or you believed for some reason was critical for your cybersecurity education, and you later realized it wasn't valuable at all.
I'm joined by elite A-list bodyguard Mason Haynes, who has had a security field career that has spanned over 25 years! He has had the privilege of bodyguarding many of the top A-list celebrities, has traveled all across the world and has vast experience in many facets of the security field. Mason is also the founder of the Bodyguards Against Bullying movement. It was an extremely prestigious honor to gain some of his knowledge and insight! Be safe always!
In this episode, we sit with Jay Kelath, Director for Product Security at Dow Jones. Jay and I spoke about the Dow Jones breach and how things changed from the top down in Dow Jones for the better. We spoke about how security lost the trust of engineering by trusting security vendors, and then how security won the trust of engineering back. Together, the teams were able to build a lot of DevOps-friendly security tools, which were open sourced so that others could reap the benefits too. Show notes for the episode can be found on www.cloudsecuritypodcast.tv Twitter - @kaizenteq @hashishrajan @kelath
Full episode with images and links available at CISO Series (https://cisoseries.com/do-these-jeans-make-my-vulnerabilities-look-too-big/)

We're starting to get a little self-conscious that our vulnerabilities are starting to show. People we don't even know are telling us we have them on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Fredrick Lee (AKA "Flee") (@fredrickl), CSO of Gusto.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

What's a CISO to do?
Chris Romeo, CEO of Security Journey, wrote a post where he asked, "What if I had to develop an application security program with a budget of zero dollars?" What he presented was a means to lean on the OWASP open source community and tools to build an application security program. You're a CISO, what's your take on this?

I was chatting with a pentester, Benjamin McEwan, from Scotland, who reaches out to CISOs trying to responsibly disclose, not expose, a credible security vulnerability. It's his effort to get recognized. He's frustrated, though, in his ability to find permanent work because those hiring only see him as an independent researcher. Is his exercise the right approach? What can a talented security person in his position do to make himself more attractive to CISOs?

What's Worse?!
We've got a couple of scenarios that shocked our guest at the sheer InfoSec horror.

Breathe In, It's Time for a Little Security Philosophy
On Quora, a question right out of the Matthew Broderick movie WarGames asks, "If a student hacked into university computers and changed his grade in cyber security to an A, does he actually deserve the A?" Except for one person, everyone said, "No," but for different reasons. Mike, are you saying no, and if so, for what reason?

What do you think of this pitch?
We've got two pitches from vendors this week. One came directly to me.

Cloud Security Tip, by Steve Prentice - Sponsored by OpenVPN.
The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel – maybe a sequel to Clear and Present Danger. Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets.
MASSIVE

Depending on where you play in the world and in the country, the private security game is always played a little bit differently. After starting my career on the West Coast in Orange County, California, I ventured out to South Florida to be closer to my father and work on building my own empire. This is where I met one of the most genuine, hard-working and respectable men I would ever work or contract with. Marc and I met after I came in at the ground floor all over again and he came from a career in construction. We had to build clout in the security scene bouncing at the Hard Rock in Fort Lauderdale. Since then both of our journeys have caused us to grow and experience success exponentially. This interview and conversation between myself and Big Marc T. of MASSIVE PROTECTIVE SERVICES, of which he is the CEO, is about the journey from working the clubs to working royal families in South Florida. If you're looking for information on how to level up in the private security industry, this interview is for you. We have not reached our apex, zenith or highest levels by any means, but we are two gentlemen who are willing to contribute to others by sharing our experiences. We hope you enjoy this conversation no matter where you are in your development as a private security practitioner.

A few of the questions asked and topics covered:
• Introduction
• Marc's story
• The dream
• Why the security industry
• What does executive protection mean to you?
• What single principle, value or set of values has contributed to success on your journey the most?
• Major choice points on the road to success
• Developmental chapters on the road from bouncer to CEO
• Example of a mistake you've learned from in the protection game
• Example of proudest moment in this game
• A word to club security and nightlife security operators who want to get into executive protection
• Most important skill set for success in this industry
• Barriers to entry

MASSIVE PROTECTIVE SERVICES https://massiveprotectiveservices.com
Support the Podcast www.patreon.com/join/ByronR
For More www.executiveprotectionlifestyle.com
"Remember, security is EVERYONE'S problem, regardless of what your role is." GBD2. In light of recent data breach and privacy concerns in the news, Chris Romeo of Security Journey explores why accounting and finance professionals at all levels should be more mindful and aware of cybersecurity threats affecting our data, as well as our clients' data, and how we can start building a security culture. OUR GUEST Chris Romeo, CEO and co-founder of Security Journey, which specialises in online application security training organised as a security belt program. Before Security Journey, Chris was the Chief Security Advocate at a Fortune 100 company with over 60,000 employees, where he built the most massive security training program that has ever been constructed, industry-wide. He left to found Security Journey and bring the lessons he learned teaching developers about security to the entire industry. Connect with him on LinkedIn at https://www.linkedin.com/in/securityjourney. DON'T MISS OUT. Get the latest show every week, automatically and free, at https://www.aicpa-cima.com/disruption.html. Share it easily with colleagues and friends by using the icons on the media player. TAKE IT FURTHER. Find related CPD/CPE resources at https://www.aicpastore.com/GoBeyondDisruption and https://www.cgmastore.com/GoBeyonddisruption. STAY CONNECTED. Follow #GoBeyondDisruption, @AICPANews and @CIMA_News on social. ©2018 Association of International Certified Professional Accountants (AICPA & CIMA). All rights reserved
Equifax, one of the three major credit bureaus, was hacked - over 143 million U.S. accounts may have been leaked, making them much more vulnerable to identity theft and fraud. In this episode, I help you understand the potential impacts of this breach and give you several important actions you can take to protect yourself, including instituting a credit freeze on your account. Chris Romeo, CEO and Founder of Security Journey will help us understand the severity of this major news story and what we need to do to protect ourselves moving forward! Is there such a thing as a good hacker? We will tackle what it takes to be a hacker - and why you actually might want to become one! Hackers are not all bad guys in hoodies hunched over a laptop. The hacker mentality is much more about a desire to tinker and solve puzzles, just applied to computers - and we need good hackers to help us combat the bad ones. Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security belt programs to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Security Advocates, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end security belt program launched in 2012. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP. Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons For Further Insight: Website, www.securityjourney.com Follow on Twitter, @SecurityJourney Facebook, https://www.facebook.com/SecJourney/ Additional Resources: Freeze your credit at all three credit bureaus: Equifax, Experian and TransUnion. Get your free annual credit reports: https://www.ftc.gov/faq/consumer-protection/get-my-free-credit-report
Chris Romeo regales us with tales of safe-cracking robots, demonic car washes, possessed Teslas, and hacking of voting machines! Where did this all happen? At the hacker conferences, of course! We’ll help you understand how hackers really think and what they really do every year in Las Vegas at the DEFCON and BlackHat conferences. Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security belt programs to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Security Advocates, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end security belt program launched in 2012. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP. For Further Insight: Website, www.securityjourney.com Follow on Twitter, @SecurityJourney Facebook, https://www.facebook.com/SecJourney/ Additional Resources: Hackers: Heroes of the Computer Revolution by Steven Levy WITH HOVER… YOUR PRIVACY IS INCLUDED Get 10% off your first domain name order!
This week, Chris Romeo joins Michael, James and me to talk about changing the security posture of an organization by changing culture. This episode talks through tough issues like incentives, measurements and success factors. This episode with Chris is of particular interest for leaders and those who are working hard to change companies at their core, for the long term. Chris Romeo's bio: Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012. Chris has twenty years of experience in security, holding positions in application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications, and is a frequent conference speaker at RSA and AppSec.
