Podcasts about senior security engineer

  • 51 podcasts
  • 57 episodes
  • 43m average duration
  • 1 new episode per month
  • Latest episode: Apr 17, 2025

Best podcasts about senior security engineer

Latest podcast episodes about senior security engineer

Cloud Security Podcast
Scaling Container Security Without Slowing Developers
Apr 17, 2025, 28:13


Are you struggling to implement robust container security at scale without creating friction with your development teams? In this episode, host Ashish Rajan sits down with Cailyn Edwards, Co-Chair of Kubernetes SIG Security and Senior Security Engineer, for a masterclass in practical container security. This episode was recorded LIVE at KubeCon EU, London 2025.

In this episode, you'll learn about:
  • Automating Security Effectively: Moving beyond basic vulnerability scanning to implement comprehensive automation.
  • Bridging the Security-Developer Gap: Strategies for educating developers, building trust, fostering collaboration, and understanding developer use cases instead of just imposing rules.
  • The "Shift Down" Philosophy: Why simply "Shifting Left" isn't enough, and how security teams can proactively provide secure foundations, essentially "Shifting Down."
  • Leveraging Open Source Tools: Practical discussion around tools like Trivy, Kubeaudit, Dependabot, RenovateBot, TruffleHog, Kube-bench, OPA, and more.
  • The Power of Immutable Infrastructure: Exploring the benefits of using minimal, immutable images to drastically reduce patching efforts and enhance security posture.
  • Understanding Real Risks: Discussing the dangers lurking in default configurations and easily exposed APIs/ports in container environments.
  • Getting Leadership Buy-In: The importance of aligning security initiatives with business goals and securing support from leadership.

Guest Socials: Cailyn's LinkedIn
Podcast Twitter: @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels:
  • Cloud Security Podcast - YouTube
  • Cloud Security Newsletter
  • Cloud Security BootCamp

If you are interested in AI Cybersecurity, you can check out our sister podcast: AI Cybersecurity Podcast

Questions asked:
(00:00) Intro: Container Security at Scale
(01:56) Meet Cailyn Edwards: Kubernetes SIG Security Co-Chair
(03:34) Why Container Security Matters: Risks & Exposures Explained
(06:21) Automating Container Security: From Scans to Admission Controls
(12:19) Essential Container Security Tools (Trivy, OPA, Chainguard & More)
(19:35) Overcoming DevSecOps Challenges: Working with Developers
(21:31) Proactive Security: Shifting Down, Not Just Left
(25:24) Fun Questions with Cailyn

Resources spoken about during the interview: Cailyn's talk at KubeCon EU 2025

The BlueHat Podcast
From Facebook-phished to MVR Top 5 with Dhiral Patel
Apr 16, 2025, 41:45


In this episode of The BlueHat Podcast, hosts Nic Fillingham and Wendy Zenone are joined by Dhiral Patel, Senior Security Engineer at ZoomInfo and one of MSRC's Most Valuable Researchers (MVR). Dhiral shares how a hacked Facebook account sparked his passion for ethical hacking. From web development to penetration testing, Dhiral has become a top bug hunter, landing multiple spots on the MSRC leaderboards. Dhiral reflects on his early MSRC submissions and lessons learned. He also discusses the importance of mastering web security basics, practicing on platforms like TryHackMe and Hack the Box, and staying connected with the bug bounty community.

In This Episode You Will Learn:
  • The importance of mastering web security basics before diving into bug bounty hunting
  • Why hands-on platforms like TryHackMe and Hack the Box are perfect for beginners
  • Dhiral's journey from blogging to freelancing and security research

Some Questions We Ask:
  • How do you balance competition and collaboration in the bug bounty community?
  • Can you explain what clickjacking is and if it still works today?
  • Why did you start with Power BI, and how did it lead to your journey in security?

Resources:
  • View Dhiral Patel on LinkedIn
  • View Wendy Zenone on LinkedIn
  • View Nic Fillingham on LinkedIn

Related Microsoft Podcasts:
  • Microsoft Threat Intelligence Podcast
  • Afternoon Cyber Tea with Ann Johnson
  • Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

The BlueHat Podcast is produced by Microsoft and distributed as part of the N2K media network.

Rebelliously Curious: UFOs, Science, Space and Futurism
UFO Hackers: Cracking the Code on UAP Data with Thom Hastings | RC 81
Mar 20, 2025, 58:56


UFO Hackers? In this episode, we take a look into the world of UAP and cutting-edge technology with guest Thom Hastings, a Senior Security Engineer. Thom brings a unique perspective on the rapidly evolving field of UAP research, offering insights into the intersections of hacking and data analysis. Join us as we get rebelliously curious.

Watch the YouTube interview: https://www.youtube.com/watch?v=q_ibSMUrXU8

Follow Chrissy Newton, winner of the Canadian Podcast Awards for Best Science Series:
  • YouTube: https://www.youtube.com/channel/UCM32gjHqMnYl_MOHZetC8Eg
  • Instagram: https://www.instagram.com/beingchrissynewton/
  • Twitter: https://twitter.com/chrissynewton?lang=en
  • Facebook: https://www.facebook.com/BeingChrissyNewton
  • Chrissy Newton's Website: https://chrissynewton.com
  • Top Canadian Science Podcast: https://podcasts.feedspot.com/canadian_science_podcasts/

Screaming in the Cloud
Disclosing Vulnerabilities in the Cloud with Ryan Nolette
Oct 29, 2024, 39:42


In this episode of "Screaming in the Cloud," we're making sure things are nice and secure thanks to Ryan Nolette, Senior Security Engineer at AWS Outreach. As a part of the Outreach team, he's responsible for making everyone understand the nuances of AWS's Vulnerability Disclosure Program. Corey and Ryan explore the intricacies of AWS's approach to security, including the emphasis on communication with researchers. You'll also get an overview of what goes into Vulnerability Disclosure Programs and how it courts security researchers over “security researchers.” If there's anything you can take away from this episode, it's that Ryan takes great pride in AWS's commitment to transparency and collaboration when it comes to resolving potential security flaws.

Show Highlights:
(0:00) Intro
(0:38) Backblaze sponsor read
(1:06) The role of AWS' security team outreach group
(2:21) The nuance of the Vulnerability Disclosure Program
(4:05) Will the VDP program replace human interactions
(10:08) Responsible disclosure vs. coordinated disclosure
(15:26) The high-quality communication of the AWS security team
(17:33) Gitpod sponsor read
(18:45) Security researchers vs. "security researchers"
(25:54) What's next for the VDP Program?
(29:26) Avoiding "security by obscurity"
(32:08) Being intentional with security messaging
(36:16) Where you can find more from Ryan

About Ryan Nolette:
Ryan is AWS's Senior Security Engineer for the Outreach Team and co-author of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost two decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security.

Links:
  • AWS VDP on HackerOne: hackerone.com/aws_vdp
  • AWS VDP inbox: aws-security@amazon.com
  • LinkedIn: www.linkedin.com/in/cloudy-with-a-chance-of-security
  • AWS Vulnerability Reporting site: https://aws.amazon.com/security/vulnerability-reporting/
  • Give your feedback on the recently expanded VDP program: https://pulse.aws/survey/MOOFGRLM

Sponsors:
  • Backblaze: https://www.backblaze.com/
  • Gitpod: gitpod.io

The Brave Marketer
Enhancing Your Web Experience with Privacy-First Browsing Strategies
Sep 18, 2024, 30:25


Yan Zhu, Chief Information Security Officer at Brave Software, discusses ways to reduce your risk of getting compromised when browsing the Internet. She also explains how Brave's policy of only collecting the bare necessities not only boosts security but also simplifies legal compliance and keeps your data truly private.

Key Takeaways:
  • Security challenges that are unique to browsers, and how Brave builds your user profile differently using user-first principles
  • How security and policy work together for establishing company culture and best practices that ultimately protect both users and the company
  • The potential of AI in automating security tasks, and the critical importance of user education in this evolving landscape
  • The evolution of HTTPS, passkeys, two-factor authentication, and SIM swapping

Guest Bio: Yan Zhu has been the Chief Information Security Officer at Brave Software since 2015. Prior to Brave, Yan was a Senior Security Engineer at Yahoo working on end-to-end email encryption, and a Staff Technologist at the Electronic Frontier Foundation, where she worked on open source projects such as HTTPS Everywhere and Let's Encrypt. She has also served on the W3C Technical Architecture Group and DEF CON talks review board.

About this Show: The Brave Technologist is here to shed light on the opportunities and challenges of emerging tech. To make it digestible, less scary, and more approachable for all! Join us as we embark on a mission to demystify artificial intelligence, challenge the status quo, and empower everyday people to embrace the digital revolution. Whether you're a tech enthusiast, a curious mind, or an industry professional, this podcast invites you to join the conversation and explore the future of AI together.

The Brave Technologist Podcast is hosted by Luke Mulks, VP Business Operations at Brave Software, makers of the privacy-respecting Brave browser and Search engine, and now powering AI everywhere with the Brave Search API. Music by: Ari Dvorin. Produced by: Sam Laliberte.

Cloud Security Podcast
Building an Incident Response Team for High-Growth Companies
Aug 22, 2024, 27:24


In this episode, we sit down with Santiago, a Senior Security Engineer at Canva, to talk about the complexities of building and managing an incident response team, especially in high-growth companies. Santiago shares his experience transitioning from penetration testing to incident response and highlights the unique challenges that come with protecting a rapidly expanding organization. We explore the differences between incident response in high-growth versus established companies, the importance of having the right personnel, and the critical skills needed for effective incident response.

Guest Socials: Santiago's LinkedIn
Podcast Twitter: @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels:
  • Cloud Security Podcast - YouTube
  • Cloud Security Newsletter
  • Cloud Security BootCamp

Questions asked:
(00:00) Introduction
(01:58) A word from our sponsor - SentinelOne
(02:48) A bit about Santiago
(03:18) What is Incident Response?
(04:06) How does IR differ in different organisations?
(04:48) Red Team vs Incident Response Team
(06:17) Challenges for Incident Response in Cloud
(07:16) Incident Response in a High Growth Company
(07:56) Skillsets required for high growth
(09:14) Cloud vs On Prem Incident Response
(10:03) Building Incident Response in High Growth Company
(11:39) Responding to incidents that are not high risk
(14:41) Transition from pentesting to incident responder
(17:20) Endpoint vulnerability management at scale
(25:32) The Fun Section

Resources from the episode: Endpoint Vulnerability Management at Scale

D.C. Debrief
Episode 40: Hurd on Capitol Hill, TikTok Security & Budget, Budget, Bills
Mar 15, 2024, 43:45


On Episode 40 of the D.C. Debrief, host John Stolnis talks with Joe Carrigan, Senior Security Engineer with Johns Hopkins University Information Security Institute, about the House-passed legislation that would ban TikTok in the United States unless the social media company divests itself from the Chinese-owned ByteDance.

Also on this week's Debrief:
  • Robert Hur testifies before House committees on Biden classified documents
  • Biden Budget & Trump Entitlements
  • World Threats Hearing
  • Benjamin Netanyahu's job in jeopardy?
  • Korea war games
  • Ken Buck resigns
  • Talk of a national 32-hour work week
  • The future of college athletics

Subscribe, rate and review!

Cloud Security Podcast
Kubernetes Network Security for Multi Tenancy
Dec 8, 2023, 26:22


Kubernetes security explained: We spoke to Cailyn Edwards, CNCF Ambassador and Senior Security Engineer at Shopify. The interview was recorded at KubeCon NA 2023. We asked her about the complexities of Kubernetes Network Security in a multi-tenant environment. During the interview, she shared the nuances of Kubernetes network security in multi-tenant setups, tools and tactics for securing Kubernetes environments, insights from her journey at Shopify and tips for advancing the security maturity of Kubernetes networks.

Thank you to our episode sponsor Vanta. You can check them out at vanta.com/cloud

Podcast Twitter: @CloudSecPod

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security social channels:
  • Cloud Security Newsletter
  • Cloud Security BootCamp

Questions asked:
(00:00) Introduction
(02:25) A bit about Cailyn
(03:08) How is Kubernetes Networking different?
(04:20) Foundational pieces of Kubernetes Networking
(06:21) What's missing in Kubernetes Networking?
(07:47) What is Multi Tenancy?
(10:20) What are some of the common threat models?
(13:16) How are people responding to threats?
(14:41) Where to start learning about this?
(16:26) Best practices for Kubernetes Networking
(18:16) What becomes more important with maturity?
(21:14) Resources to learn more about Kubernetes Security
(22:30) The Fun Section

Resources shared during the episode:
  • Kubernetes Security Checklist: https://kubernetes.io/docs/concepts/security/security-checklist/
  • Pentesting your own cluster with Liz Rice: https://www.youtube.com/watch?v=fVqCAUJiIn0

MLOps.community
Guarding LLM and NLP APIs: A Trailblazing Odyssey for Enhanced Security // Ads Dawson // #190
Nov 14, 2023, 59:40


MLOps podcast #190 with Ads Dawson, Senior Security Engineer at Cohere: Guarding LLM and NLP APIs: A Trailblazing Odyssey for Enhanced Security.

// Abstract
Ads Dawson, a seasoned security engineer at Cohere, explores the challenges and solutions in securing large language models (LLMs) and natural language programming APIs. Drawing on his extensive experience, Ads discusses approaches to threat modeling LLM applications, preventing data breaches, defending against attacks, and bolstering the security of these critical technologies. The presentation also delves into the success of the "OWASP Top 10 for Large Language Model Applications" project, co-founded by Ads, which identifies key vulnerabilities in the industry. Notably, Ads owns three of the top 10 vulnerabilities: Training Data Poisoning, Sensitive Information Disclosure, and Model Theft. This OWASP Top 10 serves as a foundational resource for stakeholders in AI, offering guidance on using, developing, and securing LLM applications. Additionally, the session covers insider news from the AI Village's 'Hack the Future' | LLM Red Teaming event at Defcon31, providing insights into the inaugural Generative AI Red Teaming showdown and its significance in addressing security and privacy concerns amid the widespread adoption of AI.

// Bio
A mainly self-taught, driven, and motivated application, network infrastructure & cyber security professional holding over eleven years' experience from start-ups to large enterprises, leading the incident response process and specializing in LLM/AI Security, Web Application Security and DevSecOps: protecting REST API endpoints, large-scale microservice architectures in hybrid cloud environments, and application source code, as well as EDR, threat hunting, reverse engineering, and forensics. Ads has a passion for all things blue and red team, be that offensive & API security, automation of detection & remediation (SOAR), or deep packet inspection, for example. Ads is also a networking veteran and loves a good PCAP to delve into. One of my favorite things at Defcon is hunting for PWNs at the "Wall of Sheep" village and inspecting malicious payloads and binaries.

// MLOps Jobs board
https://mlops.pallet.xyz/jobs

// MLOps Swag/Merch
https://mlops-community.myshopify.com/

// Related Links
  • Website: https://github.com/GangGreenTemperTatum
  • OWASP Top 10 for Large Language Model Applications Core Team Member and Founder: https://owasp.org/www-project-top-10-for-large-language-model-applications/CoreTeam
  • Fork for OWASP Top 10 for Large Language Model Applications: https://github.com/GangGreenTemperTatum/www-project-top-10-for-large-language-model-applications
  • Security project: llmtop10.com

✌️ Connect With Us ✌️
  • Join our slack community: https://go.mlops.community/slack
  • Follow us on Twitter: @mlopscommunity
  • Sign up for the next meetup: https://go.mlops.community/register
  • Catch all episodes, blogs, newsletters, and more: https://mlops.community/
  • Connect with Demetrios on LinkedIn: https://www.linkedin.com/in/dpbrinkm/
  • Connect with Ads on LinkedIn: https://www.linkedin.com/in/adamdawson0/

Timestamps:
[00:00] Ads' preferred coffee
[00:46] Takeaways
[02:52] Please like, share, and subscribe to our MLOps channels!
[03:11] Security and vulnerabilities
[05:24] Work at Cohere and OWASP
[08:11] Previous work vs LLM companies
[09:46] LLM vulnerabilities
[10:38] Good qualities to combat prompt injection problems
[13:26] Data lineage
[16:03] Red teaming
[19:39] Freakiest LLM vulnerabilities
[22:17] Severe autonomy concerns
[25:13] Hallucinations
[27:59] Prompt injection
[29:15] Vector attacks to be recognized
[32:02] LLMs being customized
[33:18] Security changes due to maturity
[38:17] OWASP Top 10 for Large Language Model Applications
[44:31] Gandalf game
[46:06] Prompt injection attack
[49:46] Overlapping security
[53:26] Data poisoning
[56:57] Toxic data for LLMs
[58:50] Wrap up

2GT Tech Chats
A Day in the Life of: Senior Security Engineer
Nov 7, 2023, 40:23


This episode is all about what it's like being a Senior Security Engineer for a living. If you're interested in a career in #cybersecurity and want to know some of the inside scoop on what Rich does on a typical day, here's your chance! Also, if you enjoyed this particular episode, please let us know! We can make it a regular thing to interview other technology professionals to learn more about their work and what it's like! #security

Would you rather watch the video podcast? Find it here: https://youtu.be/fHmvLUuQLK4

Brakeing Down Security Podcast
Megan Roddie - co-author of "Practical Threat Detection Engineering"
Aug 25, 2023, 106:53


Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.

Buy here: https://subscription.packtpub.com/book/security/9781801076715
Amazon Link: https://packt.link/megan
Youtube VOD: https://www.youtube.com/watch?v=p1_jQa9OQ2w

Show Topic Summary: Megan Roddie is currently working as a Senior Security Engineer at IBM. Along with her work at IBM, she works with the SANS Institute as a co-author of FOR509, presents regularly at security conferences, and serves as CFO of Mental Health Hackers. Megan has two Master's degrees, one in Digital Forensics and the other in Information Security Engineering, along with many industry certifications in a wide range of specialties. When Megan is not fighting cybercrime, she is an active competitor in Muay Thai/Kickboxing. She is a co-author of “Practical Threat Detection Engineering” from Packt publishing, on sale now in print and e-book.

Buy here: https://subscription.packtpub.com/book/security/9781801076715
https://packt.link/megan (Amazon redirect link that the publisher uses, if you want something easier on the notes)

Questions and topics:
  • Of the 3 models, which do you find you use more and why? (PoP, ATT&CK, kill chain)
  • What kind of orgs have ‘detection engineering' teams? What roles are involved here, and can other teams (like IR) be involved or share a reverse role there?
  • Lab setup requires an agent… any agent for ingestion or something specific? How does Fleet or data ingestion work for IoT/embedded device testing? Anything you suggest?
  • How important is it to normalize your log output for ingestion? (app, web, server all tell the story)

Additional information / pertinent links (Would you like to know more?):
  • Unified Kill Chain: https://www.unifiedkillchain.com/
  • ATT&CK: https://attack.mitre.org/
  • D3FEND matrix BrakeSec show from 2021: https://brakeingsecurity.com/2021-023-d3fend-framework-dll-injection-types-more-solarwinds-infections
  • Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  • https://www.securitymagazine.com/articles/98486-435-million-the-average-cost-of-a-data-breach
  • https://medium.com/@gary.j.katz (per Megan, ‘it's basically Chapter 11 of the book')

Show points of contact:
  • Amanda Berlin: @infosystir @hackershealth
  • Brian Boettcher: @boettcherpwned
  • Bryan Brake: @bryanbrake on Mastodon.social, Twitter, Bluesky
  • Brakesec Website: https://www.brakeingsecurity.com
  • Twitter: @brakesec
  • Youtube channel: https://youtube.com/c/BDSPodcast
  • Twitch Channel: https://twitch.tv/brakesec

The Tea on Cybersecurity
A Crash Course in the Benefits of ISO 27001 Certification with Anh Pham and Marie Joseph
Jul 4, 2023, 17:40


“When a customer compares between vendors, the one with an ISO certification is going to have an edge.”

We've covered the concept of compliance frameworks in previous episodes, but now we're taking a deep dive into what it takes to obtain a specific certification: ISO 27001. If you've ever wondered about the benefits of ISO compliance and the potential challenges you may face during the certification process, you're in the right place.

In this conversation, Marie Joseph, Senior Security Solutions Engineer at Trava, and Anh Pham, Senior Security Engineer at Trava, discuss the benefits that ISO compliance brings not only to your organization, but also to your stakeholders and customers.

What you'll learn in this episode:
  • ISO 27001 is an international standard for managing your security.
  • ISO certification gives you a competitive advantage over your competitors and builds customer confidence.
  • It's crucial to budget enough time and bandwidth to work on ISO certification.
  • Don't stress about doing things perfectly. Use a checklist to stay organized through the process and you should be good to go.
  • Starting with ISO certification can give you a head start on other compliance frameworks you may want to pursue in the future.

Things to listen for:
[02:00] What ISO 27001 is and how it fits into a broader cybersecurity strategy
[05:00] The benefits of achieving ISO 27001 certification
[08:00] What to expect during the certification process
[11:00] Anh and Marie's advice for organizations considering ISO 27001 certification

Connect with the Guests: Marie Joseph's LinkedIn
Connect with the host: Jara Rowe's LinkedIn
Connect with Trava:
  • Website: www.travasecurity.com
  • Blog: www.travasecurity.com/blog
  • LinkedIn: @travasecurity
  • YouTube: @travasecurity

The Segment: A Zero Trust Leadership Podcast
Striding Towards Zero-ish Trust with Ryan Fried, Senior Information Security Engineer, Brooks Running
Jun 21, 2023, 40:23


In this episode, host Raghu Nandakumara sits down with Ryan Fried, Senior Security Engineer at Brooks Running, to discuss the role of cybersecurity in the manufacturing and retail sectors, building a successful Zero Trust program, and the difference between being compliant and being secure.

“How can we go towards Zero and, I'll say, Zero-ish Trust? Actual Zero Trust is really hard to do, and I think it's really intimidating... But, for instance, what we're talking about is micro-segmentation from a Zero Trust perspective, what is the best bang for our buck that we're gonna get with being the least disruptive?” - Ryan Fried

Time Stamps:
  • (06:31) Mapping out your risk exposure
  • (10:44) Striking a balance between good security and “good enough”
  • (13:03) Compliance in less regulated industries
  • (17:22) Being compliant vs. being secure
  • (24:22) Zero-ish Trust in action

Sponsor: Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs, with Illumio, the Zero Trust Segmentation company. Learn more at illumio.com.

Links: Connect with Ryan on LinkedIn

Cloud Security Podcast by Google
EP114 Minimal Viable Secure Product (MVSP) - Is That a Thing?
Mar 27, 2023, 28:11


Guest: Chris John Riley, Senior Security Engineer and a Technical Debt Corrector @ Google

Topics:
  • We've heard of MVP, what is MVSP or Minimal Viable Secure Product?
  • What problem is MVSP trying to solve for the industry, community, planet, etc?
  • How does MVSP actually help anybody? Who is the MVSP checklist for? Leaders or engineers?
  • How does MVSP differ from compliance standards like ISO 27001, or even SOC 2?
  • How does Google use MVSP? Has it improved our security in some way?
  • How to balance the dynamic nature of security with minimal security basics?
  • The working group has recently completed a control refresh for 2022, what are some highlights?

Resources:
  • Mvsp.dev
  • SLSA Levels
  • MVSP (Minimum Viable Secure Product) Compliance
  • “Phantoms in the Brain” book
  • ”Strengthen Basic Security Hygiene With a Two-Pronged Security Architecture Approach”
  • FIRST Impressions podcast

The Hacker Factory
A Conversation With Senior Security Engineer Derya Yavuz | The Hacker Factory Podcast With Phillip Wylie
Feb 10, 2023, 33:55


The Tech Trek
For better adoption, build security into your engineer's workflow
Dec 28, 2022, 25:31


In this episode, Zeeshan Khadim, Head of Security at Panther Labs, discusses how to improve security adoption by building security into an engineer's workflow.

Key Takeaways:
  • Security and privacy are part of the core product, not an overhead
  • Security implications from the design phase
  • Empower users to start with security in mind
  • Make sure you triage before involving other teams
  • Understand what the “Crown Jewels” are to put things in perspective
  • Treat the root cause and not the symptom
  • Instead of alerting in production, leverage the tools to warn for issues sooner
  • When it comes to tooling, ask what capabilities the team is missing
  • Moving away from plug and play
  • Managing your resources
  • Pushing work left is too easy…don't

About today's guest: Zeeshan Khadim is the Head of Security at Panther Labs. With over 13 years of professional experience, Zeeshan has worked with global companies, including his last roles as the Security Engineering Manager at Facebook HQ and Senior Security Engineer at Google HQ. Zeeshan did his Bachelor's in Computer Systems from GIKI, Pakistan, and Masters in Computers & Information Sciences from the University of Delaware. LinkedIn: https://www.linkedin.com/in/zeeshanalikhadim/

Thank you so much for checking out this episode of The Tech Trek, and we would appreciate it if you would take a minute to rate and review us on your favorite podcast player. Want to learn more about us? Head over to https://www.elevano.com. Have questions or want to cover specific topics with our future guests? Please message me at https://www.linkedin.com/in/amirbormand (Amir Bormand)

Point of Rental
The Four - James Hartin
Dec 6, 2022, 4:33


Let's meet James Hartin, Point of Rental's "new" Senior Security Engineer!

The Gate 15 Podcast Channel
The Gate 15 Interview EP 25. Amanda Berlin and Megan Roddie talk cybersecurity, mental health hackers, DEFCON, musicals, fruits, and more!
Jul 25, 2022, 61:10


In this episode of The Gate 15 Interview, Andy Jabbour speaks with Amanda Berlin and Megan Roddie, cybersecurity leaders & mental health hackers, and they've got their hands in a lot more too!

Amanda is the Lead Incident Detection Engineer at Blumira and has worked in I.T. for almost her entire adult life. Before working at Blumira, Amanda's responsibilities have included infrastructure security, network hardware and software repair, email management, network/server troubleshooting and installation, purple teaming with a focus on phishing employees and organizational infrastructure, as well as teaching employees about security and preventing exploits. She currently serves as the Chief Executive Officer for Mental Health Hackers and is the co-host of the Brakeing Down Security Podcast (BrakeSec Podcast, @brakesec)!

Megan is a Senior Security Engineer at IBM, Co-Author of SANS FOR509 and has worked in cybersecurity since graduating from Sam Houston State University (and while she was still a student!). Previous roles have been with the Texas Department of Public Safety, Recon InfoSec, and with IBM's X-Force. She currently serves as the Chief Financial Officer for Mental Health Hackers. Megan is also a Muay Thai fighter and coach.

Follow Mental Health Hackers on Twitter! @HackersHealth
Follow Amanda on Twitter at @InfoSystir and on LinkedIn, and follow Blumira on Twitter!
Follow Megan on Twitter at @megan_roddie and on LinkedIn.

In the discussion we address:
  • Amanda & Megan's backgrounds and origin stories
  • Awesome tips for breaking into security!
  • DEFCON and how to score a free breakfast at DEFCON!!
  • Mental Health Hackers
  • The Brakeing Down Security podcast
  • Muay Thai, Musicals, Apples & Bananas!
  • Fruits, music and so much more!

A few references mentioned in or relevant to our discussion include:
  • Mental Health Hackers website
  • Mental Health Hackers on Twitter! @HackersHealth
  • Amanda on Twitter at @InfoSystir and on LinkedIn.
  • Megan on Twitter at @megan_roddie and on LinkedIn.
  • Tom Williams on Twitter: @ginger_hax
  • Amanda's InfoSec Staples tweet: https://twitter.com/infosystir/status/972906318875983873
  • Blackhat USA 2022: https://www.blackhat.com/us-22/defcon.html
  • DEFCON 30: https://defcon.org
  • 10th Annual Brazilian Jiu-Jitsu Smackdown. A Brazilian Jiu-Jitsu event for information security professionals hosted by Jeremiah Grossman during Black Hat and Defcon: https://www.eventbrite.com/e/10th-annual-brazilian-jiu-jitsu-smackdown-tickets-348058561527
  • Amanda's Book! Defensive Security Handbook: Best Practices for Securing Infrastructure (1st Edition): https://www.amazon.com/Defensive-Security-Handbook-Practices-Infrastructure/dp/1491960388
  • Megan's SANS Course! FOR509 Course Update - Introducing Google Workspace, the Multi-Cloud Intrusion Challenge: https://www.sans.org/blog/for509-course-update---introducing-google-workspace-the-multi-cloud-intrusion-challenge-and-more/

Paul's Security Weekly
ESW #272 - Prashasth Baliga & Ryan Fried

Paul's Security Weekly

Play Episode Listen Later May 6, 2022 108:27


This week, in our first segment, we welcome Prashasth Baliga, Senior Security Consultant at Palo Alto Networks, to talk about Security Orchestration and Automation Simplified! Then, Ryan Fried, Senior Security Engineer at Brooks Running, joins for an interview about Getting Value from SOAR beyond Phishing Workflows! Finally, in the Enterprise Security News: Veza raises $110M for Data Security, Traceable raises $60M for API Security, 10 other security startups get funded, Synopsys buys WhiteHat for $330M, HackerOne approves a PullRequest, Bright Security acquires WeHackPurple, LexisNexis acquires BehavioSec, JupiterOne continues to release some compelling books, the DevSecOps evolution, the future of Product-Led Growth, & more! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw272

Enterprise Security Weekly (Audio)
ESW #272 - Prashasth Baliga & Ryan Fried

Enterprise Security Weekly (Audio)

Play Episode Listen Later May 6, 2022 108:27


This week, in our first segment, we welcome Prashasth Baliga, Senior Security Consultant at Palo Alto Networks, to talk about Security Orchestration and Automation Simplified! Then, Ryan Fried, Senior Security Engineer at Brooks Running, joins for an interview about Getting Value from SOAR beyond Phishing Workflows! Finally, in the Enterprise Security News: Veza raises $110M for Data Security, Traceable raises $60M for API Security, 10 other security startups get funded, Synopsys buys WhiteHat for $330M, HackerOne approves a PullRequest, Bright Security acquires WeHackPurple, LexisNexis acquires BehavioSec, JupiterOne continues to release some compelling books, the DevSecOps evolution, the future of Product-Led Growth, & more! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw272

I lavori di domani
Unicorn Stories - Andrea Carcano, Nozomi Network and Alberto Onetti, Mind the Bridge

I lavori di domani

Play Episode Listen Later Mar 13, 2022


Andrea Carcano, Nozomi Network and Alberto Onetti, Mind the Bridge. Andrea Carcano is an expert and international leader in industrial network security, artificial intelligence and machine learning. He co-founded Nozomi Networks in 2013 with the goal of providing a next-generation cybersecurity and operational visibility solution for industrial control networks. As Chief Product Officer, Andrea defines the vision for Nozomi Networks' products and is the voice of the customer within the organization. In this role he draws on his real-world experience as a Senior Security Engineer at Eni, an oil and gas multinational, as well as on his academic research. With a passion for cybersecurity that began in high school, Andrea went on to study the unique challenges of protecting industrial control systems. His PhD in Computer Science from the Università degli Studi dell'Insubria focused on developing software able to detect intrusions in the control systems of critical infrastructure. His Master's in Computer Science at the same institution involved creating malware designed to exploit the lack of security in certain SCADA protocols and analysing the consequences. Andrea has published numerous academic papers, including one describing an early example of malware targeting SCADA systems. Useful apps, links and sites: Nozominetworks, Andrea Carcano, Alberto Onetti. Alberto Onetti is chairman of Mind The Bridge. Looking to the future and dividing his time between Europe and the United States, Alberto works to build a bridge between technology and business. Since 2009 he has been President of the California-based Mind the Bridge.
In 2014 Alberto was selected by the European Commission to lead, on behalf of Mind the Bridge, Startup Europe Partnership (SEP), the first integrated open innovation platform for connecting large companies with startups. For years, Alberto has supported world-leading companies in designing and implementing effective open innovation strategies. Alberto Onetti is a serial entrepreneur with a background in strategy and finance. Among other startups, he founded Funambol, a mobile cloud company headquartered in Silicon Valley with R&D and Operations in Europe. Alberto is Full Professor of Entrepreneurship and Management at the Università degli Studi dell'Insubria and the author of more than 100 publications. He is frequently invited as a keynote speaker and panellist at major international conferences and forums. He is a columnist for, among other outlets, Sifted (Financial Times) and EconomyUp. Mind the Bridge is a global consulting firm specialising in open innovation. Headquartered in San Francisco, with offices in Los Angeles, Seoul, Barcelona, Milan and London, it supports the largest multinational companies in scouting startups and scaleups globally and in evaluating, defining and implementing acceleration, intrapreneurship, venture building and CVC programs. Every year, together with ICC, it organises the Corporate Startup Stars Awards, the equivalent of the "Oscars" of open innovation, to identify the companies that are most effective and efficient worldwide at collaborating with startups.

The Secure Developer
Ep.111, Alignment, Agility, and Security with Patrick O'Doherty

The Secure Developer

Play Episode Listen Later Feb 7, 2022 35:12


Security as a field is constantly evolving. As a result, it requires a high degree of awareness, including staying up to date with the latest developments in potential new threats. It was the challenge of working in security that drew Patrick O'Doherty to the field in the first place. Today on the show, we speak with Patrick about his time as a Senior Security Engineer at Intercom, his current role at Oso as an Engineer, and what he has discovered on his security journey. Patrick shares what he learned while being part of the security solutions team at Intercom and how they built common infrastructure and coding patterns. We also discuss the role of empathy in security, why it's essential for your goals to be aligned with the people you're trying to help, and why we should all work to be more aware of third-party threat exposures. Tune in today!

Nakerah Network
26 Ahmed Shawky – Cofounder @CyberDefenders & Senior Security Engineer @IBM

Nakerah Network

Play Episode Listen Later Feb 7, 2022 63:28


Guest Contacts: https://twitter.com/lnxg33k https://www.linkedin.com/in/ahmedshawky-/
Interviewer: https://www.linkedin.com/in/amr-fathi/
Prepared By: https://www.linkedin.com/in/0xmohammed/
The post 26 Ahmed Shawky – Cofounder @CyberDefenders & Senior Security Engineer @IBM first appeared on Nakerah Network.

Detection at Scale
EP 13 - Snowflake's Haider Dost and Daniel Wyleczuk-Stern: Why Querying Your Data Properly is Critical to Scaling Your Detection Program

Detection at Scale

Play Episode Listen Later Jan 25, 2022 33:22


If you were building a detection program today, what would be your top resources to start with? As we head into a cloud-based future, the ability to handle increased data sets becomes crucial: teams need to have processes in place that cover the entire detection lifecycle and develop the skills necessary to build, grow and improve a successful detection program. In today's episode, we had an insightful conversation with Snowflake's Global Threat Intelligence and Detection Engineering Leader, Haider Dost, and Senior Security Engineer, Daniel Wyleczuk-Stern, where we discovered why data, and being able to query that data, is a critical first step.
Topics discussed in this episode:
Haider's and Daniel's background in security.
The precursors and skills necessary to becoming an engineer.
A high-level approach to building strong detection teams.
The importance of collecting and correlating log sources for a proper incident response.
How to be proactive when building your detection baseline.
What a detection lifecycle process is and why every team should have one.
What the biggest challenges of building a detection program are.
Why it's critical that responders or analysts have a sense of ownership of the detections that are being built.
How security teams at Fortune 500 and Silicon Valley companies differ from each other.

SecTools Podcast Series
SecTools Podcast E36 With Ruslan Habalov

SecTools Podcast Series

Play Episode Listen Later Dec 21, 2021 25:08


Ruslan Habalov has a computer science background with a focus on code analysis and is interested in scalable solutions to challenging security problems. His security research has covered an exploitable remote code execution bug in PHP used against a popular platform in a bug-bounty context, as well as side-channel attacks against browsers. As a machine learning enthusiast he's looking for options to unite the best of both worlds. He is currently working as a Senior Security Engineer at Google. Ruslan started the Vulncode-DB project, a crowd-sourced platform providing vulnerable code for corresponding real-world vulnerabilities. For more SecTools podcast episodes, visit https://infoseccampus.com

The Cipher Podcast
Securing Active Directory

The Cipher Podcast

Play Episode Play 32 sec Highlight Listen Later Oct 19, 2021 27:10


Nearly every computer that runs Windows has Active Directory (AD). This structure helps organizations manage user identities, privileges, and much more. The power that AD has means threat actors are often targeting it to execute attacks. Our guest for the episode is Christopher Keller, who is Senior Security Engineer at Tenable. We cover the common mistakes admins make with AD, how hackers take advantage, and what companies can do to improve.

Data on Kubernetes Community
DoK Talks #94- Security and SRE // Tammy Butow & Prima Virani

Data on Kubernetes Community

Play Episode Listen Later Oct 6, 2021 62:20


https://go.dok.community/slack https://dok.community/
ABSTRACT OF THE TALK
Prima and Tammy join us to discuss the bridges between Security and SRE. How can these two teams work best together? What can they learn from each other? Prima is a Security Engineer and Tammy is a Site Reliability Engineer. They are both Australians living in the USA with 10+ years of experience each working in tech.
TALK TAKEAWAYS
1. You'll learn tips for SRE and Security teams to work together
2. You'll learn what SREs can learn from Security and vice versa
3. You'll learn about the new field of DevSecOps and how it can help your organisation improve
BIO
Tammy Bryant Butow is a principal SRE at Gremlin, where she works on chaos engineering—the facilitation of controlled experiments to identify improvements. Gremlin's enterprise Chaos Engineering platform makes it easy to build more reliable applications in order to prevent outages, innovate faster, and earn customer trust. Previously, Tammy led SRE teams at Dropbox responsible for the databases and storage systems used by over 500 million customers and was an IMOC (incident manager on call), where she was responsible for managing and resolving high-severity incidents across the company. She has also worked in infrastructure engineering, security engineering, and product engineering. Tammy is the cofounder of Girl Geek Academy, a global movement to teach one million women technical skills by 2025. Tammy is an Australian and enjoys riding bikes, skateboarding, snowboarding, and surfing. She also loves mosh pits, crowd surfing, metal, and hardcore punk.
Prima is a seasoned Security professional who has worked in a variety of industries such as Consumer Tech, Oil & Gas, Media, and Fin-tech. She is a Senior Security Engineer on the SIRT team at Segment where she enjoys creating automation tooling for Incident Response and occasionally dabbles in Security DevOps. She loves sharing her experiences with the industry and has spoken at many meetups and conferences globally including, but not limited to, Agile India 2020, MacDevOpsCon Vancouver 2019, and Grace Hopper Conference 2017.

Hashtag Realtalk with Aaron Bregg
Episode 51 - Let's Talk Security Operation Center as a Service

Hashtag Realtalk with Aaron Bregg

Play Episode Listen Later Sep 22, 2021 42:11


In this episode I have a special co-host, Alex O'Meera, to help me interview my guest, Jim Jakary, about Security Operation Center (SOC) as a Service. Alex is a newly minted Senior Security Engineer for Spectrum Health (congrats!) and Jim is an Account Executive for Expel. This was the first remote broadcast in a long time and definitely contained lots of #RealTalk!
Talking Points:
We already have a security program, what can SOCaaS do to further help?
Should you be looking at metrics to help guide you?
Can SOCaaS help your program with alert fatigue?
Can a mature VM program help set up your SOC as a Success?
Do you have the tools in place to help set up your SOC as a Success?
Podcast Sponsor:
This episode is sponsored by Expel. Expel is a Security Operations Center as a Service company that is based out of Herndon, Virginia. As always, proceeds from the sponsorship will go to charities in West Michigan.

The Tech Blog Writer Podcast
Mimecast - Insights From The State of Email Security Report

The Tech Blog Writer Podcast

Play Episode Listen Later Jun 7, 2021 23:29


Mimecast recently released their annual State of Email Security report, which reveals enterprises faced unprecedented cybersecurity risk, including increasing attack volume, the pandemic-driven digital transformation of work, and generally deficient cyber preparedness and training. The Mimecast report revealed that 61% of organizations were infected with ransomware in 2020. It also found that 79% suffered disruption or financial loss due to cyber preparedness shortcomings. Jeremy Ventura, Senior Security Engineer at Mimecast, discusses the report's findings and the current threat landscape, along with the problems organizations face today. We also discuss what organizations can do to combat threats like ransomware. Jeremy also talks about the importance of email and web security and security awareness training, which the report highlights a lack of.
About Mimecast
Mimecast (NASDAQ: MIME) was born in 2003. Each day, they take on cyber disruption for tens of thousands of customers around the globe and never give up on tackling their biggest security challenges together. The company built an intentional and scalable design ideology that solves the number one cyberattack vector – email. The company continuously invests to thoughtfully integrate brand protection, security awareness training, web security, compliance and other essential capabilities. Mimecast protects large and small organizations from malicious activity, human error and technology failure, and leads the movement toward building a more resilient world.

Hacker Valley Studio
Episode 130 - Fighting for Others with Anne Marie Zettlemoyer

Hacker Valley Studio

Play Episode Listen Later Apr 7, 2021 34:57


Anne Marie Zettlemoyer is Vice President of Security Engineering and Divisional Security Officer at MasterCard. She's a mentor to many cybersecurity practitioners and a visiting fellow at the National Security Institute at George Mason University. As far back as elementary school, making sure everyone was treated properly and respected was important for Anne. In college, despite not knowing the first thing about cycling, Anne's determination to do the right thing led her to participate in a 600-mile charity ride to raise money for research towards a vaccine against HIV. Anne Marie started in Business and holds an MBA in Organizational Behavior and Corporate Strategy; she started on the business side and worked under many titles like Analyst, Controller, Auditor, and Strategist. About 12 or 13 years ago she fell in love with Security because it speaks to her mission of protecting and defending others.
Ron shares how mentors have helped him learn cybersecurity and asks Anne Marie about when she's helped others climb the security mountain. Anne Marie recalls being the only woman presenter at a cybersecurity conference and receiving a certain lack of respect until she demonstrated exactly how much expertise and experience she had. She spoke to some other women in attendance and encouraged them to apply themselves in the same field, assuring them that they could also succeed; two years later one of the people she encouraged had become a Senior Security Engineer. Chris asks what it means to her to be able to show up for others now and whether she had someone like that for her own journey. Anne Marie shares about having to fight for everything herself. She expands that talent, grit, and many things are distributed throughout humanity, but opportunity isn't equally distributed. Anne Marie believes that those with the capability to find those who simply need an opportunity and lift them up have a certain responsibility to do so, so that they can lift up those who will also lift up others. Ron asks Anne Marie what it takes to make a great leader and supporter today. Anne Marie speaks a bit about leading from quiet influence and measures success more by effectiveness. The conversation shifts to how trust is needed when working to communicate risk and security decisions, depending on who you're working with, as not everyone will share the same perspectives and backgrounds. Chris asks Anne Marie for a piece of advice for someone who may need someone to show up and protect them, and she urges us to try new things, learn new things, and expand our own possibilities. Anne Marie speaks about how showing up and trying to reach out can be enough to open new doors.
1:01 — Welcome back to the Hacker Valley Studio; our guest this episode is Anne Marie Zettlemoyer.
2:43 — Anne's amazing fluency in business and how she fell in love with security.
4:37 — The call Anne feels to respect others and make sure they're respected.
6:48 — The causes to fight for even without complete preparation for the journey ahead.
8:58 — The extremes of a ride to do the right thing, and a helping hand to get you up a mountain.
11:30 — How you can never know the power of showing up for yourself.
13:30 — The power of showing up for others and being the only woman there.
15:34 — Two years after being the only woman cybersecurity presenter at a conference.
19:04 — Anne shares about having to fight for everything herself.
20:30 — The responsibility for those that have the heart to find and uplift others.
22:00 — The conversation moves to topics about networking and great leadership.
24:00 — Why having a sense of humility is necessary for a leader and building a network.
25:30 — Learning to not re-invent the wheel.
27:20 — Creating a rounded perspective to build comprehensive solutions.
28:50 — Why you need trust from the folks you're trying to protect.
31:00 — Advice for someone listening that needs someone to protect or stand up for them.
32:45 — Trying new things one step at a time can be enough.
Links
You can find Anne Marie Zettlemoyer on her LinkedIn or her Twitter. Learn more about Hacker Valley Studio. Support Hacker Valley Studio on Patreon. Follow Hacker Valley Studio on Twitter. Follow hosts Ron Eddings and Chris Cochran on Twitter. Learn more about our sponsor AttackIQ and enroll in The AttackIQ Academy!

Hashtag Realtalk with Aaron Bregg
Episode 41 - A Day in the Life of a SOC Analyst

Hashtag Realtalk with Aaron Bregg

Play Episode Listen Later Apr 7, 2021 56:15


In this episode I get a chance to speak with Dave Stycos, who is a Senior Security Engineer for Spectrum Health. Dave was part of the Security Operation Center that helped thwart a WannaCry attack on a major healthcare system in West Michigan. We talk about what a day in the SOC looks like and what is going through the SOC analyst's mind during an active incident.
Talking Points:
What does a typical day look like? Is it like it is in Hollywood movies?
What are some of the tools that you use every day?
What is the hardest part of your job?
What is the coolest experience?
Is there a fundamental difference between an incident like 'Red October' and the HVAC incident that Jim talked about at Cloud Con last year?

Kubernetes Podcast from Google
Security and Snyk, with Kamil Potrec

Kubernetes Podcast from Google

Play Episode Listen Later Mar 3, 2021 39:55


Kamil Potrec is a Senior Security Engineer at Snyk, working on security around Kubernetes and cloud platforms. He joins the show to discuss how to think about securing your infrastructure, the different arts (and colors) of offensive and defensive security, and what not to lose sleep over.
Do you have something cool to share? Some questions? Let us know: web: kubernetespodcast.com mail: kubernetespodcast@google.com twitter: @kubernetespod
Chatter of the week: Episode 23, with Andrew Philips and Lars Wander; A pile of mail and a bike
News of the week: Red Hat OpenShift 4.7 is GA; Fairwinds Insights 3.0; Envoy zero-day patched; Istio security bulletin; Sysdig contributes Falco modules to the CNCF; StorageOS raises $10m in Series B; Platform9 raises $12.5m in Series D; CNCF relaunches Kubernetes Community Day with KCD Africa and Bengaluru
Links from the interview: Offensive unit in American Football; Hand-egg; Red and blue teams; Unreal Tournament; Capture the flag; Kubernetes secrets; Design document; Encrypting secrets at the application layer; Antivirus software; Tracer-tee; SolarWinds attack; Reflections on Trusting Trust by Ken Thompson; left-pad deleted from NPM; Snyk Open Source; The open source parts; Snyk vulnerability database; MITRE CVE database; Kubernetes security at Snyk; Deploy only trusted containers to GKE; Application threat modeling; Kubernetes security best practices, including security context, AppArmor, gVisor etc; CVE-2020-8554: man-in-the-middle attack using ExternalIP services; CVE-2020-14386: packet socket vulnerability with user namespaces enabled; Earlier related work: CVE-2017-7308 and CVE-2016-8655; Project Zero writeup; Rewrite it in Rust!; Kamil Potrec on LinkedIn

Follow the White Rabbit
Privacy and the Dark Side of Hacking with Lance Vick

Follow the White Rabbit

Play Episode Listen Later Feb 17, 2021 41:44


We go down the rabbit hole with Lance Vick, Senior Security Engineer at Polychain Capital. We take a deep dive into the dark side of hacking, how we can avoid the next SolarWinds attack, and the difference between privacy and anonymity.

Semaphore Uncut
Justin Cormack on Integrating Security into Software Building

Semaphore Uncut

Play Episode Listen Later Oct 13, 2020 36:10


In this episode of Semaphore Uncut, Justin Cormack, Senior Security Engineer at Docker and member of the Technical Oversight Committee at CNCF, shares insights from the security industry. We talk about why it's important to think about what could go wrong when building software, how hackers are now exploiting vulnerabilities before shipping your code to production, and what companies can really do and use to secure their products.
Key takeaways:
Security – a matter of software quality
The threat modeling practice – understanding the potential security threats
Using the experience of experts
Supply-chain security
Security integration into CI/CD pipelines
Important vs. overhyped practices in the security industry
About Semaphore Uncut
In each episode of Semaphore Uncut, we invite software industry professionals to discuss the impact they are making and what excites them about the emerging technologies.

Radio IT
INTSIGHTS - Understanding a cyber threat and its risks: here's how

Radio IT

Play Episode Listen Later Aug 31, 2020 22:51


INTSIGHTS - Understanding a cyber threat and its risks: here's how. Sponsored content. This Radio IntSights podcast, produced with the support of Radio IT, goes into the details of Cyber Threat Intelligence and helps you immediately grasp the scope and risks of a cyber threat. The details are entrusted to Antonio Iannuzzi and Andrea Bellinzaghi, who are respectively Sales Director and Senior Security Engineer for Southern Europe, the Middle East and Switzerland at IntSights. They tell us all about the ETP platform developed by the company and driven by Cyber Threat Intelligence. From this alone one can infer that the platform works on the principles of artificial intelligence and machine learning, to which it adds a factor that remains decisive for the effectiveness of IT and digital tools: the human factor. Enjoy the listen! More content at www.radioit.it

SecureConnection Podcast: IT Security/Security Experts for MSP’s

Cybersecurity has been the wild west of the digital age, so why not start using canaries in the coal mines? Brian catches up with Huntress Labs Senior Security Engineer Dave Kleinatland and Sales Manager David Alcaraz-Duran to get an update on some cool new tools they have launched this summer and more they hope to have deployed before the end of the year. We always enjoy a chat with our friends at Huntress. As discussed in this Webcast, their resources page can be found here – Security Assets & Tools – along with a few events where you can connect with them this summer. Huntress Founders Talk Security in this Monthly Webinar www.tradecrafttuesday.com The CyberCall - With Andrew Morgan, Huntress, Perch Security and TruMethods. https://www.crowdcast.io/e/cybercall

SecureConnection Podcast: IT Security/Security Experts for MSP’s

Cybersecurity has been the wild west of the digital age, so why not start using canaries in the coal mines? Brian catches up with Huntress Labs Senior Security Engineer Dave Kleinatland and Sales Manager David Alcaraz-Duran to get an update on some cool new tools they have launched this summer and more they hope to […] The post Ransomware Canaries appeared first on IOT Security Services Association.

Hacking into Security - Career Talks
Hacking Into Security #14 - Aesthetician to Senior Security Engineer at Netflix, with Wendy Zenone

Hacking into Security - Career Talks

Play Episode Listen Later Jul 4, 2020 37:22


Wendy Zenone quit her job as an aesthetician at 38, learnt to code and has progressed to working at her dream company, Netflix. We have a fun chat discussing Wendy's journey from a very non-IT role, learning to code, being a mom, landing her first job in security, to where she is today. Wendy shares her experience and tips for others wanting to move into the industry, as well as advice on interviewing and the value of perseverance.

The Get Cyber Resilient Show
Ep 8 | Launching a career in cyber security - with Craig Ford, Senior Security Engineer at Davichi Computer Services

The Get Cyber Resilient Show

Play Episode Listen Later Mar 30, 2020 27:06


In this working from home edition of the Get Cyber Resilient Show, Garret O'Hara chats with Craig Ford, author of ‘A Hacker I Am' and Senior Security Engineer at Davichi Computer Services. Craig and Gar speak about careers in cyber security including what employers look for, mentoring and diversity in the industry, along with current cyber threats and how to get back to basics. #getcyberresilient #cyberresilience Related links: Craig's Book: https://www.amazon.com.au/Hacker-I-Am-Craig-Ford/dp/0648693910 For the latest cyber news and insights head to www.getcyberresilient.com

The SecureWorld Sessions
Cybersecurity Red Team vs. Blue Team — Miniseries, Part 2

Mar 17, 2020 (14:19)

The SecureWorld Sessions is a cybersecurity podcast that gives you access to people and ideas that impact your career and help you secure your organization. In this episode, we talk to Ryan Mostiller, Senior Security Engineer at Penske Automotive Group, about how Blue Teams can help secure the organization and get credit for doing it. Plus, details on a new initiative in response to the coronavirus (COVID-19): announcing the SecureWorld Remote Sessions.

RESOURCE LINKS:
NEW SecureWorld Remote Sessions: https://www.secureworldexpo.com/resources?cat=remote-sessions
Trend Micro 2019 Security Roundup Report: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/the-sprawling-reach-of-complex-threats
Ryan Mostiller: https://www.linkedin.com/in/ryanmostiller/

Page it to the Limit
Security With Bea Hughes and Sarai Rosenberg

Feb 4, 2020 (26:44)

In this episode, Julie Gunderson talks with Bea Hughes, Senior Security Engineer, and Sarai Rosenberg, Insecurity Princess, both from PagerDuty, about all things security.

Splunk [All Products] 2019 .conf Videos w/ Slides
Splunk Phantom Ignition: Getting Automation Off the Ground and Working for You [Phantom]

Dec 23, 2019

Did you get more staff for Heartbleed? How about Shellshock or the OPM breach? Neither did we. The threat landscape is growing faster than ever and we need to cover more bases without more people. Enter Splunk Phantom: automation and integration for the masses. This session will help you understand what you need to build an effective Phantom ecosystem. I will go over initial strategies, real world examples, and use cases, and we will also take a glance at some more robust development projects that show the power of Phantom's extensibility.

Speaker(s): Mhike Funderburk, Senior Security Engineer, Stage 2 Security; Brandon Robinson, Senior Security Architect, Stage 2 Security; Luke Summers, Cyber Security Engineer, Stage 2 Security

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1949.pdf?podcast=1577146225
Product: Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Splunk [Security, Compliance and Fraud Track] 2019 .conf Videos w/ Slides
Splunk Phantom Ignition: Getting Automation Off the Ground and Working for You [Phantom]

Dec 23, 2019


Splunk [Phantom] 2019 .conf Videos w/ Slides
Splunk Phantom Ignition: Getting Automation Off the Ground and Working for You [Phantom]

Dec 23, 2019


Chaz & AJ in the Morning
Thursday, July 18: FaceApp #AgeChallenge And AJ Says The Same Thing Over And Over...

Jul 18, 2019 (59:54)

Buzz Aldrin talks about the Apollo program on Twitter celebrating 50 years of the moon landing (0:00), Tribe questions to "AJ on the moon" (7:46), Sean Meaner, Senior Security Engineer at CT Information Security, talks about the FaceApp that is potentially a harmful Russian program (13:03), Dumb Ass News - chicken nuggets in bra (22:51), Hugh Keefe and Tara Knight talk about high profile court cases in the news (26:28), Jimmy Koplik counts down the Top 20 artists he's booked the most in his career (35:52), How many times did AJ say "right" during the Jimmy Koplik call? (48:17), and Dumb Ass News - moron drives into a river, but her interview with local news afterwards is what makes her today's dumb ass (55:39).

SecTools Podcast Series
SecTools Podcast E08 with Mike Hodges

Oct 11, 2018 (16:04)

Mike Hodges is a Senior Security Engineer at Red Ventures leading Red Team Operations and Incident Response. He comes from a background of application development and penetration testing consulting. Currently, his focus is on developing evasive offensive capabilities and fighting off the ever-present imposter syndrome brought on by working in InfoSec.

Google Cloud Platform Podcast
Forseti with Nenad Stojanovski and Andrew Hoying

Mar 28, 2018 (32:08)

Nenad Stojanovski and Andrew Hoying join Mark and Melanie this week to discuss Forseti - open source tools for Google Cloud Platform security.

Nenad Stojanovski: Staff Security Engineer, Spotify

Andrew Hoying: Andrew Hoying is a Senior Security Engineer at Google. His goal is to ensure all services built by Google and running on Google Cloud Platform have the same, or better, security assurances as services running in any other environment. He is also a top contributor to the Forseti Security open-source project, helping enterprises monitor and secure their GCP environments.

Cool things of the week:
Shopify's Infrastructure Collaboration with Google (blog)
Kubernetes Engine Private Clusters now available in beta (blog)
Easy HPC clusters on GCP with Slurm (blog)
Understand your spending at a glance with Google Cloud Billing reports beta (blog)

Interview:
Forseti Security (site, docs, github)
Google Cloud Shell (site, docs)
Forseti Security

Question of the week:
How do I automatically scan the Docker images in your Google Cloud Repository for known vulnerabilities?
Scanning Vulnerabilities in Docker images (blog)
Container Registry Vulnerability Scanning (docs)

Where can you find us next?
Melanie will be speaking about AI at Techtonica on April 11th, and on April 14th will be participating in a panel on Diversity and Inclusion at the Harker Research Symposium.

DEF CON 23 [Audio] Speeches from the Hacker Convention

DEF CON 101: The Panel. Mike Petruzzi (wiseacre), Senior Cyber Security Penetration Tester; Nikita Kronenberg, Not a Security Researcher, DEF CON; PushPin; Plug; Russ Rogers, Chief of Operations, DEF CON

DEF CON has changed for the better since the days at the Alexis Park. It has evolved from a few speaking tracks to an event that still offers the speakers, but also Villages, where you can get hands-on experience, and Demo Labs, where you can see tools in action. Of course, there is still the entertainment and Contest Area, as well as Capture The Flag. There is so much more to DEF CON than there was in the past and it is our goal to help you get the best experience possible. In addition to introducing each of the different aspects and areas of DEF CON, we have a panel of speakers that will talk about how they came to be part of DEF CON and their personal experiences over the years.

Mike Petruzzi has been hacking managers for over 25 years. Mike is a Senior Cyber Security Penetration Testing Specialist working at various Federal Civil Agencies for the last 15 years. Yup, that's the title he was given. Naturally, he got all his IT experience as the result of selling beer, wine and liquor. He has tricked everyone into believing that he can do anything at all. Twitter: @wiseacre_mike

Nikita works full time for DEF CON doing stuff, and things. She is DEF CON's administrator, director of the CFP review board, speaker liaison, workshop manager, and overall cat herder. Helping out over the past decade she has been involved in some capacity for over a dozen departments, activities, contests, and events. She provides annoyance, planning, and support in many ways, thus dubbed the "administrator of chaos". If you hate the schedule, or are mad your talk was rejected, you can blame her. Nikita likes to think of herself as approachable, and loves to make people feel welcome at DEF CON, despite having R.B.F. Her hardest job yet was writing a serious third person bio. Twitter: @niki7a

PushPin is an uptight perfectionist who is very rarely content working with idiots and enjoys his Jell-O Pudding cups. He can neither confirm nor deny working for any of the three letter agencies that oversee WMDs, high energy weapons [LASERS, YO], and play around with other countries. It is literally impossible to see him without his laptop at any given time during the day, and he has been told frequently to put it away in public; otherwise, you'll find him at work devoid of any form of social life. I hate you all, seriously.. Twitter: @X72

Plug is a Mexican immigrant who immigrated to the States at age 18. While learning to read English he found a 2600 magazine that led him to his first LA2600 meeting in 1998; from that point forward he has been a computer security enthusiast. Over the years he has worked as a Systems Administrator with a focus on security, eventually moving full time to work in information security. Plug currently works as a Senior Security Engineer securing the network of a prominent finance and foreign exchange company. He is also working on a volunteer project to teach 5th graders basic computer security skills. In his free time he enjoys playing with synthesizers and modular systems; when possible he volunteers his time to computer security events.

This is Russ' 17th year as a DEF CON goon, and he has over 25 years' experience in hacking. Russ first learned to program around the 1982 timeframe, when he received a Timex Sinclair, which used only programs keyed in via BASIC. He's been involved in a number of aspects of DEF CON over the years, including the vendors, contests, DEF CON Groups, security, Hardware Hacking Village, and planning. Russ currently works as the Chief of Operations, where he depends heavily upon the other experienced hackers and goons that help run the world's largest hacker conference.

Down the Security Rabbithole Podcast
DtR Episode 98 - Grr (Grr Rapid Response)

Jun 23, 2014 (46:18)

In this episode:
What exactly is "GRR"?
What sorts of things can GRR do?
What is a hunt, and how does it scale across tens of thousands of machines?
How does GRR "hide" from malware?
How does GRR keep some of the great power it has from being abused?
Automating and integrating GRR with external sources and tools
Features, functions, capabilities and some magic from Greg
The future features, requests, and direction of GRR

Guest: Greg Castle - Greg has 10 years' experience working in computer security. In his current role as Senior Security Engineer at Google, he is a developer and user of the open-source GRR live-forensics system. He also has a strong interest and involvement in OS X security, having been responsible for the security of Google's OS X fleet for two years. His pre-Google job roles have included pentester, incident responder, and forensic analyst.

Links: Grr Rapid Response - https://code.google.com/p/grr/

Paul's Security Weekly
Andy Ellis, Software Restriction Policies, Drunken Security News - Episode 334 - June 6, 2013

Jun 10, 2013 (88:13)

Andy Ellis is Akamai's Chief Security Officer, responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network. He is the designer and patent holder of Akamai's SSL acceleration network, as well as several of the critical technologies underpinning the company's Kona Security Solutions. Greg is an Intern with Security Weekly and a Senior Security Engineer for a financial services firm. Greg specializes in vulnerability management, penetration testing and security architecture. He's on tonight to cover his blog post on Windows Software Restriction Policies.

Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference
Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous

Jun 4, 2006 (54:51)

Imagine you're visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005's "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc., even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company's routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit, and especially those we trust. The age of web application security malware has begun and it's critical that we understand what it is and how to defend against it.

During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see:
* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security (http://www.whitehatsec.com), where he is responsible for web application security R&D and industry evangelism. As a well-known and internationally recognized security expert, Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writing, and interviews have been published in dozens of publications including USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

T.C. Niedzialkowski is a Senior Security Engineer at WhiteHat Security in Santa Clara, California. In this role, he oversees WhiteHat Sentinel, the company's continuous vulnerability assessment and management service for web applications. Mr. Niedzialkowski has extensive experience in web application assessment and is a key contributor to the design of WhiteHat's scanning technology.

Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference
Jeremiah Grossman: Hacking Intranet websites from the outside: Malware just got a lot more dangerous

Jun 4, 2006 (54:51)


Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
Robert J. Hansen and Meredith L. Patterson: Stopping Injection Attacks with Computational Theory

Jun 4, 2006 (49:29)

Input validation is an important part of security, but it's also one of the most annoying parts. False positives and false negatives force us to choose between convenience and security, but do we have to make that choice? Can't we have both? In this talk two University of Iowa researchers will present new methods of input validation which hold promise to give us both convenience _and_ security. A basic understanding of SQL and regular expressions is required.

Robert J. Hansen: B.A. in Computer Science from Cornell College, 1998. Graduate student at the University of Iowa, 2003-2005, researching secure voting systems with Prof. Doug Jones. Senior Security Engineer at Exemplary Technologies, 2000; Cryptographic Engineer at PGP Security, 2000-2001.

Meredith L. Patterson: B.A. English (Linguistics) from the University of Houston, 2000. M.A. Linguistics from the University of Iowa, 2003. Graduate student at the University of Iowa, 2003-2005, studying data mining with Prof. Hwanjo Yu. Bioinformatics intern at Integrated DNA Technologies, 2003-2005.

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference
Robert J. Hansen and Meredith L. Patterson: Stopping Injection Attacks with Computational Theory

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 49:29



CERIAS Security Seminar Podcast
Himanshu Khurana, Minimizing Trust Liabilities in Secure Group Messaging Infrastructures

Aug 31, 2005 (42:33)

Large-scale collaborative applications are characterized by a large number of users and other processing end entities that are distributed over geographically disparate locations. Therefore, these applications use messaging infrastructures that scale to the application needs and enable users to process messages without concern for message transmission and delivery. Widespread use of these infrastructures is hindered by the need for scalable security services; viz., services for confidentiality, integrity, and authentication. Current solutions for providing security for these systems use trusted servers (or a network of servers), which consequently bear significant trust liabilities of maintaining confidentiality, integrity, and authentication of messages and keys that are processed by the servers. In this talk we look at current approaches for secure messaging in three commonly used messaging infrastructures: email, group communication, and publish/subscribe. We then show how novel encryption techniques can be used to minimize trust liabilities in these infrastructures in a scalable manner. We are in the process of developing prototypes of our solutions. We will discuss the prototype designs and present some initial experimentation results.

About the speaker: Dr. Himanshu Khurana received his MS from the University of Maryland in 1999, and his PhD from the University of Maryland in 2002. He worked as a postdoctoral researcher at the Institute for Systems Research, University of Maryland from 2002 to 2003. Dr. Khurana is currently a Senior Security Engineer at the National Center for Supercomputing Applications. His research interests are in network and distributed system security, and he is currently working on projects in secure messaging, dynamic coalitions, web services, and wireless sensor networks. While at the University of Maryland he led the prototype development of tools for secure dynamic coalitions, which were selected for the Joint Warrior Integration Demonstration (JWID) in 2004.