Ken and Mike discuss supply chain security, including software composition analysis (SCA) and software bill of materials (SBOM). They highlight the importance of understanding the components that make up your software and the risks associated with using third-party libraries. They also discuss recent supply chain failures, such as the XZ library hack and the SolarWinds attack. The hosts emphasize the need for organizations to stay up to date with software patches and to consider the security of commercial off-the-shelf software. They caution against placing too much focus on any one security tool or approach, including SBOM, and instead advocate for a well-rounded approach to security.
We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. At the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day, which took place on May 27th.

Segment Resources:
https://owaspsamm.org/
https://github.com/OWASPsamm
https://app.slack.com/client/T04T40NHX/C0VF1EJGH
https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g
https://twitter.com/OwaspSAMM
https://www.linkedin.com/company/18910344/admin/

Visit https://securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/secweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/vault-asw-6
It's a BIG news episode this week, as Leo Laporte and Paul Thurrott discuss the sudden departure of Panos Panay from Microsoft to Amazon. Did he jump or get pushed out of the company? Leo and Paul also dive into a massive leaked memo about Microsoft's Xbox roadmap and plans over the next 10 years. Other topics include Microsoft's upcoming event focused on AI integration across products like Windows, Office 365, and Surface, as well as online account consolidation and Google's Takeout service.

We're down a Panay
- After his curiously off-kilter performance at Build 2023 this past May, Microsoft reveals that it is parting ways with Panos Panay. Are these things related?
- He's landing at Amazon devices, which makes sense given David Limp is retiring
- Multiple Microsoft executives and employees have reached out privately about this
- Comparisons to Terry Myerson's exit

Blockbuster Xbox leak
- Major Xbox leak reveals Xbox Series X|S mid-season upgrades, next-gen console, new controller, and more
- This is one of the top three Microsoft leaks that's happened in Paul's nearly 30 years of covering this company
- An analysis of just one of the documents in this leak reveals an incredible amount of strategy information for the next 10 years
- And one about the reaction to the PS5 reveal

Microsoft's upcoming AI event
- Expectations for this event, the kick-off for Microsoft's full-on client AI push
- Sub-analysis: This could be Microsoft CTO Kevin Scott's "Ray Ozzie moment." There's a profile of this mostly unknown in the WSJ
- Intel announces NPU-powered Core Ultra CPUs - off schedule? Related to the MSFT event?
- Bing Chat gains two new mobile integrations
- Paint keeps getting AI features. Remember when Paint was the laughing stock of Windows 11 apps?

Windows
- No new builds (of substance, there was an RP build).
- Windows Photos, Snipping Tool, and Phone Link are all getting new features in Insider. Is Microsoft finally taking its in-box apps seriously (again)?
- Google extends the support lifecycle for ChromeOS, solving the single biggest criticism of this platform. This is problematic for Microsoft

Microsoft 365
- EU will reject Microsoft's offer to unbundle Teams from Microsoft 365

Surface
- Surface Laptop Studio 2 and Laptop Go 3 leak. They will likely be announced at the special event

Xbox
- Microsoft announces more Xbox Game Pass titles for September
- Bethesda's The Elder Scrolls VI will be an Xbox exclusive.

Tips and picks
- Tip of the week: Consolidate and organize your online accounts
- App pick of the week: Google Takeout

Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell
Download or subscribe to this show at https://twit.tv/shows/windows-weekly
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Check out Paul's blog at thurrott.com
The Windows Weekly theme music is courtesy of Carl Franklin.
Sponsors: nureva.com/twit Miro.com/podcast
Wes Miller, Research VP at Directions on Microsoft, joins Corey on Screaming in the Cloud to discuss the various intricacies and pitfalls of Microsoft licensing. Wes and Corey discuss what it's like to work closely with a company like Microsoft in your day-to-day career, while also looking out for the best interest of your mutual customers. Wes explains his history of working both at and with Microsoft, and the changes he's seen to their business models and the impact that has on their customers. About WesWes Miller analyzes and writes about Microsoft security, identity, and systems management technologies, as well as Microsoft product licensing.Before joining Directions on Microsoft in 2010, Wes was a product manager and development manager for several Austin, TX, start-ups, including Winternals Software, acquired by Microsoft in 2006. Prior to that, Wes spent seven years at Microsoft working as a program manager in the Windows Core Operating System and MSN divisions.Wes received a B.A. in psychology from the University of Alaska Fairbanks.Links Referenced: Directions on Microsoft Website: https://www.directionsonmicrosoft.com/ Twitter: https://twitter.com/getwired LinkedIn: https://www.linkedin.com/in/wmiller/ Directions on Microsoft Training: https://www.directionsonmicrosoft.com/training TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. So, I write a newsletter called Last Week in AWS, which has always felt like it's flying a little bit too close to the sun just because having AWSes name in the title of what I do feels like it's playing with copyright fire. 
It's nice periodically to talk to someone—again—who is in a similar boat. Wes Miller is a Research VP at Directions on Microsoft. To be clear, Directions on Microsoft is an analyst firm that talks primarily about Microsoft licensing and is not, in fact, part of Microsoft itself. Have I disclaimed that appropriately, Wes?Wes: You have. You have. And in fact, the company, when it was first born, was actually called Microsoft Directions. And they had a reasonably good relationship with Microsoft at the time and Microsoft cordially asked them, “Hey, could you at least reverse that so it corrects it in terms of trademark.” So yes, we're blessed in that regard. Something you probably would never get away with now, but that was 30 years ago.Corey: [laugh]. And now it sounds like it might as well be a product. So, I have to ask, just because the way I think of you is, you are the folks to talk to, full stop, when you have a question about anything that touches on Microsoft licensing. Is that an accurate depiction of what it is you folks do or is that just my particular corner of the world and strange equivalence that gets me there?Wes: That is our parts of the Venn diagram intersecting because that's what I spend a lot of time talking about and thinking about because I teach that with our company founder, Rob Horwitz. But we also spend an inordinate amount of time taking what Microsoft is talking about shipping, maybe servicing, and help customers understand really, as we say, the ‘So, what?' What does this mean to me as a customer? Should I be using this? Should I be waiting? Should I upgrade? Should I stay? Those sorts of things.So, there's a whole roadmapping side. 
And then we have a [laugh]—because licensing doesn't end with a license, we have a whole side of negotiation that we spend a lot of time, we have a dedicated team that focuses on helping enterprise agreement customers get the most successful deal for their organization, basically, every three years.Corey: We do exactly that with AWS ourselves. I have to ask before we dive into this. In the early days, I felt like I had a much better relationship with Microsoft. Scott Guthrie, the head of Azure, was on this show. A number of very highly placed Microsoft folks were here. And over the years, they more or less have stopped talking to me.And that leaves me in a position where all I can see is their actions and their broad public statements without getting any nuance or context around any of it. And I don't know if this is just a commentary on human nature or me in particular, but I tend to always assume the worst when things like that happen. So, my approach to Microsoft has grown increasingly cynical over the years as a result. That said, I don't actually have an axe to grind with them from any other perspective than as a customer, and occasionally that feels like ‘victim' for a variety of different things. What's your take on Microsoft as far as, I guess, your feelings toward the company?Wes: So, a lot of people—in fact, it used to be more so, but not as much anymore, people would assume I hate Microsoft or I want to demonize Microsoft. But the irony actually is, you know, I want people to remember I worked there for seven-and-a-half years, I shipped—I was on the team that shipped Windows XP, Server 2003, and a bunch of other products that people don't remember. And I still care about the company, but the company and I are obviously in different trajectories now. And also, my company's customers today are also Microsoft's customers today, and we actually have—our customers—our mutual customers—best interest in mind with basically everything we do. 
Are we helping them be informed? Are we helping them color within the financial lines?And sometimes, we may say things that help a customer that aren't helping the bottom line or helping a marketing direction and I don't think that resonates well within Microsoft. So sure, sometimes we even hear from them, “Hey, it'd be great if you guys might want to, you know, say something nice once in a while.” But it's not necessarily our job to say nice things. I do it once in a while. I want to note that I said something nice about AAD last week, but the reality is that we are there to help our mutual customers.And what I found is, I have found the same thing to be true that you're finding true that, unfortunately, outbound communications from them, in particular from the whole company, have slowed. I think everybody's busier, they've got a very specific set of directions they're going on things, and as a result, we hear very little. And even getting, trying to get clarification on things sometimes, “Did we read that right?” It takes a while, and it has to go through several different rungs of people to get the answer.Corey: I have somewhat similar relationships over the years with AWS, where they—in many cases, a lot of their executives prefer not to talk to me at all. Which again, is fair. I'm not—I don't require any of them to do it. But there's something in the Amazonian ethos that requires them to talk to customers, especially when customers are having a rough time. And I'm, for better or worse, the voice of the customer.I am usually not the dumbest person in the universe when it comes to trying to understand a service or make it do something that, to me, it seems that it should be able to do. And when I actually start having in-depth conversations, people are surprised. “Wow, you were super pleasant and fun to work with. We thought you were just going to be a jerk.” It's, yeah, it turns out I don't go through every meeting like it's Twitter. 
What a concept.Wes: Yeah, a lot of people, I've had this happen for myself when you meet people in person, when they meet your Twitter persona, especially for someone who I think you and I both come across as rather boisterous, gregarious, and sometimes people take that as our personas. And I remember meeting a friend in the UK for the first time years ago, he's like, “You're very different in person.” I'm like, “I know. I know.”Corey: I usually get the, “You're just like Twitter.” In many respects, I am. Because people don't always see what I'm putting down. I make it a point to be humorous and I have a quick quip for a lot of things, but it's never trying to make the person I'm engaging with feel worse for it. And that's how I work.People are somewhat surprised when I'm working in client meetings that I'm fun and I have a similar sense of humor and personality, as you would see on Twitter. Believe it or not, I haven't spent all this time just doing a bit. But they're also surprised that it tends to drive toward an actual business discussion.Wes: Sure.Corey: Everything fun is contextual.Wes: Absolutely. That's the same sort of thing we get on our side when we talk to customers. I think I've learned so much from talking with them that sometimes I do get to share those things with Microsoft when they're willing to listen.Corey: So, what I'm curious about in the context of Microsoft licensing is something that, once again, it has intruded upon my notice lately with a bunch of security disclosures in which Microsoft has said remarkably little, and that is one of the most concerning things out there. They casually tried to slide past, “Oh, yeah, we had a signing key compromised.” Which is one of those, “Oh, [laugh] and by the way, the building's on fire. But let's talk about our rent [unintelligible 00:07:44] for the next year.” Like, “Whoa, whoa, whoa. Hold on. What?”That was one of those horrifying moments. 
And it came out—I believe I learned about this from you—that you needed something called E3 licensing—sorry, E5 licensing—in order to look at those audit logs, where versus E3, which sounded like the more common case. And after a couple of days of, “Explain this,” Microsoft very quickly wound up changing that. What do all these things mean? This is sort of a foreign concept to me because AWS, for better or worse, does not play games with licensing in the same way that Microsoft does.Wes: Sure. Microsoft has, over the years, you know, they are a master of building suites. This is what they've done for over 30 years. And they will build a suite, they'll sell you that suite, they'll come back around in three to six years and sell you a new version of that suite. Sometimes they'll sell you a higher price version of that suite, et cetera.And so, you'll see products evolve. And did a great podcast with my colleagues Rob and Mary Jo Foley the other day where we talked about what we've seen over the last, now for me, 11 years of teaching boot camps. And I think in particular, one of the changes we have seen is exactly what you're being exposed to on the outside and what a lot of people have been complaining about, which is, products don't sit still anymore. So, Microsoft actually makes very few products today. Almost everything they sell you is a service. There are a handful of products still.These services all evolve, and about every triennium or two—so every three to six years—you'll see a price increase and something will be added, and a price increase and something will be added. And so, all this began with the BPOS, the first version of Office 365, which became Office 365 E3, then Microsoft 365 E3 then Microsoft 365 E5. 
And for people who aren't in the know, basically, that means they went from Office as a subscription to Office, Windows, and a bunch of management tools as a subscription, to E5, basically, it took all of the security and compliance tools that many of us feel should have been baked into the fundamentals, into E3, the thing that everybody buys, what I refer to still today as the hero SKU and those security and compliance fundamentals should have been baked in. But no, in fact, a lot of customers when this AAD issue came out—and I think a lot discovered this ad hoc for the same reason, “Hey, we've been owned, how far back in the logs can we look?” And the answer is, you know, no farther than 90 days, a lot of customers hit that reality of, what do you mean we didn't pay for the premium thing that has all the logging that we need?Corey: Since you sat on this for eight months before mentioning it to us? Yeah.Wes: Exactly, exactly. And it's buried. And it's one of those things that, like, when we teach the licensing boot camp, I specifically call out because of my security background, it's an area of focus and interest to me. I call out to customers that a lot of the stuff we've been showing you has not questionable valuable, but kind of squishy value.This piece right here, this is both about security and compliance. Don't cheap out. If you're going to buy anything, buy this because you're going to need it later. And I've been saying that for, like, three years, but obviously only the people who were in the boot camp would hear that and then shake their head;, “Why does it have to be this difficult?” But yeah. Everything becomes a revenue opportunity if it's a potential to upsell somebody for the next tier.Corey: The couple of times I've been asked to look at Azure bills, I backed away slowly as soon as I do, just because so much of it is tied to licensing and areas that are very much outside of my wheelhouse. 
Because I view, in the cloud context, that cost and architecture tend to be one and the same. But when you bolt an entire layer of seat licensing and what this means for your desktop operating systems on as well as the actual cloud architecture, it gets incredibly confusing incredibly quickly. And architectural advice of the type that I give to AWS customers and would give to GCP customers is absolutely going to be harmful in many respects.

I just don't know what I don't know and it's not an area that interests me, as far as learning that competency, just to jump through hoops. I mean, I frankly used to be a small business Windows admin, with the products that you talked about, back when XP and Server 2003 and a few others, I sort of ruled the roost. But I got so tired of surprise audit-style work. It felt like busy work that wasn't advancing what I was trying to get done in any meaningful way that, in a fit of rage, one day, I wound up exploring the whole Unix side of the world in 2006 and never went back.

Wes: [whispering] That's how it happened.

Corey: Yep.

Wes: It's unfortunate that it's become so commonplace, but when Vista kind of stalled out and they started exploring other revenue opportunities, you have Vista Ultimate Enterprise, all the crazy SKUing that Vista had, I think it sort of created a mindset within the company that this is what we have to do in order to keep growing revenue up and to the right, and you know, shareholder value be the most important thing, that's what you've got to do. I agree entirely, though, the biggest challenge I could see for someone coming into our space is the fact that yes, you've got to understand Azure, Azure architecture, development architecture, and then as soon as you feel like you understand that, somebody comes along and says, “Well, yeah, but because we have an EA, we have to do it this way or we only get a discount on this thing.” And yeah, it just makes things more cumbersome.

And I think that's why we still see a lot of customers who come to our boot camps who are still very dedicated AWS customers because that's where they were, and it's easier in many regards, and they just want to go with what they know.

Corey: And I think that that's probably fair. I think that there is an evolution that grows here that I think catches folks by surprise. I'm fortunate in that my Microsoft involvement, if we set things like GitHub aside because I like them quite a bit and my Azure stuff as well—which is still small enough to fit in the free tier, given that I use it for one very specific, very useful thing—but the rest of it is simply seat licenses for Office 365 for my team. And I just tend to buy the retail-priced one on the internet that's licensed for business use, and I don't really think about it again. Because I don't need, as you say, in-depth audit logs for Microsoft Word. I really don't. I'm sorry, but I have a hard time believing that that's true. But something that immediately crops up when you say this is when you talk about E3 versus E5 licensing, is that organization-wide or is that on a per-seat basis?

Wes: It's even worse than that. It usually comes down to per-user licensing. The whole world used to be per device licensing in Microsoft and it switched to per user when they subscript-ified everything—that's a word I made up a while ago—so when they subscript-ified everything, they changed it over to per user. And for better or worse, today, you could—there's actually four different tiers of Microsoft 365. You could go for any one of those four for any distinct user.

You could have one of them on F1, F3, E3, and E5. Now, if you do that, you create some other license non-compliance issues that we spend way too much time having to talk about during the boot camp, but the point is, you can buy to fit; it's not one-size-fits-all necessarily.
But you run into, very rapidly, if you deploy E5 for some number of users because the products that are there, the security services and compliance services ironically don't do license compliance in most cases, customers can actually wind up creating new license compliance problems, thereby basically having to buy E5 for everybody. So, it's a bit of a trapdoor that customers are not often aware of when they initially step into dabbling in Microsoft 365 E5.

Corey: When you take a look at this across the entire board, what is your guidance to customers? Because honestly, this feels like it is a full-time job. At scale, a full-time job for a department simply keeping up with all of the various Microsoft licensing requirements, and changes because, as you say, it's not static. And it just feels like an overwhelming amount of work that to my understanding, virtually no other vendor makes customers jump through. Sure there's Oracle, but that tends to be either in a database story or a per developer, or on rare occasions, per user when you build internal Java apps. But it's not as pervasive and as tricky as this unless I'm missing something.

Wes: No, you're not. You're not missing anything. It's very true. It's interesting to think back over the years at the boot camp. There's names I've heard that I don't hear anymore in terms of companies that were as bad. But the reality is, you hear the names of the same software companies but, exactly to your point, they're all departmental. The people who make [Roxio 00:16:26] still, they're very departmentalized. Oracle, IBM, yeah, we hear about them still, but they are all absolutely very departmentalized.

And Microsoft, I think one of the reasons why we do get so many—for better or worse, for them—return visitors to our licensing boot camps that we do every two months, is for that exact reason, that some people have found they like outsourcing that part of at least trying to keep up with what's going on, what's the record?

And so, they'll come back every two, three, or four years and get an update. And we try to keep them updated on, you know, how do I color within the lines? Should it be like this? No. But it is this way.

In fact, it's funny, I think back, it was probably one of the first few boot camps I did with Rob. We were in New York and we had a very large customer who had gotten a personalized message from Microsoft talking about how they were going to simplify licensing. And we went to a cocktail hour afterwards, as we often do on the first day of the boot camp, to help people, you know, with the pain after a boot camp, and this gentleman asks us well, “So, what are you guys going to do once Microsoft simplifies licensing?” And Rob and I just, like, looked at each other, smiled, looked back at the guy, and laughed. We're like, “We will cross that bridge when we get to it.”

Corey: Yeah, people ask us that question about AWS billing. What if they fix the billing system? Like, we should be so lucky to live that long.

Wes: I have so many things I'd rather be doing. Yes.

Corey: Mm-hm. Exactly. It's one of those areas where, “Well, what happens in a post-scarcity world?” Like, “I couldn't tell you. I can't even imagine what such a thing would look like.”

Wes: Exactly [laugh]. Exactly.

Corey: So, the last time we spoke way back, I think in 2019, Microsoft had wound up doing some unfortunate and fairly underhanded-appearing licensing changes, where it was more expensive to run a bunch of Microsoft things, such as server software, most notably SQL Server, on clouds that were not Azure. And then, because you know, you look up the word chutzpah in the dictionary, you'll find the Microsoft logo there in response, as part of the definition, they ran an advertising campaign saying that, oh, running many cloud workloads on Azure was five times cheaper than on AWS. As if they cracked some magic secret to cloud economics.
Rather than no, we just decided to play dumb games that win worse prizes with cloud licensing. How did that play out?

Wes: Well, so they made those changes in October of 2019, and I kind of wish they'd become a bigger deal. And I wish they'd become a bigger deal earlier so that things could have been, maybe, reversed when it was easier. But you're absolutely right. So, it—for those who don't know, it basically made licensing changes on only AWS, GCP, and Alibaba—who I never had anybody ask me about—but those three. It also added them for Azure, but then they created loopholes for themselves to make Azure actually get beneficial licensing, even better than you could get with any other cloud provider [sigh].

So, the net takeaway is that every Microsoft product that matters—so traditionally, SQL Server, Windows Server, Windows client, and Office—is not impossible to use on AWS, but it is markedly more expensive. That's the first note. To your point, then they did do that marketing campaign that I know you and I probably had exchanges about at the time, and it drove me nuts as well because what they will classically do is when they tout the savings of running something on Azure, not only are they flouting the rules that they created, you know, they're basically gloating, “Look, we got a toy that they didn't,” but they're also often removing costs from the equation. So, for example, in order for you to get those discounts on Azure, you have to maintain what's called Software Assurance. You basically have to have a subscription by another name.

If you don't have Software Assurance, those opportunities are not available to you. Fine. That's not my point. My point is this, that Software Assurance is basically 75% of the cost of the next version.

So, it's not free, but if you look at those 5x claims that they made during that time frame, they actually were hand-waving and waving away the [assay 00:20:45] costs.

So, if you actually sat down and did the math, the 5x number was a lie. It was not just very nice, but it was wrong, literally mathematically wrong. And from a—as my colleague likes to say, a ‘colors person,' not a numbers person like me, from a colors person like me, that's pretty bad. If I can see the error in your math, that's bad math.

Corey: It just feels like it's one of those taxes on not knowing some of the intricacies of what the heck is going on in the world of Microsoft licensing. And I think every sufficiently complex vendor with, shall we say, non-trivial pricing dimensions, could be accused of the same thing. But it always felt particularly worrisome from the Microsoft perspective. Back in the days of BSA audits—which I don't know at all if they're still a thing or not because I got out of that space—every executive that I ever spoke to, in any company lived in fear of them, not because they were pirating software or had decided, “You know what? We have a corporate policy of now acting unethically when it comes to licensing software,” but because of the belief that no matter what they came up with or whatever good faith effort they made to remain compliant, of course, something was not going to work the way they thought it would and they were going to be smacked with a fine. Is that still the case?

Wes: Absolutely. In fact, I think it's worse now than it ever was before. I will often say to customers that you are wildly uncompliant while also being wildly overcompliant because per your point about how broad and deep Microsoft is, there's so many products. Like, every company today, every company that has Project and Visio still in place today, that still pays for it, you are over-licensed.
You have more of it than you need.

That's just one example, but on the other side, SQL Server, odds are, every organization is subtly under-licensed because they think the rule is to do this, but the rules are actually more restrictive than they expect. So, and that's why Microsoft is, you know, the first place they look, the first rug they look under when they do walk in and do an audit, which they're entitled to do as a part of an organization's enterprise agreement. So BSA, I think they do still have those audits, but Microsoft now they have their own business that does that, or at least they have partners that do that for them. And places like SQL Server are the first places that they look.

Why? Because it's big, found money, and because it's extremely hard to get right. So, there's a reason why, when we focus on our boot camps, we'll often tell people, you know, “Our goal is to save you enough money to pay for the class,” because there's so much money to be found in little mistakes that if you do a big thing wrong with Microsoft software, you could be wildly out of compliance and not know about it until Microsoft—or more likely, a Microsoft partner—points it out to you.

Corey: It feels like it's an inevitability. And, on some level, it's the cost of doing business. But man, does that leave a sour taste in someone's mouth.

Wes: Mm-hm. It absolutely does. It absolutely does. And I think—you know, I remember, gosh, was it Munich that was talking about, “We're going to switch to Linux,” and then they came back into the fold. I think the reality is, it absolutely does put a bad taste.

And it doesn't leave customers with good hope for where they go from here. I mean, okay, fine. So, we got burned on that thing in the Microsoft 365 stack. Now, they want us to pay 30 bucks for Copilot for Microsoft 365. What? And we'd have no idea what they're even buying, so it's hard to give any kind of guidance.

So, it's a weird time.

Corey: I'm curious to see what the ultimate effect of this is going to be. Well, one thing I've noticed over the past decade and change—and I think everyone has as well—increasingly, the local operating system on people's laptops or desktops—or even phones, to some extent—is not what it once was. Increasingly, most of the tools that I find myself using on a daily basis are just web use or in a browser entirely. And that feels like it's an ongoing problem for a company like Microsoft when you look at it through the lens of OS. Which at some level, makes perfect sense why they would switch towards everything as a service. But it's depressing, too.

Wes: Yeah. I think that's one of the reasons why, particularly after Steve left, they changed focus a lot and really began focusing on Microsoft 365 as the platform, for better or worse. How do we make Microsoft 365 sticky? How do we make Office 365 sticky? And the thing about, like, the Microsoft 365 E5 security stuff we were talking about, it often doesn't matter what the user is accessing it through. The user could be accessing it only through a phone, they could be a frontline worker, they could be standing at a sales kiosk all day, they could be using Office every single day, or they could be an exec who's only got an iPad.

The point is, you're in for a penny, in for a pound at that point that you'll still have to license the user. And so, Microsoft will recoup it either way. In some ways, they've learned to stop caring as much about, is everyone actively using our technology? And on the other side, with things like Teams, and as we're seeing very, very slowly, with the long-delayed Outlook here, you know, they're also trying to switch things to have that less Win32 surface that we're used to and focus more on the web as well.
But I think that's a pretty fundamental change for Microsoft to try and take broadly and I don't anticipate, for example, Office will ever be fully replaced with a fat client like it has on Windows and the Mac OS.

Corey: Yeah, part of me wonders what the future that all looks like because increasingly, it feels more than a little silly that I'm spending, like, all of this ever-increasing dollar figure on a per-seat basis every year for all of Microsoft 365. Because we don't use their email system. We don't use so much of what they offer. We need basically Word and Excel and once in a blue moon PowerPoint, I guess. But that's it. Our fundamental needs have not materially shifted since Office 2003. Other than the fact that everything uses different extensions now and there's, of course, the security story on top of it, too. We just need some fairly basic stuff.

Wes: And I think that's the case for a lot of—I mean, we're the exact same way at Directions. And I think that's the case for a lot of small and even into mid-size companies. Microsoft has traditionally with the, like, Small Business Premium, they have an offering that they intentionally only scale up to 300 people. And sometimes they'll actually give you perks there that they wouldn't give away in the enterprise suite, so you arguably get more—if they let you have it, you get more than you would if you've got E5. On the other side, they've also begun, for enterprises, honing in on opportunities that they may have historically ignored.

And when I was at Microsoft, you'd have an idea, like, “Hey, Bob. I got an idea. Can we try to make a new product?” He's like, “Okay, is it a billion-dollar business?” And you get waved away if it wasn't all a billion-dollar business. And I don't think that's the case anymore today, particularly if you can make the case, this thing I'm building makes Microsoft 365 sticky or makes Azure sticky.

So, things like the Power Platform, which is subtly and slowly replacing Access at a minimum, but a lot of other tools.

Power BI, which has come from behind. You know, people would look at it and say, “Oh, it's no Excel.” And now it, I think, far exceeds Excel for that type of user. And Copilot, as I talked about, you know, Microsoft is definitely trying to throw things in that are beyond Office, beyond what we think of as Microsoft. And why are they doing that? Because they're trying to make their platform more sticky. They're trying to put enough value in there so you need to subscribe for every user in your organization.

And even things, as we call them, ‘Batteries not Included' like Copilot, that you're going to buy E5 and that you're still going to have to buy something else beyond that for some number of users. So, you may even have a picture in your head of how much it's going to cost, but it's like buying a BMW 5 Series; it's going to cost more than you think.

Corey: I wish that there were a better path forward on this. Honestly, I wish that they would stop playing these games, let you know Azure compete head-to-head against AWS and let it win on some of its merits. To be clear, there are several that are great. You know, if they could get out of their own way from a security perspective, lately. But there seems to be a little appetite for that. Increasingly, it seems like even customers asking them questions tends to hit a wall until, you know, a sitting US senator screams at them on Twitter.

Wes: Mm-hm. No, and then if you look carefully at—Microsoft is very good at pulling just enough off of the sweater without destroying the sweater. And for example, what they did, they gave enough away to potentially appease, but they didn't actually resolve the problem.
They didn't say, “All right, everybody gets logging if they have Microsoft 365 E3,” or, “Everybody gets logging, period.” They basically said, “Here's the kind of logging you can get, and we're going to probably tweak it a little bit more in the future,” and they will not tweak it more in the future. If anything, they'll tighten it back up.

This is very similar to the 2019 problem we talked about earlier, too, that you know, they began with one set of rules and they've had to revisit it a couple of times. And most of the time, when they've had an outcry, primarily from the EU, from smaller cloud providers in the EU who felt—justifiably—that Microsoft was being not—uncompetitive with Azure vis-à-vis every other cloud provider. Well, Microsoft turned around and last year changed the rules such that most of these smaller cloud providers get rules that are, ehh, similar to what Azure can provide. There are still exclusives that only Azure gets. So, what you have now is basically, if you're a customer, the best set and cheapest set is with Azure, then these smaller cloud providers give you a secondary—it's close to Azure, but still not quite as good. Then AWS, GCP, and Alibaba.

So, the rules have been switched such that you have to know who you're going to in order to even know what the rules are and to know whether you can comply with those rules with the thing you want to build. And I find it most peculiar that, I believe it was the first of last month that Microsoft made the change that said, “You'll be able to run Office on AWS,” which was Amazon WorkSpaces, in particular. Which I think is huge and it's very important and I'm glad they made this change, but it's weird because it creates almost a fifth category because you can't run it anywhere else in Amazon, like if you were spinning something up in VMware on Amazon, but within Amazon WorkSpaces, you can. This is great because customers now can run Office for a fee.

And it's a fee that's more than you'd pay if you were running the same thing on Microsoft's cloud.

But it also was weird because let's say Google had something competitive in VDI, but they don't really, but if they had something competitive in VDI, now this is the benefit that Amazon has that's not quite as good as what Microsoft has, that Google doesn't get it at all. So, it's just weird. And it's all an attempt to hold… to both hold a market strategy and an attempt to grow market share where they're still behind. They are markedly behind in several areas. And I think the reality is, Amazon WorkSpaces is a really fine offering and a lot of customers use it.

And we had a customer at our last in-person boot camp in Atlanta, and I was really impressed—she had been to one boot camp before, but I was really impressed at how much work she'd put into making sure we know, “We want to keep using Amazon WorkSpaces. We're very happy with it. We don't want to move anywhere else. Am I correct in understanding that this, this, this, and this? If we do these things will be aboveboard?” And so, she knew how much more she'd have to pay to stay on Amazon WorkSpaces, but it was that important to the company that they'd already bet the farm on the technology, and they didn't want to shift to somebody else that they didn't know.

Corey: I'm wondering how many people have installed Office just through a standard Microsoft 365 subscription on a one-off Amazon WorkSpace, just because they had no idea that that was against license terms. I recall spinning up an Amazon WorkSpace back when they first launched, or when they wound up then expanding to Amazon Linux; I forget the exact timeline on this. I have no idea if I did something like that or not. Because it seems like it'd be a logical thing. “Oh, I want to travel with just an iPad. Let me go ahead and run a full desktop somewhere in the cloud.
Awesome.”

That feels like exactly the sort of thing an audit comes in and then people are on the hook for massive fines as a result. It just feels weird, as opposed to, there are a number of ways to detect you're running on a virtual machine that isn't approved for this. Stop the install. But of course, that doesn't happen, does it?

Wes: No. When we teach at the boot camp, Rob will often point out that, you know, licensing is one of the—and it's true—licensing is one of the last things that comes in when Microsoft is releasing a product. It was that way when he was at the company before I was—he shipped Word 1.0 for the Mac, to give you an idea of his epoch—and I was there for XP, like I said, which was the first version that used activation—which was a nightmare—there was a whole dedicated team on. And that team was running down to the wire to get everything installed.

And that is still the case today because marketing and legal make decisions about how a product gets sold. Licensing is usually tacked on at the very end if it gets tacked on at all. And in fact, in a lot of the security, compliance, and identity space within Microsoft 365, there is no license compliance. Microsoft will show you a document that, “Hey, we do this,” but it's very performative. You can't actually rely on it, and if you do rely on it, you'll get in trouble during an audit because you've got non-compliance problems. So yeah, it's—you would hope that it keeps you from coloring outside the lines, but it very much does not.

Corey: It's just a tax on going about your business, in some ways [sigh].

Wes: Exactly. “Don't worry, we'll be back to fix it for you later.”

Corey: [laugh]. I really appreciate your taking the time to go through this with me. If people want to learn more, where's the best place for them to keep up with what you're up to?

Wes: Well, obviously, I'm on Twitter, and—oh, sorry, X, whatever.

Corey: No, we're calling it Twitter.

Wes: Okay, I'm on—I'm on—[laugh] thank you.

I'm on Twitter at @getwired. Same alias over on [BlueSky 00:35:27]. And they can also find me on LinkedIn, if they're looking for a professional question beyond that and want to send a quiet message.

The other thing is, of course, go to directionsonmicrosoft.com. And directionsonmicrosoft.com/training if they're interested in one of our licensing boot camps. And like I said, Rob and I do those every other month. We're increasingly doing them in person. We got one in Bellevue coming up in just a few weeks. So, there's opportunities to learn more.

Corey: Excellent. And we will, of course, put links to that in the [show notes 00:35:59]. Thank you so much for taking the time to chat with me again, Wes. It's appreciated.

Wes: Thank you for having me.

Corey: Wes Miller, Research VP at Directions on Microsoft. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry, insulting comment that will no doubt be taken down because you did not sign up for that podcasting platform's proper license level.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
In this episode, Sandra Rodriguez, an analyst at Axendia, dives deep into the complexities of Computer Systems Validation (CSV) versus Computer Software Assurance (CSA) in the MedTech sector. She discusses the FDA's draft guidance from September 2022, the industry's response, and the practical applications of it all. The conversation also covers the evolution of software validation processes, the cost of system implementation, and the importance of critical thinking in Quality System Regulations. The impact of AI on Quality Assurance, the changing dynamics of the CSA Modern Validation, and the role of Software Assurance in the life sciences industry are also discussed.

Some of the highlights of today's show include:
* The evolution of software validation processes, the cost of implementing a system in the life sciences industry, and the role of critical thinking in Quality System Regulations.
* FDA's draft guidance from September 2022, the industry's response, and its practical implementations
* The cultural shift and challenges that accompany the transition to CSA Modern Validation.
* The evolving relationship between life science companies and their technology vendors and how it can bring value to the organization
* The pivotal role of Computer Software Assurance (CSA) in the life sciences industry, including the unintended consequences
* Cybersecurity and how the FDA is looking to adopt this approach across multiple agencies
* How companies can stop spending resources on testing every feature and function
* The industry's shift towards automation and data-driven processes
* The use of the word “validation” vs. “assurance”

Links:
* Medical Device International Consortium
* Case for Quality Working Groups
* FDA CSA Draft Guidance
* Etienne Nichols LinkedIn
* GG Academy
* Omnibus Bill

Quotes:
“Keep in mind if you talk software validation to anyone outside of life sciences, they're going to glaze over. Validation is not used. Software validation is not used outside of this industry.”
“You could tell a lot about potential changes to a draft guidance based on the number of times you see certain things show up as a comment.”
“Now look, if everything is high risk, then you didn't do a risk assessment, just like if everything's a high priority, you haven't prioritized anything.”
Welcome to Automating Quality, the Life Sciences centric show that bridges the gap between automation and quality management systems. Philippe Gaudreau, CEO at SOLABS is your host for this episode! Our guest today is Joseph Silvia, Director, Software Quality Training and Instructor at Oriel STAT A MATRIX. Joe shares his expertise on the Case for Quality, what to focus on first when implementing a quality system and the differences between Computer Software Validation (CSV) and Computer Software Assurance (CSA), and more!

Key Takeaways
02:17 Introducing today's guest: Joseph Silvia, Director of Software Quality Training and Instruction and Lead Auditor at Oriel Stat A Matrix
03:33 What is the Case for Quality?
05:23 Joseph discusses the importance of having quality at the core of what you do as opposed to adding it as an afterthought
07:44 What is the first thing you should focus on when implementing a quality system?
10:55 Philippe shares his experience on implementing QM10 at SOLABS as part of our quality practices
12:53 The difference between Computer Software Validation (CSV) and Computer Software Assurance (CSA) and how this is impacting risk management
17:38 Thanking Joseph and our listeners for today's episode!

Contact Joseph at jsilvia@orielstat.com or on LinkedIn
Oriel STAT A MATRIX: www.orielstat.com
Reach out to us at solabs-podcast@solabs.com
Episode 005: Harsh Thakkar (@harshvthakkar) interviews Rohit Tyagi (@rohittyagi7), President of Sagax Team.

Rohit shares his transition from working in life sciences companies to building Sagax Team as a quality assurance and lab informatics consulting practice with 50+ consultants.

Rohit and Harsh discuss common mistakes life science companies make with software validation, managing changes and releases to SaaS systems, and leveraging vendor expertise to reduce cycle times for implementing laboratory and manufacturing systems.

Rohit wraps up the episode by sharing his thoughts on top traits to look for when hiring talent and the importance of training for employees.

Links:
* US FDA Computer Software Assurance (CSA) Guidance
* How Sagax Team can help with your IT projects
* Do you love LS 360 and want to see Harsh's smiling face? Subscribe to our YouTube channel.

Show Notes:
(2:18) - Common software validation mistakes
(9:22) - Rohit's take on CSA
(17:41) - Hiring people with no life sciences experience
(24:29) - Managing SaaS releases each year
(31:10) - Top traits to look for when hiring consultants

For more, check out the podcast website - www.lifesciencespod.com
A risk-based approach to Computerized System Validation has been around for over 20 years, so what's the hype about CSA? Join us in this episode as our guest, Dr. Bob McDowall, helps us explore this question.

Bob McDowall is an analytical chemist with 50 years of experience including 15 years working in the pharmaceutical industry and 29 years as a consultant to the industry and suppliers to the industry. He has been involved with the validation of computerized systems for over 35 years and is the author of the second edition of a book on the validation of chromatography data systems published in 2017 and a book on data integrity for regulated laboratories in 2019.

Bob is the writer of the Questions of Quality (LC-GC Europe) and Focus on Quality (Spectroscopy) columns. One such column in September 2021 was entitled Does CSA Mean Complete Stupidity Assured? It is available online at: https://www.spectroscopyonline.com/view/does-csa-mean-complete-stupidity-assured-

*Disclaimer: Podcast guest participated in the podcast as an individual subject matter expert and contributor. The views and opinions they share are not necessarily shared by their employer. Nor should any reference to specific products or services be interpreted as commercial endorsements by their current employer.

This is a production of ProcellaRX
FEATURED VOICES IN THIS EPISODE
Dan Guido
Dan Guido is the CEO of Trail of Bits, a cybersecurity firm he founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, he's active on the boards of four early-stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project, AlgoVPN, is the Internet's most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident responder for the Federal Reserve System.
Evan Sultanik
Evan Sultanik is a Principal Computer Security Researcher at Trail of Bits. A computer scientist with extensive experience both in industry (as a software engineer) and academia, Evan is an active contributor to open source software. He is the author of more than two dozen peer-reviewed academic papers, and is particularly interested in intelligent, distributed/peer-to-peer systems. Evan is editor of and frequent contributor to the International Journal of PoC||GTFO.
Trent Brunson
Trent is a Principal Security Engineer and Research Practice Manager at Trail of Bits. He has worked in computer security since 2012 as a researcher and engineer at Assured Information Security in Rome, NY, and at the Georgia Tech Research Institute, where he served as the Threat Intelligence Branch Chief and the Associate Division Chief of Threat Intelligence & Analytics. Trent received his Ph.D. in computational physics from Emory University in Atlanta in 2014, and his dissertation work applied the renormalization group and Monte Carlo methods to study exact results on complex networks.
Host: Nick Selby
An accomplished information and physical security professional, Nick leads the Software Assurance practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm.
Production Staff
Story Editor: Chris Julin
Associate Editor: Emily Haavik
Executive Producer: Nick Selby
Executive Producer: Dan Guido
Recording
Rocky Hill Studios, Ghent, New York. Nick Selby, Engineer
Preuss-Projekt Tonstudio, Salzburg, Austria. Christian Höll, Engineer
Remote recordings: Whistler, BC (Nick Selby); Queens, NY (Emily Haavik)
Edited and Mastered by Chris Julin
Trail of Bits supports and adheres to the Tape Syncers United Fair Rates Card
Music
Dispatches From Technology's Future, the Trail of Bits theme, Chris Julin
CANTO DELLE SCIACALLE, Cesare Pastanella
SHALLOW WATER - REMIX, Omri Smadar, Yehezkel Raz, Sivan Talmor
ALL IN YOUR STRIDE, ABE
LET IT RISE, Divine Attraction
ROAD LESS TRAVELED, The David Roy Collective
KILLING ME SOFTLY, Ty Simon
TECH TALK, Rex Banner
LOST ON EARTH, Marek Jakubowicz
SCAPES, Gray North
Reproduction
With the exception of any Copyrighted music herein, Trail of Bits Season 1 Episode 0; Immutable © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
Referenced in this Episode
In "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers," Evan Sultanik, Trent Brunson, and nine other engineers on the Trail of Bits Research and Engineering and Software Assurance teams report their findings from the year-long project to examine blockchain centrality. Fluxture is a free and open source software crawling framework for blockchains and peer-to-peer systems that Trail of Bits created to assist with the work described in this episode. We also link to the free and open source recursive dependency graphing tool It-Depends, which we will discuss in depth in the upcoming podcast episode that's creatively titled It-Depends. The Are Blockchains Decentralized paper cites more than 30 academic and commercial research papers. There is literature about how malicious Tor exit nodes surveil and inject attacks into Tor users' traffic. You may also read comments about exit node manipulation by Tor network maintainers. One report states that on February 2, 2021, a single malicious actor was able to fully manage 27 percent of Tor's exit capacity. The report "How Malicious Tor Relays are Exploiting Users in 2020 (Part I)" hypothesized that the entity behind a range of malicious Tor relays would not stop its activities anytime soon; the follow-up, "Tracking One Year of Malicious Tor Exit Relay Activities", continues the discussion.
Meet the Team:
CHRIS JULIN
Chris Julin has spent years telling audio stories and helping other people tell theirs. These days he works as a story editor and producer for news outlets like APM Reports, West Virginia Public Broadcasting, and Marketplace. He has also taught and mentored hundreds of young journalists as a professor. For the Trail of Bits podcast, he serves as story and music editor, sound designer, and mixing and mastering engineer.
EMILY HAAVIK
For the past 10 years Emily Haavik has worked as a broadcast journalist in radio, television, and digital media. She's spent time writing, reporting, covering courts, producing investigative podcasts, and serving as an editorial manager. She now works as an audio producer for several production shops including Us & Them from West Virginia Public Broadcasting and PRX, and APM Reports. For the Trail of Bits podcast, she helps with scripting, interviews, story concepts, and audio production.
Featured Voices in this Episode:
Trent Brunson
Trent Brunson is a Principal Security Engineer and Research Practice Manager at Trail of Bits. He has worked in computer security since 2012 as a researcher and engineer at Assured Information Security in Rome, NY, and at the Georgia Tech Research Institute, where he served as the Threat Intelligence Branch Chief and the Associate Division Chief of Threat Intelligence & Analytics.
Dan Guido
Dan Guido is the CEO of Trail of Bits, a cybersecurity firm he co-founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to more than 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, he runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project, AlgoVPN, is the Internet's most recommended self-hosted VPN.
Suha Hussain
Suha Hussain is a software security engineer who specializes in machine learning assurance. Her work also involves data privacy, program analysis, and applied cryptography. She's currently an intern at Trail of Bits, where she's worked on projects such as PrivacyRaven and Fickling. She's also pursuing a BS in Computer Science at Georgia Tech.
Sam Alws
Sam Alws is a computer science student at Vanderbilt University, hoping to take part in shaping the future of tech. He was a Trail of Bits wintern and also previously interned at Bloomberg LP. He serves as a volunteer software developer for Change++, writing code for charities, and spent two years with Project Spark, designing a programming curriculum for schools in India.
Nick Selby (Host)
An accomplished information and physical security professional, Nick leads the Software Assurance practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm.
Production Staff
Story Editor: Chris Julin
Associate Editor: Emily Haavik
Executive Producer: Nick Selby
Executive Producer: Dan Guido
Recording
Recorded at Rocky Hill Studios, Ghent, NY - Nick Selby, Engineer
22Springroad Tonstudio, Übersee, Germany - Volker Lesch, Engineer
Remote recordings: New York, NY; Brooklyn, NY; Virginia; Atlanta, GA (Emily Haavik); Silver Spring, MD (Jason An).
Trail of Bits supports and adheres to the Tape Syncers United Fair Rates Card.
Edited by Emily Haavik and Chris Julin
Mastered by Chris Julin
Special Thanks
Dominik Czarnota
Josselin Feist
Music
TRAIL OF BITS THEME: DISPATCHES FROM TECHNOLOGY'S FUTURE, Chris Julin
ELEMENT, Frank Bentley
FOUR AM, Curtis Cole
DRIVING SOLO, Ben Fox
OPEN WINGS, Liron Meyuhas
SHAKE YOUR STYLE, Stefano Mastronardi
THE QUEEN, Jasmine J. Walker
ILL PICKLE, Phil David
PIRATE BLUES, Leon Laudenback
SCAPES, Gray North
Reproduction
With the exception of any Copyrighted music herein, Trail of Bits Season 1 Episode 2; Internships and Winternships © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
Referenced in this Episode:
Learn more about the work done by Trail of Bits interns over the years on the company blog.
Apply for an internship or winternship at https://www.trailofbits.com/careers
Suha Hussain and lead engineer Evan Sultanik describe the Fickling project: Never a Dill Moment: Exploiting Machine Learning Pickle Files. The Python manual refers specifically to the security issues discussed in this episode: "The pickle module is not secure. Only unpickle data you trust... It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never unpickle data that could have come from an untrusted source, or that could have been tampered with."
Read more about PrivacyRaven and watch Suha's video introducing the project: PrivacyRaven Has Left the Nest
Sam Alws describes his journey to speed up Echidna: Optimizing a Smart Contract Fuzzer
For those interested in CTFs, especially for those who seek to start their own, Trail of Bits has posted a CTF Field Guide in the company GitHub repository. It contains details on past CTF challenges, guidance to help you design and create your own toolkits, and case studies of attacker behavior, both in the real world and in past CTF competitions. Each lesson is supplemented by links to supporting reference materials.
Check out the AngstromCTF site here: angstromctf.com
And here's the Montgomery Blair High School Cybersecurity Club's GitHub repository: github.com/blairsec
The Blair students you met in this podcast were Jason An, Clarence Lam, Harikesh Kailad and Patrick Zhang.
FEATURED VOICES IN THIS EPISODE
Dan Guido
Dan Guido is the CEO of Trail of Bits, a cybersecurity firm he founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, he's active on the boards of four early-stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project, AlgoVPN, is the Internet's most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident responder for the Federal Reserve System.
Nat Chin
Nat Chin is a security engineer 2 at Trail of Bits, where she performs security reviews of blockchain projects, and develops tools that are useful when working with Ethereum. She is the author of solc-select, a tool to help switch Solidity versions. She worked as a smart contract developer and taught as a Blockchain Professor at George Brown College, before transitioning to blockchain security when she joined Trail of Bits.
Opal Wright
Opal Wright is a cryptography analyst at Trail of Bits. Two of the following three statements about her are true: (a) she's a long-distance unicyclist; (b) she invented a public-key cryptosystem; (c) she designed and built an award-winning sex toy.
Jim Miller
Jim Miller is the cryptography team lead at Trail of Bits. Before joining Trail of Bits, Jim attended graduate programs at both Cambridge and Yale, where he studied and researched both Number Theory and Cryptography, focusing on topics such as lattice-based cryptography and zero-knowledge proofs. During his time at Trail of Bits, Jim has led several security reviews across a wide variety of cryptographic applications and has helped lead the development of multiple projects, such as ZKDocs and PrivacyRaven.
Josselin Feist
Josselin Feist is a principal security engineer at Trail of Bits where he participates in assessments of blockchain software and designs automated bug-finding tools for smart contracts. He holds a Ph.D. in static analysis and symbolic execution and regularly speaks at both academic and industrial conferences. He is the author of various security tools, including Slither, a static analyzer framework for Ethereum smart contracts, and Tealer, a static analyzer for Algorand contracts.
Peter Goodman
Peter Goodman is a Staff Engineer in the Research and Engineering practice at Trail of Bits, where he leads all de/compilation efforts. He is the creator of various static and dynamic program analysis tools, ranging from the Remill library for lifting machine code into LLVM bitcode, to the GRR snapshot/record/replay-based fuzzer. When Peter isn't writing code, he's mentoring a fleet of interns to push the envelope. Peter holds a Master's in Computer Science from the University of Toronto.
Host: Nick Selby
An accomplished information and physical security professional, Nick leads the Software Assurance practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm.
Production Staff
Story Editor: Chris Julin
Associate Editor: Emily Haavik
Executive Producer: Nick Selby
Executive Producer: Dan Guido
Recording
Rocky Hill Studios, Ghent, New York. Nick Selby, Engineer
Preuss-Projekt Tonstudio, Salzburg, Austria. Christian Höll, Engineer
Remote recordings: Whistler, BC, Canada (Nick Selby); Queens, NY; Brooklyn, NY; Rochester, NY (Emily Haavik); Toronto, ON, Canada. TAPES//TYPES, Russell W. Gragg, Engineer
Trail of Bits supports and adheres to the Tape Syncers United Fair Rates Card
Edited by Emily Haavik and Chris Julin
Mastered by Chris Julin
Music
DISPATCHES FROM TECHNOLOGY'S FUTURE, THE TRAIL OF BITS THEME, Chris Julin
OPEN WINGS, Liron Meyuhas
NEW WORLD, Ian Post
FUNKYMANIA, Omri Smadar, The Original Orchestra
GOOD AS GONE, INSTRUMENTAL VERSION, Bunker Buster
ALL IN YOUR STRIDE, Abe
BREATHE EASY, Omri Smadar
TREEHOUSE, Lingerwell
LIKE THAT, Tobias Bergson
SCAPES, Gray North
Reproduction
With the exception of any Copyrighted music herein, Trail of Bits Season 1 Episode 0; Immutable © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
A prescriptive open source software security maturity model designed to guide strategies tailored to an organization's specific risks.
Join us from a beach in San Diego, California, at the KENX Computer Systems Validation and Software Assurance conference. In this episode, Dori is joined by industry colleague and subject matter expert, Rohit Tyagi, President and CEO of Sagax Team. They discuss some of the presentations and topics that have been covered at the KENX conference this year, as well as general thoughts, challenges, and successes that folks are currently experiencing related to CSV modernization and CSA adoption strategies. Please listen to get all their insights, but please don't forget to rate and subscribe wherever you get your podcasts. Also, please reach out to Rohit and Sagax Team via the LinkedIn profiles and URLs below:
Sagax Team Website: https://www.sagaxteam.com/
Rohit's LinkedIn: https://www.linkedin.com/in/247results/?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAAACDuxYBeNHQ7o6FuO-IhNvldXFdFjGNUig
*Disclaimer: Podcast guest participated in the podcast as an individual subject matter expert and contributor. The views and opinions they share are not necessarily shared by their employer. Nor should any reference to specific products or services be interpreted as commercial endorsements by their current employer.
This is a production of ProcellaRX
This week, Stacey presents the 2021 IVT Awards and interviews the recipients of each award. The awards being presented are Author of the Year for the Journal of GXP Compliance, Author of the Year for the Journal of Validation Technology, Podcast of the Year, Speaker of the Year for Validation Week, Speaker of the Year for Compounding Pharmacy Compliance, Speaker of the Year for Computer Systems Validation and Software Assurance, and the prestigious Chapman Award. During this presentation, you will hear from Ron Schardong, Valarie King-Bailey, Richard Wedlich, Kurt Moyer, Steve Thompson, Dr. Ross Caputo, and Dr. Paul Pluta. The team at IVT Network, together with our Esteemed Advisory Board, is proud to announce the recipients of the 2021 IVT Awards. These annual awards recognize the outstanding authors, speakers, podcast guests, and presenters who keep our audience informed and forward-thinking. Nominees for the author of the year (both JVT and GXP) are selected by their peers, based on articles published and topics covered, which have been integral to learning and knowledge sharing across industries throughout the year. The podcast of the year is presented to the individual or panel receiving the greatest number of downloads and listens. Finally, our speakers of the year are selected by vote from attendees of the sessions as the most impactful and engaging in their presentations for the associated event. Voices in Validation brings you the best in validation and compliance topics. Voices in Validation is brought to you by IVT Network, your expert source for life science regulatory knowledge. For more information on IVT Network, check out their website at http://ivtnetwork.com.
Guy wasn't available to record an episode, so this time Eviatar Karni fills in for him, and Eitan does most of the talking! Relevant links for today:
- GroupBy - Voting is Open until September 8
- Microsoft at the Data Platform Virtual Summit 2021
- Move SQL Server licenses without Software Assurance to Azure Dedicated Hosts
- General availability: Change performance tiers for Azure Premium SSDs with no downtime
- How to add "created" and "updated" timestamps without triggers | sqlsunday.com
- Your database connection deserves a name - Andy Grunwald
- Docker Desktop on Windows 10 for SQL Server : Step by Step
Today's Madeira Toolbox round-up:
- Decrypt All Encrypted Objects in Server.sql
- Hypothetical Indexes - Example Usage.sql
- fix_all_orphan_users.sql
- Madeira Experts Telegram Group
We will provide a short introduction to OWASP SAMM, which is a flagship OWASP project allowing organizations to bootstrap and iteratively improve their secure software practice in a measurable way. Seba will explain the SAMM model, consisting of 15 security practices. Every security practice contains a set of activities, structured into 3 maturity levels. The activities on a lower maturity level are typically easier to execute and require less formalization than the ones on a higher maturity level. At the end we will cover how you can engage with the SAMM community and provide an overview of what happened at our latest SAMM User Day, which took place on May 27th.
Segment Resources:
- https://owaspsamm.org/
- https://github.com/OWASPsamm
- https://app.slack.com/client/T04T40NHX/C0VF1EJGH
- https://www.youtube.com/channel/UCEZDbvQrj5APg5cEET49A_g
- https://twitter.com/OwaspSAMM
- https://www.linkedin.com/company/18910344/admin/
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw154
What exactly is Microsoft Software Assurance, and which features does it offer? In this short info podcast, our Microsoft experts Corinna Weny and Rebecca Stockinger give an overview of the benefits of the MS add-on license.
In this episode with Amit Banerjee, you will review how the new Software Assurance core benefits for high availability and disaster recovery can make running SQL Server on an Azure virtual machine cheaper than before. You will also see how all SQL Server releases can benefit from the FREE passive replica cores and help bring down the cost of running SQL Server on an Azure virtual machine.
[00:00] Introduction
[01:15] Azure Hybrid Benefit
[02:42] High Availability and Disaster Recovery SA Benefit
[03:36] Always On AG for SQL Server on Azure VMs
[05:22] Distributed AG for SQL Server on Azure VMs
[06:08] SQL Server Failover Cluster Instances
[09:55] Sneak peek of what's next
Resources:
New high availability and disaster recovery benefits for SQL Server
SQL Server 2019 Licensing Guide
SQL Server Licensing: High Availability and Disaster Recovery Benefits
In this episode, Stacey hosts a panel discussion on computer software assurance. Stacey is joined by industry experts Raechelle Raimondo, Ken Shitamoto, Pritam Khade, and Senthil Gurumoorthi to talk about the upcoming guidelines from the FDA on computer software assurance, testing requirements, IT automation, risk, quality culture, and the critical thinking mindset in the industry.
Raechelle Raimondo - Raechelle has more than 20 years of experience working for large/global corporations, small businesses and start-up companies. She has a proven history of implementing global systems utilizing a risk-based systems lifecycle (SLC) approach and managing teams to support multiple projects, including forecasting and managing budgets. Her strengths include leadership, portfolio/program management, delivering results, managing multiple priorities, effecting change, building teams, problem-solving, using interpersonal skills to build effective relationships, and understanding the link between technology & business needs to deliver compliant solutions that optimize processes & efficiencies.
Ken Shitamoto - Ken Shitamoto leads the IT quality engineering function at Gilead Sciences, which performs software quality assurance (testing), validation, and infrastructure qualification. He is a multi-disciplined professional with extensive experience in quality engineering, quality management, project management, and software development. He has been in the biopharmaceutical space since 1993 and has worked on the manufacturer, vendor, and consulting sides of the business. Additionally, he has performed over 100 GXP computer systems compliance audits globally. He holds a BA in Molecular Cell Biology and an MS in Computer Science from UC Berkeley and San Jose State University respectively. He is an avid supporter of the American Lung Association, and Ken and his daughter have raised over 130K dollars to fight lung disease.
Pritam Khade - Pritam is a Director of Global Quality Compliance at Allergan Inc.
Senthil Gurumoorthi - Senthil is a Director of IT Services at Gilead Sciences.
Voices in Validation brings you the best in validation and compliance topics. Voices in Validation is brought to you by IVT Network, your expert source for life science regulatory knowledge. For more information on IVT Network, check out their website at http://ivtnetwork.com.
In this video, you will learn how to deploy recommended HADR architectures using Azure as a DR center with the best TCO using Software Assurance.
[00:00] Intro
[00:31] Licensing for HA/DR when using Azure as a disaster recovery site
[01:42] Operations allowed on secondaries
[02:01] Architecture with Azure for disaster recovery
[03:30] Setting up an Azure SQL VM for disaster recovery
[04:38] Summary
Learn more at https://aka.ms/sqlserver2019licenseguide?WT.mc_id=dataexposed-c9-niner and https://techcommunity.microsoft.com/t5/sql-server/optimize-tco-with-new-sql-server-software-assurance-benefits-for/ba-p/1123731?WT.mc_id=dataexposed-c9-niner.
In this video, you will learn how to deploy recommended HADR architectures with the best TCO using Software Assurance.
[00:00] Intro
[00:32] Reminder of benefits for HA/DR
[01:11] Common scenarios
[02:14] Operations allowed on passive secondaries
[03:28] Operations not allowed on passive secondaries
[03:49] Application of SA benefits in more complex setups
[05:50] Summary
Learn more at https://aka.ms/sqlserver2019licenseguide?WT.mc_id=dataexposed-c9-niner and https://techcommunity.microsoft.com/t5/sql-server/optimize-tco-with-new-sql-server-software-assurance-benefits-for/ba-p/1123731?WT.mc_id=dataexposed-c9-niner.
In this video, you will learn how you can get a better TCO for recommended SQL Server HADR architectures with your Software Assurance benefits. [00:00] Intro [00:30] Deploying SQL Server in High Availability / Disaster Recovery configuration [01:36] HA and DR benefits introduced in November 2019 [02:15] Applying HA / DR benefits to typical HA/DR configurations [04:22] Contrasting licensing before and after November 2019 [04:59] Application to older versions of SQL Server and various architectures [05:31] Summary. Learn more at https://aka.ms/sqlserver2019licenseguide?WT.mc_id=dataexposed-c9-niner and https://techcommunity.microsoft.com/t5/sql-server/optimize-tco-with-new-sql-server-software-assurance-benefits-for/ba-p/1123731?WT.mc_id=dataexposed-c9-niner.
In this video, you will learn how to license a Big Data Cluster in SQL Server 2019. The video also covers the Software Assurance benefits that are available for Big Data Cluster deployments. [00:00] Intro [00:30] What is a SQL Server big data cluster? [01:45] Architecture for big data clusters and benefits [03:33] Licensing a SQL Server big data cluster [04:40] Scaling out (expanding horizontally) [05:27] Benefits of Software Assurance for big data cluster licensing [07:59] Summary. Learn more at https://www.microsoft.com/en-us/sql-server/sql-server-2019 and https://techcommunity.microsoft.com/t5/sql-server/optimize-tco-with-new-sql-server-software-assurance-benefits-for/ba-p/1123731?WT.mc_id=dataexposed-c9-niner.
News from: Simon Beck, Encana, Sumo Logic, Ping Identity, Convercent, CyberGRX, VMWare, Webroot, DarkOwl, Swimlane, Red Canary, Automox, Optiv and a lot more! Snow murals in Silverthorne? We’ve got that. Colorado is the best state for female entrepreneurs. Encana is moving their HQ to Denver, with a new name. Colorado has some great places to work. It also has a new CTO. Privacy rules are an opportunity for many companies. DarkOwl talks internet freedom in Russia. Swimlane reminds us that Windows 7 is end of life. Red Canary educates us. What should we do about nation-state threats? Optiv teams up with Veracode for a new service.
Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com
This week’s news:
Join the Colorado = Security Slack channel
British artist Simon Beck creates giant snow mural in Silverthorne
Colorado is the top state for women entrepreneurs
Encana shareholders approve company's new name and Denver headquarters
100 Best Places To Work In Colorado 2020 | Built In Colorado
Colorado names Alex Pettit new chief technology officer - Denver Business Journal
Project HOPE Suggests No Hope for Internet Freedom in Russia — DarkOwl - Darknet Big Data
You don’t have Windows 7 in your environment, do you? | Swimlane
Uncompromised: An AutoIT worm living off the land
Automox - State-Sponsored Cyber Attack Risk: What You Need to Know in 2020
Optiv - Optiv and Veracode to Bolster Application Security at Development Stage with Software Assurance as-a-Service
Job Openings:
Ping Identity - Sr Director, Cloud Operations
Ping Identity - Security Intern
ShapeShift - Security Engineer
Conga - Information Security Risk & Compliance Specialist
Nelnet - CyberSecurity Engineer
Western Union - Detection Engineer, Cyber Security
Bank of America - Adaptive Threat Replication Engineer
Funding Circle - Security Risk & Assurance Specialist
Sunflower Bank - IT Risk Management Specialist
City and County of Broomfield - IT Security Analyst
Upcoming Events:
This Week and Next:
CSA - January Chapter Meeting - 1/21
ISSA C.Springs - January Chapter Meetings - 1/21-22
ISC2 Pikes Peak - January Chapter Meeting - 1/22
SecureSet - Capture the Flag for Beginners - 1/24
ISSA C.Springs - Mini Seminar - 1/25
CTA - SCALED AGILE FRAMEWORK (SAFE®) DEVOPS: IMPROVING TIME-TO-MARKET WITH THE SCALED AGILE FRAMEWORK - 1/27
REGIS CYBER SUMMIT: STRONGER TOGETHER - 1/28
Denver IAPP KnowledgeNet Social Event - 1/29
SecureSet - Movie Night: Hackers! - 1/31
Other Notable Upcoming Events:
RIMS 2020 - 5/3-6
View our events page for a full list of upcoming events
* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0
On today’s episode, Stacey Bruzzese welcomes Steve Thompson, Director of Computer Quality Assurance for Science 37. Stacey and Steve talk about a variety of topics: Why is the FDA’s Case for Quality, which launched in 2011, only now being implemented on a more widespread level? What challenges are posed by implementation? Steve walks through the core components of the Case for Quality. Although it will roll out as a voluntary pilot program, what does Steve see as the progression over the coming months and years? Mr. Thompson has over 20 years’ experience in life science, working in Quality Assurance and Information Technology functions that span GxP regulations, both domestic and international. Steve has worked for start-ups and large multinational companies, including biotechnology, pharmaceutical, medical device, and cloud-based Software-as-a-Service (SaaS) solution providers. He is a published author, was certified as a PDA Systems Auditor in 2003, and received a Bachelor of Science in Computer Information Systems in 1986. Voices in Validation brings you the best in validation and compliance topics. Voices in Validation is brought to you by IVT Network, your expert source for life science regulatory knowledge. For more information on IVT Network, check out their website at http://ivtnetwork.com.
The Software Assurance Framework (SAF) is a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program’s current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed, software-reliant systems. In this podcast, Dr. Carol Woody discusses the selection of metrics for measuring the software assurance of a product as it is developed and delivered to function in a specific system context.
Yes, I know, I made up a new term, "Currentcy". I am sure there is a better word for what I am thinking, but I have already typed this one, and changing it at this stage of the game would simply require too much effort. Probably not as much effort as writing this whole paragraph to justify it, but now I've gone and done that, so there is really no going back. So let's talk about Currentcy.
The other side of the Mirror
I have been spouting off quite a bit lately about the evolution of Microsoft Business Applications, and partners needing to get up to speed. No small topic to be sure, and one that will be crucial to Microsoft's success with growing our mutual customer base. What I have not spoken about as much is the view of all of this massive "change" from the existing customers' standpoint. It seems they are not nearly as excited as we are. Congratulations! You've been force-upgraded from Hamburger to Lobster! But I'm allergic to shellfish! The concept of keeping instances current, and ultimately everyone on the same version, has clear value to Microsoft and its partners. With the rapid advancement of the platform, supporting old versions is just not an area where any of us wants to invest our precious time and resources. I mean, we're in a damn race here... against... well... everybody. For new customers, the "story" looks pretty amazing; for existing customers... not so much.
I feel the earth move under my feet
When Microsoft launched Dynamics CRM Online back in 2011, a fair number of customers jumped on the bandwagon. The growth trajectory has been pretty steady since. Customers paid us, and other partners, a lot of money to customize their instances to fit their needs over the years. But I don't know that enough of them grasped the difference between on-premise and SaaS, beyond the subscription vs. perpetual cost aspects. I don't think they fully appreciated what "out of their control" means.
Many customers invested large sums of money building mission-critical applications on top of a tectonic plate. This is not a Microsoft issue, it is a SaaS issue, and the entire world is racing to SaaS as fast as they can. Businesses today will need to have flexible knees.
Buyer's Remorse
You know that feeling you get when you see the new model of your 3-year-old car at a stoplight? Wow! They completely redesigned it! It looks so modern; faster and more powerful, yet with better gas mileage, and the new tech they added is incredible. Suddenly, looking back at your car, it seems like a piece of shit, even though you were perfectly happy with it... yesterday! That's it, I'm trading it in on a new one. But wait a minute, I am upside-down on mine... damn, I'm stuck. Maybe in a year or two... This is where a segment of on-premise customers are sitting today. They are envious of the features, but have not yet recovered their prior investments. It takes a pretty confident person to march into their boss's office and ask for more money, when they said "This is all we will ever need" the last time they asked.
Just Stay On-Premise?
That is certainly an option, and one that many are electing, apparently. You already own the software, it's functioning adequately for your business, and you spent a buttload of money getting it the way you want... so why are Microsoft and your partner hammering you to move to the cloud all the time? Is there really a compelling reason? A reason compelling enough to jump from the static world of on-premise to the continuous-motion world of SaaS? It depends. Don't you hate when people say that? You just want a black and white, yes or no answer, but instead you get an "It depends". Maybe we should review the pros of each, which are also mostly the cons of the other.
Pro On-Premise
You own the software; unless you also purchased Software Assurance, your ongoing cost to Microsoft is zippo.
If it ain't broke, don't fix it. After all the pain and expense of getting it exactly "right" for your organization, the system is finally running like a well-oiled machine, and will continue to do so for the foreseeable future.
There is a person, or persons, who are being paid to keep that system humming, and they have job security.
If something goes haywire, you have direct access to the database as an option to fix it.
You can write SSRS reports using SQL, since you can access it directly.
You finally got all of your finicky integrations working.
You can utilize a large amount of cheap additional storage.
It works fast, even with a lousy, or no, internet connection.
You can continue to use the "Classic UI" indefinitely.
Some third-party solutions you depend on don't have a SaaS version.
Plus 50 more reasons that are unique to you.
Pro SaaS
All future development of any consequence by Microsoft will be on the SaaS products. You are not "Frozen in Time".
Scale up and down as needed without buying infrastructure that sits idle.
Servers will always be patched as soon as possible, meaning the security will be at least as good as on-premise and probably a lot better.
Disaster Recovery is baked in.
Create Customer, Partner or Community facing web portals.
Consistent and known back-end, to simplify partner development and support.
Advanced AI capabilities and Relationship Insights.
Dynamics 365 for Marketing, Field Service and Project Service Automation capabilities.
Access to the full suite of Citizen Developer "Power Platform" tools, so you are not completely hostage to your partner, or the one person on your staff who built everything.
Never have to Upgrade again... Period.
Microsoft support has full telemetry on your SaaS instances, allowing them to more quickly fix your issues. The same telemetry allows Microsoft to fix issues before you are even aware of them.
Depending on your size, Microsoft will foot the bill to move your ass over.
Plus 50 more reasons that are unique to you.
I have to give credit to several MVPs who helped me flesh out the above lists: Nick Doelman, Mike Ochs, Aiden Kaskela, Joel Lindstrom and Andrew Butenko.
The Price of Currentcy
Back to the topic of this post. As I think about it, there is obviously a cost to keeping current, but there is also a cost to not keeping current. Some of these costs have nothing to do with Microsoft, but rather are specific to your own industry, competition or customer expectations. For example, let's say that you and your primary competitor are both using Dynamics on-premise. You hear through the grapevine that your competitor is moving to the SaaS version. Would that concern you? I would venture to guess that your on-premise system aligns to the description often provided by the leader of the Dynamics Engineering team, James Phillips, as a "Forms over Data" reporting system. As long as your competition was limited to the same capabilities, no problem. But what if they add everything under the Pro SaaS column above to their arsenal? Uh-oh! Maybe you want to explore doing this first! Let's assume you are on the SaaS version... and for those that aren't, this will be a peek at what they get to deal with. Updates every six months. That sounds scary as hell! It is scary, and it is bumpy, but getting less so with each update. Updates bring new capabilities, and if you are on-premise you might not know what those are, but you don't necessarily have to activate them immediately. In theory, new "potentially disruptive" features and capabilities are off by default, so you should not have to worry about your users running around like the house is on fire every six months. I say "in theory" because some things will not be off by default, or they won't stay off indefinitely. Updates are probably the biggest issue that we all need to worry about. They will add some angst to your life every six months, even if they go perfectly smoothly. If they don't, then you will find yourself scrambling for a little while, grabbing the loose wires and reconnecting them. You should also prepare to be frustrated when Microsoft makes available a robust new feature in an update that you just paid dearly to have custom developed. Maybe you can ask your developer for a refund. The real price of currentcy is "Change Management", a term that seems to have risen in prominence with the SaaS revolution. In the on-premise world, it reared its head every several years, or for some customers, once a decade. In the SaaS world it is now a minimum of every six months, and maybe more often than that. "Change Management" is a bitch. The biggest appeal of moving to SaaS is the promised gains in productivity, efficiency, engagement, analytics, etc., but none of those are automatically "realized"; they are just made "available". In fact, Change Management is such a big topic, I think I'll save it for another post.
In this podcast, Dr. Carol Woody discusses opportunities and risks in cybersecurity engineering, software assurance, and the resulting CERT Cybersecurity Engineering and Software Assurance Professional Certificate. The courses for this certificate program focus on software-reliant systems engineering and acquisition activities. The goal of the program is to infuse an awareness of cybersecurity (and an approach to identifying security requirements, engineering risk, and supply chain risk) early in the lifecycle. Listen on Apple Podcasts.
Diva Tech Talk interviewed Dr. Rita Barrios, Chair for the Department of CyberSecurity and Information Systems, and Associate Professor, at the University of Detroit, Mercy (http://www.udmercy.edu/), which graduates approximately 150 trained technology professionals each year. Rita said: “My Dad was always my biggest supporter.” The 7th child of 8 siblings in her “very strict” family, Rita admitted that she was “a little on the geeky side” in her high school years. She entered the Detroit College of Business, specializing in accounting, but dropped it in favor of a technology major. She got married, and gave birth to a daughter during her senior year of college. Rita’s several internships during that senior year (when her daughter was 6 months old) were at the Grand Trunk Western Railroad (gtw.railfan.net/), a wholly owned subsidiary of the Canadian National Railway (https://www.cn.ca/). After graduation, she became a full-time employee as a junior programmer. Grand Trunk’s IT department was eventually bought by Compuware (www.compuware.com). Rita was promoted from junior programmer to project manager (“a huge leap”). Her first large challenge was a two-year international EDI (Electronic Data Interchange) project among three cross-border entities, automating the manifest for U.S. Customs to enable trains to cross borders without stopping. She credited her immediate management for empowering this next career phase. “Anything we needed, they made sure we had.” The secret to the success of that project was digging into the details rather than becoming overwhelmed by the totality of the undertaking. “I took it a bite (byte) at a time!” Rita’s next step was as a Compuware contractor to Ford Credit (https://www.ford.com/finance) to maintain their legacy information systems, going from programmer to senior DBA.
Rita also obtained her Master of Science in Information Systems, Software Assurance at the University of Detroit, Mercy; then later completed her PhD in information science, with a focus on security assurance and cybersecurity, at Nova Southeastern University (http://www.nova.edu/). “An opportunity came where I could move to academia,” Rita said. “That’s how I landed at Detroit, Mercy.” Additionally, she received certifications from Johns Hopkins Bloomberg University, School of Public Health in data specialization, and a certificate in criminal justice and law enforcement from the FBI Detroit Citizens Academy. A single mom for 14 years, Rita is justifiably proud of her two children. “I have a daughter, now working on her PhD in Material Engineering. And I have a son, going into digital media and graphics arts.” Rita is also excited about her own cybersecurity field. “We teach how to do investigations, how to do digital forensics/hacking. We partner with the Criminal Justice Program because you cannot have a crime without some digital piece to it, these days, and look at it from the criminal point of view. We also partner with the law school, talking about cyberlaw.” Rita’s specialty has spun off into a side business. She runs an IT training and education consultancy, RitaBarr LLC (www.ritabarr.com), specializing in corporate IT training, and also partners with Mackinac Investigators on digital forensics investigations. “At some point, I would like to grow the business.” Ever-ambitious, Rita is also looking forward to moving to the “business side” of academia, at some point. Along the way, Rita said that “I have always been the only female in the room.” As an example, “I presented research at the Department of Defense to a bunch of military people, who were all guys. Coming up through IT, I was the only female, but I have never felt like the only female. I was never discriminated against.” This feeling changed though “when I went to the University.” There she experienced “over-talking, interruption, all of it. I have been told by my colleagues that I better ‘know my place, young lady,’” she lamented. Rita recommended her approach to deal with this negative phenomenon. “I am very professional. I go into a very robotic mode, very stoic. I lay out the facts with no emotion. I plan to say.” Rita’s focused leadership lessons/advice currently include: “Spend time to get to know people. Find out their strengths, and where they belong.” “Bring the best people around you; then get out of their way.” “If you think about it --- that the project’s too big --- you will not achieve what you want to achieve. So, whatever comes, just take it in.” “Stay flexible. There is nothing you can’t overcome; nothing is impossible.” And summing up: “There are no shortcuts.” For Rita, success is always about hard work. For the full blog write-up, make sure to check us out online at www.divatechtalk.com, on Twitter @divatechtalks, and on Facebook at https://www.facebook.com/divatechtalk. Follow our show and tell us what you like with an online review.
Since its debut on Jeopardy in 2011, IBM’s Watson has generated a lot of interest in potential applications across many industries. As detailed in this podcast, Mark Sherman recently led a research team investigating whether the Department of Defense could use Watson to improve software assurance and help acquisition professionals assemble and review relevant evidence from documents. Specifically, Sherman and his team examined whether typical developers could build an IBM Watson application to support an assurance review. Listen on Apple Podcasts.
Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. The costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. Field experiences of technical staff at the SEI indicate that few programs currently implement effective cybersecurity practices early in the acquisition lifecycle. Recent Department of Defense directives are beginning to shift programs’ priorities regarding cybersecurity. As a result, researchers from the CERT Division of the SEI have started cataloging the cybersecurity practices needed to acquire, engineer, and field software-reliant systems that are acceptably secure. In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program’s current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed software-reliant systems. Listen on Apple Podcasts.
Effective cybersecurity engineering requires the integration of security into the software acquisition and development lifecycle. For engineering to address security effectively, requirements that establish the target goal for security must be in place. Risk management must include identification of possible threats and vulnerabilities within the system, along with the ways to accept or address them. There will always be cyber security risk, but engineers, managers, and organizations must be able to plan for the ways in which a system should avoid as well as recognize, resist, and recover from an attack. In this podcast Nancy Mead and Carol Woody discuss their new book, Cyber Security Engineering: A Practical Approach for Systems and Software Assurance, which introduces a set of seven principles that address the challenges of acquiring, building, deploying, and sustaining software systems to achieve a desired level of confidence for software assurance. Listen on Apple Podcasts.
Modern society is deeply and irreversibly dependent on software systems of remarkable scope and complexity in areas that are essential for preserving our way of life. Software assurance is critical to ensuring our confidence in these systems and that they are free from vulnerabilities, function in the intended manner, and provide security capabilities appropriate to the threat environment. In this podcast, Dr. Nancy Mead discusses how, with support from the Department of Homeland Security, SEI researchers developed software assurance curricula and programs for graduate, undergraduate, and community colleges. Listen on Apple Podcasts.
Software vulnerabilities are defects or weaknesses in a software system that, if exploited, can lead to compromise of the control of a system or the information it contains. The problem of vulnerabilities in fielded software is pervasive and serious. In 2012, SEI researchers began investigating vulnerabilities reported to the SEI's CERT Division and determined that a large number of significant and pernicious software vulnerabilities likely had their origins early in the software development lifecycle, in the requirements and design phases. In this podcast, SEI researchers Mike Konrad and Art Manion discuss a project that was launched to investigate design-related vulnerabilities and quantify their effects. Listen on Apple Podcasts.
The first SAMM (Software Assurance Maturity Model) Summit will be held in Dublin, Ireland on March 27 - 28, 2015. I spoke with Seba Deleersnyder, co-ordinator of the summit, to find out his goals for the SAMM project as well as his hopes for the summit.
About Seba Deleersnyder
As security project leader, application security specialist, trainer and trusted advisor for our customers, I have a track record of delivering information security projects. I specialise in Web & Mobile Application Security, combining both my broad software development and ICT security experience.
Security vulnerabilities are defects that enable an external party to compromise a system. Our research indicates that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and hence improves software security. Some portion of security vulnerabilities (maybe over half of them) are also quality defects. Can quality defect models that predict quality results be applied to security to predict security results? Simple defect models focus on an enumeration of development errors after they have occurred and do not relate directly to operational security vulnerabilities, except when the cause is quality related. In this podcast, Carol Woody and Bill Nichols discuss how a combination of software development and quality techniques can improve software security. Listen on Apple Podcasts.
From the braking system in automobiles to the software that controls aircraft, safety-critical systems are ubiquitous. Showing that such systems meet their safety requirements has become a critical area of work for software and systems engineers. The SEI is addressing this issue with a significant research program into assurance cases. In this podcast, the first in a series on assurance cases and confidence, Charles Weinstock introduces the concept of assurance cases and discusses how they can be used to assure that complex software-based systems meet certain kinds of requirements such as safety, security, and reliability. Listen on Apple Podcasts.
It was once said that the last time one had full control of their software was right before they released it. This is ever more important as organizations move applications and services into a public cloud to support a mobile lifestyle. Clouds have been described as “a safe and secure private cloud”, “a semi-trusted partner cloud”, or “a wild wild west full and open public cloud”. It’s typically toward the latter in which the industry has been moving. Because of this, one must understand their Attack Surface and threat environment to ensure that they have focused on “building security in” to their application.
About the speaker: Randall Brooks, Engineering Fellow, Raytheon, has more than 15 years of experience in Cybersecurity with expertise in Software Assurance (SwA) and secure development life cycles (SDLC). He has been awarded three US patents on Intrusion Detection and Prevention, and three US and one UK patent(s) on Cross Domain solutions. He is also a CISSP, CSSLP, ISSEP, ISSAP and an ISSMP. He is a graduate of Purdue University with a Bachelor of Science from the School of Computer Science. He represents Raytheon within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1). E-mail: brooks@raytheon.com
There is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations. This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist. Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices from industry, government, and academia to provide a security assurance dimension to the supply chain process. SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM.
Points of discussion common to both hardware and software component acquisition will include:
1. Acquirer business risk
2. End customer mission criticality and mission assurance
3. Subcontract management
4. Supplier secure development assessment
5. Supplier management practices for their suppliers
6. Supplier business assessment
7. Product assessment
Points of discussion peculiar to hardware component acquisition will include:
1. Quality vs. counterfeiting vs. malicious alteration
2. ASICs, FPGAs, and microprocessors
3. Information storage in volatile memory
4. Information storage in non-volatile memory and permanent disk storage
Points of discussion peculiar to software component acquisition will include:
1. COTS, contracted software, open source, and freeware
2. Software pedigree and provenance
3. License management of open source
About the speaker: Mr. Brooks, a twelve year Raytheon employee, is an Engineering Fellow in the Cyber Defense Solutions business area in Largo, FL. He is a recipient of the Raytheon Excellence in Technology Meritorious and Distinguished Awards. He has developed and submitted 4 patents on Intrusion Detection and Prevention design and implementation, with 3 patents awarded. He is also a Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP), Information Systems Security Engineering Professional (ISSEP), Information Systems Security Architecture Professional (ISSAP), and an Information Systems Security Management Professional (ISSMP). He is a graduate of Purdue University with a Bachelor of Science from the School of Computer Science.
Knowledge about software assurance is essential to ensure that complex systems function as intended.
This Software Assurance (SwA) talk is a slightly different spin on the SwA presentation and discussion. It covers the need for measurable SwA, for the purposes of presenting an assurance "case", explained from a practitioner's point of view. Current pursuits and practices are shared in the context of what is needed from the SwA industry.
About the speaker: Joe Judge is a Lead Infosec Engineer/Scientist in the Center for Integrated Intelligence Systems' (CIIS) Air Force and COCOM department. His research and project tasking are for the improvement of Information Assurance (IA) practices in USAF Airborne Networks acquisition, development and engineering.
