The protection of computer systems from theft or damage
POPULARITY
In the Elixir Wizards season 15 premiere, host Charles Suggs is joined by Holden Oullette, Senior Security Software Engineer at Netflix and maintainer of Sobelow, to talk about how security is evolving in the Elixir ecosystem. We discuss how certain features of the Elixir programming language (like functional patterns and server-side rendering) provide natural immunity against some common vulnerabilities, and what that means as the language continues to grow. Holden shares how tools like Sobelow are adapting and how new technologies like LLMs and Elixir's type system may help to strengthen security practices. We cover supply chain risks, ecosystem-level responsibility and reputation management, and how initiatives like AEGIS are prepping the community for more widespread adoption. We wrap with practical tips for teams to be more security-minded throughout the software development lifecycle without slowing everything down. Key topics discussed in this episode: How Elixir's design influences secure-by-default development Security tradeoffs between server-side and client-heavy architecture Supply chain risks and what the ecosystem is doing to prepare Static analysis with tools like Sobelow and AST-based pattern matching Where LLMs fit into modern security workflows The role of Elixir's upcoming type system in improving tooling Securing CI/CD pipelines and production environments Balancing development speed with security requirements Dependency management and vulnerability monitoring The AEGIS Initiative and ecosystem-wide security efforts Links mentioned: Holden's GitHub https://github.com/houllette Elixir Programming Language https://elixir-lang.org/ Security-focused static analysis for the Phoenix Framework https://github.com/nccgroup/sobelow Code Security for Builders https://semgrep.dev/ Erlang Ecosystems Foundation https://erlef.org/ Phoenix Framework https://www.phoenixframework.org/ WebSockets https://hexdocs.pm/phoenix_live_view/Phoenix.LiveView.Socket.html https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API Open Worldwide Application Security Project https://owasp.org/ https://github.com/elixir-ecto/ecto Log4j Vulnerability https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know React2Shell Vulnerability https://www.finra.org/guidance/guidance/cybersecurity-advisory-react2shell The Heartbleed Bug https://www.heartbleed.com/ Elixir Type System https://hexdocs.pm/elixir/main/gradual-set-theoretic-types.html Holden Oullette “Securing the Future: A Roadmap to Making Elixir the Safest Language” ElixirConf 2024 https://youtu.be/gpvKxS6sY8Y Aegis Initiative: Supply Chain Security & Compliance Initiative https://security.erlef.org/aegis/ OIDC Tokens https://openid.net/ Anthropic's Claude Mythos & Cybersecurity https://red.anthropic.com/2026/mythos-preview/ Igniter Code Generation Framework https://github.com/ash-project/igniter https://smartlogic.io/podcast/elixir-wizards/s13-e01-igniter-code-generation-zach-daniel/ Secure-by-default open source software https://www.chainguard.dev/ https://www.docker.com/ https://github.com/dependabot https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/apis-apiid-models.html https://nixos.org/ https://smartlogic.io/podcast/elixir-wizards/s14-e08-nix-for-elixir-apps/ https://fedoraproject.org/ https://kubernetes.io/ https://netflix.github.io/chaosmonkey/ https://netflixtechblog.com/all?topic=chaos-monkeySpecial Guest: Holden Oullette.
This interview was recorded for the GOTO Book Club.http://gotopia.tech/bookclubCheck out more here:https://gotopia.tech/episodes/428Laurenţiu Spilcă - Java Champion, Java Community Lead at Endava & Author of "Software Security for Developers" & more booksThomas Vitale - Senior Software Architect at Systematic & Author of "Cloud Native Spring in Action"RESOURCESLaurhttps://bsky.app/profile/laurspilca.bsky.socialhttps://x.com/laurspilcahttps://www.linkedin.com/in/laurenţiu-spilcă-01a931107https://laurspilca.comThomashttps://bsky.app/profile/thomasvitale.comhttps://mastodon.online/@thomasvitalehttps://twitter.com/vitalethomashttps://linkedin.com/in/vitalethomashttps://github.com/ThomasVitalehttps://www.thomasvitale.comLinkshttps://www.manning.com/books/software-security-for-developershttps://adibsaikali.wordpress.comDESCRIPTIONThomas Vitale sits down with Java Champion and author Laurentiu Spilca to discuss his co-authored book "Software Security for Developers". The conversation explores why security is so often avoided by developers, the widespread confusion between foundational concepts like encoding, hashing, and encryption, the dangers of reinventing established security standards, the growing risks of AI-generated code written without security awareness, and why understanding topics like PKI and certificates is more important than ever in modern software development.RECOMMENDED BOOKSAdib Saikali & Laurentiu Spilca • Software Security for Developers • https://amzn.to/4aPhqu0Laurentiu Spilca • Spring, Start Here • https://amzn.to/3L6Sv6cLaurentiu Spilca • Spring Security in Action • https://amzn.to/3LqEkZWLaurentiu Spilca • Troubleshooting Java • https://amzn.to/4u5vkj0Thomas Vitale • Cloud Native Spring in Action • https://amzn.to/3kLu1nsBlueskyInstagramLinkedInFacebookCHANNEL MEMBERSHIP BONUSJoin this channel to get early access to videos & other perks:https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/joinLooking for a unique learning experience?Attend the next GOTO conference near you! Get your ticket: gotopia.techSUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted daily!
Gugs Mhlungu speaks with Dr Mark Nasila, Chief Data and Analytics Officer at First National Bank Risk, about how powerful AI tools can strengthen cybersecurity, but also raise concerns about misuse, and explore a growing challenge in AI behaviour, systems that tend to affirm users rather than challenge them, and what that means for risk, decision-making, and responsible innovation. Gugs Mhlungu gets you ready for the weekend each Saturday and Sunday morning on 702. She is your weekend wake-up companion, with all you need to know for your weekend. The topics Gugs covers range from lifestyle, family, health, and fitness to books, motoring, cooking, culture, and what is happening on the weekend in 702land. Thank you for listening to a podcast from 702 Weekend Breakfast with Gugs Mhlungu. Listen live on Primedia+ on Saturdays and Sundays from 06:00 and 10:00 (SA Time) to Weekend Breakfast with Gugs Mhlungu broadcast on 702 https://buff.ly/gk3y0Kj For more from the show go to https://buff.ly/u3Sf7Zy or find all the catch-up podcasts here https://buff.ly/BIXS7AL Subscribe to the 702 daily and weekly newsletters https://buff.ly/v5mfetc Follow us on social media: 702 on Facebook: https://www.facebook.com/TalkRadio702 702 on TikTok: https://www.tiktok.com/@talkradio702 702 on Instagram: https://www.instagram.com/talkradio702/ 702 on X: https://x.com/Radio702 702 on YouTube: https://www.youtube.com/@radio702 See omnystudio.com/listener for privacy information.
Send a textFor most of the history of computing, software systems were written by humans and—at least in theory—understood by humans.But with AI coding assistants now embedded in everyday development workflows, we may be entering an era where large portions of production software are generated, modified, and extended by machines.Pramin Pradeep is the Co-Founder and CEO of BotGauge ( https://www.botgauge.com/ ), an autonomous “QA-as-a-Solution“ company focused on using AI to improve software testing and observability in modern development environments.Pramin's background sits at the intersection of AI-driven development and quality assurance. Prior to founding BotGauge, he held product leadership roles at Sauce Labs, one of the leading platforms for automated testing and continuous quality in enterprise software. Earlier in his career he was a founding product leader at AutonomIQ, an AI-based low-code testing platform that was later acquired by Sauce Labs.Across these roles, Pramin has focused on a central challenge in modern software engineering: as development accelerates through automation and AI coding assistants like GitHub Copilot, Claude, and Gemini, organizations are increasingly deploying code that no single engineer fully understands.Pramin's work explores how this emerging layer of AI-generated logic—what some are calling “shadow code”—may introduce new security risks, operational blind spots, and governance challenges inside complex software systems.Today we'll talk about what happens when software systems start evolving faster than our ability to fully comprehend them.#AI #AICoding #ShadowCode #BotGauge #SoftwareSecurity #Cybersecurity #EnterpriseSoftware #AIgeneratedCode #RuntimeObservability #SoftwareTesting #CriticalInfrastructure #TechnicalDebt #AIrisks #TechLeadership #InnovationSupport the show
In this episode, U.S. equity portfolio manager Grayson Witcher explores what it means to invest exclusively in American businesses at a time when the U.S. is becoming more short‑term, more transactional, and more central to global change. He contrasts a shifting U.S. "extraction" mindset with China's longer-term industrial strategy and considers how that dynamic is reshaping globalization into a more regional, security-conscious world. The conversation then turns to portfolio implications: why the team has been reducing exposure to mature, highly penetrated software names facing intensifying competition and AI disruption, how the market's treatment of AI has evolved from hype to a more "show me the returns" phase, and where they see resilient opportunities. Highlights: How a more short-term, "extraction"-oriented U.S. policy stance—via tariffs, reshoring, and industrial policy—is altering incentives for companies and trading partners. The evolving nature of software moats in an AI world, including higher competitive intensity, mature end markets, and why some long-term winners' valuations may no longer be justified. The market's transition from rewarding any AI narrative to demanding clearer evidence of economic returns on massive cloud and data-center capital spending. A deliberate tilt toward businesses positioned for a more regionalized, security-focused world order, including nuclear, defense, and automation suppliers with multiple ways to win. The importance of remaining bottom-up and valuation-driven while acknowledging regime change—using portfolio construction to manage uncertainty rather than making binary macro bets. Host: Andrew Johnson, CFA Institutional Portfolio Manager Guest: Grayson Witcher, CFA, AB Portfolio Manager This episode is available for download anywhere you get your podcasts. Founded in 1974, Mawer Investment Management Ltd. (pronounced "more") is a privately owned independent investment firm managing assets for institutional and individual investors. Mawer employs over 250 people in Canada, U.S., and Singapore. Visit Mawer at https://www.mawer.com. Follow us on social: LinkedIn - https://www.linkedin.com/company/mawer-investment-management/ Instagram - https://www.instagram.com/mawerinvestmentmanagement/
AI seems to be everywhere in 2026. This can be problematic when it goes undetected in our personal interactions, including our romantic lives though dating apps, catfishing, or romance scams. In this special Valentine's Day episode, Geoff and Skyler talk about the rise in spam tactics, the use of AI in catfishing and social engineering, and the "Dead Internet" theory. They tested some of these tactics, armed with a highly-trained LLM (Love Language Model), and made a "phishy" phone call to TrustedSec's Director of Software Security, Scott White. Find out if their social engineering attempt works and listen now! About this podcast: Security Noise, a TrustedSec Podcast hosted by Geoff Walton and Producer/Contributor Skyler Tuter, features our cybersecurity experts in conversation about the infosec topics that interest them the most. Find more cybersecurity resources on our website at https://trustedsec.com/resources.
Most organizations have security champions. Few have a real security culture.In this episode of AppSec Contradictions, Sean Martin explores why AppSec awareness efforts stall, why champion programs struggle to gain traction, and what leaders can do to turn intent into impact.
Most organizations have security champions. Few have a real security culture.In this episode of AppSec Contradictions, Sean Martin explores why AppSec awareness efforts stall, why champion programs struggle to gain traction, and what leaders can do to turn intent into impact.
In this episode of Product Talk, host Peter Pflaster sits down with Automox Staff Security Engineer Henry Smith to discuss what it really means to be secure by default. Together, they explore how Automox builds security into the foundation of its products, from engineering practices to company culture.You'll learn how Automox's “no security tax” philosophy gives every customer access to enterprise-grade protection — without hidden costs or trade-offs. Henry also shares his journey from IT support to cybersecurity engineering, offering practical advice for anyone looking to grow a career in IT or security.Tune in to hear how Automox approaches product security, fosters trust between engineering and security teams, and collaborates with industry peers to keep customers safe.
iOS 26 - Maybe a Little Too Early to Update? Maybe 4 Times a Charm — Replacing Beats Fit Pro with AirPods Pro 3 Support the Show Security Bits — 28 September 2025 Transcript of NC_2025_09_28 Join the Conversation: allison@podfeet.com podfeet.com/slack Support the Show: Patreon Donation Apple Pay or Credit Card one-time donation PayPal one-time donation Podfeet Podcasts Mugs at Zazzle NosillaCast 20th Anniversary Shirts Referral Links: Setapp - 1 month free for you and me PETLIBRO - 30% off for you and me Parallels Toolbox - 3 months free for you and me Learn through MacSparky Field Guides - 15% off for you and me Backblaze - One free month for me and you Eufy - $40 for me if you spend $200. Sadly nothing in it for you. PIA VPN - One month added to Paid Accounts for both of us CleanShot X - Earns me $25%, sorry nothing in it for you but my gratitude
Modern digital supply chains are increasingly complex and vulnerable. In this episode of Security Matters, host David Puner is joined by Retsef Levi, professor of operations management at the MIT Sloan School of Management, to explore how organizations can “sense the signals” of hidden risks lurking within their software supply chains, from open source dependencies to third-party integrations and AI-driven automation.Professor Levi, a leading expert in cyber resilience and complex systems, explains why traditional prevention isn't enough and how attackers exploit unseen pathways to infiltrate even the most secure enterprises. The conversation covers the critical need for transparency, continuous monitoring, and rapid detection and recovery in an era where software is built from countless unknown components.Key topics include:How to sense early warning signs of supply chain attacksThe role of AI and automation in both risk and defenseBest practices for mapping and securing your digital ecosystemWhy resilience—not just prevention—must be at the core of your security strategyWhether you're a CISO, IT leader or security practitioner, this episode will help you rethink your approach to digital supply chain risk and prepare your organization for what's next.Subscribe to Security Matters for expert insights on identity security, cyber resilience and the evolving threat landscape.
Support the show - try out Insight Hub free for 14 days now: https://testguild.me/insighthub In this episode of the TestGuild DevOps Toolchain Podcast, host Joe Colantonio sits down with Patrick Quilter, CEO of Deploy360, to explore how AI is reshaping DevSecOps and what it means for testers, developers, and security engineers. Patrick shares his unique journey from automation engineer to founder to acquisition, and now leading a company working directly with the Department of Defense on secure, AI-powered development pipelines. You'll learn: Why automation engineers are perfectly positioned to move into security How agentic AI can transform DevOps workflows with specialized security agents Why AI won't replace skilled developers—but can supercharge them The role of local vs. cloud LLMs in security and supply chain protection Where DevSecOps and AI are headed in the next 1–3 years Patrick also reveals how Deploy360 is rolling out its next-gen DevSecOps platform and why small-to-medium businesses may benefit most from early access. Learn more about Patrick and Deploy360: Don't forget to subscribe, share, and leave a review if you find this episode valuable for your testing or DevSecOps journey. Try out SmartBear's Bugsnag for free, today. No credit card required: https://testguild.me/bugsnagfree
The biggest evergreen issue in the ATM industry is of course security. Criminals are always ready with innovative methods to steal cash from ATMs faster than the industry can put up protective barriers.This is true of both the ATM hardware and software. In today's episode of the Bank Customer Experience podcast, Bradley Cooper spoke with Kit Patterson, a senior software architecture and security expert at KAL ATM Software to get an overhead view of current theft trends and ways to combat them.One new method that Patterson discussed was the relay attack. In this attack, one device is compromised is relays card data to another machine, which can be used to steal money from a victim."The basic story is they use two machines. They attack two machines in parallel. They wait until a victim puts a card into that victim ATM or ticket machine or anything where a card is being used. They take over that card and they relay information from that card to the cash out machine."He said that while this attack is difficult to pull off, it can also be challenging to detect and would require monitoring for certain types of unusual activity. For example, the software could detect that the card reader itself would take longer to transmit data in a relay attack than in a normal transaction, which should put up a red flag.Patterson also said that this relay attack is also taking place with mobile wallet fraud, where attackers are able to steal the victim's mobile wallet and relay that information to another actor who will get the cash from an ATM.He emphasized that criminals are willing to use as many methods as possible as "they don't follow the rules."To respond to these threats, Patterson pointed to the importance of holistic efforts and not just viewing security as "ticking boxes."Check out the full interview above and hear Patteron's thoughts on if AI is ready to transform ATM security.
In this episode, we sit down with Jim Manico, a longtime industry AppSec Leader, Educator, and Innovator, to discuss enhancing software security in the era of AI.This includes covering recent talks Jim has given about using AI as a force multiplier for software development, the importance of security-centric prompting, and the overall impact of AI on the field of AppSec.We discussed:A recent talk Jim gave where he discussed transforming secure software creation with AI, doing the work of teams of people on his own, and what used to take tens of thousands of hours through the use of agents and various frontier models and offerings.The importance of security-centric prompting and guidance for models to produce secure code and the impact on vulnerability velocity by doing so.The risks of the broader developer community leaning into these tools without adding security-centric prompts and guidance, but the opportunity for prompt libraries and enterprise controls to lead to systemic secure software development within the enterprise.The workforce implications of AI-driven development and the need to upskill to stay relevant (and employable).Where Jim sees opportunity beyond just AppSec when it comes to AI and Cybersecurity, in other areas such as GRC and SecOps as well.
Is security an afterthought in your Flutter projects? In a world where a single breach can cost millions and destroy user trust, every developer needs a solid foundation in security.In this episode of Flying High with Flutter, Allen Wyma sits down with seasoned software developer, trainer, and acclaimed author Laurențiu Spilcă to demystify application security. While Laurențiu's background is deep in the Java/Spring world, the principles he shares are universal and essential for any developer building modern applications.We dive deep into the "why" and "how" of securing your apps, from the initial authentication flow to the communication between your backend services.Timecodes:00:00 - Meet Laurențiu Spilcă & Why Security Can't Be an Afterthought06:16 - The Role of a CISO and Preventing Disasters like the log4j Vulnerability14:09 - The Future is Passwordless30:41 - Understanding OAuth2, OpenID Connect, and Why PKCE is CRITICAL for Mobile Apps41:45 - What is TLS? Why Your App Needs More Than Just HTTPS52:03 - Mutual TLS (mTLS): Securing Communication Between Your MicroservicesGET THE BOOK!
Please enjoy this encore of Word Notes. A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops. CyberWire Glossary link: https://thecyberwire.com/glossary/bsimm Audio reference link: “OWASP AppSecUSA 2014 - Keynote: Gary McGraw - BSIMM: A Decade of Software Security.” YouTube Video. YouTube, September 19, 2014. Learn more about your ad choices. Visit megaphone.fm/adchoices
Please enjoy this encore of Word Notes. A descriptive model that provides a baseline of observed software security initiatives and activities from a collection of volunteer software development shops. CyberWire Glossary link: https://thecyberwire.com/glossary/bsimm Audio reference link: “OWASP AppSecUSA 2014 - Keynote: Gary McGraw - BSIMM: A Decade of Software Security.” YouTube Video. YouTube, September 19, 2014.
Ian Riopel is the CEO and Co-founder of Root, applying agentic AI to fix vulnerabilities instantly. A US Army veteran and former Counterintelligence Agent, he's held roles at Cisco, CloudLock, and Rapid7. Ian brings military-grade security expertise to software supply chains. John Amaral is the CTO and Co-founder of Root. Previously, he scaled Cisco Cloud Security to $500M in revenue and led CloudLock to a $300M acquisition. With five exits behind him, John specializes in building cybersecurity startups with strong technical vision. In this episode… Patching software vulnerabilities remains one of the biggest security challenges for many organizations. Security teams are often stretched thin as they try to keep up with vulnerabilities that can quickly be exploited. Open-source components and containerized deployments add even more complexity, especially when updates risk breaking production systems. As compliance requirements tighten and the volume of vulnerabilities grows, how can businesses eliminate software security risks without sacrificing productivity? Companies like Root are transforming how organizations approach software vulnerability remediation by applying agentic AI to streamline their approach. Rather than relying on engineers to triage and prioritize thousands of issues, Root's AI-driven platform scans container images, applies safe patches where available, and generates custom patches for outdated components that lack official fixes. Root's AI automation resolves approximately 95% or more vulnerabilities without breaking production systems, allowing organizations to meet compliance requirements while developers stay focused on building and delivering software. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Ian Riopel and John Amaral, Co-founders of Root, about how AI streamlines software vulnerability detection. Together, they explain how Root's agentic AI platform uses specialized agents to automate patching while maintaining software stability. John and Ian also discuss how regulations and compliance pressures are driving the need for faster remediation, and how Root differs from threat detection solutions. They also explain how AI can reduce security workloads without replacing human expertise.
The Trump administration is pumping the brakes on government wide software security requirements instead, President Donald Trump's new cybersecurity executive order calls for an industry consortium to study implementation of secure software development practices for more on these changes, Federal News Network's Justin Doubleday joins me.See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
Global Crossing Airlines Group confirms cyberattack Google settles privacy lawsuits UK launches software security guidelines Huge thanks to our sponsor, Vanta Do you know the status of your compliance controls right now? Like...right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done 5 times faster with AI. Now that's…a new way to GRC. Get started at Vanta.com/headlines.
Send us a textCybersecurity isn't just for enterprises—small and medium businesses face increasingly sophisticated threats with fewer resources to combat them. In this information-packed episode, Sean Gerber explores why cybersecurity matters critically for SMBs while delivering practical CISSP exam questions focused on Domain 8.3.Sean begins by examining how even non-tech businesses rely heavily on digital systems, making them vulnerable to attacks that could devastate operations. A ransomware incident targeting inventory management or employee scheduling could cripple a small business just as effectively as one targeting a financial institution. Business continuity planning—often overlooked until disaster strikes—becomes a critical safeguard that many small businesses simply don't consider until it's too late.The economic reality of cybersecurity for small businesses creates a challenging landscape. While virtual CISO services and managed security operations centers offer potential solutions, many remain financially out of reach for smaller organizations. This creates a significant vulnerability gap in our business ecosystem that security professionals must work to address.The episode then transitions into fifteen carefully crafted CISSP practice questions focusing on Domain 8.3, covering essential concepts like API security, content security policies, message queue poisoning, and the principle of least privilege in containerized environments. Each question explores real-world vulnerabilities while providing clear explanations about proper security approaches.Whether you're studying for the CISSP exam or working to improve your organization's security posture, this episode delivers actionable insights on identifying and mitigating common application security vulnerabilities. Subscribe to the CISSP Cyber Training podcast for weekly deep dives into cybersecurity concepts that will help you pass your certification exam and become a more effective security professional.Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Chainguard, a software supply chain security startup, secured $356 million in a Series D funding round, achieving a valuation of $3.5 billion. The funding was co-led by Kleiner Perkins and IVP, with new investors including Salesforce Ventures and Datadog Ventures. The valuation reflects a threefold increase from the previous valuation of $1.12 billion after a $140 million Series C round. Chainguard focuses on secure software development tools, particularly for open-source software, and reported an annual recurring revenue of $40 million, aiming to exceed $100 million by fiscal year 2026. The company has raised a total of $612 million since its founding in 2021. Cybersecurity investment remains strong, with Exaforce recently raising $75 million in a Series A round and total funding for VC-backed cybersecurity startups surpassing $2.7 billion in Q1 2024, a 29% increase from the previous quarter.Learn more on this news visit us at: https://greyjournal.net/news/ Hosted on Acast. See acast.com/privacy for more information.
Send us a textSoftware security assessment can make or break your organization's defense posture, yet many professionals struggle with implementing effective evaluation strategies. This deep dive into CISSP Domain 8.3 reveals critical approaches to software security that balance technical requirements with business realities.The recent funding crisis surrounding CVEs (Common Vulnerability Exposures) serves as a perfect case study of how fragile our security infrastructure can be. When the standardized system for cataloging vulnerabilities faced defunding, it highlighted our dependence on these foundational systems and raised questions about sustainable models for critical security infrastructure.Database security presents unique challenges, particularly when managing multi-level classifications within a single environment. We explore how proper implementation requires strict separation between classification levels and how technologies like ODBC serve as intermediaries for legacy applications. The key takeaway? Data separation isn't just a technical best practice—it's an essential security control.Documentation emerges as a surprisingly critical element in effective security. Beyond regulatory compliance, proper documentation protects security professionals when incidents inevitably occur. As one security leader candidly explains, when breaches happen, fingers point toward security teams first—comprehensive documentation proves you implemented appropriate controls and communicated risks effectively.The most successful security professionals step outside their comfort zones, collaborating across organizational boundaries to integrate security throughout the development lifecycle. Static analysis, dynamic testing, vulnerability assessments, and penetration testing all provide complementary insights, but only when security and development teams maintain open communication channels.Ready to strengthen your software security assessment capabilities? Join us weekly for more insights that help you pass the CISSP exam and build practical security knowledge that makes a difference in your organization.Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
In this OODAcast, Chris Wysopal shares his insights from decades in cybersecurity, detailing his journey from the early hacking collective "The L0pht" to co-founding Veracode. Wysopal reflects on the evolution of cybersecurity, highlighting his early contributions to vulnerability research and advocating the importance of adversarial thinking in security practices. He emphasizes the transition from traditional vulnerability testing to comprehensive application risk management, recognizing the increased reliance on third-party software and the escalating complexity of securing modern applications. Wysopal also discusses how generative AI technologies are significantly accelerating application development but simultaneously creating substantial security challenges. He stresses that while AI-generated applications multiply rapidly, their vulnerability density remains comparable to human-written code. To manage this growing risk, Wysopal underlines the necessity of integrating automated, AI-driven vulnerability remediation into the software development lifecycle. Looking forward, Wysopal advocates for embedding security deeply within the application creation process, anticipating that AI will eventually assist in producing inherently secure software. However, he also underscores the enduring threat of social engineering attacks, urging enterprises to prioritize comprehensive security awareness programs to bolster their overall cybersecurity posture and resilience. The conversation examines some very interesting correlations between the mindset of the great hackers and the success of great entrepreneurs. Both take a good bit of grit, an ability to focus and be creative and perhaps most importantly: Persistence. Learn more about Chris Wysopal's approaches and the company he founded at Veracode. For insights into reducing your organization's attack surface see: State of Software Security 2025
In this episode, we sit down with Luke Hinds, CTO of Stacklok and creator of Sigstore, to learn from his extensive background in open source security. Luke shares insights into his journey and passion for security, highlighting the thrill of the 'cat and mouse' dynamics. He discusses Stacklok's project, Minder, a software supply chain platform designed to streamline security while boosting developer productivity. Luke also touches on Trusty, another Stacklok initiative aimed at assessing the security risks of open source packages using data science. The conversation expands to the impact of AI on code contributions and developer identity, reflecting on the evolving dynamics in software development and security. Finally, Luke shares thoughts on the ongoing challenges and opportunities in bridging the gap between operations and engineering to maintain robust security in fast-paced development environments. 00:00 Introduction 02:29 Personal Reflections on Security 04:14 Introduction to Stacklok and Minder 05:02 Minder's Features and Capabilities 07:38 Target Audience and Use Cases for Minder 10:41 Balancing Security and Developer Productivity 13:00 The Importance of Seamless Security 13:52 Introduction to Trusty: Understanding Open Source Security Risks 14:45 Analyzing Malicious Packages and Developer Contributions 18:06 The Role of Developer Identity in Open Source Projects 19:20 AI's Impact on Code Development and Security 20:10 Challenges and Future Directions in Developer Identity 23:31 Concluding Thoughts and Future Conversations Guest: Luke Hinds is the CTO of Stacklok. He is the creator of the open source project sigstore, which makes it easier for developers to sign and verify software artifacts. Prior to Stacklok, Luke was a distinguished engineer at Red Hat.
This is a bonus episode of Real Talks, and it's all about Perform. Perform isn't just a conference held by Dynatrace in LA every year—it's where innovation in observability & security, customers' success, and community come to light. I sit down with Michelle Vaughan, VP of Growth Marketing, to unpack her impressions and takeaways from this year's flagship event. You'll hear some stories about the software you use daily powered by Dynatrace (and you likely don't know about it). With 2,000+ in-person attendees, 25,000+ virtual, 50+ customer stories, and groundbreaking insights in AI, security, and observability, there's plenty to dive into. Tune in to hear what made Perform an unforgettable experience, from inspiring customer stories to hands-on learning—and yes, even the legendary Dynatrace socks. Enjoying the episode? Leave us a comment on Spotify or YouTube, or rate it on Spotify or Apple Podcasts. Where to find us: Connect with Sue Quackenbush on LinkedIn Connect with Michelle Vaughan on LinkedIn Discover the opportunities at Dynatrace and take your career to the next level: careers.dynatrace.com
⬥GUEST⬥Sarah Fluchs, CTO at admeritia | CRA Expert Group at EU Commission | On LinkedIn: https://www.linkedin.com/in/sarah-fluchs/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin⬥EPISODE NOTES⬥The European Commission's Cyber Resilience Act (CRA) introduces a regulatory framework designed to improve the security of digital products sold within the European Union. In a recent episode of Redefining CyberSecurity, host Sean Martin spoke with Sarah Fluchs, Chief Technology Officer at admeritia and a member of the CRA expert group at the EU Commission. Fluchs, who has spent her career in industrial control system cybersecurity, offers critical insights into what the CRA means for manufacturers, retailers, and consumers.A Broad Scope: More Than Just Industrial AutomationUnlike previous security regulations that focused on specific sectors, the CRA applies to virtually all digital products. Fluchs emphasizes that if a device is digital and sold in the EU, it likely falls under the CRA's requirements. From smartwatches and baby monitors to firewalls and industrial control systems, the regulation covers a wide array of consumer and business-facing products.The CRA also extends beyond just hardware—software and services required for product functionality (such as cloud-based components) are also in scope. This broad application is part of what makes the regulation so impactful. Manufacturers now face mandatory cybersecurity requirements that will shape product design, development, and post-sale support.What the CRA RequiresThe CRA introduces mandatory cybersecurity standards across the product lifecycle. Manufacturers will need to:Ensure products are free from known, exploitable vulnerabilities at the time of release.Implement security by design, considering cybersecurity from the earliest stages of product development.Provide security patches for the product's defined lifecycle, with a minimum of five years unless justified otherwise.Maintain a vulnerability disclosure process, ensuring consumers and authorities are informed of security risks.Include cybersecurity documentation, requiring manufacturers to provide detailed security instructions to users.Fluchs notes that these requirements align with established security best practices. For businesses already committed to cybersecurity, the CRA should feel like a structured extension of what they are already doing, rather than a disruptive change.Compliance Challenges: No Detailed Checklist YetOne of the biggest concerns among manufacturers is the lack of detailed compliance guidance. While other EU regulations provide extensive technical specifications, the CRA's security requirements span just one and a half pages. This ambiguity is intentional—it allows flexibility across different industries—but it also creates uncertainty.To address this, the EU will introduce harmonized standards to help manufacturers interpret the CRA. However, with tight deadlines, many of these standards may not be ready before enforcement begins. As a result, companies will need to conduct their own cybersecurity risk assessments and demonstrate due diligence in securing their products.The Impact on Critical Infrastructure and Industrial SystemsWhile the CRA is not specifically a critical infrastructure regulation, it has major implications for industrial environments. Operators of critical systems, such as utilities and manufacturing plants, will benefit from stronger security in the components they rely on.Fluchs highlights that many security gaps in industrial environments stem from weak product security. The CRA aims to fix this by ensuring that manufacturers, rather than operators, bear the responsibility for secure-by-design components. This shift could significantly reduce cybersecurity risks for organizations that rely on complex supply chains.A Security Milestone: Holding Manufacturers AccountableThe CRA represents a fundamental shift in cybersecurity responsibility. For the first time, manufacturers, importers, and retailers must guarantee the security of their products or risk being banned from selling in the EU.Fluchs points out that while the burden of compliance is significant, the benefits for consumers and businesses will be substantial. Security-conscious companies may even gain a competitive advantage, as customers start to prioritize products that meet CRA security standards.For those in the industry wondering how strictly the EU will enforce compliance, Fluchs reassures that the goal is not to punish manufacturers for small mistakes. Instead, the EU Commission aims to improve cybersecurity without unnecessary bureaucracy.The Bottom LineThe Cyber Resilience Act is set to reshape cybersecurity expectations for digital products. While manufacturers face new compliance challenges, consumers and businesses will benefit from stronger security measures, better vulnerability management, and increased transparency.Want to learn more? Listen to the full episode of Redefining CyberSecurity with Sean Martin and Sarah Fluchs to hear more insights into the CRA and what it means for the future of cybersecurity.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥Inspiring Post: https://www.linkedin.com/posts/sarah-fluchs_aaand-its-official-the-cyber-resilience-activity-7250162223493300224-zECA/Adopted CRA text: https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdfA list of Sarah's blog posts to get your CRA knowledge up to speed:1️⃣ Introduction to the CRA, the CE marking, and the regulatory ecosystem around it: https://fluchsfriction.medium.com/eu-cyber-resilience-act-9e092fffbd732️⃣ Explanation how the standards ("harmonised European norms, hEN") are defined that will detail the actual cybersecurity requirements in the CRA (2023): https://fluchsfriction.medium.com/what-cybersecurity-standards-will-products-in-the-eu-soon-have-to-meet-590854ba3c8c3️⃣ Overview of the essential requirements outlined in the CRA (2024): https://fluchsfriction.medium.com/what-the-cyber-resilience-act-requires-from-manufacturers-0ee0b917d2094️⃣ Overview of the global product security regulation landscape and how the CRA fits into it (2024): https://fluchsfriction.medium.com/product-security-regulation-in-2024-93ddc6dd89005️⃣ Good-practice example for the "information and instructions to the user," one of the central documentations that need to be written for CRA compliance and the only one that must be provided to the product's users (2024): https://fluchsfriction.medium.com/how-to-be-cra-compliant-and-make-your-critical-infrastructure-clients-happy-441ecd859f52⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity:
⬥GUEST⬥Sarah Fluchs, CTO at admeritia | CRA Expert Group at EU Commission | On LinkedIn: https://www.linkedin.com/in/sarah-fluchs/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin⬥EPISODE NOTES⬥The European Commission's Cyber Resilience Act (CRA) introduces a regulatory framework designed to improve the security of digital products sold within the European Union. In a recent episode of Redefining CyberSecurity, host Sean Martin spoke with Sarah Fluchs, Chief Technology Officer at admeritia and a member of the CRA expert group at the EU Commission. Fluchs, who has spent her career in industrial control system cybersecurity, offers critical insights into what the CRA means for manufacturers, retailers, and consumers.A Broad Scope: More Than Just Industrial AutomationUnlike previous security regulations that focused on specific sectors, the CRA applies to virtually all digital products. Fluchs emphasizes that if a device is digital and sold in the EU, it likely falls under the CRA's requirements. From smartwatches and baby monitors to firewalls and industrial control systems, the regulation covers a wide array of consumer and business-facing products.The CRA also extends beyond just hardware—software and services required for product functionality (such as cloud-based components) are also in scope. This broad application is part of what makes the regulation so impactful. Manufacturers now face mandatory cybersecurity requirements that will shape product design, development, and post-sale support.What the CRA RequiresThe CRA introduces mandatory cybersecurity standards across the product lifecycle. Manufacturers will need to:Ensure products are free from known, exploitable vulnerabilities at the time of release.Implement security by design, considering cybersecurity from the earliest stages of product development.Provide security patches for the product's defined lifecycle, with a minimum of five years unless justified otherwise.Maintain a vulnerability disclosure process, ensuring consumers and authorities are informed of security risks.Include cybersecurity documentation, requiring manufacturers to provide detailed security instructions to users.Fluchs notes that these requirements align with established security best practices. For businesses already committed to cybersecurity, the CRA should feel like a structured extension of what they are already doing, rather than a disruptive change.Compliance Challenges: No Detailed Checklist YetOne of the biggest concerns among manufacturers is the lack of detailed compliance guidance. While other EU regulations provide extensive technical specifications, the CRA's security requirements span just one and a half pages. This ambiguity is intentional—it allows flexibility across different industries—but it also creates uncertainty.To address this, the EU will introduce harmonized standards to help manufacturers interpret the CRA. However, with tight deadlines, many of these standards may not be ready before enforcement begins. As a result, companies will need to conduct their own cybersecurity risk assessments and demonstrate due diligence in securing their products.The Impact on Critical Infrastructure and Industrial SystemsWhile the CRA is not specifically a critical infrastructure regulation, it has major implications for industrial environments. Operators of critical systems, such as utilities and manufacturing plants, will benefit from stronger security in the components they rely on.Fluchs highlights that many security gaps in industrial environments stem from weak product security. The CRA aims to fix this by ensuring that manufacturers, rather than operators, bear the responsibility for secure-by-design components. This shift could significantly reduce cybersecurity risks for organizations that rely on complex supply chains.A Security Milestone: Holding Manufacturers AccountableThe CRA represents a fundamental shift in cybersecurity responsibility. For the first time, manufacturers, importers, and retailers must guarantee the security of their products or risk being banned from selling in the EU.Fluchs points out that while the burden of compliance is significant, the benefits for consumers and businesses will be substantial. Security-conscious companies may even gain a competitive advantage, as customers start to prioritize products that meet CRA security standards.For those in the industry wondering how strictly the EU will enforce compliance, Fluchs reassures that the goal is not to punish manufacturers for small mistakes. Instead, the EU Commission aims to improve cybersecurity without unnecessary bureaucracy.The Bottom LineThe Cyber Resilience Act is set to reshape cybersecurity expectations for digital products. While manufacturers face new compliance challenges, consumers and businesses will benefit from stronger security measures, better vulnerability management, and increased transparency.Want to learn more? Listen to the full episode of Redefining CyberSecurity with Sean Martin and Sarah Fluchs to hear more insights into the CRA and what it means for the future of cybersecurity.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥Inspiring Post: https://www.linkedin.com/posts/sarah-fluchs_aaand-its-official-the-cyber-resilience-activity-7250162223493300224-zECA/Adopted CRA text: https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdfA list of Sarah's blog posts to get your CRA knowledge up to speed:1️⃣ Introduction to the CRA, the CE marking, and the regulatory ecosystem around it: https://fluchsfriction.medium.com/eu-cyber-resilience-act-9e092fffbd732️⃣ Explanation how the standards ("harmonised European norms, hEN") are defined that will detail the actual cybersecurity requirements in the CRA (2023): https://fluchsfriction.medium.com/what-cybersecurity-standards-will-products-in-the-eu-soon-have-to-meet-590854ba3c8c3️⃣ Overview of the essential requirements outlined in the CRA (2024): https://fluchsfriction.medium.com/what-the-cyber-resilience-act-requires-from-manufacturers-0ee0b917d2094️⃣ Overview of the global product security regulation landscape and how the CRA fits into it (2024): https://fluchsfriction.medium.com/product-security-regulation-in-2024-93ddc6dd89005️⃣ Good-practice example for the "information and instructions to the user," one of the central documentations that need to be written for CRA compliance and the only one that must be provided to the product's users (2024): https://fluchsfriction.medium.com/how-to-be-cra-compliant-and-make-your-critical-infrastructure-clients-happy-441ecd859f52⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity:
Organizations build and deploy applications at an unprecedented pace, but security is often an afterthought. This episode of ITSPmagazine's Brand Story features Jim Manico, founder of Manicode Security, in conversation with hosts Sean Martin and Marco Ciappelli. The discussion explores the current state of application security, the importance of developer training, and how organizations can integrate security from the ground up to drive better business outcomes.The Foundation of Secure DevelopmentJim Manico has spent decades helping engineers and architects understand and implement secure coding practices. His work with the Open Web Application Security Project (OWASP), including contributions to the OWASP Top 10 and the OWASP Cheat Sheet Series, has influenced how security is approached in software development. He emphasizes that security should not be an afterthought but a fundamental part of the development process.He highlights OWASP's role in providing documentation, security tools, and standards like the Application Security Verification Standard (ASVS), which is now in its 5.0 release. These resources help organizations build secure applications, but Manico points out that simply having the guidance available isn't enough—engineers need the right training to apply security principles effectively.Why Training MattersManico has trained thousands of engineers worldwide and sees firsthand the impact of hands-on education. He explains that developers often lack formal security training, which leads to common mistakes such as insecure authentication, improper data handling, and vulnerabilities in third-party dependencies. His training programs focus on practical, real-world applications, allowing developers to immediately integrate security into their work.Security training also helps businesses beyond just compliance. While some companies initially engage in training to meet regulatory requirements, many realize the long-term value of security in reducing risk, improving product quality, and building customer trust. Manico shares an example of a startup that embedded security from the beginning, investing heavily in training early on. That approach helped differentiate them in the market and contributed to their success as a multi-billion-dollar company.The Role of AI and Continuous LearningManico acknowledges that the speed of technological change presents challenges for security training. Frameworks, programming languages, and attack techniques evolve constantly, requiring continuous learning. He has integrated AI tools into his training workflow to help answer complex questions, identify knowledge gaps, and refine content. AI serves as an augmentation tool, not a replacement, and he encourages developers to use it as an assistant to strengthen their understanding of security concepts.Security as a Business EnablerThe conversation reinforces that secure coding is not just about avoiding breaches—it is about building better software. Organizations that prioritize security early can reduce costs, improve reliability, and increase customer confidence. Manico's approach to education is about empowering developers to think beyond compliance and see security as a critical component of software quality and business success.For organizations looking to enhance their security posture, developer training is an investment that pays off. Manicode Security offers customized training programs to meet the specific needs of teams, covering topics from secure coding fundamentals to advanced application security techniques. To learn more or schedule a session, Jim Manico can be reached at Jim@manicode.com.Tune in to the full episode to hear more insights from Jim Manico on how security training is shaping the future of application security.Learn more about Manicode: https://itspm.ag/manicode-security-7q8iNote: This story contains promotional content. Learn more.Guest: Jim Manico, Founder and Secure Coding Educator at Manicode Security | On Linkedin: https://www.linkedin.com/in/jmanico/ResourcesDownload the Course Catalog: https://itspm.ag/manicode-x684Learn more and catch more stories from Manicode Security: https://www.itspmagazine.com/directory/manicode-securityAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story
Forecast = Ransomware storms surge with an 87% spike in industrial attacks—brace for ICS strikes from GRAPHITE and BAUXITE! Infostealers hit healthcare and education, while VPN vulnerabilities pour in—grab your digital umbrella! It's report season and today the crew kicks things off with a breakdown of Veracode's State of Software Security 2025 Report, highlighting significant improvements in OWASP Top 10 pass rates but also noting concerning trends in high-severity flaws and security debt. Next, we take a peek at Dragos's 2025 OT/ICS Cybersecurity Report, which reveals an increase in ransomware attacks against industrial organizations and the emergence of new threat groups like GRAPHITE and BAUXITE. The report also details the evolution of malware targeting critical infrastructure, such as Fuxnet and FrostyGoop. The Huntress 2025 Cyber Threat Report is then discussed, showcasing the dominance of infostealers and malicious scripts in the threat landscape, with healthcare and education sectors being prime targets. The report also highlights the shift in ransomware tactics towards data theft and extortion. The team also quickly covers a recent and _massive_ $1.5 billion Ethereum heist. We *FINALLY* cover some recent findings from Censys, including their innovative approach to discovering non-standard port usage in Industrial Control System protocols. This segment also touches on the growing threat posed by vulnerabilities in edge security products. We also *FINALLY* get around to checking out VulnCheck's research, including an analysis of Black Basta ransomware group's tactics based on leaked chat logs, and their efforts to automate Stakeholder Specific Vulnerability Categorization (SSVC) for more effective vulnerability prioritization. The episode wraps up with mentions of GreyNoise's latest reports on mass internet exploitation and a newly discovered DDoS botnet, providing listeners with a well-rounded view of the current cybersecurity landscape. Storm Watch Homepage >> Learn more about GreyNoise >>
This week, we are joined by Jeff Williams, former Global Chairman of OWASP and Founder and CTO of Contrast Security, who is discussing what could happen to "Secure by Design" in the next administration and how to secure software through regs. Ben has the story of Elon Musk's and DOGE's incursion into federal databases. Dave's got the story of a man who was wrongly convicted of identity theft. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Please take a moment to fill out an audience survey! Let us know how we are doing! Links to the stories: Inside Musk's Aggressive Incursion Into the Federal Government He Went to Jail for Stealing Someone's Identity. But It Was His All Along. Get the weekly Caveat Briefing delivered to your inbox. Like what you heard? Be sure to check out and subscribe to our Caveat Briefing, a weekly newsletter available exclusively to N2K Pro members on N2K CyberWire's website. N2K Pro members receive our Thursday wrap-up covering the latest in privacy, policy, and research news, including incidents, techniques, compliance, trends, and more. This week's Caveat Briefing covers the story of the Department of Justice (DOJ) suing to block Hewlett Packard Enterprise's (HPE) $14 billion acquisition of Juniper Networks, arguing that the merger would reduce competition in the wireless networking industry. The DOJ claims Juniper has pressured rivals like HPE to lower prices and innovate, and consolidation would weaken these benefits, potentially harming industries reliant on wireless networks. HPE and Juniper dispute the DOJ's claims, insisting the deal would enhance competition and improve networking infrastructure. Curious about the details? Head over to the Caveat Briefing for the full scoop and additional compelling stories. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you. Learn more about your ad choices. Visit megaphone.fm/adchoices
The latest episode of Redefining CyberSecurity on ITSPmagazine featured a thought-provoking discussion about integrating human factors into secure software development. Host Sean Martin was joined by Dr. Kelsey Fulton, Assistant Professor at the Colorado School of Mines, and Julie Haney, a computer scientist at the National Institute of Standards and Technology. The conversation explored how human-centered approaches can strengthen secure software practices and address challenges in the development process.A Human-Centered Approach to SecurityDr. Fulton shared how her research focuses on the human factors that impact secure software development. Her journey began during her graduate studies at the University of Maryland, where she was introduced to the intersection of human behavior and security in a course that sparked her interest. Her projects, such as investigating the transition from C to Rust programming languages, underscore the complexity of embedding security into the software development lifecycle.The Current State of Secure DevelopmentOne key takeaway from the discussion was the tension between functionality and security in software development. Developers often prioritize getting a product to market quickly, leading to decisions that sideline security considerations. Dr. Fulton noted that while developers typically have good intentions, they often lack the resources, tools, and organizational support necessary to incorporate security effectively.She highlighted the need for a “security by design” approach, which integrates security practices from the earliest stages of development. Embedding security specialists within development teams can create a cultural shift where security becomes a shared responsibility rather than an afterthought.Challenges in Adoption and EducationDr. Fulton's research reveals significant obstacles to adopting secure practices, including the complexity of tools and the lack of comprehensive education for developers. Even advanced tools like static analyzers and fuzzers are underutilized. A major barrier is developers' perception that security is not their responsibility, compounded by tight deadlines and organizational pressures.Additionally, her research into Rust adoption at companies illuminated technical and organizational challenges. Resistance often stems from the cost and complexity of transitioning existing systems, despite Rust's promise of enhanced security and memory safety.The Future of Human-Centered SecurityLooking ahead, Dr. Fulton emphasized the importance of addressing how developers trust and interact with tools like large language models (LLMs) for code generation. Her team is exploring ways to enhance these tools, ensuring they provide secure code suggestions and help developers recognize vulnerabilities.The episode concluded with a call to action for organizations to support research in this area and cultivate a security-first culture. Dr. Fulton underscored the potential of collaborative efforts between researchers, developers, and companies to improve security outcomes.By focusing on human factors and fostering supportive environments, organizations can significantly advance secure software development practices.____________________________Guests: Dr. Kelsey Fulton, Assistant Professor of Computer Science at the Colorado School of MinesWebsite | https://cs.mines.edu/project/fulton-kelsey/Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology [@NISTcyber]On LinkedIn | https://www.linkedin.com/in/julie-haney-037449119/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martin____________________________View This Show's SponsorsImperva | https://itspm.ag/imperva277117988LevelBlue | https://itspm.ag/levelblue266f6cThreatLocker | https://itspm.ag/threatlocker-r974___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
The latest episode of Redefining CyberSecurity on ITSPmagazine featured a thought-provoking discussion about integrating human factors into secure software development. Host Sean Martin was joined by Dr. Kelsey Fulton, Assistant Professor at the Colorado School of Mines, and Julie Haney, a computer scientist at the National Institute of Standards and Technology. The conversation explored how human-centered approaches can strengthen secure software practices and address challenges in the development process.A Human-Centered Approach to SecurityDr. Fulton shared how her research focuses on the human factors that impact secure software development. Her journey began during her graduate studies at the University of Maryland, where she was introduced to the intersection of human behavior and security in a course that sparked her interest. Her projects, such as investigating the transition from C to Rust programming languages, underscore the complexity of embedding security into the software development lifecycle.The Current State of Secure DevelopmentOne key takeaway from the discussion was the tension between functionality and security in software development. Developers often prioritize getting a product to market quickly, leading to decisions that sideline security considerations. Dr. Fulton noted that while developers typically have good intentions, they often lack the resources, tools, and organizational support necessary to incorporate security effectively.She highlighted the need for a “security by design” approach, which integrates security practices from the earliest stages of development. Embedding security specialists within development teams can create a cultural shift where security becomes a shared responsibility rather than an afterthought.Challenges in Adoption and EducationDr. Fulton's research reveals significant obstacles to adopting secure practices, including the complexity of tools and the lack of comprehensive education for developers. Even advanced tools like static analyzers and fuzzers are underutilized. A major barrier is developers' perception that security is not their responsibility, compounded by tight deadlines and organizational pressures.Additionally, her research into Rust adoption at companies illuminated technical and organizational challenges. Resistance often stems from the cost and complexity of transitioning existing systems, despite Rust's promise of enhanced security and memory safety.The Future of Human-Centered SecurityLooking ahead, Dr. Fulton emphasized the importance of addressing how developers trust and interact with tools like large language models (LLMs) for code generation. Her team is exploring ways to enhance these tools, ensuring they provide secure code suggestions and help developers recognize vulnerabilities.The episode concluded with a call to action for organizations to support research in this area and cultivate a security-first culture. Dr. Fulton underscored the potential of collaborative efforts between researchers, developers, and companies to improve security outcomes.By focusing on human factors and fostering supportive environments, organizations can significantly advance secure software development practices.____________________________Guests: Dr. Kelsey Fulton, Assistant Professor of Computer Science at the Colorado School of MinesWebsite | https://cs.mines.edu/project/fulton-kelsey/Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology [@NISTcyber]On LinkedIn | https://www.linkedin.com/in/julie-haney-037449119/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martin____________________________View This Show's SponsorsImperva | https://itspm.ag/imperva277117988LevelBlue | https://itspm.ag/levelblue266f6cThreatLocker | https://itspm.ag/threatlocker-r974___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest Jeremy Epling, chief product officer, Vanta. In this episode: What is the future of cybersecurity? Designing the outcomes we want The promise and peril of AI Is open-source open to more threats? Thanks to our podcast sponsor, Vanta! Say goodbye to spreadsheets and screenshots. Vanta automates evidence collection needed for audits with over 350 integrations—giving you continuous visibility into your compliance status. And with cross-mapped controls across 30 frameworks, you'll streamline compliance— and never duplicate your efforts. Learn more at Vanta.com.
In this episode of Corralling the Chaos, Angela presents a comprehensive checklist for businesses navigating the complex process of choosing new software solutions. Designed for event professionals and tech decision-makers, the episode dives into the crucial factors that make or break a successful software choice. Angela covers essential topics, from evaluating product depth, understanding the provider's industry experience, assessing security standards, mobile accessibility, and onboarding timelines, to ensuring ongoing product development and customer support. By the end of this episode, listeners will have a clearer roadmap for selecting the right software partner to empower their teams and streamline operations.
In this episode of the Security Swarm Podcast, the dynamic duo Andy Syrewicze and Paul Schnackenburg discuss the software quality problem in the cybersecurity and technology industry, as highlighted by Jen Easterly, the director of CISA. They delve into the risks associated with software selection, the role of industry analysts, the importance of software stability and security over innovation, and the need for developers to focus on secure coding practices. One area Andy and Paul focus on are the risks associated with software selection, highlighting the importance of evaluating factors such as the software's origin, reputation, and security features when making decisions. Andy and Paul also discuss the role of industry analysts like Gartner and Forrester, and how their focus on innovation and feature sets may not always align with the critical need for stability, security, and reliable support. Do you want to join the conversation? Join us in our Security Lab LinkedIn Group! Key Takeaways: The cybersecurity industry has a software quality problem, not just a security problem. Selecting software requires careful risk assessment, considering factors like the software's origin, reputation, and security features. Industry analysts often focus on innovation and features rather than software stability and security. The technology industry should reward software that is stable, secure, and operates as intended, not just the latest innovative features. Developers need to be trained in secure coding practices, as many graduates lack this knowledge. Understanding how threat actors could exploit vulnerabilities is crucial for developers to write secure code. The software landscape is constantly evolving, and the threat landscape is changing, requiring ongoing education and adaptation. Supply chain risks, such as pre-installed malware on refurbished devices, highlight the need for comprehensive security measures. Timestamps: (06:04) Assessing Software Risks (16:50) The Analyst Approach (21:11) Rewarding Stability and Security (27:16) Secure Coding Practices in Academia (32:59) Developers Understanding Threat Actors (34:33) Supply Chain Risks (37:32) Valuing Stability and Security over Innovation Episode Resources: Paul's Article Andy and Eric's Episode on Vendor Risk -- Proactively protect your organization's email from the growing threat of software vulnerabilities and malicious attacks. 365 Total Protection provides comprehensive security for Microsoft 365, safeguarding your business with advanced threat detection, spam filtering, and email encryption. Ensure your software is secure and your data is protected with Hornetsecurity's industry-leading 365 Total Protection. Defend your organization against sophisticated cyber threats with Hornetsecurity's Advanced Threat Protection, powered by cutting-edge technology. Our advanced system analyzes email content and attachments to detect and block even the most evasive malware and phishing attempts. Stay one step ahead of threat actors and protect your business with Hornetsecurity's Advanced Threat Protection.
In today's complex global supply chains, ensuring security across physical, cyber, and software dimensions is critical. This week, our own Jay Thoden van Velzen joins us to discuss the increasing risks of cyber-attacks as supply chains become more digital and interconnected. As we not only dive into the importance of third-party risk management and proactive measures to safeguard against vulnerabilities in software, Jay mentions that for organizations to navigate these challenges, they must prioritize comprehensive security strategies to protect their operations and data integrity. Come join us as we discuss the Future of Supply Chain
Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]On LinkedIn | https://www.linkedin.com/in/cassiecrossley/____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli head to San Francisco to attend the OWASP Global AppSec conference. They kick off their journey with a light-hearted conversation about their destination, quickly segueing into the substantive core of the episode. The dialogue provides a rich backdrop to the conference's key focus: securing applications and the crucial role of Software Bill of Materials (SBOMs) in this context.Special guest Cassie Crossley joins the hosts to delve deeper into the significance of SBOMs. Cassie introduces herself and highlights her previous engagements with the podcast, touching on her upcoming session titled "The Missing Link: How We Collect and Leverage SBOMs." She explains the essential function of SBOMs in tracking open-source and commercial software components, noting the importance of transparency and risk evaluation in modern software development.Cassie explains that understanding the software components in use, including transitive dependencies, is crucial for managing risks. She discusses how her company, Schneider Electric, implements SBOMs within their varied product lines, ranging from firmware to cloud-based applications. By collecting and analyzing SBOMs, they can quickly assess vulnerabilities, much like how organizations scrambled to evaluate their exposure in the wake of the Log4J vulnerability.Sean and Marco steer the conversation towards the practical aspects of SBOM implementation for smaller companies. Cassie reassures that even startups and smaller enterprises can benefit from SBOMs without extensive resources, using free tools like Dependency-Track to manage their software inventories. She emphasizes that having an SBOM—even in a simplified form—provides a critical layer of visibility, enabling better risk management even with limited means.The discussion touches on the broader impact of SBOMs beyond individual corporations. Cassie notes the importance of regulatory developments and collective efforts, such as those by the Cybersecurity and Infrastructure Security Agency (CISA), to advocate for wider adoption of SBOM standards across industries.To wrap up, the hosts and Cassie discuss the value of conferences like OWASP Global AppSec for fostering community dialogues, sharing insights, and staying abreast of new developments in application security. They encourage listeners to attend these events to gain valuable knowledge and networking opportunities. Finally, in their closing remarks, Sean and Marco tease future episodes in the On Location series, hinting at more exciting content from their travels and guest interviews.____________________________This Episode's SponsorsHITRUST: https://itspm.ag/itsphitweb____________________________Follow our OWASP 2024 Global AppSec San Francisco coverage: https://www.itspmagazine.com/owasp-2024-global-appsec-san-francisco-cybersecurity-and-application-security-event-coverageOn YouTube:
Guest: Dr. Kathleen Fisher, Information Innovation Office (I2O) Director, Defense Advanced Research Projects Agency (DARPA) [@DARPA]On LinkedIn | https://www.linkedin.com/in/kathleen-fisher-4000964/At Black Hat | https://www.blackhat.com/us-24/summit-sessions/schedule/speakers.html#dr-kathleen-fisher-48776____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this On Location with Sean and Marco episode, hosts Sean Martin and Marco Ciappelli engage in an insightful conversation with Dr. Kathleen Fisher from the Defense Advanced Research Projects Agency (DARPA). The discussion centers around the upcoming Black Hat and DEF CON events, where Dr. Fisher is scheduled to deliver a keynote on the intersection of artificial intelligence (AI) and cybersecurity, with a particular focus on DARPA's ongoing initiatives and competitions.Dr. Fisher begins by providing an overview of her background and DARPA's mission to prevent technological surprises that could undermine U.S. national security. She recounts the success of the High-Assurance Cyber Military Systems (HACMS) program, which utilized formal methods to create highly secure software for military vehicles. This program demonstrated the potential of formal methods to revolutionize cybersecurity, proving that robust software could be developed to withstand hacking attempts, even from world-class red teams.The conversation then shifts to the AI Cyber Challenge (AICC) program, a major highlight of her upcoming keynote. AICC aims to leverage the power of AI combined with cyber reasoning systems to automatically find and fix vulnerabilities in real open-source software—an ambitious extension of DARPA's previous Cyber Grand Challenge. This competition involves collaboration with major tech companies like Google, Anthropic, OpenAI, and Microsoft, offering competitors access to state-of-the-art models to tackle real-world vulnerabilities.Dr. Fisher emphasizes the importance of public-private collaboration in advancing cybersecurity technologies. DARPA's charter allows it to work with a diverse range of organizations, from startups to national labs, in pursuit of strategic technological advances. The episode also touches on the potential impact of cyber vulnerabilities on critical infrastructure, underscoring the need for scalable and automatic solutions to address these threats.Listeners can anticipate Dr. Fisher highlighting these themes in her keynote, aimed at business leaders, practitioners, policymakers, and risk managers. She will outline how the audience can engage with DARPA's initiatives and contribute to the ongoing efforts to enhance national security through innovative technology solutions.The episode promises to provide a nuanced understanding of DARPA's role in pioneering AI-driven cybersecurity advancements and offers a preview of the exciting developments to be showcased at Black Hat and DEF CON.Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________This Episode's SponsorsLevelBlue: https://itspm.ag/levelblue266f6cCoro: https://itspm.ag/coronet-30deSquareX: https://itspm.ag/sqrx-l91____________________________Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegasOn YouTube:
In this episode, Stan Wisseman and Rob Aragao welcome Justin Young to explore the transformative role of Software Bill of Materials (SBOMs) in enhancing software supply chain security. Justin shares his extensive experience and insights into how SBOMs contribute to the maturation of the software industry, drawing parallels with the auto and food industries' approaches to defect and ingredient tracking.The discussion delves into the regulatory landscape, highlighting the FDA's SBOM requirements for medical devices, the U.S. National Cybersecurity Strategy, and various compliance mandates from CISA, DORA, PCI, and the EU CRA. Justin explains the importance of shifting liability to software vendors and away from end users and open-source developers, emphasizing the need for actively maintained and secure software components.Listeners will gain an understanding of the different SBOM formats, Cyclone DX and SPDX, and their respective advantages. Justin also addresses the challenges organizations face in managing SBOMs, including procurement, validation, and the necessity of a dedicated SBOM program manager.Finally, the episode explores the practicalities of SBOM implementation, from storage and cataloging to enrichment and vulnerability management, offering a comprehensive guide for organizations aiming to bolster their software security practices.Tune in to learn how SBOMs are reshaping the software industry, driving transparency, and enhancing security across software supply chains.Relevant Links:Episode 88: Open-Source Software: Unlocking efficiency and innovationEpisode 41: Do a little dance, Time for some SLSAEpisode 26: Log4j Vulnerabilities: All you need to know and how to protect yourselfEpisode 4: SolarWinds: Bringing down the building… Software Supply-Chain Pressure PointsWhitepaper: The need for a Software Bill of MaterialsSoftware Supply Chain Hub pageFollow or subscribe to the show on your preferred podcast platform.Share the show with others in the cybersecurity world.Get in touch via reimaginingcyber@gmail.com
The idea of smart robots automating away boring household chores sounds enticing, yet these devices rarely work as advertised: they get stuck, they break down, or are security nightmares. And so it's refreshing to see a company like Matic taking a different approach by attempting to build truly smart, reliable, and privacy-respecting robots. They use Rust for 95% of their codebase, and use camera vision to navigate, vacuum, and mop floors.I sit down with Eric Seppanen, Software Engineer at Matic, to learn about vertical integration in robotics, on-device sensor processing, large Rust codebases, and why Rust is a great language for the problem space.
Kyle Kelly joins Seth Law and Ken Johnson as a special guest on the Absolute AppSec podcast. Kyle is an Executive Cybersecurity Consultant at Bancsec, Inc, and Security Researcher at Semgrep, and founder of the wonderful Cramhacks newsletter. As a consultant and researcher, Kyle specializes in supply chain security, a speciality that informs the thoughts he publicizes, but even more so cramhacks reflects his desire to help his readers become contributors to improving the cybersecurity landscape and analysis of software security supply chains. Subscribe to Kyle's newsletter at cramhacks.com.
Guests: Allan Friedman, Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]On LinkedIn | https://www.linkedin.com/in/allanafriedman/At RSAC | https://www.rsaconference.com/experts/allan-friedmanBob Lord, Senior Technical Advisor, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]On LinkedIn | https://www.linkedin.com/in/lordbob/On Twitter | https://twitter.com/boblordAt RSAC | https://www.rsaconference.com/experts/Bob%20Lord____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this new On Location episode, Sean Martin hosted a conversation with Allan Friedman and Bob Lord from the Cyber Security and Infrastructure Security Agency (CISA) as part of the Chats on the Road to the RSA Conference series. The discussion centered around key topics such as securing software by design, navigating the intricacies of managing end-of-life (EOL) software, and emphasizing the crucial role of transparency in the software supply chain.Allan Friedman, a vocal advocate for the Software Bill of Materials (SBOM) — he has the t-shirt to prove it! — explored the increasing competitiveness of getting accepted to speak at renowned conferences like RSA, reflecting the growing awareness and urgency around cybersecurity topics. His upcoming RSA presentation is set to delve into the looming challenge of end-of-life and end-of-support software—a topic that, while not new, demands innovative technical and policy-level responses to mitigate emerging threats effectively.Bob Lord's discussion highlighted an area often overlooked yet critical for software security: memory safety. By sharing his experiences and underscoring the prevalence of vulnerabilities traced back to memory safety issues, Lord emphasized the necessity for developers and companies to adopt a more proactive and transparent approach in their software development practices. This call to action is not just about developing new solutions but also about ensuring that existing software is resilient against current and future threats.One of the key takeaways from this episode is the imperative of transparency in the software supply chain. As Friedman notes, the path to a more secure digital infrastructure lies in the ability to have clear visibility into the software components businesses rely on—including their age, vulnerabilities, and update requirements. This clarity is essential not only for building trust between software manufacturers and their customers but also for enabling a proactive stance on cybersecurity, which can significantly reduce the risks associated with outdated or unsupported software.Moreover, the conversation underscored the evolutionary nature of cybersecurity. As threats evolve, so too must our strategies and tools to combat them. The dialogue between Martin, Friedman, and Lord brought to light the importance of continuous learning, adaptation, and collaboration within the cybersecurity community to address these ongoing challenges.The episode represents a microcosm of the larger conversations happening within the fields of cybersecurity and software development. As we move forward, the insights shared by Allan Friedman and Bob Lord remind us of the critical importance of design security, comprehensive policies, and, above all, the need for a collective belief in the possibility of creating safer software solutions for the future.Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageOn YouTube:
This episode reports on a new campaign to steal credentials from LastPass users, a warning to admits of Ivanti Avalanche mobile device management software, and more
In this week's episode of The Future of Security Operations podcast, Thomas is joined by Matt Johansen. Matt is a security veteran who has helped defend startups, the biggest financial companies in the world, and everything in between. Alongside his day job as Head of Software Security at Reddit, he teaches companies how to protect against cyber attacks, and coaches entrepreneurs and CISOs that need help with infrastructure, application, cloud, and security policies. He also writes Vulnerable U, a weekly newsletter that talks about embracing the power of vulnerability for growth. Thomas and Matt discuss: - Moving from a large security team at Bank of America to a small one at Reddit - Embracing scrappiness and doing more with less - Overcoming sunk-cost fallacy - Why the 2014 Sony hack was a pivotal time for AppSec - Running the threat research centre at White Hat - What he looks for when hiring in AppSec, the SOC and beyond - His decision to start creating content about mental health in security - Moving past imposter syndrome - Renouncing superhero culture - Paved paths and guardrails, and what comes next after "shift left" - Lessons learned from Reddit's 2023 security incident - The power of automating incident response The Future of Security Operations is brought to you by Tines, the smart, secure workflow builder that powers some of the world's most important workflows. https://www.tines.com/solutions/security Where to find Matt Johansen: Vulnerable U newsletter: https://vulnu.mattjay.com/ Twitter: https://twitter.com/mattjay LinkedIn: https://www.linkedin.com/in/matthewjohansen/ TikTok: https://www.tiktok.com/@vulnerable_matt Reddit: https://www.redditinc.com/ mattjay.com: https://www.mattjay.com Where to find Thomas Kinsella: Twitter/X: https://twitter.com/thomasksec LinkedIn: https://www.linkedin.com/in/thomas-kinsella/ Tines: https://www.tines.com/ Resources mentioned: The Tech Professional's Guide to Mindfulness by Matt Johansen: https://www.mattjay.com/blog/the-tech-professionals-guide-to-mindfulness Matt's piece on developer experience in the Vulnerable U newsletter: https://vulnu.mattjay.com/p/vulnu-003-courage-quit Reddit's post on a February 2023 incident: https://www.reddit.com/r/reddit/comments/10y427y/we_had_a_security_incident_heres_what_we_know/ Collaborative Incident Response Best Practices: Don't Rely on Superheroes by Matt Johansen: https://www.mattjay.com/blog/superhero-incident-response Threat modeling depression by Matt Johansen: https://www.mattjay.com/blog/threat-model-depression In this episode: [02:14] Going from long-time Reddit user to employee [04:50] Running AppSec at Reddit [07:30] Being the internet's punching bag and boxing gloves [10:30] Building a team from scratch at White Hat and lessons learned from the 2014 Sony hack [15:10] Matt's approach to hiring [21:15] His decision to create content about mental health in security [23:20] Turning his Twitter network into his IRL network [27:55] Moving past imposter syndrome [30:00] Tools for safeguarding your mental health in incident response [36:20] Preserving work-life balance for his teams at Reddit [39:15] Moving past "shift left", and paved path to production and guardrails [47:40] Lessons learned from a February 2023 incident at Reddit [51:20] Renouncing superhero culture [52:20] Automating incident response [54:12] Connect with Matt
We knew they'd be petulant, but even our expectations were higher than this. We dig into how Apple dunked on devs after last week's show, yet another Microsoft hack, and more.
Guest: Francesco Cipollone, CEO & Founder at Phoenix Security [@sec_phoenix]On LinkedIn | https://www.linkedin.com/in/fracipo/On Twitter | https://twitter.com/FrankSEC42On YouTube | https://www.youtube.com/@phoenixsec____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin____________________________This Episode's SponsorsImperva | https://itspm.ag/imperva277117988Pentera | https://itspm.ag/penteri67a___________________________Episode NotesIn this episode of Redefining CyberSecurity Podcast, host Sean Martin is joined by Francesco Cipollone from Phoenix Security for a riveting conversation on the vulnerabilities associated with using pre-made tools for website development. The dialogue revolves around the inherent security risks these tools pose, especially when used by non-technical teams like marketing.Francesco shares a fascinating account of discovering a potential SQL injection in a well-known CRM system. This revelation underscores the importance of input validation and the necessity of secure defaults in any tool. The discussion also brings to light the fact that many systems do not consider these potential security risks as standard, often requiring additional licenses or configurations for basic security measures.The conversation takes an interesting turn as they discuss a new concept of a Workflow Bill of Materials™ (WBOM)—a term coined by the host, Sean Martin, for the first time. This idea extends beyond the typical focus on software bill of material security (which often focuses on source code, services, and APIs) to include a broader view of the tools and systems that teams use in their daily operations. The WBOM concept emphasizes the need for organizations to understand the associated risks of these tools and implement more secure practices.Sean and Francesco highlight the importance of threat modeling in identifying potential risks. They also discuss the challenges organizations face in ensuring security, especially when these tools are used by teams with zero security knowledge. The episode concludes with a call to action for the industry to move towards security by default and the ethical use of technology.This episode offers listeners an insightful look into the complexities of cybersecurity in the context of commonly used tools and systems, and the urgent need for a shift in perspective when it comes to securing these tools.___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
In this episode of Elixir Wizards, Xiang Ji and Nathan Hessler join hosts Sundi Myint and Owen Bickford to compare actor model implementation in Elixir, Ruby, and Clojure. In Elixir, the actor model is core to how the BEAM VM works, with lightweight processes communicating asynchronously via message passing. GenServers provide a common abstraction for building actors, handling messages, and maintaining internal state. In Ruby, the actor model is represented through Ractors, which currently map to OS threads. They discuss what we can learn by comparing models, understanding tradeoffs between VMs, languages, and concurrency primitives, and how this knowledge can help us choose the best tools for a project. Topics discussed in this episode: Difference between actor model and shared memory concurrency Isolation of actor state and communication via message passing BEAM VM design for high concurrency via lightweight processes GenServers as common abstraction for building stateful actors GenServer callbacks for message handling and state updates Agents as similar process abstraction to GenServers Shared state utilities like ETS for inter-process communication Global Interpreter Lock in older Ruby VMs Ractors as initial actor implementation in Ruby mapping to threads Planned improvements to Ruby concurrency in 3.3 Akka implementation of actor model on JVM using thread scheduling Limitations of shared memory concurrency on JVM Project Loom bringing lightweight processes to JVM Building GenServer behavior in Ruby using metaprogramming CSP model of communication using channels in Clojure Differences between BEAM scheduler and thread-based VMs Comparing Elixir to academic languages like Haskell Remote and theScore are hiring! Links mentioned in this episode: theScore is hiring! https://www.thescore.com/ Remote is also hiring! https://remote.com/ Comparing the Actor Model and CSP with Elixir and Clojure (https://xiangji.me/2023/12/18/comparing-the-actor-model-and-csp-with-elixir-and-clojure/) Blog Post by Xiang Ji Comparing the Actor model & CSP concurrency with Elixir & Clojure (https://www.youtube.com/watch?v=lIQCQKPRNCI) Xiang Ji at ElixirConf EU 2022 Clojure Programming Language https://clojure.org/ Akka https://akka.io/ Go Programming Language https://github.com/golang/go Proto Actor for Golang https://proto.actor/ RabbitMQ Open-Source Message Broker Software https://github.com/rabbitmq JVM Project Loom https://github.com/openjdk/loom Ractor for Ruby https://docs.ruby-lang.org/en/master/ractor_md.html Seven Concurrency Models in Seven Weeks: When Threads Unravel (https://pragprog.com/titles/pb7con/seven-concurrency-models-in-seven-weeks/)by Paul Butcher Seven Languages in Seven Weeks (https://pragprog.com/titles/btlang/seven-languages-in-seven-weeks/) by Bruce A. Tate GenServer https://hexdocs.pm/elixir/1.12/GenServer.html ets https://www.erlang.org/doc/man/ets.html Elixir in Action (https://pragprog.com/titles/btlang/seven-languages-in-seven-weeks/) by Saša Jurić Redis https://github.com/redis/redis Designing for Scalability with Erlang/OTP (https://www.oreilly.com/library/view/designing-for-scalability/9781449361556/) by Francesco Cesarini & Steve Vinoski Discord Blog: Using Rust to Scale Elixir for 11 Million Concurrent Users (https://discord.com/blog/using-rust-to-scale-elixir-for-11-million-concurrent-users) Xiang's website https://xiangji.me/ Feeling Good: The New Mood Therapy (https://www.thriftbooks.com/w/feeling-good-the-new-mood-therapy-by-david-d-burns/250046/?resultid=7691fb71-d8f9-4435-a7a3-db3441d2272b#edition=2377541&idiq=3913925) by David D. Burns Special Guests: Nathan Hessler and Xiang Ji.
Teaching AI to misbehave. Ransomware's effect on healthcare downtime. Two reports on the state of cybersecurity in the financial services sector. Possible connections between Hamas and Quds Force. Ukrainian cyber authorities report a rise in privateering Smokeloader attacks. Russian hacktivist auxiliaries strike Czech targets. My conversation with Sherrod DeGrippo, host of The Microsoft Threat Intelligence Podcast. Jay Bhalodia from Microsoft Federal shares insights on multi-cloud security. And Winter Vivern exploits a mail service 0-day. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/204 Selected reading. AI vs. human deceit: Unravelling the new age of phishing tactics (Security Intelligence) Ransomware attacks on US healthcare organizations cost $20.8bn in 2020 (Comparitech) Cyberattack at 5 southwestern Ontario hospitals leaves patients awaiting care (CBC News) State of Security for Financial Services (Swimlane) Veracode Reveals Automation and Training Are Key Drivers of Software Security for Financial Services (Business Wire) Hamas' online infrastructure reveals ties to Iran APT, researchers say (CSO Online) Hamas Application Infrastructure Reveals Possible Overlap With TAG-63 and Iranian Threat Activity | Recorded Future (Recorded Future) Ukraine cyber officials warn of a ‘surge' in Smokeloader attacks on financial, government entities (Record) Bloomberg: Russia steps up cyberattacks to disrupt Ukraine's key services (Euromaidan) Pro-Russia group behind today's mass cyberattack against Czech institutions (Expats.cz) Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers (We Live Security) Learn more about your ad choices. Visit megaphone.fm/adchoices
Josh Lemos former CISO of Block and the current CISO of GitLab comes from a pentester background and made his way to become a CISO. We were lucky enough to interview him during the hacker summer camp on his journey, his experience in AI, takeaway from BH CISO summit and types of CISOs & more. Episode YouTube: Video Link Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Josh's Linkedin (Josh Lemos) Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Newsletter - Cloud Security BootCamp Spotify TimeStamp for Interview Question (00:00) Introduction (01:47) A bit about Josh Lemos (03:48) What does cloud security mean to Josh? (04:53) What to look out for with AI/ML? (07:03) CISO perspective on AI/ML (08:13) What should a CISO roadmap look like in 2023? (10:39) Takeaways from BlackHat CISO Summit (12:24) CISO for B2B vs B2C (13:43) Hardware vs Software Security (14:41) Skills needed to become a CISO (15:48) What is cloud pentesting? (17:20) Fun Questions See you at the next episode!