POPULARITY
In this episode, I discuss what has been keeping me away from the mic, the Open Source Intelligence Defense and Security Framework (ODSF), and share updates on privacy topics including browser security, autonomous taxis, airport security cameras, and managing cryptocurrency. I also address listener questions about anonymous SIM cards and creating separate online identities.Official Website: https://psysecure.comIn this week's episode:Introducing the Open Source Intelligence Defense and Security Framework (ODSF)Browser privacy comparisons (Firefox, LibreWolf, Brave, Mulvad)Experiences with Waymo autonomous taxis and privacy considerationsTSA security cameras and opting out of facial recognitionListener questions about anonymous SIMs in Australia and creating sock puppet accountsUsing cryptocurrencyShow Links:BIP39 Generator - https://github.com/iancoleman/bip39Phoenix Wallet - https://phoenix.acinq.coZeus Wallet - https://zeusln.comLibreWolf Browser - https://librewolf.net/OSS Document Scanner (GrapheneOS) - https://github.com/Akylas/OSS-DocumentScannerMullvad Browser (randomDataOnCanvasExtract) - https://github.com/mullvad/mullvad-browser/issues/358Mullvad Browser (Letterboxing) - https://github.com/mullvad/mullvad-browser/issues/152“Minimize what can be known.”- MePodcast music: The R3cluseOfficial Website: https://psysecure.com Podcast music: The R3cluse
⬥GUEST⬥Ken Huang, Co-Chair, AI Safety Working Groups at Cloud Security Alliance | On LinkedIn: https://www.linkedin.com/in/kenhuang8/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com⬥EPISODE NOTES⬥In this episode of Redefining CyberSecurity, host Sean Martin speaks with Ken Huang, Co-Chair of the Cloud Security Alliance (CSA) AI Working Group and author of several books including Generative AI Security and the upcoming Agent AI: Theory and Practice. The conversation centers on what agentic AI is, how it is being implemented, and what security, development, and business leaders need to consider as adoption grows.Agentic AI refers to systems that can autonomously plan, execute, and adapt tasks using large language models (LLMs) and integrated tools. Unlike traditional chatbots, agentic systems handle multi-step workflows, delegate tasks to specialized agents, and dynamically respond to inputs using tools like vector databases or APIs. This creates new possibilities for business automation but also introduces complex security and governance challenges.Practical Applications and Emerging Use CasesKen outlines current use cases where agentic AI is being applied: startups using agentic models to support scientific research, enterprise tools like Salesforce's AgentForce automating workflows, and internal chatbots acting as co-workers by tapping into proprietary data. As agentic AI matures, these systems may manage travel bookings, orchestrate ticketing operations, or even assist in robotic engineering—all with minimal human intervention.Implications for Development and Security TeamsDevelopment teams adopting agentic AI frameworks—such as AutoGen or CrewAI—must recognize that most do not come with out-of-the-box security controls. Ken emphasizes the need for SDKs that add authentication, monitoring, and access controls. For IT and security operations, agentic systems challenge traditional boundaries; agents often span across cloud environments, demanding a zero-trust mindset and dynamic policy enforcement.Security leaders are urged to rethink their programs. Agentic systems must be validated for accuracy, reliability, and risk—especially when multiple agents operate together. Threat modeling and continuous risk assessment are no longer optional. Enterprises are encouraged to start small: deploy a single-agent system, understand the workflow, validate security controls, and scale as needed.The Call for Collaboration and Mindset ShiftAgentic AI isn't just a technological shift—it requires a cultural one. Huang recommends cross-functional engagement and alignment with working groups at CSA, OWASP, and other communities to build resilient frameworks and avoid duplicated effort. Zero Trust becomes more than an architecture—it becomes a guiding principle for how agentic AI is developed, deployed, and defended.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥BOOK | Generative AI Security: https://link.springer.com/book/10.1007/978-3-031-54252-7BOOK | Agentic AI: Theories and Practices, to be published August by Springer: https://link.springer.com/book/9783031900259BOOK | The Handbook of CAIO (with a business focus): https://www.amazon.com/Handbook-Chief-AI-Officers-Revolution/dp/B0DFYNXGMRMore books at Amazon, including books published by Cambridge University Press and John Wiley, etc.: https://www.amazon.com/stores/Ken-Huang/author/B0D3J7L7GNVideo Course Mentioned During this Episode: "Generative AI for Cybersecurity" video course by EC-Council with 255 people rated averaged 5 starts: https://codered.eccouncil.org/course/generative-ai-for-cybersecurity-course?logged=falsePodcast: The 2025 OWASP Top 10 for LLMs: What's Changed and Why It Matters | A Conversation with Sandy Dunn and Rock Lambros⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity Podcast:
⬥GUEST⬥Ken Huang, Co-Chair, AI Safety Working Groups at Cloud Security Alliance | On LinkedIn: https://www.linkedin.com/in/kenhuang8/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com⬥EPISODE NOTES⬥In this episode of Redefining CyberSecurity, host Sean Martin speaks with Ken Huang, Co-Chair of the Cloud Security Alliance (CSA) AI Working Group and author of several books including Generative AI Security and the upcoming Agent AI: Theory and Practice. The conversation centers on what agentic AI is, how it is being implemented, and what security, development, and business leaders need to consider as adoption grows.Agentic AI refers to systems that can autonomously plan, execute, and adapt tasks using large language models (LLMs) and integrated tools. Unlike traditional chatbots, agentic systems handle multi-step workflows, delegate tasks to specialized agents, and dynamically respond to inputs using tools like vector databases or APIs. This creates new possibilities for business automation but also introduces complex security and governance challenges.Practical Applications and Emerging Use CasesKen outlines current use cases where agentic AI is being applied: startups using agentic models to support scientific research, enterprise tools like Salesforce's AgentForce automating workflows, and internal chatbots acting as co-workers by tapping into proprietary data. As agentic AI matures, these systems may manage travel bookings, orchestrate ticketing operations, or even assist in robotic engineering—all with minimal human intervention.Implications for Development and Security TeamsDevelopment teams adopting agentic AI frameworks—such as AutoGen or CrewAI—must recognize that most do not come with out-of-the-box security controls. Ken emphasizes the need for SDKs that add authentication, monitoring, and access controls. For IT and security operations, agentic systems challenge traditional boundaries; agents often span across cloud environments, demanding a zero-trust mindset and dynamic policy enforcement.Security leaders are urged to rethink their programs. Agentic systems must be validated for accuracy, reliability, and risk—especially when multiple agents operate together. Threat modeling and continuous risk assessment are no longer optional. Enterprises are encouraged to start small: deploy a single-agent system, understand the workflow, validate security controls, and scale as needed.The Call for Collaboration and Mindset ShiftAgentic AI isn't just a technological shift—it requires a cultural one. Huang recommends cross-functional engagement and alignment with working groups at CSA, OWASP, and other communities to build resilient frameworks and avoid duplicated effort. Zero Trust becomes more than an architecture—it becomes a guiding principle for how agentic AI is developed, deployed, and defended.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥BOOK | Generative AI Security: https://link.springer.com/book/10.1007/978-3-031-54252-7BOOK | Agentic AI: Theories and Practices, to be published August by Springer: https://link.springer.com/book/9783031900259BOOK | The Handbook of CAIO (with a business focus): https://www.amazon.com/Handbook-Chief-AI-Officers-Revolution/dp/B0DFYNXGMRMore books at Amazon, including books published by Cambridge University Press and John Wiley, etc.: https://www.amazon.com/stores/Ken-Huang/author/B0D3J7L7GNVideo Course Mentioned During this Episode: "Generative AI for Cybersecurity" video course by EC-Council with 255 people rated averaged 5 starts: https://codered.eccouncil.org/course/generative-ai-for-cybersecurity-course?logged=falsePodcast: The 2025 OWASP Top 10 for LLMs: What's Changed and Why It Matters | A Conversation with Sandy Dunn and Rock Lambros⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity Podcast:
Steve Lee is lead at Spiral, Block's open source initiative, and has recently helped launch Presidio Bitcoin, a bitcoin community space in San Francisco. Craig Raw is the creator and maintainer of Sparrow Wallet, one of the best bitcoin desktop wallets available. We discuss the tradeoffs of Block's new Bitkey hardware wallet and potential improvements. Then we briefly jump into discussion on soft fork proposals for bitcoin vault functionality.Steve on Nostr: https://primal.net/moneyball Craig on Nostr: https://primal.net/craigraw EPISODE: 151BLOCK: 888348PRICE: 1222 sats per dollarsupport dispatch: https://citadeldispatch.com/donatenostr live chat: https://citadeldispatch.com/streamodell nostr account: https://primal.net/odelldispatch nostr account: https://primal.net/citadelyoutube: https://www.youtube.com/@CitadelDispatchpodcast: https://serve.podhome.fm/CitadelDispatchstream sats to the show: https://www.fountain.fm/join the chat: https://citadeldispatch.com/chatlearn more about me: https://odell.xyz(00:02:55) Introduction(00:04:32) Presidio Bitcoin Launch and Community Spaces(00:08:16) Challenges and Opportunities in South Africa(00:14:31) Bitkey: Making Bitcoin Self Custody Easier(00:33:08) Threat Modeling and Security Concerns(00:42:00) Future Scenarios for Bitkey and Sparrow Integration(00:54:02) Recovery Scenarios and User Experience(01:17:02) The Potential of Bitcoin Vaults(01:30:25) Final Thoughts and Future of Bitcoin SecurityFriend of the show Orange Surf wrote up some notes on Craig's proposed FROST improvement to Bitkey here: https://orange.surf/bitkey-notes/
Guest: Meador Inge, Security Engineer, Google Cloud Topics: Can you walk us through Google's typical threat modeling process? What are the key steps involved? Threat modeling can be applied to various areas. Where does Google utilize it the most? How do we apply this to huge and complex systems? How does Google keep its threat models updated? What triggers a reassessment? How does Google operationalize threat modeling information to prioritize security work and resource allocation? How does it influence your security posture? What are the biggest challenges Google faces in scaling and improving its threat modeling practices? Any stories where we got this wrong? How can LLMs like Gemini improve Google's threat modeling activities? Can you share examples of basic and more sophisticated techniques? What advice would you give to organizations just starting with threat modeling? Resources: EP12 Threat Models and Cloud Security EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw EP200 Zero Touch Prod, Security Rings, and Foundational Services: How Google Does Workload Security EP140 System Hardening at Google Scale: New Challenges, New Solutions Threat Modeling manifesto EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use Awesome Threat Modeling Adam Shostack “Threat Modeling: Designing for Security” book Ross Anderson “Security Engineering” book ”How to Solve It” book
Software Engineering Radio - The Podcast for Professional Software Developers
Tanya Janca, author of Alice and Bob Learn Secure Coding, discusses secure coding and secure software development life cycle with SE Radio host Brijesh Ammanath. This session explores how integrating security into every phase of the SDLC helps prevent vulnerabilities from slipping into production. Tanya strongly recommends defining security requirements early, and discusses the importance of threat modeling during design, secure coding practices, testing strategies such as static, dynamic, and interactive application security testing (SAST, DAST and IAST), and the need for continuous monitoring and improvement after deployment. This episode is sponsored by Codegate.ai
Organizations build and deploy applications at an unprecedented pace, but security is often an afterthought. This episode of ITSPmagazine's Brand Story features Jim Manico, founder of Manicode Security, in conversation with hosts Sean Martin and Marco Ciappelli. The discussion explores the current state of application security, the importance of developer training, and how organizations can integrate security from the ground up to drive better business outcomes.The Foundation of Secure DevelopmentJim Manico has spent decades helping engineers and architects understand and implement secure coding practices. His work with the Open Web Application Security Project (OWASP), including contributions to the OWASP Top 10 and the OWASP Cheat Sheet Series, has influenced how security is approached in software development. He emphasizes that security should not be an afterthought but a fundamental part of the development process.He highlights OWASP's role in providing documentation, security tools, and standards like the Application Security Verification Standard (ASVS), which is now in its 5.0 release. These resources help organizations build secure applications, but Manico points out that simply having the guidance available isn't enough—engineers need the right training to apply security principles effectively.Why Training MattersManico has trained thousands of engineers worldwide and sees firsthand the impact of hands-on education. He explains that developers often lack formal security training, which leads to common mistakes such as insecure authentication, improper data handling, and vulnerabilities in third-party dependencies. His training programs focus on practical, real-world applications, allowing developers to immediately integrate security into their work.Security training also helps businesses beyond just compliance. While some companies initially engage in training to meet regulatory requirements, many realize the long-term value of security in reducing risk, improving product quality, and building customer trust. Manico shares an example of a startup that embedded security from the beginning, investing heavily in training early on. That approach helped differentiate them in the market and contributed to their success as a multi-billion-dollar company.The Role of AI and Continuous LearningManico acknowledges that the speed of technological change presents challenges for security training. Frameworks, programming languages, and attack techniques evolve constantly, requiring continuous learning. He has integrated AI tools into his training workflow to help answer complex questions, identify knowledge gaps, and refine content. AI serves as an augmentation tool, not a replacement, and he encourages developers to use it as an assistant to strengthen their understanding of security concepts.Security as a Business EnablerThe conversation reinforces that secure coding is not just about avoiding breaches—it is about building better software. Organizations that prioritize security early can reduce costs, improve reliability, and increase customer confidence. Manico's approach to education is about empowering developers to think beyond compliance and see security as a critical component of software quality and business success.For organizations looking to enhance their security posture, developer training is an investment that pays off. Manicode Security offers customized training programs to meet the specific needs of teams, covering topics from secure coding fundamentals to advanced application security techniques. To learn more or schedule a session, Jim Manico can be reached at Jim@manicode.com.Tune in to the full episode to hear more insights from Jim Manico on how security training is shaping the future of application security.Learn more about Manicode: https://itspm.ag/manicode-security-7q8iNote: This story contains promotional content. Learn more.Guest: Jim Manico, Founder and Secure Coding Educator at Manicode Security | On Linkedin: https://www.linkedin.com/in/jmanico/ResourcesDownload the Course Catalog: https://itspm.ag/manicode-x684Learn more and catch more stories from Manicode Security: https://www.itspmagazine.com/directory/manicode-securityAre you interested in telling your story?https://www.itspmagazine.com/telling-your-story
Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Show Notes: https://securityweekly.com/asw-320
Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Show Notes: https://securityweekly.com/asw-320
⬥GUEST⬥Jake Braun, Acting Principal Deputy National Cyber Director, The White House | On LinkedIn: https://www.linkedin.com/in/jake-braun-77372539/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin⬥EPISODE NOTES⬥Cybersecurity is often framed as a battle between attackers and defenders, but what happens when hackers take on a different role—one of informing policy, protecting critical infrastructure, and even saving lives? That's the focus of the latest Redefining Cybersecurity podcast episode, where host Sean Martin speaks with Jake Braun, former Acting Principal Deputy National Cyber Director at the White House and current Executive Director of the Cyber Policy Initiative at the University of Chicago.Braun discusses The Hackers' Almanack, a project developed in partnership with DEF CON and the Franklin Project to document key cybersecurity findings that policymakers, industry leaders, and technologists should be aware of. This initiative captures some of the most pressing security challenges emerging from DEF CON's research community and translates them into actionable insights that could drive meaningful policy change.DEF CON, The Hackers' Almanack, and the Franklin ProjectDEF CON, one of the world's largest hacker conferences, brings together tens of thousands of security researchers each year. While the event is known for its groundbreaking technical discoveries, Braun explains that too often, these findings fail to make their way into the hands of policymakers who need them most. That's why The Hackers' Almanack was created—to serve as a bridge between the security research community and decision-makers who shape regulations and national security strategies.This effort is an extension of the Franklin Project, named after Benjamin Franklin, who embodied the intersection of science and civics. The initiative includes not only The Hackers' Almanack but also a volunteer-driven cybersecurity support network for under-resourced water utilities, a critical infrastructure sector under increasing attack.Ransomware: Hackers Filling the Gaps Where Governments Have StruggledOne of the most striking sections of The Hackers' Almanack examines the state of ransomware. Despite significant government efforts to disrupt ransomware groups, attacks remain as damaging as ever. Braun highlights the work of security researcher Vangelis Stykas, who successfully infiltrated ransomware gangs—not to attack them, but to gather intelligence and warn potential victims before they were hit.While governments have long opposed private-sector hacking in retaliation against cybercriminals, Braun raises an important question: Should independent security researchers be allowed to operate in this space if they can help prevent attacks? This isn't just about hacktivism—it's about whether traditional methods of law enforcement and national security are enough to combat the ransomware crisis.AI Security: No Standards, No Rules, Just ChaosArtificial intelligence is dominating conversations in cybersecurity, but according to Braun, the industry still hasn't figured out how to secure AI effectively. DEF CON's AI Village, which has been studying AI security for years, made a bold statement: AI red teaming, as it exists today, lacks clear definitions and standards. Companies are selling AI security assessments with no universally accepted benchmarks, leaving buyers to wonder what they're really getting.Braun argues that industry leaders, academia, and government must quickly come together to define what AI security actually means. Are we testing AI applications? The algorithms? The data sets? Without clarity, AI red teaming risks becoming little more than a marketing term, rather than a meaningful security practice.Biohacking: The Blurry Line Between Innovation and BioterrorismPerhaps the most controversial section of The Hackers' Almanack explores biohacking and its potential risks. Researchers at the Four Thieves Vinegar Collective demonstrated how AI and 3D printing could allow individuals to manufacture vaccines and medical devices at home—at a fraction of the cost of commercial options. While this raises exciting possibilities for healthcare accessibility, it also raises serious regulatory and ethical concerns.Current laws classify unauthorized vaccine production as bioterrorism, but Braun questions whether that definition should evolve. If underserved communities have no access to life-saving treatments, should they be allowed to manufacture their own? And if so, how can regulators ensure safety without stifling innovation?A Call to ActionThe Hackers' Almanack isn't just a technical report—it's a call for governments, industry leaders, and the security community to rethink how we approach cybersecurity, technology policy, and even healthcare. Braun and his team at the Franklin Project are actively recruiting volunteers, particularly those with cybersecurity expertise, to help protect vulnerable infrastructure like water utilities.For policymakers, the message is clear: Pay attention to what the hacker community is discovering. These findings aren't theoretical—they impact national security, public safety, and technological advancement in ways that require immediate action.Want to learn more? Listen to the full episode and explore The Hackers' Almanack to see how cybersecurity research is shaping the future.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥The DEF CON 32 Hackers' Almanack: https://thehackersalmanack.com/defcon32-hackers-almanackDEF CON Franklin Project: https://defconfranklin.com/ | On LinkedIn: https://www.linkedin.com/company/def-con-franklin/DEF CON: https://defcon.org/Cyber Policy Initiative: https://harris.uchicago.edu/research-impact/initiatives-partnerships/cyber-policy-initiative⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity:
⬥GUEST⬥Jake Braun, Acting Principal Deputy National Cyber Director, The White House | On LinkedIn: https://www.linkedin.com/in/jake-braun-77372539/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin⬥EPISODE NOTES⬥Cybersecurity is often framed as a battle between attackers and defenders, but what happens when hackers take on a different role—one of informing policy, protecting critical infrastructure, and even saving lives? That's the focus of the latest Redefining Cybersecurity podcast episode, where host Sean Martin speaks with Jake Braun, former Acting Principal Deputy National Cyber Director at the White House and current Executive Director of the Cyber Policy Initiative at the University of Chicago.Braun discusses The Hackers' Almanack, a project developed in partnership with DEF CON and the Franklin Project to document key cybersecurity findings that policymakers, industry leaders, and technologists should be aware of. This initiative captures some of the most pressing security challenges emerging from DEF CON's research community and translates them into actionable insights that could drive meaningful policy change.DEF CON, The Hackers' Almanack, and the Franklin ProjectDEF CON, one of the world's largest hacker conferences, brings together tens of thousands of security researchers each year. While the event is known for its groundbreaking technical discoveries, Braun explains that too often, these findings fail to make their way into the hands of policymakers who need them most. That's why The Hackers' Almanack was created—to serve as a bridge between the security research community and decision-makers who shape regulations and national security strategies.This effort is an extension of the Franklin Project, named after Benjamin Franklin, who embodied the intersection of science and civics. The initiative includes not only The Hackers' Almanack but also a volunteer-driven cybersecurity support network for under-resourced water utilities, a critical infrastructure sector under increasing attack.Ransomware: Hackers Filling the Gaps Where Governments Have StruggledOne of the most striking sections of The Hackers' Almanack examines the state of ransomware. Despite significant government efforts to disrupt ransomware groups, attacks remain as damaging as ever. Braun highlights the work of security researcher Vangelis Stykas, who successfully infiltrated ransomware gangs—not to attack them, but to gather intelligence and warn potential victims before they were hit.While governments have long opposed private-sector hacking in retaliation against cybercriminals, Braun raises an important question: Should independent security researchers be allowed to operate in this space if they can help prevent attacks? This isn't just about hacktivism—it's about whether traditional methods of law enforcement and national security are enough to combat the ransomware crisis.AI Security: No Standards, No Rules, Just ChaosArtificial intelligence is dominating conversations in cybersecurity, but according to Braun, the industry still hasn't figured out how to secure AI effectively. DEF CON's AI Village, which has been studying AI security for years, made a bold statement: AI red teaming, as it exists today, lacks clear definitions and standards. Companies are selling AI security assessments with no universally accepted benchmarks, leaving buyers to wonder what they're really getting.Braun argues that industry leaders, academia, and government must quickly come together to define what AI security actually means. Are we testing AI applications? The algorithms? The data sets? Without clarity, AI red teaming risks becoming little more than a marketing term, rather than a meaningful security practice.Biohacking: The Blurry Line Between Innovation and BioterrorismPerhaps the most controversial section of The Hackers' Almanack explores biohacking and its potential risks. Researchers at the Four Thieves Vinegar Collective demonstrated how AI and 3D printing could allow individuals to manufacture vaccines and medical devices at home—at a fraction of the cost of commercial options. While this raises exciting possibilities for healthcare accessibility, it also raises serious regulatory and ethical concerns.Current laws classify unauthorized vaccine production as bioterrorism, but Braun questions whether that definition should evolve. If underserved communities have no access to life-saving treatments, should they be allowed to manufacture their own? And if so, how can regulators ensure safety without stifling innovation?A Call to ActionThe Hackers' Almanack isn't just a technical report—it's a call for governments, industry leaders, and the security community to rethink how we approach cybersecurity, technology policy, and even healthcare. Braun and his team at the Franklin Project are actively recruiting volunteers, particularly those with cybersecurity expertise, to help protect vulnerable infrastructure like water utilities.For policymakers, the message is clear: Pay attention to what the hacker community is discovering. These findings aren't theoretical—they impact national security, public safety, and technological advancement in ways that require immediate action.Want to learn more? Listen to the full episode and explore The Hackers' Almanack to see how cybersecurity research is shaping the future.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥The DEF CON 32 Hackers' Almanack: https://thehackersalmanack.com/defcon32-hackers-almanackDEF CON Franklin Project: https://defconfranklin.com/ | On LinkedIn: https://www.linkedin.com/company/def-con-franklin/DEF CON: https://defcon.org/Cyber Policy Initiative: https://harris.uchicago.edu/research-impact/initiatives-partnerships/cyber-policy-initiative⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity:
No episódio de hoje abordamos o tema Product Security, destacando sua importância no ciclo de vida do desenvolvimento de software e no impacto direto da segurança nos produtos finais. Discutimos como integrar a segurança de maneira eficiente desde o início do desenvolvimento, alinhando as equipes de segurança, desenvolvimento e operações para garantir que o produto não seja apenas funcional, mas também seguro. Falamos sobre as práticas essenciais para proteger produtos em todas as fases, desde a concepção até a produção, incluindo Threat Modeling, Testes de Segurança, Análise de Vulnerabilidades e Secure Coding. Destacamos também como a cultura de segurança deve ser incorporada dentro das equipes de desenvolvimento, com foco em automação de testes de segurança, uso de ferramentas de análise estática e dinâmica, e práticas de revisão de código. Além disso, exploramos o papel vital das equipes de DevSecOps em garantir que a segurança seja uma parte intrínseca do processo de desenvolvimento ágil, sem comprometer a entrega de valor. Através de exemplos práticos e estudos de caso, mostramos como a segurança de produtos pode prevenir falhas críticas e proteger a integridade dos usuários e dados. Se você está buscando entender como as equipes podem garantir a segurança de produtos de forma eficaz e sem comprometer a agilidade, este episódio oferece insights valiosos!
Episode 112: In this episode of Critical Thinking - Bug Bounty Podcast Joseph Thacker is joined by Ciarán Cotter (Monke) to share his bug hunting journey and give us the rundown on some recent client-side and server-side bugs. Then they discuss WebSockets, SaaS security, and cover some AI news including Grok 3, Nuclei -AI Flag, and some articles by Johann Rehberger.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today's Guest - Ciarán Cotterhttps://x.com/monkehack====== Resources ======Mstyhttps://msty.app/From Day Zero to Zero Dayhttps://nostarch.com/zero-dayNuclei - ai flaghttps://x.com/pdiscoveryio/status/1890082913900982763ChatGPT Operator: Prompt Injection Exploits & Defenseshttps://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocationhttps://embracethered.com/blog/posts/2025/gemini-memory-persistence-prompt-injection/====== Timestamps ======(00:00:00) Introduction(00:01:04) Bug Rundowns(00:13:05) Monke's Bug Bounty Background(00:20:03) Websocket Research(00:34:01) Connecting Hackers with Companies(00:34:56) Grok 3, Msty, From Day Zero to Zero Day(00:42:58) Full time Bug Bounty, SaaS security, and Threat Modeling while AFK(00:54:49) Nuclei - ai flag, ChatGPT Operator, and Hacking Gemini's Memory
In this episode, we dive into Apple's latest privacy retreat with the removal of Advanced Data Protection (ADP) for iCloud in the UK. We break down why Apple made this move, how ADP works, and what it means for users who care about encryption and data security. If you're in the UK and using Apple's ecosystem, this episode is a must-listen as I cover strategies to keep your data secure despite Apple's decision.In this week's episode:The UK's Investigatory Powers ActA technical breakdown of how iCloud ADP was supposed to protect user data.Alternatives to iCloud, including Nextcloud, GrapheneOS, and secure backups.Threat Modeling & The Privacy SpectrumListener Questions, addressing concerns about online privacy, social media exposure, and what to do when friends dismiss security risks.Show Links:Apple pulls data protection tool (BBC News) - https://www.bbc.com/news/articles/cgj54eq4vejoApple Intelligence - https://www.macrumors.com/2025/02/11/apple-intelligence-re-enabled-in-latest-updates/pfSense Guide - https://psysecure.com/complete-setup-guide-to-pfSenseNextcloud Guide - https://psysecure.com/self-hosting-nextlcoudMöbius Sync - https://mobiussync.com/Obsidian - https://obsidian.md/“The right to privacy is not merely a right to secrecy. It is a right to control information about oneself.”- AnonymousPodcast music: The R3cluse
⬥GUESTS⬥Sandy Dunn, Consultant Artificial Intelligence & Cybersecurity, Adjunct Professor Institute for Pervasive Security Boise State University | On Linkedin: https://www.linkedin.com/in/sandydunnciso/Rock Lambros, CEO and founder of RockCyber | On LinkedIn | https://www.linkedin.com/in/rocklambros/Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martinView This Show's Sponsors⬥EPISODE NOTES⬥The rise of large language models (LLMs) has reshaped industries, bringing both opportunities and risks. The latest OWASP Top 10 for LLMs aims to help organizations understand and mitigate these risks. In a recent episode of Redefining Cybersecurity, host Sean Martin sat down with Sandy Dunn and Rock Lambros to discuss the latest updates to this essential security framework.The OWASP Top 10 for LLMs: What It Is and Why It MattersOWASP has long been a trusted source for security best practices, and its LLM-specific Top 10 is designed to guide organizations in identifying and addressing key vulnerabilities in AI-driven applications. This initiative has rapidly gained traction, becoming a reference point for AI security governance, testing, and implementation. Organizations developing or integrating AI solutions are now evaluating their security posture against this list, ensuring safer deployment of LLM technologies.Key Updates for 2025The 2025 iteration of the OWASP Top 10 for LLMs introduces refinements and new focus areas based on industry feedback. Some categories have been consolidated for clarity, while new risks have been added to reflect emerging threats.• System Prompt Leakage (New) – Attackers may manipulate LLMs to extract system prompts, potentially revealing sensitive operational instructions and security mechanisms.• Vector and Embedding Risks (New) – Security concerns around vector databases and embeddings, which can lead to unauthorized data exposure or manipulation.Other notable changes include reordering certain risks based on real-world impact. Prompt Injection remains the top concern, while Sensitive Information Disclosure and Supply Chain Vulnerabilities have been elevated in priority.The Challenge of AI SecurityUnlike traditional software vulnerabilities, LLMs introduce non-deterministic behavior, making security testing more complex. Jailbreaking attacks—where adversaries bypass system safeguards through manipulative prompts—remain a persistent issue. Prompt injection attacks, where unauthorized instructions are inserted to manipulate output, are also difficult to fully eliminate.As Dunn explains, “There's no absolute fix. It's an architecture issue. Until we fundamentally redesign how we build LLMs, there will always be risk.”Beyond Compliance: A Holistic Approach to AI SecurityBoth Dunn and Lambros emphasize that organizations need to integrate AI security into their overall IT and cybersecurity strategy, rather than treating it as a separate issue. AI governance, supply chain integrity, and operational resilience must all be considered.Lambros highlights the importance of risk management over rigid compliance: “Organizations have to balance innovation with security. You don't have to lock everything down, but you need to understand where your vulnerabilities are and how they impact your business.”Real-World Impact and AdoptionThe OWASP Top 10 for LLMs has already been widely adopted, with companies incorporating it into their security frameworks. It has been translated into multiple languages and is serving as a global benchmark for AI security best practices.Additionally, initiatives like HackerPrompt 2.0 are helping security professionals stress-test AI models in real-world scenarios. OWASP is also facilitating industry collaboration through working groups on AI governance, threat intelligence, and agentic AI security.How to Get InvolvedFor those interested in contributing, OWASP provides open-access resources and welcomes participants to its AI security initiatives. Anyone can join the discussion, whether as an observer or an active contributor.As AI becomes more ingrained in business and society, frameworks like the OWASP Top 10 for LLMs are essential for guiding responsible innovation. To learn more, listen to the full episode and explore OWASP's latest AI security resources.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥OWASP GenAI: https://genai.owasp.org/Link to the 2025 version of the Top 10 for LLM Applications: https://genai.owasp.org/llm-top-10/Getting Involved: https://genai.owasp.org/contribute/OWASP LLM & Gen AI Security Summit at RSAC 2025: https://genai.owasp.org/event/rsa-conference-2025/AI Threat Mind Map: https://github.com/subzer0girl2/AI-Threat-Mind-MapGuide for Preparing and Responding to Deepfake Events: https://genai.owasp.org/resource/guide-for-preparing-and-responding-to-deepfake-events/AI Security Solution Cheat Sheet Q1-2025:https://genai.owasp.org/resource/ai-security-solution-cheat-sheet-q1-2025/HackAPrompt 2.0: https://www.hackaprompt.com/⬥ADDITIONAL INFORMATION⬥✨ To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist on YouTube:
⬥GUESTS⬥Sandy Dunn, Consultant Artificial Intelligence & Cybersecurity, Adjunct Professor Institute for Pervasive Security Boise State University | On Linkedin: https://www.linkedin.com/in/sandydunnciso/Rock Lambros, CEO and founder of RockCyber | On LinkedIn | https://www.linkedin.com/in/rocklambros/Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martinView This Show's Sponsors⬥EPISODE NOTES⬥The rise of large language models (LLMs) has reshaped industries, bringing both opportunities and risks. The latest OWASP Top 10 for LLMs aims to help organizations understand and mitigate these risks. In a recent episode of Redefining Cybersecurity, host Sean Martin sat down with Sandy Dunn and Rock Lambros to discuss the latest updates to this essential security framework.The OWASP Top 10 for LLMs: What It Is and Why It MattersOWASP has long been a trusted source for security best practices, and its LLM-specific Top 10 is designed to guide organizations in identifying and addressing key vulnerabilities in AI-driven applications. This initiative has rapidly gained traction, becoming a reference point for AI security governance, testing, and implementation. Organizations developing or integrating AI solutions are now evaluating their security posture against this list, ensuring safer deployment of LLM technologies.Key Updates for 2025The 2025 iteration of the OWASP Top 10 for LLMs introduces refinements and new focus areas based on industry feedback. Some categories have been consolidated for clarity, while new risks have been added to reflect emerging threats.• System Prompt Leakage (New) – Attackers may manipulate LLMs to extract system prompts, potentially revealing sensitive operational instructions and security mechanisms.• Vector and Embedding Risks (New) – Security concerns around vector databases and embeddings, which can lead to unauthorized data exposure or manipulation.Other notable changes include reordering certain risks based on real-world impact. Prompt Injection remains the top concern, while Sensitive Information Disclosure and Supply Chain Vulnerabilities have been elevated in priority.The Challenge of AI SecurityUnlike traditional software vulnerabilities, LLMs introduce non-deterministic behavior, making security testing more complex. Jailbreaking attacks—where adversaries bypass system safeguards through manipulative prompts—remain a persistent issue. Prompt injection attacks, where unauthorized instructions are inserted to manipulate output, are also difficult to fully eliminate.As Dunn explains, “There's no absolute fix. It's an architecture issue. Until we fundamentally redesign how we build LLMs, there will always be risk.”Beyond Compliance: A Holistic Approach to AI SecurityBoth Dunn and Lambros emphasize that organizations need to integrate AI security into their overall IT and cybersecurity strategy, rather than treating it as a separate issue. AI governance, supply chain integrity, and operational resilience must all be considered.Lambros highlights the importance of risk management over rigid compliance: “Organizations have to balance innovation with security. You don't have to lock everything down, but you need to understand where your vulnerabilities are and how they impact your business.”Real-World Impact and AdoptionThe OWASP Top 10 for LLMs has already been widely adopted, with companies incorporating it into their security frameworks. It has been translated into multiple languages and is serving as a global benchmark for AI security best practices.Additionally, initiatives like HackerPrompt 2.0 are helping security professionals stress-test AI models in real-world scenarios. OWASP is also facilitating industry collaboration through working groups on AI governance, threat intelligence, and agentic AI security.How to Get InvolvedFor those interested in contributing, OWASP provides open-access resources and welcomes participants to its AI security initiatives. Anyone can join the discussion, whether as an observer or an active contributor.As AI becomes more ingrained in business and society, frameworks like the OWASP Top 10 for LLMs are essential for guiding responsible innovation. To learn more, listen to the full episode and explore OWASP's latest AI security resources.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥OWASP GenAI: https://genai.owasp.org/Link to the 2025 version of the Top 10 for LLM Applications: https://genai.owasp.org/llm-top-10/Getting Involved: https://genai.owasp.org/contribute/OWASP LLM & Gen AI Security Summit at RSAC 2025: https://genai.owasp.org/event/rsa-conference-2025/AI Threat Mind Map: https://github.com/subzer0girl2/AI-Threat-Mind-MapGuide for Preparing and Responding to Deepfake Events: https://genai.owasp.org/resource/guide-for-preparing-and-responding-to-deepfake-events/AI Security Solution Cheat Sheet Q1-2025:https://genai.owasp.org/resource/ai-security-solution-cheat-sheet-q1-2025/HackAPrompt 2.0: https://www.hackaprompt.com/⬥ADDITIONAL INFORMATION⬥✨ To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcastRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist on YouTube:
Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-316
Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Show Notes: https://securityweekly.com/asw-316
Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-316
Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Show Notes: https://securityweekly.com/asw-316
In this conversation, Tanya Janca discusses the importance of secure coding in the cybersecurity landscape, sharing her journey and experiences as both a developer and educator. She emphasizes the need for software developers to understand security principles, the role of OWASP in providing resources, and the challenges of balancing user experience with security measures. Tanya also highlights the significance of validation in development and the implications of implied trust in cybersecurity practices.
Software Engineering Radio - The Podcast for Professional Software Developers
Matthew Adams, Head of Security Enablement at Citi, joins SE Radio host Priyanka Raghavan to explore the use of large language models in threat modeling, with a special focus on Matthew's work, Stride GPT. The episode kicks off with an overview of threat modeling, its applications, and the stages of the development life cycle where it fits in. They then discuss the STRIDE methodology and strideGPT, highlighting practical examples, the technology stack behind the application, and the tool's inputs and outputs. The show concludes with tips and tricks for optimizing tool outputs and advice on other open source projects that utilize generative AI to bolster cybersecurity defenses. Brought to you by IEEE Computer Society and IEEE Software magazine.
Brett Crawley discusses the Elevation of Privilege (EoP) card game, a powerful tool for threat modeling in software development. The discussion explores recent extensions to the game including privacy-focused suits and TRIM (Transfer, Retention/Removal, Inference, Minimization) categories. Crawley emphasizes that threat modeling shouldn't end with the game but should be an ongoing process throughout an application's lifecycle, ideally starting before implementation. He also shares insights from his book, which provides detailed examples and guidance for teams new to threat modeling using EoP.You can find Brett on X @brettcrawleyBrett's book: Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architectureBook recommendation:Conscious Business by Fred KofmanFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Episode 99: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Roni dissect an old thread of Justin's talking about how best to start bug bounty with the goal of making $100k in the first year.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - AssetNote: Check out their ASMR board (no not that kind!)https://assetnote.io/asmrToday's Guest - https://x.com/0xLupinResourcesJustin's Twitter Threadhttps://x.com/Rhynorater/status/1699395452481769867Timestamps(00:00:00) Introduction(00:03:00) Web Fundamentals Education(00:46:01) Threat Modeling and Hacking Goals(01:18:58) Vuln Types and finding Specialization
Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from Portswigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - ThreatLocker: Check out Network Control!https://www.criticalthinkingpodcast.io/tl-ncResourcesOkta bcryptAndroid Web Attack Surface WriteupsConcealing payloads in URL credentialsDumping PHP files with LightyearLimit maximum number of filter chainsDom-Explorer tool launchedMultiHTMLParseJSON CrackCaido/Burp notes pluginTimestamps(00:00:00) Introduction(00:02:43) Okta Release and bcrypt(00:10:26) Android Web Attack Surface Writeups(00:20:21) More Portswigger Research(00:28:29) Lightyear and PHP filter chains(00:35:09) Dom-Explorer(00:45:24) The JSON Debate(00:49:59) Notes plugin for Burp and Caido
Q&A202: How can people better understand threat modeling? What are security concerns for custom Android ROMs? What are our favorite episodes of Darknet Diaries? Have we ever seen a website remove our 2FA without telling us? Join our next Q&A on Patreon: https://www.patreon.com/collection/415684?view=expanded or XMR Chat: https://xmrchat.com/surveillancepodWelcome to the Surveillance Report Q&A - featuring Techlore & The New Oil answering your questions about privacy and security.❤️ Support us on Patreon: https://www.patreon.com/surveillancepod
Can you pen test yourself? Paula Januszkiewicz says yes! Richard talks to Paula about taking an active role in understanding your organization's security vulnerabilities. Paula talks about the low-hanging fruit she often finds as a professional penetration tester - typically on poorly maintained infrastructure like PKI servers. The conversation digs into tooling you can use to find vulnerabilities - just make sure you trust the source of those tools. Not everyone is a good guy in open source! And, of course, there's always a time to bring in professionals to do a deeper level of testing. Don't wait until the breach happens to take some action!LinksCqurePenetration TestingGitHub Secrets ScanningHaveIBeenPwnedRecorded August 22, 2024
Software Engineering Radio - The Podcast for Professional Software Developers
Luis Rodríguez, CTO of Xygeni.io, joins host Robert Blumen for a discussion of the recently thwarted attempt to insert a backdoor in the SSH (Secure Shell) daemon. OpenSSH is a popular implementation of the protocol used in major Linux distributions for authentication over a network. Luis describes how a backdoor in a supporting library was recently discovered and removed before the package was published to stable releases of the Linux distros. The conversation explores the mechanism of the attack through modifying a function table in the runtime; how the attack was inserted during the build; how the attack was carefully staged in a series of modifications to the lz compression library; the nature of “Jia Tan,” the entity who committed the changes to the open source project; social engineering that the entity used to gain the trust of the open source community; what forensics indicates about the location of the entity; hypotheses about whether criminal or state actors backed the entity; how the attack was detected; implications for other open source projects; why traditional methods for detecting exploits would not have helped find this; and lessons learned by the community. Brought to you by IEEE Computer Society and IEEE Software magazine.
If you have questions at the intersection of Cybersecurity and AI, you need to know Donato at WithSecure! Donato has been threat modeling AI applications and seriously applying those models in his day-to-day work. He joins us in this episode to discuss his LLM application security canvas, prompt injections, alignment, and more.
If you have questions at the intersection of Cybersecurity and AI, you need to know Donato at WithSecure! Donato has been threat modeling AI applications and seriously applying those models in his day-to-day work. He joins us in this episode to discuss his LLM application security canvas, prompt injections, alignment, and more.
“Even though usability and security tradeoffs will always be with us, we can get much smarter. Some of the techniques are really simple. For one, write everything down a user needs to do in order to use your app securely. Yeah, keep writing.”In this episode, we talk about:What is threat modeling and why should product teams and UX designers care about it? (Also check out Adam's first episode on Human-Centered Security).Focus on parts of the user journey where you might gain or lose customers: what tradeoffs between usability and security are you making here?Involve a cross-disciplinary team from the very beginning. This is critiical: “How do we get focused on the parts of the problem that matter so we don't spend forever on the wrong stuff?”Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn From Star Wars. Adam's YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.
This episode of Windows Weekly has Paul, Richard, and Leo chatting about everything from Microsoft Recall's upcoming availability to AMD's move to acquire ZT Systems. Paul reviews a new Meteor Lake-equipped laptop from HP, and Leo shows off his Diablo skills on iPad. The group also takes a look at gamescom news, including a trailer for Indiana Jones and the Great Circle (which has a release date!) and an awesome Xbox Adaptive Joystick for accessibility. Windows 11 Recall will ship with Windows 11 24H2 in preview in October Canary (last week) - New Sandbox, FAT32 improvements, more Dev and Beta - One new feature, one removed feature Lenovo revenues point to ongoing PC market rebound HP's efforts to overcome Meteor Lake problems are about as successful as they can be Microsoft 365 Unified Teams client is now available Supposedly Loop 2.0 is out and/or coming soon as well Proton shifts ownership to non-profit foundation AI/Hardware Paul: I will not pay for AI AMD tries to acquire its way into being an Nvidia competitor There's a cheaper new Raspberry 5 Antitrust Judge in Epic v. Google: Oh, Google is going to pay Dev Quick follow-up to last week's VS 2022 releases Microsoft didn't document an important change to how Windows 11 theming works in .NET 9 Preview, all hell broke loose Continued work on WPF app modernization—dialogs, custom title bar area—and a long chat with Rafael uncovers the serious problems remaining here Xbox Xbox Insiders can test Game Pass Standard for $1 Microsoft shows off lots of Xbox games and one PS5 game at gamescom Phil Spencer defends this strategy at the show Microsoft's Xbox Series X|S refreshes are available for preorder, ship in October Microsoft announces new Xbox accessibility accessories New Game Pass titles to include early access to COD: Black Ops 6 Nvidia GeForce Now adds auto sign in to Xbox Epic Games Store launches on Android and iOS It's not just regular laptops that are getting better at gaming: AAA mobile gaming is real New Atari 7800 Tips and Picks Tip of the week: Windows on Arm - Then and Now App pick of the week: Start11 RunAs Radio this week: Threat Modeling in the Cloud with Romina Druta & Daniela Cruzes Brown liquor pick of the week: Armorik Sherry Cask Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: canary.tools/twit - use code: TWIT 1password.com/windowsweekly bigid.com/windowsweekly betterhelp.com/WINDOWS
This episode of Windows Weekly has Paul, Richard, and Leo chatting about everything from Microsoft Recall's upcoming availability to AMD's move to acquire ZT Systems. Paul reviews a new Meteor Lake-equipped laptop from HP, and Leo shows off his Diablo skills on iPad. The group also takes a look at gamescom news, including a trailer for Indiana Jones and the Great Circle (which has a release date!) and an awesome Xbox Adaptive Joystick for accessibility. Windows 11 Recall will ship with Windows 11 24H2 in preview in October Canary (last week) - New Sandbox, FAT32 improvements, more Dev and Beta - One new feature, one removed feature Lenovo revenues point to ongoing PC market rebound HP's efforts to overcome Meteor Lake problems are about as successful as they can be Microsoft 365 Unified Teams client is now available Supposedly Loop 2.0 is out and/or coming soon as well Proton shifts ownership to non-profit foundation AI/Hardware Paul: I will not pay for AI AMD tries to acquire its way into being an Nvidia competitor There's a cheaper new Raspberry 5 Antitrust Judge in Epic v. Google: Oh, Google is going to pay Dev Quick follow-up to last week's VS 2022 releases Microsoft didn't document an important change to how Windows 11 theming works in .NET 9 Preview, all hell broke loose Continued work on WPF app modernization—dialogs, custom title bar area—and a long chat with Rafael uncovers the serious problems remaining here Xbox Xbox Insiders can test Game Pass Standard for $1 Microsoft shows off lots of Xbox games and one PS5 game at gamescom Phil Spencer defends this strategy at the show Microsoft's Xbox Series X|S refreshes are available for preorder, ship in October Microsoft announces new Xbox accessibility accessories New Game Pass titles to include early access to COD: Black Ops 6 Nvidia GeForce Now adds auto sign in to Xbox Epic Games Store launches on Android and iOS It's not just regular laptops that are getting better at gaming: AAA mobile gaming is real New Atari 7800 Tips and Picks Tip of the week: Windows on Arm - Then and Now App pick of the week: Start11 RunAs Radio this week: Threat Modeling in the Cloud with Romina Druta & Daniela Cruzes Brown liquor pick of the week: Armorik Sherry Cask Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: canary.tools/twit - use code: TWIT 1password.com/windowsweekly bigid.com/windowsweekly betterhelp.com/WINDOWS
This episode of Windows Weekly has Paul, Richard, and Leo chatting about everything from Microsoft Recall's upcoming availability to AMD's move to acquire ZT Systems. Paul reviews a new Meteor Lake-equipped laptop from HP, and Leo shows off his Diablo skills on iPad. The group also takes a look at gamescom news, including a trailer for Indiana Jones and the Great Circle (which has a release date!) and an awesome Xbox Adaptive Joystick for accessibility. Windows 11 Recall will ship with Windows 11 24H2 in preview in October Canary (last week) - New Sandbox, FAT32 improvements, more Dev and Beta - One new feature, one removed feature Lenovo revenues point to ongoing PC market rebound HP's efforts to overcome Meteor Lake problems are about as successful as they can be Microsoft 365 Unified Teams client is now available Supposedly Loop 2.0 is out and/or coming soon as well Proton shifts ownership to non-profit foundation AI/Hardware Paul: I will not pay for AI AMD tries to acquire its way into being an Nvidia competitor There's a cheaper new Raspberry 5 Antitrust Judge in Epic v. Google: Oh, Google is going to pay Dev Quick follow-up to last week's VS 2022 releases Microsoft didn't document an important change to how Windows 11 theming works in .NET 9 Preview, all hell broke loose Continued work on WPF app modernization—dialogs, custom title bar area—and a long chat with Rafael uncovers the serious problems remaining here Xbox Xbox Insiders can test Game Pass Standard for $1 Microsoft shows off lots of Xbox games and one PS5 game at gamescom Phil Spencer defends this strategy at the show Microsoft's Xbox Series X|S refreshes are available for preorder, ship in October Microsoft announces new Xbox accessibility accessories New Game Pass titles to include early access to COD: Black Ops 6 Nvidia GeForce Now adds auto sign in to Xbox Epic Games Store launches on Android and iOS It's not just regular laptops that are getting better at gaming: AAA mobile gaming is real New Atari 7800 Tips and Picks Tip of the week: Windows on Arm - Then and Now App pick of the week: Start11 RunAs Radio this week: Threat Modeling in the Cloud with Romina Druta & Daniela Cruzes Brown liquor pick of the week: Armorik Sherry Cask Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: canary.tools/twit - use code: TWIT 1password.com/windowsweekly bigid.com/windowsweekly betterhelp.com/WINDOWS
This episode of Windows Weekly has Paul, Richard, and Leo chatting about everything from Microsoft Recall's upcoming availability to AMD's move to acquire ZT Systems. Paul reviews a new Meteor Lake-equipped laptop from HP, and Leo shows off his Diablo skills on iPad. The group also takes a look at gamescom news, including a trailer for Indiana Jones and the Great Circle (which has a release date!) and an awesome Xbox Adaptive Joystick for accessibility. Windows 11 Recall will ship with Windows 11 24H2 in preview in October Canary (last week) - New Sandbox, FAT32 improvements, more Dev and Beta - One new feature, one removed feature Lenovo revenues point to ongoing PC market rebound HP's efforts to overcome Meteor Lake problems are about as successful as they can be Microsoft 365 Unified Teams client is now available Supposedly Loop 2.0 is out and/or coming soon as well Proton shifts ownership to non-profit foundation AI/Hardware Paul: I will not pay for AI AMD tries to acquire its way into being an Nvidia competitor There's a cheaper new Raspberry 5 Antitrust Judge in Epic v. Google: Oh, Google is going to pay Dev Quick follow-up to last week's VS 2022 releases Microsoft didn't document an important change to how Windows 11 theming works in .NET 9 Preview, all hell broke loose Continued work on WPF app modernization—dialogs, custom title bar area—and a long chat with Rafael uncovers the serious problems remaining here Xbox Xbox Insiders can test Game Pass Standard for $1 Microsoft shows off lots of Xbox games and one PS5 game at gamescom Phil Spencer defends this strategy at the show Microsoft's Xbox Series X|S refreshes are available for preorder, ship in October Microsoft announces new Xbox accessibility accessories New Game Pass titles to include early access to COD: Black Ops 6 Nvidia GeForce Now adds auto sign in to Xbox Epic Games Store launches on Android and iOS It's not just regular laptops that are getting better at gaming: AAA mobile gaming is real New Atari 7800 Tips and Picks Tip of the week: Windows on Arm - Then and Now App pick of the week: Start11 RunAs Radio this week: Threat Modeling in the Cloud with Romina Druta & Daniela Cruzes Brown liquor pick of the week: Armorik Sherry Cask Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: canary.tools/twit - use code: TWIT 1password.com/windowsweekly bigid.com/windowsweekly betterhelp.com/WINDOWS
What are the threats your cloud application and infrastructure are facing? While at NDC Oslo, Richard chatted with Daniela Cruzes and Romina Druta about their work building threat models for cloud-based applications. Daniela discusses how modeling helps to understand security concerns before applications are deployed and attacked - often, security retrofits are time-consuming and expensive, so thinking them through beforehand has enormous benefits. Romina dives into the supply chain side of threats - open-source libraries with backdoors, even down to development tools with malware. There are a lot of threats - but when you look, there are often great solutions as well. You'll need to collaborate with development to secure things, but security isn't optional and is worth fighting for.LinksCloud-Native Application Protection PlatformArgoVSCode Malicious Extention ThreatsRecorded June 12, 2024
This episode of Windows Weekly has Paul, Richard, and Leo chatting about everything from Microsoft Recall's upcoming availability to AMD's move to acquire ZT Systems. Paul reviews a new Meteor Lake-equipped laptop from HP, and Leo shows off his Diablo skills on iPad. The group also takes a look at gamescom news, including a trailer for Indiana Jones and the Great Circle (which has a release date!) and an awesome Xbox Adaptive Joystick for accessibility. Windows 11 Recall will ship with Windows 11 24H2 in preview in October Canary (last week) - New Sandbox, FAT32 improvements, more Dev and Beta - One new feature, one removed feature Lenovo revenues point to ongoing PC market rebound HP's efforts to overcome Meteor Lake problems are about as successful as they can be Microsoft 365 Unified Teams client is now available Supposedly Loop 2.0 is out and/or coming soon as well Proton shifts ownership to non-profit foundation AI/Hardware Paul: I will not pay for AI AMD tries to acquire its way into being an Nvidia competitor There's a cheaper new Raspberry 5 Antitrust Judge in Epic v. Google: Oh, Google is going to pay Dev Quick follow-up to last week's VS 2022 releases Microsoft didn't document an important change to how Windows 11 theming works in .NET 9 Preview, all hell broke loose Continued work on WPF app modernization—dialogs, custom title bar area—and a long chat with Rafael uncovers the serious problems remaining here Xbox Xbox Insiders can test Game Pass Standard for $1 Microsoft shows off lots of Xbox games and one PS5 game at gamescom Phil Spencer defends this strategy at the show Microsoft's Xbox Series X|S refreshes are available for preorder, ship in October Microsoft announces new Xbox accessibility accessories New Game Pass titles to include early access to COD: Black Ops 6 Nvidia GeForce Now adds auto sign in to Xbox Epic Games Store launches on Android and iOS It's not just regular laptops that are getting better at gaming: AAA mobile gaming is real New Atari 7800 Tips and Picks Tip of the week: Windows on Arm - Then and Now App pick of the week: Start11 RunAs Radio this week: Threat Modeling in the Cloud with Romina Druta & Daniela Cruzes Brown liquor pick of the week: Armorik Sherry Cask Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: canary.tools/twit - use code: TWIT 1password.com/windowsweekly bigid.com/windowsweekly betterhelp.com/WINDOWS
This episode of Windows Weekly has Paul, Richard, and Leo chatting about everything from Microsoft Recall's upcoming availability to AMD's move to acquire ZT Systems. Paul reviews a new Meteor Lake-equipped laptop from HP, and Leo shows off his Diablo skills on iPad. The group also takes a look at gamescom news, including a trailer for Indiana Jones and the Great Circle (which has a release date!) and an awesome Xbox Adaptive Joystick for accessibility. Windows 11 Recall will ship with Windows 11 24H2 in preview in October Canary (last week) - New Sandbox, FAT32 improvements, more Dev and Beta - One new feature, one removed feature Lenovo revenues point to ongoing PC market rebound HP's efforts to overcome Meteor Lake problems are about as successful as they can be Microsoft 365 Unified Teams client is now available Supposedly Loop 2.0 is out and/or coming soon as well Proton shifts ownership to non-profit foundation AI/Hardware Paul: I will not pay for AI AMD tries to acquire its way into being an Nvidia competitor There's a cheaper new Raspberry 5 Antitrust Judge in Epic v. Google: Oh, Google is going to pay Dev Quick follow-up to last week's VS 2022 releases Microsoft didn't document an important change to how Windows 11 theming works in .NET 9 Preview, all hell broke loose Continued work on WPF app modernization—dialogs, custom title bar area—and a long chat with Rafael uncovers the serious problems remaining here Xbox Xbox Insiders can test Game Pass Standard for $1 Microsoft shows off lots of Xbox games and one PS5 game at gamescom Phil Spencer defends this strategy at the show Microsoft's Xbox Series X|S refreshes are available for preorder, ship in October Microsoft announces new Xbox accessibility accessories New Game Pass titles to include early access to COD: Black Ops 6 Nvidia GeForce Now adds auto sign in to Xbox Epic Games Store launches on Android and iOS It's not just regular laptops that are getting better at gaming: AAA mobile gaming is real New Atari 7800 Tips and Picks Tip of the week: Windows on Arm - Then and Now App pick of the week: Start11 RunAs Radio this week: Threat Modeling in the Cloud with Romina Druta & Daniela Cruzes Brown liquor pick of the week: Armorik Sherry Cask Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: canary.tools/twit - use code: TWIT 1password.com/windowsweekly bigid.com/windowsweekly betterhelp.com/WINDOWS
In this episode of the Threat Modeling Podcast, host Chris Romeo takes listeners on a journey through the intricate world of threat modeling. Joined by senior security consultant Gavin Klondike, the episode delves into Gavin's experiences and insights into threat modeling, particularly in the context of artificial intelligence and machine learning. Gavin shares a detailed case study, discussing methodologies, strengths, weaknesses, and the importance of holistic threat modeling processes. The conversation also highlights the challenges posed by large language models (LLMs), and Gavin provides a comprehensive threat model for LLM applications, exploring various vulnerabilities and mitigations. Links for this episode:The Threat Modeling blog post discussed during the episode.danielmiessler.comembracethered.comaivillage.orgllmtop10.comWelcome to Smart Threat Modeling. Devici makes threat modeling simple, actionable, and scalable. Identify and deal with threats faster than ever. Build three free models and collaborate with up to ten people in our Free Forever plan. Get started at devici.com and threat model for free! Smart threat modeling for development teams.
Guest: Dr. Kostas Papapanagiotou, Advisory Services Director, Census S.A.On LinkedIn | https://www.linkedin.com/in/kpapapan/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesCybersecurity practices for medical devices are crucial, touching on compliance, patient safety, and the rigorous demands of various sectors such as automotive and financial services. In an insightful conversation between Sean Martin, host of the Redefining CyberSecurity Podcast, and Kostas Papapanagiotou, leader of the advisory service division at Census, several key takeaways emerge. Kostas, who has over 20 years of experience in cybersecurity and application security, underscores the complexity of medical devices.No longer confined to standalone units, modern medical devices may encompass hardware components, software, connectivity to hospital networks or cloud services, and more. Thus, they require a comprehensive security approach.Kostas notes that the FDA views these devices holistically, requiring all components to be evaluated for security risks. One of the most significant points highlighted is the concept of shared responsibility. According to Kostas, it is essential for medical device manufacturers to consider how their products integrate with existing hospital networks and what security measures are necessary to protect patient information. This extends to issuing guidelines and documentation for secure network integration, an effort that underscores the necessity of thorough and clear documentation in maintaining cybersecurity standards.Furthermore, Kostas points out that regulations like the FDA's post-market plan necessitate that manufacturers prepare for the entire lifecycle of a device, including potential vulnerabilities that may arise years after deployment. He shares real-world examples, such as the challenge of outdated Android versions in medical devices, which can no longer receive security updates and thus present vulnerabilities. In addition to compliance, the podcast discusses the shift left security paradigm, which emphasizes integrating security measures early in the software development lifecycle to prevent costly and challenging fixes later.Kostas advocates for proactive threat modeling as a tool to foresee potential risks and implement security controls right from the design phase. This approach aligns with the FDA's emphasis on mitigating patient harm as the ultimate priority.The conversation also touches on how these rigorous requirements from the medical device sector can inform cybersecurity practices in other critical areas like automotive manufacturing. Kostas remarks that the automotive industry is yet to reach the maturity seen in medical device regulations, often grappling with interoperability and supply chain complexities.This podcast episode offers vital insights and actionable advice for cybersecurity professionals and organizations involved with critical, life-impacting technologies. Engaging discussions such as these underline the importance of regulatory compliance, thorough documentation, and proactive security measures in safeguarding both technology and human lives.___________________________SponsorsImperva: https://itspm.ag/imperva277117988LevelBlue: https://itspm.ag/attcybersecurity-3jdk3___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
Guest: Dr. Kostas Papapanagiotou, Advisory Services Director, Census S.A.On LinkedIn | https://www.linkedin.com/in/kpapapan/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesCybersecurity practices for medical devices are crucial, touching on compliance, patient safety, and the rigorous demands of various sectors such as automotive and financial services. In an insightful conversation between Sean Martin, host of the Redefining CyberSecurity Podcast, and Kostas Papapanagiotou, leader of the advisory service division at Census, several key takeaways emerge. Kostas, who has over 20 years of experience in cybersecurity and application security, underscores the complexity of medical devices.No longer confined to standalone units, modern medical devices may encompass hardware components, software, connectivity to hospital networks or cloud services, and more. Thus, they require a comprehensive security approach.Kostas notes that the FDA views these devices holistically, requiring all components to be evaluated for security risks. One of the most significant points highlighted is the concept of shared responsibility. According to Kostas, it is essential for medical device manufacturers to consider how their products integrate with existing hospital networks and what security measures are necessary to protect patient information. This extends to issuing guidelines and documentation for secure network integration, an effort that underscores the necessity of thorough and clear documentation in maintaining cybersecurity standards.Furthermore, Kostas points out that regulations like the FDA's post-market plan necessitate that manufacturers prepare for the entire lifecycle of a device, including potential vulnerabilities that may arise years after deployment. He shares real-world examples, such as the challenge of outdated Android versions in medical devices, which can no longer receive security updates and thus present vulnerabilities. In addition to compliance, the podcast discusses the shift left security paradigm, which emphasizes integrating security measures early in the software development lifecycle to prevent costly and challenging fixes later.Kostas advocates for proactive threat modeling as a tool to foresee potential risks and implement security controls right from the design phase. This approach aligns with the FDA's emphasis on mitigating patient harm as the ultimate priority.The conversation also touches on how these rigorous requirements from the medical device sector can inform cybersecurity practices in other critical areas like automotive manufacturing. Kostas remarks that the automotive industry is yet to reach the maturity seen in medical device regulations, often grappling with interoperability and supply chain complexities.This podcast episode offers vital insights and actionable advice for cybersecurity professionals and organizations involved with critical, life-impacting technologies. Engaging discussions such as these underline the importance of regulatory compliance, thorough documentation, and proactive security measures in safeguarding both technology and human lives.___________________________SponsorsImperva: https://itspm.ag/imperva277117988LevelBlue: https://itspm.ag/attcybersecurity-3jdk3___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
August in Vegas brings intense (but dry) heat and the annual Summer Hacker Camp of events. Arguably, the most fun and intriguing of the bunch is DEF CON (August 8-11, 2024), the world's leading hacking conference, 32 years strong. The show features the third year of the Quantum Village. And for the second year in a row, host Konstantinos Karagiannis will be speaking. Join him for a chat with Mark Carney and Victoria Kumaran to learn how you can get hands-on experience with quantum computing and related security tech and techniques at the show. For more on DEF CON, visit https://defcon.org/index.html. For more on Quantum Village, visit https://quantumvillage.org/. Visit Protiviti at www.protiviti.com/US-en/technology-consulting/quantum-computing-services to learn more about how Protiviti is helping organizations get post-quantum ready. Follow host Konstantinos Karagiannis on Twitter and Instagram: @KonstantHacker and follow Protiviti Technology on LinkedIn and Twitter: @ProtivitiTech. Questions and comments are welcome! Theme song by David Schwartz, copyright 2021. The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by, Protiviti Inc., The Post-Quantum World, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered investment advice, as an offer or solicitation of an offer to buy or sell, or as an endorsement of any company, security, fund, or other securities or non-securities offering. Thanks for listening to this podcast. Protiviti Inc. is an equal opportunity employer, including minorities, females, people with disabilities, and veterans.
Guests: Kim Wuyts, Manager Cyber & Privacy, PwC Belgium [@PwC_Belgium]On LinkedIn | https://www.linkedin.com/in/kwuyts/On Twitter | https://twitter.com/WuytskiOn Mastodon | https://mastodon.social/@kimwAvi Douglen, CEO / Board of Directors, Bounce Security & OWASPOn LinkedIn | https://www.linkedin.com/in/avidouglen/On Twitter | https://twitter.com/sec_tigger____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this episode of On Location with Sean and Marco, host Sean Martin offers a deep dive into the OWASP AppSec Lisbon event, engaging in a meaningful conversation with Kim Wuyts and Avi Douglen. Sean starts by setting the stage for an insightful discussion focused on privacy, security, and the integration of both in modern application development.Kim Wuyts, a Cyber and Privacy Manager at PwC Belgium, shares her journey from a security researcher to a privacy engineering expert, emphasizing the importance of privacy threat modeling and the intricate balance between security and privacy. She explains how privacy not only strengthens security but also involves complex considerations like legal, ethical, and technological aspects. Kim highlights the need for companies to adopt privacy by design, ensuring data is used with care and transparency, rather than merely being collected and stored.Avi Douglen, Lead Consultant at Bounce Security, brings his experience in threat modeling to the conversation, recounting his learning curve in understanding the depths of privacy beyond mere confidentiality. He speaks about the importance of educating security engineers on privacy considerations and using value-driven security to protect stakeholders' interests. Avi stresses that privacy and security should be integrated from the beginning of the application development process to avoid clashes and ensure robust, privacy-respecting systems.Throughout the discussion, the guests delve into various privacy engineering practices, including data minimization, the handling of meta-information, and the potential conflicts between security requirements and privacy needs. They touch on real-world scenarios where privacy can enhance overall security posture and how privacy engineering aligns with compliance requirements such as GDPR.Sean, Kim, and Avi also explore the concept of architectural data mapping and selecting the right components for privacy. They discuss the evolving skill set required for privacy engineering and how integrating privacy with existing security practices can add significant value to any organization.The episode concludes with a look at the upcoming training session at the OWASP AppSec event in Lisbon, emphasizing the need for a diverse audience, including security engineers, privacy professionals, and developers. This session aims to foster a collaborative environment where participants can expand their knowledge and apply practical privacy by design principles in their work.Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________Follow our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugalOn YouTube:
In this podcast episode, Nandita Rao Narla explores the reasons why privacy threat modeling programs often fail, such as being expensive with a lot of friction in the development lifecycle, misalignment with organizational strategies focused on compliance rather than risk, and difficulty demonstrating a clear return on investment. Nandita highlights some successful strategies, including leveraging existing security threat modeling resources, simplifying the approach for better adoption like Adam Shostack's four-question framework, aligning with organizational values and culture, and encouraging a mindset of considering what could go wrong. The role of tooling in privacy threat modeling is discussed, with most organizations currently not using many dedicated tools beyond data mapping and asset discovery, while larger companies with mature programs may utilize more advanced tooling. Ultimately, privacy threat modeling represents the next frontier, with a strong privacy program partnering with security threat modeling being the next generation approach.Welcome to Smart Threat Modeling. Devici makes threat modeling simple, actionable, and scalable. Identify and deal with threats faster than ever. Build three free models and collaborate with up to ten people in our Free Forever plan. Get started at devici.com and threat model for free! Smart threat modeling for development teams.
This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats. Resources: Here's the Inherent Threats Whitepaper Adam's book, Threat Modeling: Designing for Security Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars We mention the Okta Breach - here's my writeup on it We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here Show Notes: https://securityweekly.com/esw-359
Guest: Paul McCarty, Software Supply Chain Red Team, GitLab [@gitlab]On LinkedIn | https://www.linkedin.com/in/mccartypaul/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesIn this episode of the Redefining Cybersecurity Podcast, host Sean Martin engages in a detailed discussion with Paul McCarty on the intricate web of software supply chain security. McCarty, formerly of SecureStack and now with GitLab, shares his panoramic view on the evolving complexity of application environments and the pivotal role they play in today's digital infrastructure. The conversation pivots around the increasingly multifaceted nature of the software supply chain, highlighted by McCarty's work on an open-source project aimed at mapping out these complexities visually.Throughout the episode, Martin and McCarty explore the notion of red teaming within the context of the software supply chain. McCarty elucidates the concept of red teaming as an essential exercise in identifying and addressing security vulnerabilities, emphasizing its transition from traditional methods to a more nuanced approach tailored to the software supply chain's intricate demands.A significant part of their discussion is dedicated to exploring the ten stages of the software supply chain, as identified by McCarty. This segment sheds light on the broad spectrum of components involved, from the developers and their tools to the deployment environments and the underpinning hardware. The dialogue also touches on critical aspects such as the role of containers across various stages and the potential security implications presented by third-party services and cloud components.The episode wraps up with insights into the shared responsibility model in cloud services, debunking misconceptions about security in the cloud. McCarty stresses the importance of recognizing the extensive attack surface introduced by widespread reliance on public cloud services and the need for a continuous red teaming approach to address these challenges effectively.Listeners are offered a comprehensive overview of the critical factors contributing to software supply chain security, emphasizing the need for a broader understanding and proactive measures to mitigate risks in this increasingly complex domain.Key Questions AddressedWhat does red teaming the software supply chain mean and why is it important?How has the complexity of software supply chains evolved, and what are the implications for cybersecurity?What role do containers play across different stages of the software supply chain, and how do they impact security?___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words, "tame the threats to the threat modeling process." They explore the role of threat modeling in software development, emphasizing the dire consequences of overlooking this crucial process. They discuss why threat modeling serves as a cornerstone for security, and why Hendrik stresses the importance of adopting a process that is effective, efficient, and satisfying. If you care about secure software, you will want to listen in as Hendrik emphasizes why the approach to threat modeling, as well as the process itself, is so critical to success in security.Links:=> Hendrik Ewerlin: https://hendrik.ewerlin.com/security/=> Threat Modeling of Threat Modeling: https://threat-modeling.net/threat-modeling-of-threat-modeling/Recommended Reading:=> Steal Like An Artist and other books by Austin Kleon https://austinkleon.com/books/FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Do you need an essential guide for Threat Modeling your Cloud Environment, then this episode is definitely for you. Ashish sat down with Tyson Garrett from TrustOnCloud. We explore why and how organizations should approach threat modeling in cloud to enhance their security posture. Tyson and Ashish go through the practical steps required for effective threat modeling, including identifying and prioritizing threats, and the continuous adaptation required to address the dynamic nature of cloud services. Guest Socials: Tyson Garrett Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (02:50) A bit about Tyson Garrett (04:27) What is Threat Modeling in Cloud? (06:29) Threat Modeling the right way in the Cloud (08:23) Threat Modeling in Cloud vs On Prem (11:05) Examples of Threat Modeling (13:41) Threat Modeling AI Services from Cloud Providers (21:58) Including Threat Modeling in Security Programs (25:09) Threat Modeling Cloud at Scale (28:08) Different Approaches for Threat Modeling (30:21) Challenges with Threat Modeling in Cloud (33:42) Best Practices for Threat Modeling in Cloud (39:59) Showing ROI on Threat Modeling (42:57) Maturity Levels of Threat Modeling (45:21) Starting point for learning about Threat Models (46:12) The Fun Questions (48:41) Where can you connect with Tyson Resources spoken about during the episode TrustOnCloud has kindly offered a Free ThreatModel of your choice to our listeners - you can register here to pick yours
Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. The discussion also provides a series of fascinating insights into security practices, regulatory environments, and the value of a threat modeling champion. As a threat modeling practitioner, Jason provides an essential perspective to anyone serious about application security.FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on Dec 13, 2022. Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck. What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models. Segment Resources: - Original blog: https://segment.com/blog/redefining-threat-modeling/ - Open Sourced slides: https://github.com/segmentio/threat-modeling-training Show Notes: https://securityweekly.com/vault-asw-8