The Security Table (Izar Tarandach, Matt Coles, and Chris Romeo)
Explorez tous les épisodes de The Security Table
| Date | Titre | Durée | |
|---|---|---|---|
| 11 Dec 2022 | Security tools and the companies that make them | 00:52:59 | |
In the inaugural episode of the Security Table, the gang discusses Mark Curphey's article, "A Security Tools Crash Is Coming." We consider the four conditions Mark describes, and then we riff on what it means for the security world in 2023. We also uncover several debates that will resurface in upcoming episodes, such as SBOM: what is it really for? FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 16 Dec 2022 | Should security give up on developers? | 00:48:49 | |
The gang discusses whether security should or could give up on developers. We explore what the development world would look like if security did all the security, and the developer's responsibility ended when they committed a PR. Conclusions are eventually reached. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 02 Jan 2023 | Software bill of materials -- what is it good for? | 00:52:45 | |
The gang considers the software bill of materials (SBOM) approach and asks hard questions about what SBOM is for and whether it improves security. Note the gang believes in SBOM. We ask the hard questions to help us all expand our minds and truly understand the value propositions. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 14 Jan 2023 | Lastpass and the Security of Security Products | 00:59:32 | |
The gang discusses the Lastpass breach and the need for the security of utility-style security providers. We discuss Lastpass from a different angle - the responsibility of "hard security" providers. Lastpass is as "hard security" service as it can be - are security people taking things as seriously as they should? Are we too "here's your two months of credit policing, thank you very much" accommodated? We explore and reach some conclusions. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 07 Feb 2023 | Security talent shortage — fact or fiction | 00:42:23 | |
The gang considers whether the security talent shortage is fact or fiction. We've all hired people for security roles at different places and have heard about this "shortage" for years. We discuss the role of the business in building strong apprenticeship programs and the efforts of academia to prepare people for these roles. We don't resolve everything that needs resolution, so we'll be back with part two next week on this same topic.
FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 14 Feb 2023 | Security talent conclusion, from the candidates viewpoint | 00:40:46 | |
The gang continues our discussion and debate around the security talent shortage. We consider the issue from the candidate's viewpoint this time, thinking about all the different things candidates have to deal with in being hired, from years of experience, certification, and depth of the interview process. We try to draw some actionable conclusions for hiring managers because, without action, we are just part of the problem. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 27 Feb 2023 | Acronyms, Abbreviations, and a slide into Application Security | 00:41:03 | |
Matt, Izar, and Chris started the conversation by discussing all the acronyms and abbreviations we use in security and then morphed into a discussion of what application security is. While they only scratched the surface of what application security is, this episode will make you think about all the acronyms we use in our industry and how they are received by those that are new and outsiders. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 05 Mar 2023 | Application Security, Product Security, and what do we call this thing we do | 00:51:27 | |
The gang is back to debate and discuss the definition of application security. We start by figuring out what an application is and then layer security on top of it. We branched into how product security fits against application security and eventually concluded that system security is all-encompassing, but it's an old term. We also learn that Izar is uncomfortable speaking about cybersecurity at cocktail parties. Enjoy! FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 13 Mar 2023 | The US National Cybersecurity Strategy - Introduction - Part One | 00:46:07 | |
The United States released a new National Cybersecurity Strategy. The gang gathers to discuss the new strategy and look at it from a practitioner's perspective. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 20 Mar 2023 | The US National Cybersecurity Strategy -- Pillars One and Two | 01:10:32 | |
The Security Table gang continues our discussion about the United States National Cybersecurity Strategy, released in 2023. We cover pillars one and two, defend critical infrastructure, and disrupt and dismantle threat actors. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 03 Apr 2023 | A Convergence of AI in the World of Cybersecurity | 00:46:00 | |
Izar, Matt, and Chris scour the Interwebs for an article to discuss, only to find that each person has chosen an article related to the convergence of AI and cybersecurity. We discuss whether ChatGPT can replace humans with threat modeling, Microsoft's Security Copilot, and the open letter to freeze AI development for six months. AI is the future, and it will significantly impact the security professional's role. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 27 Apr 2023 | The Final Take on the National Cybersecurity Strategy: Software Liability And Privacy | 00:52:01 | |
Chris Romeo, Izar Tarandach, and Matt Coles discuss the national cybersecurity strategy, focusing on pillar three, which aims to shape market forces to drive security and resilience. They explore the idea of liability and the goal of shifting the consequences of poor cybersecurity away from the most vulnerable. The trio also considers the influence of GDPR and its impact on the US, comparing it to the European Union's experience. The podcast hosts discuss the need for better security in IoT devices and the potential impact of the policy on the rest of the world, including China. In addition, they express concern about the potential for a tedious and complex liability process similar to the medical industry, which may not ultimately benefit users. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 04 May 2023 | Reasonable Software Security: Do We Really Need DAST? | 00:36:55 | |
In this episode of the Security Table, the gang discusses reasonable software security. They explore whether current application security tooling, such as dynamic application security testing (DAST), provides a decent return on investment. The group acknowledges that the value of security tools depends on the organization's context and specific needs. They also touch on the importance of understanding a company's risk appetite and how this can inform what is considered reasonable security. The conversation concludes with the idea that reasonable security is not constant but a function with various arguments. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 19 May 2023 | Simple Product Security Requirements | 00:38:05 | |
Matt, Izar, and Chris discuss the United Kingdom's new minimum security standards for all Internet-connected consumer products. They highlight three key aspects of these new standards: FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 27 May 2023 | Capture the Flag or NOT? | 00:41:22 | |
There is an overemphasis on Capture The Flag in the security world. Instead, the industry should focus more on the 'builder' perspective to develop robust systems rather than the 'breaker' mindset typically associated with penetration testing and CTF competitions. In addition, we must shift the industry's reward and recognition structures to incentivize building secure-by-design systems. Red teaming is not just about penetration testing but also about testing the operations of the people who manage defenses. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 05 Jun 2023 | Security Guardrails and Paved Roads | 00:42:36 | |
Guard rails and paved roads -- how do they fit together in application security? Guardrails are security tools in the pipeline that help ensure the software doesn't drift too far from established standards. These guardrails allow developers to maintain their creativity and flexibility while building features that ultimately go to the customer. Paved roads are platforms that developers can build on top of without having to worry about aspects like identity and access management. Paved roads and guardrails funnel developer activity without breaking their freedom to do what they need to do FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 12 Jun 2023 | Privacy and the creepiness factor of collecting data | 00:47:30 | |
What is privacy, and how does it intersect with security? We are joined by our first guest, Ally O'Leary, a privacy compliance expert. Ally works for a consumer electronics company, ensuring compliance with global privacy laws and acting as a data protection officer. The episode delves into the intersection of privacy and security, with Ally explaining how these two areas often go hand in hand. She emphasizes the importance of understanding the definition of personal information and being aware of where such data is stored within a company's systems. A significant part of the discussion revolves around why security and privacy are two different functions within a company. Ally explains that privacy is a relatively new concept for most companies, often triggered by regulations like the GDPR. She also mentions that privacy often becomes part of the legal function due to the close work with attorneys to interpret laws. The conversation also touches on the challenges of data governance and the importance of proper data ownership on the business side. Ally highlights the need for regular reviews of data flows and audits to stay on top of data governance. Towards the end of the episode, Ally advises security professionals on when to involve privacy experts in their processes, especially during the development life cycle. She encourages security professionals to notify their privacy colleagues about any projects or initiatives that might impact systems containing personal data. Overall, the episode provides valuable insights into the world of privacy compliance, the relationship between privacy and security, and the role of data governance in protecting personal information. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 20 Jun 2023 | We Don't Know What We Don't Know | 00:22:30 | |
Certificate pinning is a security measure used in computer networking and something Chris candidly admits to his lack of understanding. Matt and Izar explain certificate pinning, a client-side operation that adds an extra layer of security to the Transport Layer Security (TLS) protocol and ensures that the client application checks the server's certificate against a known copy of that certificate. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 29 Jun 2023 | Lack of Reasonable, or Everything That Is Wrong with Security Requirements | 00:34:15 | |
How do you determine what constitutes "reasonable security" when evaluating vendors? Is “reasonable” a measure of compliance to a set standard? Is it reasonable to expect mature threat modeling practices? Some expectations are too high to be reasonable, but the minimum standard that both parties agree upon doesn’t seem like enough. Join the hosts of the Security Table as they discuss the importance of a reasonable security standard, one that both a vendor and the buyer can agree upon. Izar bemoans the vetting process for software vendors that can be overburdened with paperwork and checkboxes, but still lack confidence in a product’s security. Can we do better? He asks Matt and Chris what information or assurances vendors can reasonably provide to convince buyers that they truly understand and prioritize security. Chris proposes evaluating people, process, tools, and governance as a starting point. Matt raises concerns about needing to satisfy the concerns of the end customer and internal teams and leadership. Threat modeling is proposed as a basic starting point. But, is threat modeling just a bare minimum, or is it the reasonable standard both sides of the discussion can be happy with? The team discusses the importance of seeing the pipeline of any product being considered. What is reasonable? A threat model, documentation of that model, and an invitation to read and ask questions about the described process. The threat model needs to cover what and how software is built, as well as deployment into production. That is enough. That's reasonable. Is the team’s conclusion reasonable? Listen along, and watch for the upcoming discussion on LinkedIn. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 10 Jul 2023 | Should #AppSec be Part of the Development Team? | 00:37:05 | |
The big question is if it's possible to lose the application security team and move all the functions directly into development. We discuss "shifting everything left," which refers to integrating security earlier in the development process. We express concern that developers are being burdened with increasing responsibility without being given the power or resources to handle it effectively. This is referred to as the "inverse Spider-Man thing" - with great responsibility should come great power, but this isn't always the case in AppSec. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 18 Jul 2023 | Security Posture is a Thing | 00:44:54 | |
What is security posture? Izar was at a conference in Amsterdam, where he was asked to define security posture and how to measure it. Is security posture qualitative or quantitative, and can it be compared across teams, organizations, and departments? This led us down this rabbit hole; what is security posture, and is it even possible to measure? Security posture is multi-dimensional, differentiating between organizational and system security postures. Security activities that are reasonable to a company's level of risk acceptance are essential. Leadership changes could impact security posture; the departure of a CISO, for example, doesn't immediately affect the security posture as the policies and experiences built up over time remain. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 26 Jul 2023 | Why Do Engineers Hate Security? | 00:49:28 | |
There is a relationship between security professionals and engineers. Explore the possibility of engineers disliking security personnel and how security professionals can improve their relationship with engineers. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 01 Aug 2023 | Security Champions as the Answer to Engineering Hating Security | 00:43:54 | |
What happens when engineers transform into security champions? Is this beneficial, and what are the implications of this transformation? Izar reveals his transition from a naysayer to a supporter of security champions, and Chris and Matt seek to understand his current position. They explore the position of Security Champion and discuss the components of a good security champion program. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 15 Aug 2023 | Secure by Design | 00:39:27 | |
"Secure by Design" has garnered attention with the release of a document by CISA. What does it mean? How does it fit with Threat Modeling? And do you know if Secure by Design will answer our need for secure software? FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 22 Aug 2023 | Jim Manico ❤️ Threat Modeling: The Untold Story | 00:56:19 | |
Jim Manico joins Chris, Matt, and Izar at the Security Table for a rousing discussion on his Threat Modeling journey. They also learn about each other's thoughts about DAST, SAST, SCA, Security in AI, and several other topics. Jim is an educator at heart, and you learn quickly that he loves application security. Jim is not afraid to drop a few controversial opinions and even a rap! FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 29 Aug 2023 | The Return on Investment of Threat Modeling | 00:33:49 | |
The Security Table team dialogues about the importance of data and metrics in understanding and communicating risk. After Matt defines ROI, Izar emphasizes that while data is crucial, it doesn't always come in numerical form. Instead, risk can be expressed in various ways, such as trends, and doesn't necessarily need to be quantified in traditional terms. Chris stresses that executives need tangible metrics and data to make informed decisions, especially when communicating with legal teams and other stakeholders.
FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 05 Sep 2023 | Imposter Syndrome | 00:34:37 | |
Imposter Syndrome is when a person feels inadequate despite their accomplishments. Not unique to the field of cybersecurity or even software development, imposter syndrome can affect any professional as they advance and grow in their area of expertise. Matt and Izar, both seasoned security professionals, openly discuss the dichotomy between their intellectual achievements and the emotional weight of feeling like they don't belong. They touch upon the challenges of presenting at conferences, where the internal dialogue of self-doubt might be at its loudest, yet they've learned to project confidence. The conversation also highlights the importance of understanding one's worth, emphasizing that it doesn't stem from external validation or the opinions of others. The hosts each share personal anecdotes, such as moments when they felt most vulnerable on stage, and how they've learned to navigate these feelings over time. This podcast serves as a candid exploration of the imposter syndrome, offering insights and encouragement to professionals from any field who might feel the same way. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 12 Sep 2023 | AppSec vs. ProdSec | 00:37:06 | |
Chris Romeo, Matt Coles, and Izar Tarandach attempt to demystify the concepts of Application Security (AppSec) and Product Security (ProdSec). They find that even defining and differentiating both concepts is challenging. Various articles exist about AppSec and ProdSec, but the industry is generally confused about these terms. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 19 Sep 2023 | Threat Modeling Conference | 00:32:18 | |
The Security Table gathers to discuss the upcoming ThreatModCon 2023 (https://www.threatmodelingconnect.com), the inaugural and only conference dedicated entirely to threat modeling. ThreatModCon 2023 Sunday, October 29, 2023 Marriott Marquis Washington, DC The Threat Modeling Conference will cover various aspects of threat modeling, from AI integration to privacy concerns, from a brief history of threat modeling to hands-on workshops. The sessions will emphasize learning, interaction, and applying knowledge in real-world scenarios. ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~- From threatmodelingconnect.com: Join us for the inaugural Threat Modeling Conference — the first annual meetup of our community — on October 29th to learn, share, and discuss how to make threat modeling approachable to everyone. Come away with the latest trends, tools, and strategies in threat modeling, helping you stay ahead of the curve as you navigate the constantly-changing cybersecurity landscape Meet the Speakers I’m new to threat modeling, Is this conference for me? ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~- Listen in to hear what excites Chris, Matt, and Izar about ThreatModCon, and sign up to attend yourself! Threat Modeling is for Everyone! https://www.threatmodelingconnect.com/ FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 26 Sep 2023 | The Hamster Wheel of Scan and Fix | 00:56:28 | |
Matt and Izar join in a debate with Chris Romeo as he challenges the paradigm of "scan and fix" in application security. Chris references a LinkedIn post he made, which sparked significant reactions, emphasizing the repetitive nature of the scan and fix process. His post critiqued the tools used in this process, noting that they often produce extensive lists of potential vulnerabilities, many of which might be false positives or not appropriately prioritized. He underscores the need for innovation in this domain, urging for a departure from the traditional methods. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 10 Oct 2023 | A Show About Nothing that Turned into Something | 00:33:32 | |
The Security Table gathers this week to discuss expectations about tooling in the Application Security industry. Matt emphasizes that tools should essentially automate tasks that humans can perform but in a faster and more efficient manner. The conversation then shifts to the overwhelming nature of communication platforms like Slack. Izar highlights the challenges of managing attention spans and context-switching when one is part of numerous Slack channels, likening it to being in a room with a hundred simultaneous conversations. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 17 Oct 2023 | The Future Role of Security and Shifting off the Table | 00:54:58 | |
The Security Table gathers to discuss the evolving landscape of application security and its potential integration with development. Chris posits that application or product security will eventually be absorbed by the development sector, eliminating the need for separate teams. One hindrance to this vision is the friction between security and engineering teams in many organizations. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 24 Oct 2023 | NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations | 00:20:09 | |
Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 08 Nov 2023 | An SBOM Fable | 00:37:17 | |
Join Chris, Matt, and Izar for a lively conversation about an article that offers 20 points of "essential details" to look for in a Software Bill of Materials (SBOM). They dissect and debate various points raised in the article, including generating SBOMs, the necessary components, and how to gauge the quality of this digital inventory. Their critique is both insightful and humorously candid, and they will offer you a tour through the often complex world of software documentation. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 14 Nov 2023 | An SBOM Lifecycle | 00:45:39 | |
Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 21 Nov 2023 | CVSS 4.0 Unleashed with Patrick Garrity | 00:58:26 | |
Patrick Garrity joins the Security Table to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 29 Nov 2023 | Looking Back, Looking Forward | 00:46:14 | |
Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 19 Dec 2023 | The Impact of Prompt Injection and HackAPrompt_AI in the Age of Security | 01:04:38 | |
Sander Schulhoff of Learn Prompting joins us at The Security Table to discuss prompt injection and AI security. Prompt injection is a technique that manipulates AI models such as ChatGPT to produce undesired or harmful outputs, such as instructions for building a bomb or rewarding refunds on false claims. Sander provides a helpful introduction to this concept and a basic overview of how AIs are structured and trained. Sander's perspective from AI research and practice balances our security questions as we uncover where the real security threats lie and propose appropriate security responses.
FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 09 Jan 2024 | AppSec Resolutions | 00:47:44 | |
Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 16 Jan 2024 | Open Source Puppies and Beer | 00:40:34 | |
Chris, Izar, and Matt address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues in this Security Table roundtable. Sparked by a LinkedIn post from Bob Lord, Senior Technical Advisor at CISA, they discuss whether software companies have a civic duty to distribute fixes for vulnerabilities they discover in open-source components. They also examine if there is a need to threat model every third-party component and consider the implications of certain licenses for security patches. This is a discussion that needs to be had by anyone using open-source components in their code. Listen in and engage as we learn and think through this important issue together! Links: Bob Lord’s post about Open Source Responsibility: FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 23 Jan 2024 | Threat Modeling Capabilities | 00:41:57 | |
This week around the Security Table Matt, Izar and Chris discuss the recently-published Threat Modeling Capabilities document. They explore how capabilities serve as measurable goals that organizations either possess or lack, contrasting the binary nature of capabilities with the continuum of maturity. The team shares insights on the careful definition and measurement of each capability, highlighting the creative debates and diverse perspectives that enriched the document. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 30 Jan 2024 | Bug Bounty Theater and Responsible Bug Bounty | 00:27:13 | |
Izar, Matt, and Chris discuss the effectiveness of bug bounty programs and delve into topics such as scoping challenges, the ethical considerations of selling exploits, and whether it is all just bug bounty theater. The hosts share their insights and opinions on the subject, providing a thought-provoking discussion on the current state of bug bounties in the security industry. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 06 Feb 2024 | Adam Shostack -- Thinking like an Attacker and Risk Management in the Capabilities | 00:46:23 | |
Threat modeling expert Adam Shostack joins Chris, Izar, and Matt in this episode of the Security Table. They look into threat actors and their place in threat modeling. There's a lively discussion on risk management, drawing the line between 'thinking like an attacker' and using current attacker data to inform a threat model. Adam also suggests that we must evaluate if risk assessments serve us well and how they impact organizations on various levels. The recurring theme is the constant need for evolution and adaptation in threat modeling and risk management processes. You can tune in to get a rich perspective on these key cybersecurity topics. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 13 Feb 2024 | Villainy, Open Source, and the Software Supply Chain | 00:32:02 | |
Matt, Izar, and Chris have a lively discussion about how security experts perceive open-source software. Referencing a post that described open source as a 'hive of scum and villainy,' the team dissects the misconceptions about open source software and challenges the narrative around its security. They explore the complexities of the software supply chain, the notion of 'inheritance' when it comes to security vulnerabilities, and the impact of transitive dependencies. They also discuss reputation systems, dependency injection, and the reality of accepting responsibility for incorporated software packages and their security issues. Tune in for these and other thoughtful insights about the interplay between open source solutions and security aspects in software development. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 20 Feb 2024 | Prioritizing AppSec: A Conversation Between a VP of Eng, a Product Manager, and a Security "Pro" | 00:37:09 | |
Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager. They explore some of the challenges and competing perspectives involved in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and building relationships within an organization while dealing with security threats and solutions. They end with insights into the role of AI in AppSec, its prioritization, and its limitations. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 27 Feb 2024 | Selling Fear, Uncertainty, and Doubt | 00:41:09 | |
Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword - while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs the line between vigilant security practices and unnecessary panic. Fear-based security strategies do not foster a secure environment. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 12 Mar 2024 | Debating the Priority and Value of Memory Safety | 00:34:58 | |
Chris, Izar, and Matt tackle the first point of the recent White House report, "Back to the Building Blocks: a Path toward Secure and Measurable Software." They discuss the importance of memory safety in software development, particularly in the context of critical infrastructure. They also explore what memory safety means, citing examples like the dangers of using C over safer alternatives such as Java, Rust, or Go. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 19 Mar 2024 | Secure by Default in the Developer Toolset and DevEx | 00:43:46 | |
Matt, Chris, and Izar talk about ensuring security within the developer toolset and the developer experience (DevEx). Prompted by a recent LinkedIn post by Matt Johansen, they explore the concept of "secure by default" tools. The conversation highlights the importance of not solely relying on tools but also considering the developer experience, suggesting that even with secure tools, the ultimate responsibility for security lies with the developers and the organization. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 26 Mar 2024 | How I Learned to Stop Worrying and Love the AI | 00:42:19 | |
Dive into the contentious world of AI in software development, where artificial intelligence reshapes coding and application security. We spotlight the surge of AI-generated code and the incorporation of copy-pasted snippets from popular forums, focusing on their impact on code quality, security, and maintainability. The conversation critically examines the diminishing role of traditional quality assurance measures versus the growing reliance on automated tools and AI, highlighting potential compromises between development speed and security integrity. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 02 Apr 2024 | SQLi All Over Again? | 00:37:55 | |
Chris, Matt, and Izar discuss a recent Secure by Design Alert from CISA on eliminating SQL injection (SQLi) vulnerabilities. The trio critiques the alert's lack of actionable guidance for software manufacturers, and they discuss various strategies that could effectively mitigate such vulnerabilities, including ORMs, communicating the why, and the importance of threat modeling. They also explore potential ways to improve the dissemination and impact of such alerts through partnerships with organizations like OWASP, the various PSIRTs, and ISACs, and leveraging threat intelligence effectively within AppSec programs. Ultimately, the trio wants to help CISA maximize its effectiveness in the software security industry. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 09 Apr 2024 | Nobody's Going To Mess with Our STRIDE | 00:39:31 | |
Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as being outdated, time-consuming, and does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good instrument, it is important to use the right tools in the right context. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 02 May 2024 | XZ and the Trouble with Covert Identities in Open Source | 00:43:54 | |
Matt, Izar, and Chris delve into the complexities of open source security. They explore the topics of trust, vulnerabilities, and the potential infiltration by malicious actors. They emphasize the importance of proactive security measures, the challenges faced by maintainers, and propose solutions like improved funding models and behavior analysis for enhancing security within the open source ecosystem. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 14 May 2024 | 12 Factors of Threat Modeling | 00:45:39 | |
Chris, Matt and Izar share their thoughts on an article published by Carnegie Mellon University’s Software Engineering Institute. The list from the article covers various threat modeling methodologies such as STRIDE, PASTA, LinDoN, and OCTAVE methodology for risk management. They emphasize the importance of critical thinking in the field, provide insights into strengths, applications, and limitations of each method, and highlight the significance of annotated threat models for application security.
Mentioned in this Episode: Podcast episode: Nobody's Going to Mess with Our STRIDE https://www.youtube.com/watch?v=TDFRe_icFmY&pp=ygUSdGhlIHNlY3VyaXR5IHRhYmxl FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 21 May 2024 | Why Developers Will Take Charge of Security, Tests in Prod | 00:48:10 | |
The script delves into a multifaceted discussion encompassing critiques and praises of book-to-movie adaptations like 'Hitchhiker's Guide to the Galaxy', 'Good Omens', and 'The Chronicles of Narnia'. It then transitions to a serious examination of developers' evolving role in security, advocating for 'shift left' and DevSecOps approaches. The conversation navigates through challenges developers encounter in security practices, stressing the necessity of a DevSecOps framework, secure coding languages, and executive support for fostering a robust security culture within organizations. Chris, Izar and Matt begin the episode with a lighthearted discussion about books turned into movies, including Hitchhiker's Guide to the Galaxy and The Chronicles of Narnia series. The main topic of conversation on today’s episode is an article titled "Why Developers Will Take Charge of Security, Tests in Production" by Lorraine Lawson, which interviews Larry Meshrom. The article suggests that developers should take on more responsibility for security, including testing in production environments, as security teams are often perceived as a blocker and don't understand the day-to-day work of developers. The guys question whether developers truly want to take on more security responsibilities, given the constantly evolving nature of security threats and the time it takes to stay up-to-date. They also discuss the role of product managers in driving security and privacy prioritization, and the need for executives to understand the business value of investing in security. The hosts argue that while mature organizations have governance processes in place to enforce security, smaller companies may lack such mechanisms. Ultimately, it is concluded that product managers are best positioned to communicate the business value of security to executives, as they are closest to understanding customer needs and revenue drivers. They propose that the industry should focus on educating and empowering product managers to prioritize security and privacy, and to make the case for investing in these areas to executives. This approach could help bridge the gap between security teams and developers, and drive a culture of security within organizations. Link to article: https://thenewstack.io/why-developers-will-take-charge-of-security-tests-in-prod/ FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 31 May 2024 | Debating the CISA Secure by Design Pledge | 00:39:41 | |
In this episode of 'The Security Table,' hosts Chris Romeo, Matt Coles, and Izar Tarandach discuss the CISA Secure by Design Pledge, a recent initiative where various companies commit to improving software security practices. The hosts critique the pledge, arguing that many of the signatory companies have long been focused on software security, making the pledge redundant for them. They dissect specific goals of the pledge, such as increasing multi-factor authentication (MFA) and reducing default passwords, and express concerns about their actual impact. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 04 Jun 2024 | Security, Stories, Jazz and Stage Presence with Brook Schoenfield | 00:52:04 | |
In this episode of 'The Security Table,' hosts Chris Romeo, Izar Tarandach, and Matt Coles are joined by Brook Schoenfield, a seasoned security professional, to share insights and stories from his extensive career. The conversation covers Brook's experience in writing books on security, lessons learned from his 40-year career, and personal anecdotes about his life as a musician, including playing with legends like Bo Diddley and Chuck Berry. Brook highlights the importance of ensemble work in both security and music. Books written by Brook Schoenfield: Secrets Of A Cyber Security Architect (Auerbach, 2019) https://brookschoenfield.com/?page_id=331 Securing Systems: Applied Security Architecture https://brookschoenfield.com/?page_id=245 FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 18 Jun 2024 | Privacy vs. Security: Complexity at the Crossroads | 00:35:48 | |
In this episode of the Security Table, Chris, Izar, and Matt delve into the evolving landscape of cybersecurity. The episode has a humorous start involving t-shirts and Frogger as a metaphor for the cybersecurity journey, the conversation shifts to the significant topic of cybersecurity being at a crossroads as suggested by a CSO Online article. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 03 Jul 2024 | Rethinking Security Conferences: Engagement and Innovation | 00:26:04 | |
In this episode Chris, Matt, and Izar discuss the current state of security conferences and gatherings for professionals in the field. They discuss the value and viability of different types of gatherings, the importance of networking and community-building at events, innovative approaches to conference formats and the need for something more engaging and participatory that caters to both introverts and extroverts. Personal experiences and preferences for conference attendance and speaking engagements are discussed along with hybrid approaches that combine presentations with facilitated discussions and interactive elements. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 17 Jul 2024 | To SSH or Not? | 00:28:08 | |
In this episode of 'The Security Table,' we are back from our midsummer break to discuss OpenSSH regression vulnerability. We dig into the nuances of this race condition leading to remote code execution, explore the chain of security updates, and the role of QA in preventing such regressions. We debate the necessity of SSH in modern cloud-native environments and its alternatives. Plus, we answer the critical question of who should catch these vulnerabilities first — QA teams, pentesters, or automated tools? FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 24 Jul 2024 | The Stages of Grief in Incident Response | 00:24:05 | |
Join Chris, Izar, and Matt as they sit around the Security Table to dissect and discuss the different stages of dealing with security incidents. In this episode, they explore the developer's stages of grief during an incident, and discuss a recent large-scale IT incident. They share insights from their multi-decade experience in security, analyze the fragility of current systems, and discuss the role of luck and probability in security failures. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 31 Jul 2024 | Computing Has Trust Issues | 00:46:09 | |
Join us in this episode of The Security Table as we dive into the world of cybersecurity, starting with a nostalgic discussion about our favorite security-themed movies like 'Sneakers,' 'War Games,' and 'The Matrix.' We then shift gears to explore a critical topic in modern computing: the vulnerabilities and implementation issues of Secure Boot. Discover the intricate details of key management, human errors, and the challenges of maintaining trust in hardware and software systems. The conversation extends to the practicalities of password management, passkeys, and the broader implications of securing digital identities. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 07 Aug 2024 | The Intersection of Hardware and Software Security | 00:30:25 | |
In this episode of The Security Table, Chris, Izar, and Matt discuss an article that discusses threat modeling in the context of hardware. They explore the intersection of hardware and software security, the importance of understanding attack surfaces, and the challenges posed by vulnerabilities in hardware components, such as speculative execution faults and the impact of supply chain security. Join the conversation as they examine the critical points in the ongoing dialogue around hardware and software security integration. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 14 Aug 2024 | The Illusion of Secure Software | 00:40:18 | |
In this episode of The Security Table Podcast, hosts ChriS, Izar and Matt dive into the recent statement by CISA's Jen Easterly on the cybersecurity industry's software quality problem. They discuss the implications of her statement, explore the recurring themes in security guidelines, and debate whether the core issue is with people or technology. Join the conversation as they analyze the roles of developers, QA engineers, and emerging AI tools in shaping a secure future, questioning if the industry is on the right path to real change. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 28 Aug 2024 | Innovations in Threat Modeling? | 00:31:36 | |
In this episode of The Security Table, hosts Chris Romeo, Izar Tarandach, and Matt Coles dive into the evolving concept of threat models, stepping beyond traditional boundaries. They explore 'Rethinking Threat Models for the Modern Age,' an article by author Evan Oslick. Focusing on user behavior, alert fatigue, and the role of psychological acceptability, they debate whether broader human factors should integrate into threat modeling. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 11 Sep 2024 | Philosophizing Cloud Security | 00:28:40 | |
In this episode of the Security Table, our hosts discuss the concept of the 'Shared Fate Model' in cloud security. The conversation explores how this model builds on the shared responsibility model and the implications for cloud service providers and consumers. From robust default security measures to the historical evolution of ISPs, the discussion covers technical and philosophical aspects of cloud infrastructure security. Join us for an informative and engaging session filled with the past and present of internet connectivity and cloud service security. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 18 Sep 2024 | Numb to Data Breaches, and How it Impacts Security of the Average Feature | 00:32:22 | |
In this episode of the Security Table with Chris Romeo, Izar Tarandach, and Matt Coles, the team dives into the evolving landscape of modern security approaches. They discuss the shift from strategy to tactics, the impact of data breaches, and why people are becoming numb to such incidents. The episode also touches on the importance of understanding the business side of security and the role of product managers as security champions. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 09 Oct 2024 | Experts Want to Excel | 00:44:07 | |
What constitutes an expert in the field of threat modeling? Today Matt, Chris and Izar explore cultural references, the intricacies of threat modeling practices, and the criteria that define an expert. The discussion touches on the evolution of threat modeling, the roles of facilitators, and the importance of experience and recognition in the field. The guys humorously debate the challenge of scaling practices in large organizations and share thoughts on how expertise can inspire others. Enjoy this amusing episode complete with tangents on movies, old media technologies, sports analogies, and competitive Excel. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 16 Oct 2024 | Everything is Boring | 00:29:59 | |
Is everything boring? Chris, Izar and Matt discuss why nothing seems interesting enough lately. Is the excitement of vulnerabilities and ransomware waning? The guys touch on Governance, Risk, and Compliance (GRC) in corporate auditing, the impact of ransomware and the contentious role of cyber insurance, the fading novelty of AI and its influence on security, and examine why essential security tasks might feel mundane yet remain vital. This is a candid conversation you won’t want to miss. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 23 Oct 2024 | We'll Be Here Until We Become Obsolete | 00:27:48 | |
This week we explore the multifaceted concept of obsolescence in technology, detailing its planned, unplanned, and forced forms. We delve into the security implications of outdated or unsupported devices and software, with a spotlight on cloud-connected vehicles and their vulnerabilities. We discuss architectural decisions, regulatory requirements, and real-world incidents like the OnStar hack, reflecting on the need for robust security protocols. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 07 Nov 2024 | Why 100X Isn't the Answer | 00:44:54 | |
A good discussion today covering two different articles, the first covers CISA's list of product security "bad practices", questioning whether it provides real value or is just content marketing. Then the discussion moves onto an article about Shift Left. The group debates whether it is truly more expensive to fix design flaws versus implementation bugs, noting the difficulty of quantifying the cost difference. They argue that the focus should be on providing proper training and incentives for developers to build secure software, rather than just adding more security tools. Articles discussed in the episode: Product Security Bad Practices FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 13 Nov 2024 | The STRIDE Controversy: Evolution vs. Extinction in Security Models | 00:41:11 | |
We discuss a controversial LinkedIn post claiming "Threat Modeling is Dead." While the STRIDE methodology may need updating, it remains a valuable "gateway" tool for teaching security concepts to developers without security backgrounds. We discuss how STRIDE serves as a useful categorization system, emphasize that dogmatic approaches to threat modeling are problematic, and argue that what matters most are results rather than strict adherence to any particular methodology. Our conclusion; STRIDE is still alive and relevant, but it could benefit from an update to demonstrate its continued applicability. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 10 Dec 2024 | Is it Necessary? Not everything requires an LLM | 00:42:39 | |
We debate the necessity and efficiency of LLMs in finding code vulnerabilities in a C library compared to traditional static code analyzers and fuzzing techniques. The conversation explores broader topics in application security testing, including the evolving landscape of Dynamic Application Security Testing (DAST), fuzzing, and the potential of emerging technologies like Application Detection and Response (ADR). FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 11 Dec 2024 | Find Your Conferences and watch Die Hard. And the Princess Bride. | 00:29:12 | |
What makes a conference truly valuable? Is it the unexpected connections and serendipitous meetings of minds, or the chance to break free from the "security echo chamber" by exploring diverse conference experiences? We discuss the considerations that make conferences worth attending and examine whether they are compelling enough to warrant personal investment. Whether large or intimate, each conference provides a distinct journey of learning and interaction. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 08 Jan 2025 | Hovercrafts and the Evolution of AppSec in 2025 | 00:35:00 | |
Hovercrafts and application security in the new year. We revisit last year's predictions on Quantum LLM, SBOMs, and whether DAST tools will make a comeback. With humor and forward-thinking, we explore what the future might hold for application security, the rise of new technologies, and even the outlandish idea of AppSec being dead. Episode mentioned: FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 22 Jan 2025 | The Cyber Trust Mark Debate | 00:47:12 | |
The Cyber Trust Mark, a new FCC program aimed at assuring the security of IoT devices is the topic of discussion today. We discuss various aspects of the Cyber Trust Mark, the history of similar initiatives like UL certification, and the challenges faced by consumers in determining the security of their devices. They also debate the merits and drawbacks of regulations like the EU's Cyber Resilience Act, the importance of secure-by-default design, and the limitations of relying solely on consumers or independent labs to ensure security. Throughout, they explore whether this new mark can genuinely make a difference or if it's just a rehash of old ideas. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||
| 12 Feb 2025 | The Department of No | 00:45:12 | |
We’re discussing the complexities of saying 'yes' or 'no' in the context of security decisions in today’s episode and the enduring challenge of integrating security into software development. The conversation swerves into the intriguing idea of a trade-like progression for developers, contrasting it with current knowledge work. The episode culminates in a hit parade of pop culture references, including Star Wars, Star Trek, Firefly, and more. Tune in for a thought-provoking and fun conversation!
FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast Thanks for Listening! | |||