ESW #309 – Tal Morgenstern, Casey Smith
The CI/CD pipeline is the backbone of the software development process, so it's critical to ensure you are meeting and exceeding the most critical security measures. Throughout this podcast, Tal Morgenstern, Co-founder and CSO of Vulcan Cyber, will break down the process of how organizations can properly secure a CI/CD pipeline into a checklist of four key steps, as well as offer a handful of tools and tactics security leadership can use to bake risk-based vulnerability management into their CI/CD pipelines. He will explain how securing your CI/CD pipelines alone is not enough to reduce the chances of cyber attacks and the importance for organizations to not only maintain security at speed and scale, but quality at speed and scale. Finally, Tal will dive into how Vulcan Cyber helps organizations to streamline security tasks in every stage of the cyber-risk management process, integrating with their existing tools for true end-to-end risk management.
Segment Resources: https://vulcan.io/
https://vulcan.io/blog/ci-cd-security-5-best-practices/
https://www.youtube.com/watch?v=nosAxWc-4dc
Tap, tap - is this thing on? Why do defenders still struggle to detect attacks and attacker activities? Why do so many tools struggle to detect attacks?
Today, we've got an expert on detection engineering to help us answer these questions. Thinkst's Canary and Canarytokens make in catching penetration testers and attackers stupidly simple. Thinkst Labs aims to push these tools even further. Casey will share some of the latest research coming out of labs, and we'll ponder why using deception for detection isn't yet a de facto best practice.
https://canary.tools https://canarytokens.org https://blog.thinkst.com
Finally, in the enterprise security news, We quickly explain the SVB collapse, A few interesting fundings, Rapid7 acquires Minerva who? We’ll explain. GPT-4 - what’s new? Detect text written by an AI! Then, produce text that can’t be detected as written by an AI! The K-Shaped recovery of the cybersecurity industry, Software Security is More than Vulnerabilities, Microsoft Outlook hacks itself, Robert Downey Jr. gets into teh cyberz, & Reversing intoxication! Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Full Audio
Segments
1. How to Secure Your CI/CD Pipeline by Prioritizing Cyber-Risk Management – Tal Morgenstern – ESW #309
The CI/CD pipeline is the backbone of the software development process, so it's critical to ensure you are meeting and exceeding the most critical security measures. Throughout this podcast, Tal Morgenstern, Co-founder and CSO of Vulcan Cyber, will break down the process of how organizations can properly secure a CI/CD pipeline into a checklist of four key steps, as well as offer a handful of tools and tactics security leadership can use to bake risk-based vulnerability management into their CI/CD pipelines. He will explain how securing your CI/CD pipelines alone is not enough to reduce the chances of cyber attacks and the importance for organizations to not only maintain security at speed and scale, but quality at speed and scale. Finally, Tal will dive into how Vulcan Cyber helps organizations to streamline security tasks in every stage of the cyber-risk management process, integrating with their existing tools for true end-to-end risk management.
Segment Resources: https://vulcan.io/
Announcements
Security Weekly listeners: Identiverse 2023 is heading to Vegas! Join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 30th to June 2nd. Identiverse is a must-attend annual event that brings together over 2,500 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, you’re able to receive 20% off your Identiverse 2023 tickets using code IDV23-SW20!
Register today: securityweekly.com/identiverse2023
Guest
Tal Morgenstern is the Co-Founder & CPO at Vulcan Cyber. Tal brings almost 20 years of experience in cybersecurity products development and design to Vulcan Cyber – experience he gained in the Israeli army, building cutting-edge Elbit systems, Israel’s largest defense contractor, and during his tenure in various R&D and product design roles.
Hosts
2. Applied Research & the Power of Sustained Thinking – Casey Smith – ESW #309
Tap, tap - is this thing on? Why do defenders still struggle to detect attacks and attacker activities? Why do so many tools struggle to detect attacks?
Today, we've got an expert on detection engineering to help us answer these questions. Thinkst's Canary and Canarytokens make in catching penetration testers and attackers stupidly simple. Thinkst Labs aims to push these tools even further. Casey will share some of the latest research coming out of labs, and we'll ponder why using deception for detection isn't yet a de facto best practice.
https://canary.tools https://canarytokens.org https://blog.thinkst.com
Gallery Images
Announcements
We’d like to invite our listeners to be part of our 2023 SC Awards!
Our prestigious and competitive SC Awards program recognizes outstanding innovations, organizations, and leaders that are advancing the practice of information security. This year, there are awards in 36 categories up for grabs, including best IT security-related training program, innovator of the year, best SASE solution, and more. We’d love to see your company in the spotlight!
Visit securityweekly.com/scawards to submit your entries by March 20!
Guest
Casey Smith is a Senior Security Researcher at Thinkst Applied Research. He enjoys continually working to understand and evaluate the limits of defensive systems. He led the development of Atomic Red Team, an open-source testing platform that security teams can use to assess detection coverage. His background includes security analysis, threat research, penetration testing, and incident response. Casey has spoken at several security conferences. DerbyCon, Shmoocon, BlackHat USA, BlueHat, BlueHat IL, and Troopers.
Hosts
3. Robert Downey Jr, K-Shaped, GPT-4, Rapid7, & SVB – ESW #309
Finally, in the enterprise security news, We quickly explain the SVB collapse, A few interesting fundings, Rapid7 acquires Minerva who? We’ll explain. GPT-4 - what’s new? Detect text written by an AI! Then, produce text that can’t be detected as written by an AI! The K-Shaped recovery of the cybersecurity industry, Software Security is More than Vulnerabilities, Microsoft Outlook hacks itself, Robert Downey Jr. gets into teh cyberz, & Reversing intoxication!
Gallery Images
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
Hosts
- 1. DUMPSTER FIRE: Over 100 VCs, investors voice solidarity with Silicon Valley Bank
And then they told their portfolio companies to remove $44B from it.
Should we even bother talking about it? I guess not everyone has binged the details like we have...
- 2. FUNDING: Capital One Ventures and Citi Ventures Invest in Securiti – Securiti
- 3. FUNDING: Samsung Next Invests In Mitiga, Brings Total Funding to $45M
- 4. FUNDING: Want data security? Concentrate on cybersecurity training, RangeForce raises $20M
- 5. FUNDING: Revelstoke Announces $20M Series B Funding Following Exponential Growth in Its First Year in Market
- 6. FUNDING: a16z-backed Uno launches a design-centric password manager
If someone finds a vulnerability in this app, it needs to be called "Uno Attack"
- 7. ACQUISITIONS: Rapid7 Acquires Minerva Labs to Extend Leading Managed Detection and Response Service with Ransomware Prevention Technology
The Malware 'sandman' company finally gets an exit. I had lost track of this company, but they innovated a neat trick where they can convince malware that it's being investigated, which causes many malwares to get sleepy...
- 8. NEW PRODUCTS: GPT-4
AI marches on. Unclear as to whether it's updating itself at this point.
- 9. NEW TOOL: AI Content Detector Checks GPT-3, ChatGPT, & More for Free
Detect text written by an AI! Then, obfuscate it so no one can detect it as written by an AI! This tool giveth and then taketh away...
- 10. NEW OPEN SOURCE: gh-sbom (automatically generate SBOMs!)
- 11. NEW OPEN SOURCE: Bearer (FOSS SAST tool)
- 12. ESSAYS: Cloud Security from First Principles
- 13. ESSAYS: Software Security is More than Vulnerabilities
- 14. ESSAYS: The K-Shaped Recovery of the Cybersecurity Industry
- 15. ESSAYS: CISO Role Undergoes Evolution as Role Grows More Complex
- 16. ESSAYS: Looking for ways to promote products and services that make cybersecurity a better place: five unique case studies
- 17. REPORTS: Cybercrime Losses Exceeded $10 Billion in 2022: FBI
Not $10 Trillion? Are we sure about the numbers here? /sarcasm
- 18. VULNERABILITIES: Critical Microsoft Outlook/365 bug CVE-2023-23397 under attack
We don't usually cover these, but this one is just incredible. :face_palm:
- 19. SQUIRREL: Robert Downey Jr. joins Boston-based cybersecurity company’s board of directors – The Boston Globe
- 20. SQUIRREL: UT Southwestern scientists discover agent that reverses effects of intoxication
