DevOps, Compliance, Security awareness

Scientific Hooligans – PSW #632

This week, we welcome you with our Roundtable Discussion on DevOps and Securing Applications, where we'll cover how to navigate the wide variety of options for securing modern applications and the processes used to build and deploy software today! Next up we debate one of Information Security's long-standing debates: Security vs. Compliance! The final segment in this episode assembles a panel of experts to discuss The History of Security and what we can learn from the past!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. DevOps and Securing Applications – PSW #632

- Given that DevOps is a process and its execution requires many different tools, how do we get started "doing DevOps"?

- What about DevOps allows us to produce more secure applications?

- What concepts inside of DevOps do most people lose site of?

- What are the major challenges involved in taking an application from traditional development to DevOps?

- What are some of the best approaches to making an application more resilient to threats

- To ORM or not to ORM?

- Which services do you implement yourself vs. using a cloud service?

- How do I choose the best secrets vault?

- What should I use an orchestrator for and what should I not use an orchestrator for?

- How do I build a secure API for my app?

- Thoughts on GraphQL vs. REST security implications?

Guests

Chris Eng
Chris Eng
Chief Research Officer at Veracode

Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security. Chris is a frequent speaker at industry conferences and serves on review boards for Black Hat USA and the Kaspersky Security Analyst Summit. He is also a charter member of MITRE’s CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency.

Eric Johnson
Eric Johnson
Principal Security Engineer at Puma Security

Eric is co-founder and Principal Security Engineer at Puma Security focusing on cloud security, static code analysis, and DevSecOps automation. His experience includes performing cloud security reviews, infrastructure as code automation, application security automation, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is also a Principal Instructor with the SANS Institute where he authors information security courses on cloud security, DevSecOps automation, secure coding, and defending mobile apps. He delivers security training for SANS around the world, and presents security research at conferences including SANS, BlackHat, OWASP, BSides, RSA, DevOpsDays, and ISSA.

Frank Catucci
Frank Catucci
Head of AppSec at DataRobot

Frank Catucci is a global application security leader with over 15 years of diverse experience which grants him the unique ability to see and lead information and application security with a unique, complete and holistic approach. Frank is currently leading efforts within application security and devsecops with groundbreaking security research, techniques and completeness of vision, as a pioneer and leader of application security and devsecops advancement.

James Ford
James Ford
Head of Information Security at CrossBorder Solutions

As a technology leader with wide-ranging experience over 24 years at ADP, instilling entrepreneurial dynamism into product development has been a constant theme of my career. ADP is a world-class provider of solutions. My efforts delivered the technical vision and direction for dozens of products addressing complex business needs with well-designed simplicity. This set me up well to transition to helping other companies solve difficult problems… My value comes from knowing what to do to bring a product to life with minimal risk and maximum benefit to customers and the bottom line. I’ve seen just about every business, project, and technology situation, and can look at an idea from both big picture and detail perspectives to ensure a product’s success. Much of my work focuses on the people side of technology. I thrive on shaping great teams and cultures needed for breakthrough innovation, and on being an evangelist – I love to share knowledge about new products, practices, and technologies to help emerging companies punch above their weight and achieve their business goals through technology.

Jason Kent
Jason Kent
Hacker in Residence at Cequence Security

For over the last 20 years, Jason has been ethically peering into Client Behavior, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he’s taken hundreds of organizations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence’s customers safe.

Josh Corman
Josh Corman
Founder, I am The Cavalry / recently Chief Strategist for the CISA COVID Task Force at I am The Cavalry

Joshua Corman is a Founder of I am The Cavalry (dot org), and recently served as Chief Strategist for the CISA COVID Task Force. He previously served as CSO for PTC, Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, and other senior roles. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. His unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an Adjunct Faculty for Carnegie Mellon’s Heinz College, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.

Keith Hoodlet
Keith Hoodlet
Application Security Manager at Thermo Fisher Scientific

Keith Hoodlet is the Application Security Manager at Thermo Fisher Scientific. He is the Co-Founder of the InfoSec Mentors Project .

Sandy Carielli
Sandy Carielli
Principal Analyst at Forrester Research

Sandy is a principal analyst at Forrester advising security and risk professionals on application security, with a particular emphasis on the collaboration among security and risk, application development, operations, and business teams. Her research covers topics such as proactive security design, security testing in the software delivery lifecycle, protection of applications in production environments, and remediation of hardware and software flaws.

Hosts

April Wright
April Wright
Preventative Security Specialist at Architect Security
John Kinsella
John Kinsella
Co-founder & CTO at Cysense
Matt Alderman
Matt Alderman
VP, Product at Living Security
Mike Shema
Mike Shema
Security Partner at Square
Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly

2. Security vs. Compliance – PSW #632

It was once said that if Security and Compliance were in a relationship the status would be "It's Complicated". This discussion will aim to help you understand this relationship and how it can be beneficial or a mere distraction to an organization's overall security posture.

- Define "Secure" and "Compliant".

- Does compliance merely raise awareness about security shortcomings?

- What is the relationship between Security and Compliance?

- Being Secure and being Compliant are mere points in time, how can we best develop a process to ensure we are always striving to a secure and compliant state?

- How does Security impact and/or influence Compliance?

- How does Compliance impact and/or influence Security?

- How do you balance these extremes: "We will be Secure and ignore compliance" vs. "We will be compliant but ignore security"

Guests

Alex Wood
Alex Wood
CISO at The Anschutz Corporation

Alex Wood has over 20 years of experience in Information Security is currently the CISO for The Anschutz Corporation. Alex has managed security programs and services at major companies across verticals, including telecommunications, energy, healthcare, entertainment, travel, and financial services. Additionally, Alex has served as a Director on the International Board of the Information System Security Association (ISSA) and is Past-President of the ISSA Denver Chapter. Alex is also Co-host of the Colorado = Security Podcast. Alex received a Bachelor of Arts from Grinnell College and a Masters of Applied Science in Computer Information Systems Security from the University of Denver.

Jim Hietala
Jim Hietala
VP, Security at The Open Group

Jim Hietala, is Vice President, Security for The Open Group, where he manages security and risk management programs and standards activities, He has participated in the development of several industry standards including O-ISM3, O-ESA, and the Open FAIR Body of Knowledge. He led the development of the Open FAIR standards and the certification program for risk analysts, and a joint Open Group and SIRA risk management practices survey project. He also led the development of compliance and audit guidance for the Cloud Security Alliance’s v2 publication.

Jon Fredrickson
Jon Fredrickson
Information Security & Privacy Officer at Blue Cross & Blue Shield of Rhode Island

Jon Fredrickson is the Information Security and Privacy Officer for Blue Cross and Blue Shield of Rhode Island. He graduated from the University of Rhode Island with a B.A. in Economics. Prior to joining BCBSRI, Jon was the CISO of Southcoast Health and has had various other IT Security positions in healthcare, services and manufacturing. During the past 12 years of working in the IT security field, Jon has developed a pragmatic approach to implementing cybersecurity solutions and assisting his organizations in properly measuring and managing cyber and privacy risk. Jon is a member of the Association for Executives in Healthcare Information Security, the Healthcare Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), and is a Certified Information Security Manager.

Ron Gula
Ron Gula
President at Gula Tech Adventures

Ron is President at Gula Tech Adventures which focuses on cyber technology, cyber policy and recruiting more people to the cyber workforce. Since 2017, GTA has invested in dozens of cyber start-ups and funds and supported multiple cyber nonprofits and projects. From 2002 to 2016, Ron was the co-founder and CEO of Tenable Network Security. He helped grow the company to 20,000 customers, raise $300m in venture capital and grow revenues to $100m, setting up the company for an IPO in 2018. Prior to Tenable, Ron was a cyber industry pioneer and developed one of the first commercial network intrusion detection systems called Dragon, ran risk mitigation for the first cloud company, was deploying network honeypots in the mid 90s for the DOD and was a penetration tester for the NSA and got to participate in some of the nation’s first cyber exercises. Ron is involved in a variety of cyber nonprofits and think tanks including Defending Digital Campaigns, the Center for Internet Security, the National Security Institute and the Wilson Center. In 2020, Ron was honored to receive the Northern Virginia Technology Council Cyber Investor of the Year award and the Baltimore Business Journal Power 10 CEO award.

Wendy Nather
Wendy Nather
Head of Advisory CISOs at Duo Security at Cisco

Wendy Nather leads the Advisory CISO team at Cisco. She was previously the Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), and served as CISO of the Texas Education Agency. She was inducted into the Infosecurity Europe Hall of Fame in 2021. Wendy serves on the advisory board for Sightline Security, and is a Senior Cybersecurity Fellow at the Robert Strauss Center for International Security and Law at the University of Texas at Austin.

Hosts

April Wright
April Wright
Preventative Security Specialist at Architect Security
Jeff Man
Jeff Man
Information Security Evangelist at Online Business Systems
Josh Marpet
Josh Marpet
Executive Director at RM-ISAO
Larry Pesce
Larry Pesce
Principal Managing Consultant and Director of Research & Development at InGuardians
Matt Alderman
Matt Alderman
VP, Product at Living Security
Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Scott Lyons
Scott Lyons
CEO at Red Lion

3. Security History – Lessons from the past – PSW #632

The history of security can be traced back to a variety of different sources. The amount of articles on the topic is dizzying. Most will cite names of early phone phreaks, Kevin Mitnick, Kevin Poulsen, Steve Jobs, Steve Wozniak and quickly transition to many other more recent "hacks" or breaches. Our goal is to not review the history of hacking. This is the history of security. We've carefully chosen key events and research to discuss the very beginnings of security, and their impact and lessons for today's ever-evolving security landscape.

Guests

Jayson E. Street
Jayson E. Street
VP of INFOSEC at SphereNY

Jayson E. Street is an author of the “Dissecting the hack: Series”. Also the DEF CON Groups Global Ambassador. Plus the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon and at several other ‘CONs and colleges on a variety of Information Security subjects. He was a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006.

Jeremiah Grossman
Jeremiah Grossman
Founder & CEO at Bit Discovery

Jeremiah Grossman is a world-renowned expert in information security, a highly acclaimed security researcher, and an industry innovator. Over the last 20 years, Jeremiah pioneered application security as the founder of WhiteHat Security and served as Chief of Security Strategy for SentinelOne, focusing on ransomware and EDR. Today, as CEO of Bit Discovery, he’s taking on arguably the hardest and most important unsolved problem in the entire industry — attack surface management.

Ron Gula
Ron Gula
President at Gula Tech Adventures

Ron is President at Gula Tech Adventures which focuses on cyber technology, cyber policy and recruiting more people to the cyber workforce. Since 2017, GTA has invested in dozens of cyber start-ups and funds and supported multiple cyber nonprofits and projects. From 2002 to 2016, Ron was the co-founder and CEO of Tenable Network Security. He helped grow the company to 20,000 customers, raise $300m in venture capital and grow revenues to $100m, setting up the company for an IPO in 2018. Prior to Tenable, Ron was a cyber industry pioneer and developed one of the first commercial network intrusion detection systems called Dragon, ran risk mitigation for the first cloud company, was deploying network honeypots in the mid 90s for the DOD and was a penetration tester for the NSA and got to participate in some of the nation’s first cyber exercises. Ron is involved in a variety of cyber nonprofits and think tanks including Defending Digital Campaigns, the Center for Internet Security, the National Security Institute and the Wilson Center. In 2020, Ron was honored to receive the Northern Virginia Technology Council Cyber Investor of the Year award and the Baltimore Business Journal Power 10 CEO award.

Winn Schwartau
Winn Schwartau
Security Theoretician at WinnSchwartau.Com

Winn Schwartau: A Brief Bio

“After talking to Winn for an hour and a half, you’re like, what the f*** just happened? – Bob Todrank

Winn has lived Cyber Security since 1983, and now says, “I think, maybe, I’m just starting to understand it.” His predictions about the internet & security have been scarily spot on. He coined the term “Electronic Pearl Harbor” while testifying before Congress in 1991 and showed the world how and why massive identify theft, cyber-espionage, nation-state hacking and cyber-terrorism would be an integral part of our future. He was named the “Civilian Architect of Information Warfare,” by Admiral Tyrrell of the British MoD.
His new book, “Analogue Network Security” is a mathematical, time-based and probabilistic approach to justifiable security. His goal is to provide a first set of tools and methods to “fix security and the internet”, including fake news, spam, phishing, DDoS and more. It will twist your mind.

Fellow, Royal Society of the Arts
Distinguished Fellow: Ponemon Institute
International Security Hall of Fame: ISSA
Top-20 industry pioneers: SC Magazine.
Top 25 Most Influential: Security Magazine
Top 5 Security Thinkers: SC Magazine.
Power Thinker and one of the 50 most powerful people: Network World.
Top Rated (4.85/5) RSA Speaker
Top Rated Webinar: 4.56 (ISC2)
.001% Top Influencer RSAC-2019

Author: Pearl Harbor Dot Com (Die Hard IV), 3 volumes of “Information Warfare,” “CyberShock”, “Internet and Computer Ethics for Kids”, “Time Based Security” (More on his web site.)
Founder: www.TheSecurityAwarenessCompany.Com
Founder: www.InfowarCon.Com
Executive Producer: “Hackers Are People Too”

Hosts

April Wright
April Wright
Preventative Security Specialist at Architect Security
Doug White
Doug White
Professor at Roger Williams University
Jack Daniel
Jack Daniel
Security Wizard at Co-Founder of Security BSides
Jason Albuquerque
Jason Albuquerque
Chief Operating Officer at Envision Technologies
Jeff Man
Jeff Man
Information Security Evangelist at Online Business Systems
Larry Pesce
Larry Pesce
Principal Managing Consultant and Director of Research & Development at InGuardians
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Matt Alderman
Matt Alderman
VP, Product at Living Security
Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
prestitial ad