Episodios
-
In this week's episode of the Security Repo Podcast, we dive into an unusual topic for the program, navigating the US immigration system and the challenges that many security professionals working in the US face. Join us as we discuss how to apply lessons from the world of pentesting to succeeding in the face of bureaucracy. We are joined by José A. Martinez. José is the owner of too many Pokemon games which he still hasn’t played. Born in Mexico but raised in Chicago, José loves guitars, books, cameras, and trying out new food. José worked in retail before transitioning to information security as an apprentice in a consulting firm, where he currently focuses on web application pentesting as a senior delivery analyst.Links mentioned in this episode:https://www.linkedin.com/in/jose-martinez-castro/
-
In this week's episode of the Security Repo Podcast, we turn our attention to STIR/SHAKEN, a requirement for US cell phone carriers that has been implemented to stop SPAM robocalls. We also look at password policies and research into how to make better passwords.
We are joined by Per Thorsheim. Per is the founder and main organizer of PasswordsCon, the first conference dedicated to passwords, pins and anything related to digital authentication. He has been working in infosec for 30 years, and claims to know your next password. His bio on Linkedin has more information if you’re interested.
Links mentioned in this episode:
https://www.linkedin.com/in/thorsheim/
https://mastodon.social/@thorsheim
https://www.fcc.gov/call-authentication
-
¿Faltan episodios?
-
In this episode of The Security Repo Podcast, we look at how we satisfy the goals of compliance and security, which might seem like they would be the same thing, yet are not. We are joined by David Hawthorne. David is a technology factotum with 20 years of experience across system administration, data and software architecture, and DevOps. As the Director of Cloud Engineering at O3 Solutions, David successfully led SOC 2 and GRC initiatives. He is dedicated to delivering business value through automation and analytics and actively contributes to the DevSecOps and data communities as a speaker and mentor.We will discuss the role of the compliance audit and what frameworks like SOC2 were supposed to solve. We dive into the approach of supporting and empowering teams as a lifeguard as opposed to being a police officer yelling "no" all the time. By the end, David shares some practical advice for growing your team and staying safe as you scale.Links mentioned in this episode:http://davidhawthorne.comhttps://github.com/shellninja
-
In this episode of The Security Repo Podcast, we broach a wide variety of topics, ranging from The Theory of Constraints, source control horror stories, and using scorecards to drive cross-team success. We are joined by Justin Reock, the Head of Developer Relations for Cortex.io. He is an outspoken speaker, writer, and software practice evangelist. He has over 20 years of experience working in various software roles and has delivered enterprise solutions, technical leadership, and community education on a range of topics. We start by talking about how the work of Ed Deming translates into modern software workflow and what that means for security. Branching from there, we dip into how developer and build tooling can and should include security. The one thing all developers have in common is source control, and Justin's background lets him share a few stories that are not to be missed. We end with a new twist on Best Advice/Worst Advice that gives us deeper insight into our guest. Thanks for tuning into this episode. Links mentioned in this episode:https://www.linkedin.com/in/justinreock/OpenRewrite and Modern https://www.moderne.ai/blog/overview-...Pre-frontal cortex podcast - https://podcasts.apple.com/us/podcast... IDPcon.com - https://idpcon.com/
-
In this episode of The Security Repo Podcast, we take a look at how to do secrets rotation in a highly available systems reliably.
We are joined by Kenton McDonough. Kent got his MS in Computer Science from Virginia Tech in 2021 with a focus on systems and networking. He currently does security automation for Viasat Inc, a global Satellite internet service provider, with an emphasis on credential management and RBAC systems.
We walk through the tech stack that Kent works with, which includes a little of everything. We revisit his talk topic at BSides as Vegas 2024 with a discussion of 'blue/green' secrets rotation. By the end, we uncover some best practices to keep in mind when architecting a scalable, highly available application with regard to secrets management.
Links shared in the episode:
kent07[at]bt.edu
"Zero downtime credential rotation" at BSides Las Vegas 2024
https://www.youtube.com/live/b22uT4pYpk8?feature=shared&t=17092
-
In this episode of The Security Repo Podcast, let's talk about the largest IT threat outside of IT, and maybe out of the line of site of Security teams, Shadow IT.
We are joined by Garrett Gross, a seasoned cybersecurity professional with over twenty years of experience. Garrett currently holds the position of Head of Product Success at Nudge Security. His primary focus is on implementing innovative strategies to address SaaS sprawl and mitigate the risks associated with shadow IT. With a strong background in security operations, incident response, and threat research, Garrett's expertise and dedication to the field are evident. He actively contributes to the cybersecurity community by collaborating with organizations such as OWASP and ISSA, aiming to elevate industry standards and best practices.
We start with a look at how bad the issue of shadow IT really is today and what it is potentially costing companies. From there, we talk about how blocking people from working is a less-than-optimal way to implement security since people will often bypass those restrictions. By the end, we discuss the idea of nudging people, using guardrails, and some clever automation, to do the right thing and improve security for us all.
Links from this episode:
https://www.linkedin.com/in/garretthgross/
https://nudgesecurity.com
https://www.nudgesecurity.com/our-approach
-
We have had so much fun making The Security Repo Podcast, and we hope you have learned as much as we have along the way. The tides of change have finally reached our shore, and we are sad to announce the departure of Mackenzie Jackson, our original founder, producer, and co-host of the podcast, from our regular episodes. We wish him much success in his new adventures. We are also announcing a brand new chapter in the history of the program. Dwayne McDaniel will now be joined weekly by Kayssar Daher, the head of security at GitGuardian. As an active security practitioner, Kayssar asks different kinds of questions that we know you will most find insightful and engaging. We have some amazing things planned for the future of the show. Thank you for listening and being part of the Security Repo Podcast community.
-
In this episode of The Security Repo Podcast, we explore all things Data Loss Prevention (DLP).
We are joined by Daniel Jay, Senior Director of Product Management at GTB Technologies.
We start with a quick high-level of the topic of Data Loss Prevention and how we met at the RSA Conference 2024. By the end, we turn the conversation to AI and balance the risks of using LLMs with faster output.
Links mentioned in this episode:
https://www.linkedin.com/in/daniel-jay-a683b635/
GTTB.com
-
In this episode of The Security Repo Podcast, we look at security automation and how we can engineer our way to better security overall.
We are joined, once again by Huxley Barbee, who has been a fixture of the security community for over 20 years. Professionally, he was a security consultant working with customers in finance, insurance, manufacturing, and higher education. Currently, he leads the security engineering group at a fintech company. Beyond the day job, he is also active in the security and hacker community. He started attending DEF CON in the late 90s, has spoken at many conferences throughout the US, and is the lead organizer for BSidesNYC. He lives in New York. You should connect with him on social media, buy him a drink, or both.
We start with a great discussion of what to automate and what not to automate when thinking about security. From there, we explore the role of AI in the security tool belt and how we can best leverage it to improve our posture. By the end, we get some updates about BSides NYC and elsewhere.
Links from this episode:
Previous Appearance:
https://youtu.be/vDNPsAPnSDc
Socials:
https://www.linkedin.com/in/jhbarbee/
BSides NYC:
https://bsidesnyc.org/
-
In this episode of The Security Repo Podcast, we take a look at the role developer training and awareness have in improving security.We are joined by Chris Lindsey, Application Security Evangelist at Mend.io. He is a seasoned speaker who has appeared at conferences, webinars, and private events. Chris draws on expertise from more than 15 years of direct security experience leading and building security programs and over 35 years of experience leading teams in programming software, solutions, and security architecture.We start with how training and awareness are the start of the process but not all that is needed. From there, we discuss developer tooling vs security tooling and what gaps exist. By the end, we get into AI and how to think about a future with auto-remediation. Links from this episode:https://www.linkedin.com/in/chris-lindsey-39b3915/
-
In this episode of The Security Repo Podcast, we dive deep into how AI is helping the Red, Blue, and Purple teams and how we can leverage ChatGPT to stay ahead of attackers. We are joined once again by Jason Haddix Founder, CEO and Head of Training at Arcanum Information Security. He is also the creator of the Arcanum Cyber Security Bot:https://chatgpt.com/g/g-HTsfg2w2z-arcanum-cyber-security-botListen in to find out what you have been missing about AI. https://www.linkedin.com/in/jhaddix/
-
In this episode of The Security Repo Podcast, we dive deep into a rather troubling phenomenon: scammers who target senior citizens. We are joined by Anita Nikolich, a speaker and a university-based cybersecurity researcher specializing in network security and cryptocurrency analytics. She joins us as the founder and co-principal Investigator of DART, a collective of researchers, security experts, game designers, and community-based organizations who have come together to combine their expertise and passion to develop the Deception Awareness and Resilience Training (DART) platform. We discuss real-world examples, the realities of scammers and cybercrime, and why they target the people they attack. We also get into how the DART collective is working to ensure we raise awareness in a way that affects the most people without being too heavy-handed. Anita shares some free resources to help protect the people you love and tells us how we can get involved to help.
Learn more at https://dartcollective.net/https://dartcollective.net/deepcover/
-
In this episode of The Security Repo Podcast, we dive deep into a pervasive cybersecurity issue: open data buckets. Joined by Glen Helton, Director of Information Security at a major multinational and founder of the Sky Witness Project, we explore how improperly secured cloud storage—commonly known as "open buckets"—can expose sensitive data to the world. Glen shares insights on the scale of the problem, revealing that billions of files are currently accessible to anyone with the right tools. We discuss real-world examples, the challenges of responsible disclosure, and practical advice for organizations to secure their data. Whether you're a seasoned security professional or a curious listener, this episode will make you rethink how you handle and protect data in the cloud.
-
In this episode of The Security Repo, we sit down with Jossef Harush Kadouri, a pioneer in software supply chain security and founder of Dustico, now part of Checkmarx. Jossef shares his journey from startup to acquisition, detailing the ever-evolving landscape of supply chain attacks. We explore how malicious actors are exploiting open-source ecosystems, the challenges of maintaining secure software, and practical steps developers and organizations can take to protect themselves. Whether you're a seasoned security professional or new to the field, this episode offers valuable insights into safeguarding your software's supply chain.
Show Notes: Linkedin - https://linkedin.com/in/jossef
-
This episode we are joined by Avi Douglen, Founder and CEO of Bounce Security. Avi, a key figure in the security community and former OWASP chapter chair. The discussion covers the significance of OWASP, its resources, threat modeling and Avi's personal journey within the organization.Listeners will gain insights into the concept of value-driven threat modeling and how it can enhance security measures by focusing on what truly matters for a product. Avi also shares his views on the unique challenges and risks the security community faces, the necessity of inclusivity, and the pivotal role of threat modeling in security processes.Avi also gives us his insights into the best and worst security advice they’ve encountered, providing both humorous and thought-provoking anecdotes. Whether you're a seasoned security professional or new to the field, this episode is packed with valuable takeaways on building and maintaining robust security practices. Tune in to learn from Avi’s extensive experience and his innovative approaches to securing products effectively.Show Notes: Social Media for Avi Linkedin - https://www.linkedin.com/in/avidouglenTwitter (X) - https://twAvi Douglen - Bounce Security | LinkedInitter.com/sec_tiggerBounce Security - https://www.bouncesecurity.com/Avi on OWASP - https://owasp.org/www-board-candidates/2023/avi_douglen OWASP Global Lisbon - https://owaspglobalappseclisbon2024.sched.com/avid2
-
Today we sit down with Bobby Kuzma, Director of Offensive Cyber Operations at Pro Circular and adjunct professor at the University of Washington. Bobby shares his unique journey into the world of penetration testing, including how he accidentally acquired his CISSP certification. We delve into the fascinating world of offensive security, discussing the highs and lows of pen testing, the importance of creativity in cybersecurity, and Bobby’s current work on leveraging AI to enhance security testing. Tune in for an insightful conversation filled with real-world stories, expert advice, and a look at the future of cybersecurity.Show NotesBobby’s Linkedin - https://www.linkedin.com/in/bobbykuzma/ Introduction - 0:00 Accidentally getting CISSP - 1:09Talking about failures in pen-testing - 6:33 Stories when things go wrong - 9:30 Legal issues with pen-testing - 17:30 Have you been arrested? 21:00What advice would you give to your younger self - 23:00 Best and Worst - 28:16
-
Today we welcome J Wolfgang Goerlich, an advisory CISO, mentor, and strategist. We delve into the intricacies of security design frameworks and the importance of building and maintaining relationships in the cybersecurity field. Wolfgang shares his expertise on creating effective security programs, fostering trust within teams, and navigating the challenges of the CISO role. Tune in to gain valuable insights on cybersecurity strategy and the significance of collaborative relationships in achieving security goals.
Show Notes:
Linkedin: https://www.linkedin.com/in/jwgoerlich/
X / Twitter: https://x.com/jwgoerlich
Website: https://jwgoerlich.com/
Securing Sexuality: https://www.securingsexuality.com/
Introduction - 0:00
Security Design Framework - 1:00
Security obstacles & user experience - 6:50
Become a CISO - 9:05
Wolfgang's journey to CISO - 12:50
Managing relationships in security - 17:10
Building effective teams - 28:30
Best and Worst - 29:40
-
Today we dive into the fascinating world of nuclear energy and cybersecurity with Andrew Elliot, a senior manager at KPMG's cybersecurity team. Andrew shares his journey from a nuclear engineer to a cybersecurity expert, providing unique insights into the importance of security culture, the resurgence of nuclear energy, and the critical role of cybersecurity in protecting critical infrastructure. Tune in to explore the complexities of nuclear security, the significance of cybersecurity training, and the future of energy security.
Show Notes:
Linkedin - https://www.linkedin.com/in/andrew-elliot-3a25b95b/
0:00 - Introduction
1:07 - Getting started in nuclear energy
3:35 - Resurgence in nuclear
9:55 - Nuclear security to KPMG
12:15 - Effective security exercises
16:20 - Lessons from nuclear security
19:45 - The goal of security in companies
21:50 - Opinion on Cyber Insurance
26:50 - Where /when to invest in security
32:02 - Best and Worst
-
In this episode of The Security Repo, we dive deep into the world of threat modelling with Paul McCarty, a veteran in the field of DevSecOps and founder of SecureStack. Paul shares his journey from being a Unix admin to working with high-profile organizations like NASA and GitLab. We explore the essentials of threat modeling, the significance of cloud-native security, and frameworks he has developed for threat modeling like TVPO. Tune in to learn how to stay ahead in the ever-evolving landscape of cybersecurity.
Show Notes
Paul’s GitHub https://github.com/6mile
DevSecOps Playbook - https://github.com/6mile/DevSecOps-Playbook
Secure Code Red training - https://sourcecodered.com/Linkedin - https://www.linkedin.com/in/mccartypaul/
Introduction: 0:00
Pauls Journey: 1:10
the Cloud Native Mission: 2:55
Pauls History with Threat Modeling: 4:00
TVPO Framework for Threat Modeling 6:52
When Should Companies Start Threat Modeling 10:15
When to Threat Model: 12:00
Unique Risks of Threat Modelling Open-Source 13:50
Red Team Code Puppets: 21:48
Best and Worst: 28:00
-
In this episode of The Security Repo, we dive into the fascinating world of cybersecurity with JR Johnson, a seasoned information security professional with over 14 years of experience. JR shares his journey from web development to penetration testing and cybersecurity consulting, highlighting the unique challenges faced by higher education institutions. Tune in to learn about the complexities of securing university networks, the importance of foundational security practices, and JR's expert advice for both IT professionals and students. Whether you're interested in cybersecurity or work in academia, this episode offers valuable insights into protecting educational environments in the digital age.Social Media for JR X (Twitter): https://x.com/infosecjr Linkedin: https://www.linkedin.com/in/jr-johnson-853952203/
- Mostrar más
