The Security Table is four cybersecurity industry veterans from diverse backgrounds discussing how to build secure software and all the issues that arise!
…
continue reading
1
Numb to Data Breaches, and How it Impacts Security of the Average Feature
32:22
32:22
Play later
Play later
Lists
Like
Liked
32:22
In this episode of the Security Table with Chris Romeo, Izar Tarandach, and Matt Coles, the team dives into the evolving landscape of modern security approaches. They discuss the shift from strategy to tactics, the impact of data breaches, and why people are becoming numb to such incidents. The episode also touches on the importance of understandin…
…
continue reading
In this episode of the Security Table, our hosts discuss the concept of the 'Shared Fate Model' in cloud security. The conversation explores how this model builds on the shared responsibility model and the implications for cloud service providers and consumers. From robust default security measures to the historical evolution of ISPs, the discussio…
…
continue reading
In this episode of The Security Table, hosts Chris Romeo, Izar Tarandach, and Matt Coles dive into the evolving concept of threat models, stepping beyond traditional boundaries. They explore 'Rethinking Threat Models for the Modern Age,' an article by author Evan Oslick. Focusing on user behavior, alert fatigue, and the role of psychological accept…
…
continue reading
In this episode of The Security Table Podcast, hosts ChriS, Izar and Matt dive into the recent statement by CISA's Jen Easterly on the cybersecurity industry's software quality problem. They discuss the implications of her statement, explore the recurring themes in security guidelines, and debate whether the core issue is with people or technology.…
…
continue reading
1
The Intersection of Hardware and Software Security
30:25
30:25
Play later
Play later
Lists
Like
Liked
30:25
In this episode of The Security Table, Chris, Izar, and Matt discuss an article that discusses threat modeling in the context of hardware. They explore the intersection of hardware and software security, the importance of understanding attack surfaces, and the challenges posed by vulnerabilities in hardware components, such as speculative execution…
…
continue reading
Join us in this episode of The Security Table as we dive into the world of cybersecurity, starting with a nostalgic discussion about our favorite security-themed movies like 'Sneakers,' 'War Games,' and 'The Matrix.' We then shift gears to explore a critical topic in modern computing: the vulnerabilities and implementation issues of Secure Boot. Di…
…
continue reading
Join Chris, Izar, and Matt as they sit around the Security Table to dissect and discuss the different stages of dealing with security incidents. In this episode, they explore the developer's stages of grief during an incident, and discuss a recent large-scale IT incident. They share insights from their multi-decade experience in security, analyze t…
…
continue reading
In this episode of 'The Security Table,' we are back from our midsummer break to discuss OpenSSH regression vulnerability. We dig into the nuances of this race condition leading to remote code execution, explore the chain of security updates, and the role of QA in preventing such regressions. We debate the necessity of SSH in modern cloud-native en…
…
continue reading
1
Rethinking Security Conferences: Engagement and Innovation
26:04
26:04
Play later
Play later
Lists
Like
Liked
26:04
In this episode Chris, Matt, and Izar discuss the current state of security conferences and gatherings for professionals in the field. They discuss the value and viability of different types of gatherings, the importance of networking and community-building at events, innovative approaches to conference formats and the need for something more engag…
…
continue reading
1
Privacy vs. Security: Complexity at the Crossroads
35:48
35:48
Play later
Play later
Lists
Like
Liked
35:48
In this episode of the Security Table, Chris, Izar, and Matt delve into the evolving landscape of cybersecurity. The episode has a humorous start involving t-shirts and Frogger as a metaphor for the cybersecurity journey, the conversation shifts to the significant topic of cybersecurity being at a crossroads as suggested by a CSO Online article. Th…
…
continue reading
1
Security, Stories, Jazz and Stage Presence with Brook Schoenfield
52:04
52:04
Play later
Play later
Lists
Like
Liked
52:04
In this episode of 'The Security Table,' hosts Chris Romeo, Izar Tarandach, and Matt Coles are joined by Brook Schoenfield, a seasoned security professional, to share insights and stories from his extensive career. The conversation covers Brook's experience in writing books on security, lessons learned from his 40-year career, and personal anecdote…
…
continue reading
1
Debating the CISA Secure by Design Pledge
39:41
39:41
Play later
Play later
Lists
Like
Liked
39:41
In this episode of 'The Security Table,' hosts Chris Romeo, Matt Coles, and Izar Tarandach discuss the CISA Secure by Design Pledge, a recent initiative where various companies commit to improving software security practices. The hosts critique the pledge, arguing that many of the signatory companies have long been focused on software security, mak…
…
continue reading
1
Why Developers Will Take Charge of Security, Tests in Prod
48:10
48:10
Play later
Play later
Lists
Like
Liked
48:10
The script delves into a multifaceted discussion encompassing critiques and praises of book-to-movie adaptations like 'Hitchhiker's Guide to the Galaxy', 'Good Omens', and 'The Chronicles of Narnia'. It then transitions to a serious examination of developers' evolving role in security, advocating for 'shift left' and DevSecOps approaches. The conve…
…
continue reading
Chris, Matt and Izar share their thoughts on an article published by Carnegie Mellon University’s Software Engineering Institute. The list from the article covers various threat modeling methodologies such as STRIDE, PASTA, LinDoN, and OCTAVE methodology for risk management. They emphasize the importance of critical thinking in the field, provide i…
…
continue reading
1
XZ and the Trouble with Covert Identities in Open Source
43:54
43:54
Play later
Play later
Lists
Like
Liked
43:54
Matt, Izar, and Chris delve into the complexities of open source security. They explore the topics of trust, vulnerabilities, and the potential infiltration by malicious actors. They emphasize the importance of proactive security measures, the challenges faced by maintainers, and propose solutions like improved funding models and behavior analysis …
…
continue reading
Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as being outdated, time-consuming, and does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good inst…
…
continue reading
Chris, Matt, and Izar discuss a recent Secure by Design Alert from CISA on eliminating SQL injection (SQLi) vulnerabilities. The trio critiques the alert's lack of actionable guidance for software manufacturers, and they discuss various strategies that could effectively mitigate such vulnerabilities, including ORMs, communicating the why, and the i…
…
continue reading
1
How I Learned to Stop Worrying and Love the AI
42:19
42:19
Play later
Play later
Lists
Like
Liked
42:19
Dive into the contentious world of AI in software development, where artificial intelligence reshapes coding and application security. We spotlight the surge of AI-generated code and the incorporation of copy-pasted snippets from popular forums, focusing on their impact on code quality, security, and maintainability. The conversation critically exa…
…
continue reading
1
Secure by Default in the Developer Toolset and DevEx
43:46
43:46
Play later
Play later
Lists
Like
Liked
43:46
Matt, Chris, and Izar talk about ensuring security within the developer toolset and the developer experience (DevEx). Prompted by a recent LinkedIn post by Matt Johansen, they explore the concept of "secure by default" tools. The conversation highlights the importance of not solely relying on tools but also considering the developer experience, sug…
…
continue reading
1
Debating the Priority and Value of Memory Safety
34:58
34:58
Play later
Play later
Lists
Like
Liked
34:58
Chris, Izar, and Matt tackle the first point of the recent White House report, "Back to the Building Blocks: a Path toward Secure and Measurable Software." They discuss the importance of memory safety in software development, particularly in the context of critical infrastructure. They also explore what memory safety means, citing examples like the…
…
continue reading
Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword - while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs…
…
continue reading
1
Prioritizing AppSec: A Conversation Between a VP of Eng, a Product Manager, and a Security "Pro"
37:09
37:09
Play later
Play later
Lists
Like
Liked
37:09
Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager. They explore some of the challenges and competing perspectives involved in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and buildin…
…
continue reading
1
Villainy, Open Source, and the Software Supply Chain
32:02
32:02
Play later
Play later
Lists
Like
Liked
32:02
Matt, Izar, and Chris have a lively discussion about how security experts perceive open-source software. Referencing a post that described open source as a 'hive of scum and villainy,' the team dissects the misconceptions about open source software and challenges the narrative around its security. They explore the complexities of the software suppl…
…
continue reading
1
Adam Shostack -- Thinking like an Attacker and Risk Management in the Capabilities
46:23
46:23
Play later
Play later
Lists
Like
Liked
46:23
Threat modeling expert Adam Shostack joins Chris, Izar, and Matt in this episode of the Security Table. They look into threat actors and their place in threat modeling. There's a lively discussion on risk management, drawing the line between 'thinking like an attacker' and using current attacker data to inform a threat model. Adam also suggests tha…
…
continue reading
1
Bug Bounty Theater and Responsible Bug Bounty
27:13
27:13
Play later
Play later
Lists
Like
Liked
27:13
Izar, Matt, and Chris discuss the effectiveness of bug bounty programs and delve into topics such as scoping challenges, the ethical considerations of selling exploits, and whether it is all just bug bounty theater. The hosts share their insights and opinions on the subject, providing a thought-provoking discussion on the current state of bug bount…
…
continue reading
This week around the Security Table Matt, Izar and Chris discuss the recently-published Threat Modeling Capabilities document. They explore how capabilities serve as measurable goals that organizations either possess or lack, contrasting the binary nature of capabilities with the continuum of maturity. The team shares insights on the careful defini…
…
continue reading
Chris, Izar, and Matt address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues in this Security Table roundtable. Sparked by a LinkedIn post from Bob Lord, Senior Technical Advisor at CISA, they discuss whether software companies have a civic duty to distribute fixes for vulnerabilit…
…
continue reading
Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Sof…
…
continue reading
1
The Impact of Prompt Injection and HackAPrompt_AI in the Age of Security
1:04:38
1:04:38
Play later
Play later
Lists
Like
Liked
1:04:38
Sander Schulhoff of Learn Prompting joins us at The Security Table to discuss prompt injection and AI security. Prompt injection is a technique that manipulates AI models such as ChatGPT to produce undesired or harmful outputs, such as instructions for building a bomb or rewarding refunds on false claims. Sander provides a helpful introduction to t…
…
continue reading
Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offer…
…
continue reading
Patrick Garrity joins the Security Table to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast ➜LinkedIn: The Security Table Podcast ➜YouTube: The Security Table YouTube Channel Thanks for Listenin…
…
continue reading
Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software component…
…
continue reading
Join Chris, Matt, and Izar for a lively conversation about an article that offers 20 points of "essential details" to look for in a Software Bill of Materials (SBOM). They dissect and debate various points raised in the article, including generating SBOMs, the necessary components, and how to gauge the quality of this digital inventory. Their criti…
…
continue reading
1
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
20:09
20:09
Play later
Play later
Lists
Like
Liked
20:09
Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, sever…
…
continue reading
1
The Future Role of Security and Shifting off the Table
54:58
54:58
Play later
Play later
Lists
Like
Liked
54:58
The Security Table gathers to discuss the evolving landscape of application security and its potential integration with development. Chris posits that application or product security will eventually be absorbed by the development sector, eliminating the need for separate teams. One hindrance to this vision is the friction between security and engin…
…
continue reading
1
A Show About Nothing that Turned into Something
33:32
33:32
Play later
Play later
Lists
Like
Liked
33:32
The Security Table gathers this week to discuss expectations about tooling in the Application Security industry. Matt emphasizes that tools should essentially automate tasks that humans can perform but in a faster and more efficient manner. The conversation then shifts to the overwhelming nature of communication platforms like Slack. Izar highlight…
…
continue reading
Matt and Izar join in a debate with Chris Romeo as he challenges the paradigm of "scan and fix" in application security. Chris references a LinkedIn post he made, which sparked significant reactions, emphasizing the repetitive nature of the scan and fix process. His post critiqued the tools used in this process, noting that they often produce exten…
…
continue reading
The Security Table gathers to discuss the upcoming ThreatModCon 2023 (https://www.threatmodelingconnect.com), the inaugural and only conference dedicated entirely to threat modeling. ThreatModCon 2023 Sunday, October 29, 2023 Marriott Marquis Washington, DC The Threat Modeling Conference will cover various aspects of threat modeling, from AI integr…
…
continue reading
Chris Romeo, Matt Coles, and Izar Tarandach attempt to demystify the concepts of Application Security (AppSec) and Product Security (ProdSec). They find that even defining and differentiating both concepts is challenging. Various articles exist about AppSec and ProdSec, but the industry is generally confused about these terms. Discussing the role o…
…
continue reading
Imposter Syndrome is when a person feels inadequate despite their accomplishments. Not unique to the field of cybersecurity or even software development, imposter syndrome can affect any professional as they advance and grow in their area of expertise. Matt and Izar, both seasoned security professionals, openly discuss the dichotomy between their i…
…
continue reading
1
The Return on Investment of Threat Modeling
33:49
33:49
Play later
Play later
Lists
Like
Liked
33:49
The Security Table team dialogues about the importance of data and metrics in understanding and communicating risk. After Matt defines ROI, Izar emphasizes that while data is crucial, it doesn't always come in numerical form. Instead, risk can be expressed in various ways, such as trends, and doesn't necessarily need to be quantified in traditional…
…
continue reading
1
Jim Manico ❤️ Threat Modeling: The Untold Story
56:19
56:19
Play later
Play later
Lists
Like
Liked
56:19
Jim Manico joins Chris, Matt, and Izar at the Security Table for a rousing discussion on his Threat Modeling journey. They also learn about each other's thoughts about DAST, SAST, SCA, Security in AI, and several other topics. Jim is an educator at heart, and you learn quickly that he loves application security. Jim is not afraid to drop a few cont…
…
continue reading
"Secure by Design" has garnered attention with the release of a document by CISA. What does it mean? How does it fit with Threat Modeling? And do you know if Secure by Design will answer our need for secure software? "Secure by Design" means a system is designed with secure principles. The system should come pre-hardened and pre-secured, ensuring u…
…
continue reading
1
Security Champions as the Answer to Engineering Hating Security
43:54
43:54
Play later
Play later
Lists
Like
Liked
43:54
What happens when engineers transform into security champions? Is this beneficial, and what are the implications of this transformation? Izar reveals his transition from a naysayer to a supporter of security champions, and Chris and Matt seek to understand his current position. They explore the position of Security Champion and discuss the componen…
…
continue reading
There is a relationship between security professionals and engineers. Explore the possibility of engineers disliking security personnel and how security professionals can improve their relationship with engineers. Security professionals need to be empathetic, have strong soft skills, and be able to influence and embed themselves within the engineer…
…
continue reading
What is security posture? Izar was at a conference in Amsterdam, where he was asked to define security posture and how to measure it. Is security posture qualitative or quantitative, and can it be compared across teams, organizations, and departments? This led us down this rabbit hole; what is security posture, and is it even possible to measure? S…
…
continue reading
1
Should #AppSec be Part of the Development Team?
37:05
37:05
Play later
Play later
Lists
Like
Liked
37:05
The big question is if it's possible to lose the application security team and move all the functions directly into development. What are developers' roles in application security (AppSec), and what challenges do they face? We delve into developers' responsibility in ensuring security, despite not always having the necessary tools or training to do…
…
continue reading
1
Lack of Reasonable, or Everything That Is Wrong with Security Requirements
34:15
34:15
Play later
Play later
Lists
Like
Liked
34:15
How do you determine what constitutes "reasonable security" when evaluating vendors? Is “reasonable” a measure of compliance to a set standard? Is it reasonable to expect mature threat modeling practices? Some expectations are too high to be reasonable, but the minimum standard that both parties agree upon doesn’t seem like enough. Join the hosts o…
…
continue reading
Certificate pinning is a security measure used in computer networking and something Chris candidly admits to his lack of understanding. Matt and Izar explain certificate pinning, a client-side operation that adds an extra layer of security to the Transport Layer Security (TLS) protocol and ensures that the client application checks the server's cer…
…
continue reading
1
Privacy and the creepiness factor of collecting data
47:30
47:30
Play later
Play later
Lists
Like
Liked
47:30
What is privacy, and how does it intersect with security? We are joined by our first guest, Ally O'Leary, a privacy compliance expert. Ally works for a consumer electronics company, ensuring compliance with global privacy laws and acting as a data protection officer. The episode delves into the intersection of privacy and security, with Ally explai…
…
continue reading