
Resilient Cyber

Chris Hughes, www.buzzsprout.com

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.

Episodes

S4E20: Luke Hinds & Craig McLuckie - The Founders Journey & Software Supply Chain Security

- First off, can you each tell us a bit about your backgrounds and experience in the space?
- What made you all decide to found Stacklok, what gaps and opportunities in the ecosystem did you see?
- What are your thoughts around the industry's response to software supply chain security and how do you see things such as OSS and Sigstore playing a role?
- While we've seen tremendous adoption of OSS and for reasons such as speed to market, the robust OSS community, innovation and more, as ...

May 31, 2023, 38 min

S4E19: Mark Montgomery - Securing the Digital Democracy

Nikki - What does cyber resiliency mean to you?
Nikki - Can you tell us a little bit more about the Cyberspace Solarium Commission or CSC, in particular I'm interested in the promotion of national resilience. Can you talk a little bit about what that means and what's in progress at the moment?
Chris - There's been a lot of activity lately with the Cyber EO, OMB Memos, activities by NIST, publications by CISA and of course the National Cyber Strategy. How do you feel about where we...

May 26, 2023, 51 min

S4E18: Joseph Lewis - Cybersecurity & Servant Leadership

Nikki - You're a newly minted CISO and SES - how's it going? How have the first few months been in the role?
Nikki - With your background in both Academia as an Adjunct Professor and with your cyber and executive leadership experience - how important would you say the intersection of academia, research, and leadership go?
Chris - We know you're a big proponent in servant leadership. What does being a Servant Leader in Cybersecurity and more broadly in general mean to you?
Chris - ...

May 19, 2023, 22 min

S4E17: Yotam Perkal - Vulnerability Management and Modernization

Chris - To set the stage for the discussion of vulnerability management, Rezilion recently had a report that found that organizations had over 100,000 backlogged vulnerabilities. Why do you think things have gotten so bad?
Chris - Leaders also stated that they are able to patch less than half of that backlog, thousands of vulnerabilities never get addressed. Doesn't this create a situation ripe for malicious actors to exploit?
Nikki - You have a background in both data science and security ...

May 12, 2023, 33 min

S4E16: Alfredo Hickman - SaaS Security & Third-Party Risk Management

Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive?
Chris - SaaS obviously involves a lot of third-party integrations. What are the risks of these ungoverned integrations and can they have a cascading impact if one of the providers has an incident?
Nikki - Chris and I have talked a lot about software security, SBOM's, and what does open source security look like. As a leader in the cybersecurity community, what...

May 05, 2023, 27 min

S4E15: Tom Pace - Firmware, IoT and Cyber Physical Systems (CPS)

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?
Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. At NetRise, you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?
Nikki: You just announced the launch of ETHOS - a cooperation between several o...

Apr 28, 2023, 37 min

S4E14: Josh Reiter - U.S. Navy Workforce and Cyber Superiority

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?
Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession?
Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN. In our discussions of digital modernization, the focus ...

Apr 21, 2023, 34 min

S4E12: Kristin Saling - U.S. Army Workforce Modernization & Analytics

Nikki - First - tell me a little bit about yourself and your background.
Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR?
Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful?
Chris - We know the DoD has historically struggled to attract and ...

Apr 07, 2023, 24 min

S4E11: John Speed Meyers - Data Science & Software Supply Chain Security

Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?
Chris: You have done a lot of research into software supply chain security, and of course SBOM's. One recent study you took a look at the quality of SBOM's in the OSS ecosystem, compared to say the NTIA defined minimum elements ...

Mar 31, 2023, 37 min, Season 4, Ep. 11

S4E10: Lily Zeleke - DoD Cloud & Software Modernization

Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and career.
Chris: We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey?
Nikki: There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What ...

Mar 27, 2023, 30 min

S4E9: Resilient Cyber Show w/ Day Johnson

Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security?
Nikki - I see you do a lot of work in Cybersecurity and cloud education, do you feel like we have better tools and resources today than a few years ago? Or too many resources?
Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering can you tell us a bit about it and the role it plays in Cloud Security?
C...

Mar 24, 2023, 28 min

S4E8: Jim Dempsey - Cyber Policy & Regulation

Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYFDS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law?
Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity on the vendor or those best positioned to address it....

Mar 10, 2023, 45 min

S4E7: Jeff Williams - DevSecOps and Application Security (AppSec)

Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic?
Nikki: I saw you spoke to Ron Ross recently, we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you...

Mar 04, 2023, 42 min

S4E6: Matt Cronin - Cyber Law & National Cyber Strategy

Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law?
Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus say an authoritative regime or nation?
Chris: I know you have a background with the DoJ and U.S. Attorney's office, a...

Feb 24, 2023, 39 min

S4E5: Robert Wood - The Soft Side of Cyber

Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity?
Chris: I'm curious about your perspective on how to help people build soft skills, much like technical skills, some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and find dealing with people intimidating?
Nikki: I wanted to first talk about the Learning resources you have ...

Feb 12, 2023, 35 min

S4E4: Derek Fisher - The AppSec Handbook

Nikki: My first question is about your book, The Application Security Handbook - who do you think most benefits from this type of book and why do you think they need it?
Nikki: What inspired you to write this? You have a ton of experience from being a security architect, to working in an IAM group, to application security - I would imagine all of that expertise allows you to see application security through a unique lens.
Chris: In your book you touch on the dichotomy of shifting security left w...

Feb 03, 2023, 37 min

S4E3: Dr. Nikki Robinson - Bridging the Gap with IT and Security

- Can you tell us a bit about the book, what made you want to write it and how you settled on this topic?
- Historically IT and Security have been at odds, often feeling like the other party is conflicting with their goals and responsibilities. Why do you think this is?
- Do you think the push for DevSecOps and breaking down silos between Security and Operations (and Development) has helped at all?
- Your book talks about emotional intelligence, empathy and non-technical traits. How critical do ...

Jan 27, 2023, 27 min

S4E2: Karen Scarfone - Secure Software Development & NIST

Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next?
Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that? How it came about after the Cyber EO and your experience writing it?
Chris - We know OMB is now requiring Federal agencies to start to self-attest to secure software development practices, specifically SSDF...

Jan 15, 2023, 26 min

S4E1: Stephen Carter - The Vulnerability Management Landscape

Nikki: To start us off, I'm curious about your opinion on the current state of vulnerability management guidance and documentation available for organizations. There are some references from NIST, but a lot of it centers around compliance.
Chris: How do you think things such as Cloud, DevSecOps and shift-left security have changed vulnerability management?
Nikki: Can you talk a little bit about what organizations and their vulnerability management programs should be working on right now? Wi...

Jan 09, 2023, 28 min

S3E28: Chris Hetner - Cyber, the Board and Regulations

Nikki - I wanted to start with the major explosion of ransomware and ransomware-as-a-service across all industries. This seems like a good starting point for why cybersecurity advisors belong in the boardroom. Do you think the sophistication and ease of purchase with ransomware should be part of the conversation to bring more cyber experts in?
Nikki - You made a post recently about the vast cybersecurity risk that API's pose to organizations. API security has been top of mind given how prev...

Dec 16, 2022, 46 min

S3E27: Varun Badhwar - OSS Governance and Vulnerability Management

- Before we dive into the technical topics, you're a repeat Founder, including some acquisitions of firms you've founded. Can you tell us a bit about that Founders journey and what leads you to creating organizations?
- Something you've been focused on a lot lately is Software Supply Chain Security. Why is this such a complicated topic, and has it always been, or do you feel it is increasingly complex?
- One of the challenges organizations have around OSS use is OSS Governance and...

Nov 28, 2022, 33 min

S3E26: Mark Curphey - Challenges in SCA/SBOM and Modernizing OWASP

- You recently wrote an article about the SBOM Frenzy being Pre-Mature. For those not familiar with SBOM's, what is an SBOM and what has led to the frenzy as you call it?
- In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOM's unless a build occurs on two identical machines. Can you explain why that is?
- What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things su...

Nov 12, 2022, 36 min

S3E25: Richard Stiennon - Cyber Industry Research and Analysis

Nikki: With your latest book, the Security Yearbook for 2022, this is the third iteration of the series right? It started in 2020 and has only grown since then. Can you talk a little bit about why you started this annual compilation of research?
Nikki: For any other security practitioners or anyone in the field who's interested in writing a book or putting together a comprehensive manuscript or research, do you have any tips or advice for them to get started?
Chris: Can you tell us about yo...

Nov 12, 2022, 28 min

S3E24: Chinmayi Sharma - Tragedy of the Digital Commons

- First off, tell us a bit about your background, you were a developer prior to focusing on Law. Why the change and do you feel that technical background helps you in your legal and academic career?
- Before we dive into the specifics of the paper and topics, what led you to focus on this issue for research and publication?
- You penned an article about how modern digital infrastructure is built on a "house of cards". Can you elaborate on that?
- Your paper is broken down into several ...

Oct 27, 2022, 1 hr 1 min

S3E23: Richard Bird - Digital Identity & API Security

- Looking at your background, you've held a lot of Identity-centric roles and positions in the industry. How do you think Identity and associated security is evolving with the continued adoption of Cloud?
- Identity is obviously at the core of the conversation around Zero Trust, what do you think some of the fundamental things organizations get wrong when it comes to IAM at scale?
- You recently made the pivot from roles with a strong Identity focus to API and API Security. What drove you to m...

Oct 07, 2022, 46 min

S3E22: Steve Springett - Navigating the Digital Supply Chain

Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for some time via NTIA, CycloneDX, SCVS etc. How did you have the foresight or what drove you to focus on this topic well before many others in the industry?
Nikki: You mentioned recently the SBOM Forum and their recommendation that the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mech...

Sep 30, 2022, 44 min

S3E21: Josh Bressers - Securing Open Source Software

Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now?
Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative creative environment that is the OSS ecosystem?
Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our ...

Sep 23, 2022, 35 min

S3E20: Ken Myers - Federal ICAM & Zero Trust

Chris: What do you think some of the fundamental changes of IAM are from on-prem to cloud?
Chris: What are some of the key tradeoffs and considerations for using IDaaS offerings?
Nikki: There are a lot of solutions out there that discuss zero trust as a product or a service that can be leveraged to 'bake in' zero trust into an environment. But I'm curious on your perspective - do you think we need additional tools to configure zero trust principles, or leverage the technology at h...

Sep 20, 2022, 39 min

S3E19: Andres Vega & Andrew Clay Shafer - GRC in the Age of DevOps

- What do you think some of the primary factors are that contributed to GRC not coming along initially with the DevOps movement?
- Traditionally, what factors have plagued compliance when it comes to software delivery?
- How do some of those factors change in the era of DevOps and Cloud-native?
- Do you think regulation has a significant impact, and how can policy and regulation be improved?
- How important is it for the workforce aspect of GRC to be addressed when it comes to compliance innovat...

Sep 20, 2022, 43 min