Jim Manico joins Chris, Matt, and Izar at the Security Table for a rousing discussion on his Threat Modeling journey. They also learn about each other's thoughts about DAST, SAST, SCA, Security in AI, and several other topics. Jim is an educator at heart, and you quickly learn that he loves application security. Jim is not afraid to drop a few controversial opinions and even a rap! Jim discusses the importance of static application security testing (SAST) and how it is becoming increasingly impo...
Aug 22, 2023•56 min•Season 1, Ep. 25
"Secure by Design" has garnered attention with the release of a document by CISA. What does it mean? How does it fit with Threat Modeling? And will Secure by Design answer our need for secure software? "Secure by Design" means security is built into a system from the start of its design, not bolted on afterward. On the other hand, "Secure by Default" means the system comes pre-hardened, so users don't have to configure it for security after installation: the system is configured correctly ...
Aug 15, 2023•39 min
What happens when engineers transform into security champions? Is this beneficial, and what are the implications of this transformation? Izar reveals his transition from a naysayer to a supporter of security champions, and Chris and Matt seek to understand his current position. They explore the position of Security Champion and discuss the components of a good security champion program. Matt defines security champions as developers with influence who can be a bridge between security and engineer...
Aug 01, 2023•44 min•Season 1, Ep. 23
There is a relationship between security professionals and engineers. We explore why engineers sometimes dislike security personnel and how security professionals can improve that relationship. Security professionals need empathy and strong soft skills, and they must be able to influence and embed themselves within the engineering team. Managing resources matters, as does avoiding the feeling that security is always looking over engineers' shoulders. Being part o...
Jul 26, 2023•49 min
What is security posture? Izar was at a conference in Amsterdam, where he was asked to define security posture and how to measure it. Is security posture qualitative or quantitative, and can it be compared across teams, organizations, and departments? That sent us down a rabbit hole: what is security posture, and is it even possible to measure? Security posture is multi-dimensional, and an organization's security posture is distinct from a system's. Security activities that are reasonable to ...
Jul 18, 2023•45 min•Season 1, Ep. 21
The big question is whether it's possible to lose the application security team and move all of its functions directly into development. What are developers' roles in application security (AppSec), and what challenges do they face? We delve into developers' responsibility for ensuring security, despite not always having the necessary tools or training to do so effectively. We discuss "shifting everything left," which refers to integrating security earlier in the development process. We express concern th...
Jul 10, 2023•37 min
How do you determine what constitutes "reasonable security" when evaluating vendors? Is "reasonable" a measure of compliance with a set standard? Is it reasonable to expect mature threat modeling practices? Some expectations are too high to be reasonable, but the minimum standard that both parties agree upon doesn't seem like enough. Join the hosts of the Security Table as they discuss the importance of a reasonable security standard, one that both a vendor and the buyer can agree upon. Izar bemoa...
Jun 29, 2023•34 min•Season 1, Ep. 19
Certificate pinning is a security measure used in networked applications, and one Chris candidly admits he does not fully understand. Matt and Izar explain certificate pinning: a client-side check layered on top of the Transport Layer Security (TLS) protocol, in which the client application compares the server's certificate (or its public key) against a known copy baked into the client, rather than accepting any certificate that chains to a trusted CA. The discussion leads to a reflection on the vast amount of knowledge required in cybersecurity, emp...
Jun 20, 2023•23 min•Season 1, Ep. 18
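As an added illustration of the check described in the episode above (example code written for this page, not something from the podcast or its hosts): the client computes a pin over the certificate's SubjectPublicKeyInfo (SPKI), the form HPKP and Android's OkHttp used, and compares it against a pin set baked into the client. The certificates below are constructed inside the script from made-up key bytes and a dummy signature, so they run offline; the DER walker handles only the certificate fields needed to reach the SPKI and is not a general X.509 parser.

```python
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER element at buf[pos].

    Returns (tag, content, end), where `end` is the offset just past the
    element.  Handles short-form and long-form lengths.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    header = 2
    if length & 0x80:                                   # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[start:end], end


def _children(seq_content: bytes):
    """Yield (tag, content, raw_encoding) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_content):
        tag, content, end = _read_tlv(seq_content, pos)
        yield tag, content, seq_content[pos:end]
        pos = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo from an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = _read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = list(_children(tbs_body))
    if fields and fields[0][0] == 0xA0:                 # explicit [0] version is optional
        fields = fields[1:]
    spki_tag, _, spki_raw = fields[5]                   # serial, sigAlg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a DER SEQUENCE")
    return spki_raw


def spki_pin(cert_der: bytes) -> str:
    """Pin in the HPKP / OkHttp form: "sha256/" + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der: bytes, pin_set: set) -> bool:
    """The pinning check a client runs after normal TLS chain validation.

    Pinning the SPKI rather than the whole certificate means a re-issued
    certificate for the same key still passes.  Ship at least one backup pin
    for a key that is not yet deployed, or a key rotation locks out every
    client with the old pin baked in.
    """
    return spki_pin(cert_der) in pin_set


# --- constructed sample certificates (made-up key bytes, dummy signature) ---

def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def fake_cert(key_bytes: bytes, serial: bytes = b"\x01") -> bytes:
    """Build a structurally valid X.509 v3 certificate around made-up key bytes."""
    rsa_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + key_bytes))
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))   # version v3
                     + _der(0x02, serial)
                     + rsa_alg + empty_name + validity + empty_name + spki)
    return _der(0x30, tbs + rsa_alg + _der(0x03, b"\x00" * 17))


CERT_CURRENT = fake_cert(bytes(range(64)))              # key serving traffic today
CERT_REISSUED = fake_cert(bytes(range(64)), b"\x02")    # same key, new serial/certificate
CERT_NEXT = fake_cert(bytes(range(64, 128)))            # key staged for rotation
CERT_OTHER = fake_cert(bytes(range(128, 192)))          # any other key, CA-signed or not

# Pin set baked into the client: the current key plus a backup for the next one.
PIN_SET = {spki_pin(CERT_CURRENT), spki_pin(CERT_NEXT)}

if __name__ == "__main__":
    for name, cert in [("current", CERT_CURRENT), ("reissued", CERT_REISSUED),
                       ("next", CERT_NEXT), ("other", CERT_OTHER)]:
        print(f"{name:9s} {spki_pin(cert)}  match={pin_matches(cert, PIN_SET)}")
```

The point the sample makes is the one that trips teams up in practice: a certificate that chains to a perfectly trusted CA (CERT_OTHER) is still rejected because its key is not pinned, while a re-issued certificate for the same key (CERT_REISSUED) passes without a client update. Whether to pin the leaf key, an intermediate, or a root is a rotation-risk trade-off the episode does not go into; the code above pins the leaf key.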
What is privacy, and how does it intersect with security? We are joined by our first guest, Ally O'Leary, a privacy compliance expert. Ally works for a consumer electronics company, ensuring compliance with global privacy laws and acting as a data protection officer. The episode delves into the intersection of privacy and security, with Ally explaining how these two areas often go hand in hand. She emphasizes the importance of understanding the definition of personal information and being aware ...
Jun 12, 2023•48 min
Guard rails and paved roads -- how do they fit together in application security? Guardrails are security tools in the pipeline that help ensure the software doesn't drift too far from established standards. These guardrails allow developers to maintain their creativity and flexibility while building features that ultimately go to the customer. Paved roads are platforms that developers can build on top of without having to worry about aspects like identity and access management. Paved roads and g...
Jun 05, 2023•43 min
There is an overemphasis on Capture The Flag in the security world. Instead, the industry should focus more on the 'builder' perspective to develop robust systems rather than the 'breaker' mindset typically associated with penetration testing and CTF competitions. In addition, we must shift the industry's reward and recognition structures to incentivize building secure-by-design systems. A CTF is a type of cybersecurity competition where participants solve security-related challenges to find fla...
May 27, 2023•41 min
Matt, Izar, and Chris discuss the United Kingdom's new minimum security standards for all Internet-connected consumer products. They highlight three key aspects of these new standards: Banning of Universal Default and Easily Guessable Passwords: The hosts agree this is a long-overdue measure, as universal default passwords present a significant security risk. They also touch on challenges such as vendor services requiring default passwords and potential ways to address this, like physical switch...
May 19, 2023•38 min
In this episode of the Security Table, the gang discusses reasonable software security. They explore whether current application security tooling, such as dynamic application security testing (DAST), provides a decent return on investment. The group acknowledges that the value of security tools depends on the organization's context and specific needs. They also touch on the importance of understanding a company's risk appetite and how this can inform what is considered reasonable security. The c...
May 04, 2023•37 min
Chris Romeo, Izar Tarandach, and Matt Coles discuss the national cybersecurity strategy, focusing on pillar three, which aims to shape market forces to drive security and resilience. They explore the idea of liability and the goal of shifting the consequences of poor cybersecurity away from the most vulnerable. The trio also considers the influence of GDPR and its impact on the US, comparing it to the European Union's experience. The podcast hosts discuss the need for better security in IoT devi...
Apr 27, 2023•52 min
Izar, Matt, and Chris scour the Interwebs for an article to discuss, only to find that each person has chosen an article related to the convergence of AI and cybersecurity. We discuss whether ChatGPT can replace humans in threat modeling, Microsoft's Security Copilot, and the open letter to freeze AI development for six months. AI is the future, and it will significantly impact the security professional's role. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast ➜LinkedIn: The Security Table P...
Apr 03, 2023•46 min
The Security Table gang continues our discussion about the United States National Cybersecurity Strategy, released in 2023. We cover pillars one and two: defend critical infrastructure, and disrupt and dismantle threat actors. We talk about the importance of defining critical infrastructure and the responsibility of both the private and public sectors in protecting it. We also mention cybersecurity requirements to support national security and public safety and the challenge of getting various a...
Mar 20, 2023•1 hr 11 min
The United States released a new National Cybersecurity Strategy. The gang gathers to discuss the new strategy and look at it from a practitioner's perspective. We discuss the impact and depth of the malicious actor section, with its increased emphasis on nation-states and the details shared about nation-state adversaries. We also get into a debate about a statement that the burden of making security decisions should be placed on the system rather than the end user. Is this str...
Mar 13, 2023•46 min
The gang is back to debate and discuss the definition of application security. We start by figuring out what an application is and then layer security on top of it. We branch into how product security fits alongside application security and eventually conclude that system security is all-encompassing, but it's an old term. We also learn that Izar is uncomfortable speaking about cybersecurity at cocktail parties. Enjoy!
Mar 05, 2023•51 min
Matt, Izar, and Chris start the conversation by discussing all the acronyms and abbreviations we use in security, then move into a discussion of what application security is. While they only scratch the surface of what application security is, this episode will make you think about all the acronyms we use in our industry and how they are received by newcomers and outsiders.
Feb 27, 2023•41 min
The gang continues our discussion and debate around the security talent shortage. We consider the issue from the candidate's viewpoint this time, thinking about everything candidates have to deal with in being hired, from years-of-experience requirements and certifications to the depth of the interview process. We try to draw some actionable conclusions for hiring managers because, without action, we are just part of the problem.
Feb 14, 2023•41 min
The gang considers whether the security talent shortage is fact or fiction. We've all hired people for security roles at different places and have heard about this "shortage" for years. We discuss the role of the business in building strong apprenticeship programs and the efforts of academia to prepare people for these roles. We don't resolve everything that needs resolution, so we'll be back with part two next week on this same topic. Show notes: https://www.prnewswire.com/news-releases/despite...
Feb 07, 2023•42 min
The gang discusses the LastPass breach and the security obligations of utility-style security providers. We discuss LastPass from a different angle: the responsibility of "hard security" providers. As security practitioners, we have been telling users to "just use a password manager." So what do we do now? How do password managers impact the way we give advice? LastPass is as "hard security" a service as it can be, so are security people taking things as seriously as they should? Are we too "here'...
Jan 14, 2023•1 hr
The gang considers the software bill of materials (SBOM) approach and asks hard questions about what SBOM is for and whether it improves security. Note the gang believes in SBOM. We ask the hard questions to help us all expand our minds and truly understand the value propositions.
Jan 02, 2023•53 min
The gang discusses whether security should or could give up on developers. We explore what the development world would look like if security did all the security, and the developer's responsibility ended when they committed a PR. Conclusions are eventually reached.
Dec 16, 2022•49 min
In the inaugural episode of the Security Table, the gang discusses Mark Curphey's article, "A Security Tools Crash Is Coming." We consider the four conditions Mark describes, and then we riff on what it means for the security world in 2023. We also uncover several debates that will resurface in upcoming episodes, such as SBOM: what is it really for?
Dec 11, 2022•53 min