Player FM - Internet Radio Done Right
Content provided by Chris Lindsey. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Chris Lindsey or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://it.player.fm/legal.

Compromised and Reactive to Proactive Approaches

40:22
Manage episode 437874869 series 3589650

In Episode 03 of the Secrets of AppSec Champions podcast, titled "Compromised: Proactive to Reactive," host Chris Lindsey and guest Phil Guimond tackle the critical distinctions between proactive and reactive security strategies. They emphasize the importance of access logging and visibility in detecting compromises early, pointing out how changes in access logs can signal potential threats. They stress the necessity of implementing secure, tamper-proof log storage and discuss automation solutions like the "Have I Been Pwned" API and CAPTCHA to mitigate risks such as account takeovers.
The discussion extends to network security, highlighting the dangers of rushed setups that overlook essential measures like network segmentation and client isolation. They examine the risks associated with flat networks in office environments and how external threats can penetrate poorly segmented Wi-Fi networks. Additionally, the episode covers the significance of managing software dependencies, advocating for regular updates to dependencies and leveraging multiple sources to detect vulnerabilities beyond the National Vulnerability Database (NVD). Container technologies like Kubernetes and Docker are highlighted for their ability to seamlessly update images and pods, thereby enhancing security.
Finally, Chris and Phil underscore the importance of proper repository management, focusing on active projects and addressing outdated or unused code that poses security risks. Training developers in security practices and involving security professionals who can write code are presented as key strategies for proactive security. Chris and Phil also acknowledge the challenges of finding and retaining skilled security personnel while encouraging the audience to engage with the podcast and provide feedback. Together, they advocate for a balanced approach to security: automating where possible, prioritizing proactive measures, and continuously improving the organization's overall security posture.

❇️ Key Topics with Timestamps
00:00 Password Reuse Across Websites: Detection Methods
06:06 Managing Security Challenges and Password Reuse
08:30 Challenges of Unused Code in Development Projects
10:19 Managing Data Overload with GitHub API
15:33 The Risks of Network Interconnected Cloud Access
17:32 Security Risks of IP Whitelisting in Cloud Hadoop Clusters
20:23 Securing Network Logs from Tampering
24:12 The Impact of NVD Pausing on Vulnerability Detection
26:23 Efficiently Addressing Container Image Vulnerabilities
31:17 The Importance of Developer Training Over Tools
35:43 Tools for High-Level Security Posture Overview
38:13 The Vital Importance of App Security Leaders


11 episodes


All episodes

In Episode 11 of Secrets of AppSec Champions, Chris Lindsey and Cassie Crossley delve into the intricate world of supply chain security. Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric, brings her extensive experience in software development and security to the fore, emphasizing the importance of following secure development practices. She advocates for the separation of build and development environments to avoid outdated methods and stresses the significance of modern frameworks like Google's SLSA framework and the NIST Secure Software Development Framework (SSDF), despite the latter's lack of certification measures. Crossley also discusses the unique challenges of maintaining provenance for older software, especially open-source projects, and highlights the crucial role of developer education in preventing vulnerabilities introduced by unverified code snippets.
Chris Lindsey raises pertinent concerns about access control complexities within production environments and underscores the need for rigorous security measures to ensure the integrity of devices and software. The conversation shifts to the potential threats posed by AI, with both speakers stressing the importance of embedding security into AI-generated code from the outset. They explore global supply chain security issues, referencing Cisco's audits and the effectiveness of zero-trust policies. Crossley also addresses the impact of legislative measures like California's connected devices law on both consumer and industrial devices, and how cybersecurity practices have evolved since the 80s and 90s.
The episode wraps up on a personal note, with Crossley sharing her views on career growth and the importance of pursuing roles that bring personal fulfillment. She advocates for exploring opportunities within the same organization to foster both personal and professional development without losing accumulated knowledge and experience.
This episode offers listeners a comprehensive overview of supply chain security, blending high-level frameworks with practical challenges, and provides valuable insights into both the technical and human aspects of the field.

❇️ Key Topics
1. Understanding Supply Chain Security and Modern Software Practices with Cassie Crossley
2. Securing Software Development: From Google SLSA to NIST SSDF Standards
3. Protecting Supply Chains: Challenges and Solutions in a Digital World
4. Cassie Crossley on Cybersecurity Challenges in Modern Supply Chains
5. The Role of AI and Secure Development in Supply Chain Integrity
6. Ensuring Safe Software: Best Practices and Emerging Threats
7. Access Control, Zero Trust, and Supply Chain Security Insights
8. Cassie Crossley Discusses Securing Legacy Systems and Modern Software
9. From AI to Software Certification: Enhancing Cybersecurity Practices
10. Navigating the Complexities of Supply Chain Security and Software Updates

For more amazing application security information, please visit the following LinkedIn communities: https://www.linkedin.com/company/appsec-hive
Provided by Mend.io (https://mend.io)
 
In this episode of "Secrets of AppSec Champions," host Chris Lindsey engages with Michael Vance, the CISO at Navient, to explore the nuances of bounty programs and their integration with traditional penetration testing. Michael discusses the journey of transitioning from a managed vulnerability disclosure program (VDP) to a full-scale bug bounty program. He highlights the importance of establishing clear policies and scopes for these programs to ensure effective and safe collaboration with external hackers. Through these structured programs, Navient was able to address resource constraints, boosting their testing capabilities threefold while reducing costs.
The conversation also delves into the historical challenges faced by companies in managing security reports, often due to mistrust and insufficient communication channels. Michael and Chris stress the value of legal, structured avenues for ethical hacking, enabling companies to receive and act on security findings without friction. They discuss the potential risks, such as the involvement of 'black hat' hackers, and how employing established platforms like Bugcrowd or HackerOne helps mitigate these concerns by vetting participants and managing the process. This approach not only enhances security but also publicly demonstrates the company's commitment to safeguarding data.
Towards the end, Michael shares invaluable advice for security practitioners: the critical need to fully understand the problems they are tasked with solving, which often involves grasping both technical and business aspects. This holistic understanding is crucial for devising effective security measures. The episode concludes with Chris thanking Michael for his insights, reaffirming the episode's focus on creating efficient, secure systems for managing and mitigating vulnerabilities through both internal efforts and external collaborations.

❇️ Key Topics with Timestamps
04:40 Transitioning App Security Services: From Ethical Hacking to Testing Stream
06:43 Boosting Application Workload Capacity through Efficient Testing Measures
10:02 Establishing Policies and Rules for Ethical Hacking
14:47 Evaluating the Effectiveness of Repeated Testing
19:51 Reviving a Project and Uncovering Unexpected Flaws
21:59 Effective Security: Understanding the Problem
 
In this episode of "Secrets of AppSec Champions," titled "Auditing Your Security Program," host Chris Lindsey converses with Roddy Bergeron, a cybersecurity fellow at SherWeb. They tackle several pressing topics in the realm of cybersecurity auditing, starting with the financial repercussions of poor data management. A friend's experience underscores the importance of sending condensed data rather than raw data to avoid increased cloud storage costs. This leads to a broader discussion about data lifecycle policies, retention, and the necessity of consulting legal teams to navigate varying regulatory requirements. They emphasize the importance of proper data integrity measures, like using tamper-proof formats and effective backup strategies such as the 3-2-1 methodology and WORM (write-once, read-many) media.
The conversation then shifts towards the evolving regulatory landscape, highlighting Cybersecurity Maturity Model Certification (CMMC) and its mandate for third-party auditors to certify companies accessing government contracts. Roddy underscores the benefits of external audits in identifying blind spots and ensuring compliance, a practice likened to the financial industry's audit requirements. He shares his rich background in government auditing, nonprofit work, and managed service providers, providing a nuanced perspective on the interconnected risks in IT environments. Roddy offers insights into key cybersecurity practices, stressing how external audits can mitigate risks, which he identifies as crucial in a complex digital landscape.
The episode wraps up with a focus on the human element in cybersecurity. Roddy Bergeron emphasizes the need for emotional intelligence and continuous learning in incident response, pointing out that technical prowess alone is insufficient. He shares his hardest lesson: the necessity of prioritizing the human side of incident response, recognizing the profound impact of cybersecurity incidents on people's lives and careers.
The conversation concludes with an invitation from Chris for listeners to subscribe and review the podcast, as they reflect on the importance of humility and ongoing improvement in the ever-evolving cybersecurity field.

❇️ Key Topics with Timestamps
00:00 Evolving Financial Regulations: A Varied Career Perspective
04:32 Importance of Comprehensive Auditing for Business Cybersecurity
07:43 The Impact of Interconnected Systems on Liability
10:32 The Significance of Purposeful Data Collection for Security
12:18 Maximizing Security Visibility without Overload
15:26 Effective Data Management for Businesses
19:23 The Impact of Cybersecurity Legislation and CMMC
24:23 Improving Risk Posture through Third-Party Assessments
28:10 The Crucial Role of Human Empathy in Incident Response
29:10 The Importance of Employee Care During Incidents
 
In Episode 07 of Secrets of AppSec Champions, "PenTesting with Nat Shere," Chris Lindsey hosts seasoned penetration tester Nathaniel Shere, who currently serves as the Technical Services Director at Craft Compliance. Nathaniel shares his journey into penetration testing, starting from his master's in cybersecurity and leading to over a decade of experience in the field. The duo delves into the pressing issues within the security industry, such as the high levels of stress, the pressure to remain updated, and the often exaggerated emphasis on industry certifications. They both agree that certifications, while useful for exposure, can sometimes be blown out of proportion, potentially watering down the actual requirements.
The discussion extends to technical aspects, highlighting the importance of error handling, visibility of dependencies, and the complexity of exploiting vulnerabilities like SQL injection. Nathaniel recounts memorable experiences, including the development of a Python script that uncovered critical security issues, and stresses the value of detecting and monitoring potential threats. The episode provides an in-depth look at the various penetration testing methodologies (white box, black box, and gray box) and the necessity of using accurate environments that mirror production settings. Both speakers emphasize the hacker's perspective in revealing security flaws and the role of secure coding practices and multi-factor authentication in strengthening security postures.
Chris and Nathaniel also touch on the ethical implications and collaborative benefits of penetration testing. Nathaniel highlights the importance of providing prioritized information to developers and the value of pen testing in offering true risk assessments. They agree on the need for external penetration testing for unbiased evaluations and recommend internal pen testers collaborate with external experts for broader exposure.
Altogether, this episode offers listeners a balanced view of the technical and human elements crucial to successful penetration testing.

❇️ Key Topics with Timestamps
00:00 Career Progression in Cybersecurity Consultancy
05:03 Unexpected Access: Default Credentials and Security Breach
08:52 The Value of Penetration Testing in Development
12:19 Burp Suite: Demonstrating Data Theft Capabilities
14:59 Developers Overlooking Security Vulnerabilities: Common Mindset Mistakes
19:06 The Efficiency of Whitebox Testing in Application Assessment
21:52 Penetration Testing Reports and Web-Based Security Issues: An Internship Anecdote
26:12 The Importance of Internal and External Pen Testing
30:18 Managing Stress in Cybersecurity Career
32:50 The Value of Certifications in Security Learning
34:19 Promoting Shows: A Guide to Engaging Audiences
 
Welcome to Episode 06 of "Secrets of AppSec Champions," titled "Working With Your CISO," featuring host Chris Lindsey and guest Yaron Levi, the Chief Information Security Officer (CISO) at Dolby Labs. In this episode, Yaron Levi, with over 15 years of experience in various security functions, provides insights into the multifaceted role of a CISO. He discusses the relatively young profession, highlighting its diverse structures and responsibilities, which include enabling businesses while managing risk and regulatory compliance. The conversation delves into foundational aspects of security programs, such as governance, risk, compliance, and the importance of maintaining a robust defense posture. Yaron underscores the necessity for continuous learning and collaboration within the security field and emphasizes that the CISO's role is more about enabling safe business operations than strictly enforcing rules.
One of the key discussions revolves around the commonality of security threats, the significance of basic security measures, and how a substantial number of breaches stem from simple vulnerabilities like exposed credentials and misconfigurations. Yaron also emphasizes the importance of integrating security education for software developers and engaging software architects in mentoring roles. The episode sheds light on the productive nature of bug bounty programs and responsible disclosure platforms for vulnerability testing. Yaron advocates for encouraging young individuals to engage in ethical hacking through structured channels. The episode also touches on AI's impact on software development and security, reiterating a balanced approach to leveraging new technologies safely. The importance of simulations and tabletop exercises to prepare for security incidents is discussed, with example scenarios like ransomware attacks being used to test and improve response times.
Finally, Yaron stresses the importance of communication, especially in remote environments, urging employees to over-communicate any security concerns. He shares his experience of starting his role during the pandemic and highlights the significance of building trust remotely. Chris Lindsey wraps up the episode by thanking Yaron Levi for his valuable insights and encourages listeners to subscribe, rate, and review the podcast to stay updated on future episodes.

❇️ Key Topics with Timestamps
00:00 Striving for 'Good Enough' in Business
06:01 Intentional Outreach and Security Measures: A Reminder
07:49 The Crucial Role of CISO in Cybersecurity and Software Development
12:49 Security: When, Not If
14:08 Prioritizing Cybersecurity Fundamentals: Key Threats Remain
19:50 The Minecraft Generation: Using Energy for Pen Testing
21:52 Building Bug Bounty Environment and Tabletop Exercises
25:36 Learning from a Ransomware Event Mishap
27:38 Challenges to Standardizing the CISO Role
33:15 Reframing the Role of Security: Protection Over Punishment
 
In the episode "Reactive to Proactive" of the podcast Secrets of AppSec Champions, host Chris Lindsey engages with Shashank Balasubramanian, the Head of Application Security at Tripadvisor. Shashank has been managing the application security program at Tripadvisor for over four years, during which he has overseen the transition from a reactive to a proactive security approach. The conversation delves into the distinct characteristics of reactive vs. proactive security programs, highlighting the importance of integrating security measures early in the development process and fostering strong relationships between security teams and developers. They discuss the significance of implementing the right security tools, such as Software Composition Analysis (SCA) tools, to address third-party vulnerabilities effectively and integrating these tools into the CI/CD pipeline.
Shashank emphasizes the value of building a security-aware culture within the development teams through regular training and the establishment of a Security Champion program. These champions, who are trained in security best practices, help scale the security team's efforts by embedding themselves within various development teams, facilitating a proactive approach to security.
The episode also touches on the importance of executive engagement and effective communication regarding the security landscape. By providing detailed reports and metrics to executives, security teams can ensure there is a clear understanding of the program's ROI and reduce the likelihood of surprise incidents. This high-level visibility and proactive security posture ultimately lead to a more robust and efficient security program, enabling the organization to address vulnerabilities before they become significant issues. The conversation sheds light on practical strategies and tools that can help security professionals transition from reactive to proactive security measures, fostering a more secure and resilient organization.

❇️ Key Topics with Timestamps
00:00 The Reactive Approach to Building Software Programs
04:51 Empowering Proactive Vulnerability Management with Appsec Tools
06:48 Maximizing ROI by Installing Security Tools in CI/CD Pipeline
12:20 Optimizing Security-Team Communication for Program Success
14:05 Strategic Approach to Security Threats in Business
18:33 Engaging Developers in Security Through Champion Program
22:43 Preparing for Unexpected Challenges in the Industry
24:11 Prioritizing Open Source and Pen Testing
27:05 Appsec Champions: Valuable Tips for Success
 
In this episode of "Secrets of AppSec Champions" titled "Security Champions," host Chris Lindsey engages with Jigar Shah, an executive global director in the IT identity, access, and application security space, to explore the critical importance of cybersecurity in our increasingly digital and interconnected world. The episode underscores the heightened awareness of security issues among both technical and non-technical individuals. Jigar emphasizes the necessity of ingraining a robust security culture within organizations, stressing the roles of training, resource allocation, and clearly defined responsibilities for security champions. Meanwhile, Chris discusses the initial challenges in launching security programs and highlights the importance of integrating influencers into security teams with transparent communication.
The conversation extends to framing security as an investment rather than a cost, aiming to break down silos between security and development teams. Jigar and Chris both emphasize that with the rise of AI technology, there is an increasing need for integration, collaboration, and healthy debate to drive innovation. Effective communication, continuous training, and development support are deemed essential for empowering security champions within a company. They also discuss ways to incentivize security roles through financial rewards, public recognition, and by bringing dispersed teams together, ensuring that security remains a priority even over product releases. Leaders are called upon to educate and hold teams accountable for the risks and business outcomes associated with inadequate security practices.
The episode concludes with insights into the framework and governance required to run successful security champion programs, emphasizing the need for clear objectives and monitoring. Jigar advocates for influencing without authority by fostering cross-functional meetings and executive buy-in to elevate cybersecurity awareness. Chris suggests recruiting volunteers with a strong desire to learn for the security champion program and underscores the importance of executive support and selecting champions with good technical and communication skills. The episode wraps up with a call-to-action for listeners to subscribe, leave ratings and reviews, and Chris's closing remarks on cultivating a culture where security is everyone's responsibility.

❇️ Key Topics with Timestamps
00:00 Enabling Business Success through IT Leadership
05:34 The Role of Executive Buy-In in Program Success
08:46 Effective Strategies for Recruiting Security Champions
11:06 Encouraging Cybersecurity Awareness and Engagement in Organizations
16:54 Advancing Careers Through Specialized Database Work
18:50 Developing Organizational Culture and Empowering Influencers
24:02 Maximizing Business Value Through IT Department Management
27:07 Incentivizing Dispersed Teams: Building Unity
28:57 The Importance of Reward and Recognition for Motivation
31:52 Leadership Responsibility in Educating Peers on Risks
37:14 Promoting a Culture of Shared Responsibility in Security Leadership
38:22 Maximizing Appsec Champions: Subscriptions, Ratings, and Discovery
 
In this episode of Secrets of AppSec Champions, host Chris Lindsey and guest Toby Jackson dive into the strategies and best practices for maturing an application security (AppSec) program. Toby underscores the necessity of validating video messages, with the same rigor applied to emails and texts, to mitigate security threats. Emphasizing the growing menace of SIM card hijacking and SMS interception, both experts advocate for regular reviews of security processes and procedures. They also stress the critical role of education in an organization's security posture, championing the integration of security awareness training into HR programs and developer education to identify and resolve vulnerabilities. The discussion moves to the importance of leadership understanding security vulnerabilities, where Chris and Toby recommend clearly communicating the potential impacts to ensure informed decision-making. Both suggest maintaining thorough documentation and sharing attack findings with development teams to help them address weaknesses effectively. When it comes to penetration testing, they advise addressing issues identified by Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools before external pen tests. This ensures a more thorough assessment and prioritizes fixing high-risk applications first, while also advocating for long-term security planning that aligns with business goals and maintenance of strong inter-team relationships. Chris and Toby explore the evolving landscape of security tools, AI, and their implications. They caution about the potential for AI in security to automate routine tasks while warning of data privacy risks. Policies and procedures must be in place to safeguard intellectual property and manage AI use, underlining the need for leadership involvement in AI-related decisions. 
The conversation underscores the importance of keeping security tools up to date and having cross-team communication, supported by security champions. To wrap up, the podcast encourages listeners to subscribe, rate, and review the show, reinforcing the value of community engagement in the ongoing discourse on application security.

Key Topics with timestamps:
00:00 Decoding Application Security: Maturing Your Program
05:52 The Importance of Detail-Oriented Security Leadership
07:49 Strategies for Evaluating and Securing Applications
12:25 Evaluating and Maturing Penetration Testing Tools
13:28 Importance of Regularly Reassessing Security Tools
18:34 Security Tools and AI Analysis Vendors Importance
22:28 Importance of Maturity, Communication, and Planning in Security Testing
25:31 Implementing Internal Keywords for Identity Verification
27:34 Integrating Security Awareness into HR Training Plans
32:54 The Impact of Pen Tests on Application Security
35:36 Advancing Security: Insights and Progress with Toby…
 
📋 Show Notes

Secrets of AppSec Champions: Laying the Foundation of Application Security

In the inaugural episode of the multi-part series 'Decoding Application Security,' host Chris Lindsey and guest Anthony Israel-Davis, Product Security Manager at Fortra, dive into the fundamentals of building a successful application security program for large teams. They discuss essential first steps when starting at a new company, the importance of understanding the company culture, and the critical role of security champions. The conversation covers various aspects of application security, including the implementation of SCA, SAST, and DAST tools, the nuances of API and container security, and the importance of building strong relationships with developers and QA teams. Ultimately, the episode emphasizes the incremental and strategic approach necessary for managing and mitigating risks effectively in a complex software development environment.

❇️ Key Topics with Timestamps
00:00 Introduction to Software Building
00:59 Meet the Expert: Anthony Israel Davis
01:08 First Steps in a New Company
02:57 Understanding the Application Environment
04:54 Building a Solid Security Foundation
11:29 The Role of Static Analysis (SAST)
17:12 Empowering Teams with Security Mindset
22:07 Collaboration with QA for Security
24:47 Ensuring a Clean Build: Developer and QA Collaboration
26:17 Dynamic Scanning Explained
27:32 Regression Testing and DAST
28:05 Understanding DAST Results and Fuzzing
33:24 API Testing: A Critical Component
37:02 Containerization and Security
42:12 Building a Secure Development Process
46:39 Final Thoughts and Key Takeaways…
 