Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec

Join the Discord! https://discord.gg/brakesec

#youtube VOD (in 1440p): https://www.youtube.com/watch?v=axQWGyd79NM 

Questions and topics: Bsides Vancouver discussion Semgrep Community and Academy Building communities What are ‘secure guardrails’ Reducing barriers between security and developers How to sell security to devs: “hey, if you want to see us less, buy/use this?” “Security is your barrier, but we have goals that we can’t reach without your help.” https://wehackpurple.com/devsecops-worst-practices-artificial-gates/  How are you seeing things like AI being used to help with DevOps or is it just making things more complicated? Not just helping write code, but infrastructure Ops, software inventories, code repo hygiene, etc? OWASP PNW https://www.appsecpnw.org/ Alice and Bob coming next year!

Additional information / pertinent LInks (Would you like to know more?): shehackpurple.ca  Semgrep (https://semgrep.dev/) https://aliceandboblearn.com/ https://academy.semgrep.dev/ (free training) Netflix ‘paved roads’: https://netflixtechblog.com/how-we-build-code-at-netflix-c5d9bd727f15 https://en.wikipedia.org/wiki/Nudge_theory  https://www.perforce.com/blog/qac/what-is-linting  https://www.youtube.com/watch?v=FSPTiw8gSEU  https://techhq.com/2024/02/air-canada-refund-for-customer-who-used-chatbot/ 

Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@BrakeSecEd Twitch Channel: https://twitch.tv/brakesec

Youtube VOD: https://youtu.be/G3PxZFmDyj4

#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis

Questions and topics:

1. The background to the topic, why is it something that interests you? How do you convince developers to take your course?

2. What do you think the root cause of the gap is?

3. Who is causing the gaps? (‘go fast’ culture, overzealous security, GRC requirements, basically everyone?)

4. Where do gaps begin? Is it the ‘need’ to ‘move fast’?

5. What can devs do to involve security in their process? Sprint planning? SCA tools?

6. How have you seen this go wrong at organizations?

7. How important is it to have security early in the product development process?

8. What sort of challenges do you think mainstream security people face in AppSec scenarios?

9. How does Product Security differ from Application Security? (what if the product is an application?)

10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?

11.. How do you suggest a security team approach AppSec/ProdSec?                Leadership buy-in                Effective/valuable processes                Tools should achieve a goal

12. SBOM - NTIA is asking for it, How to get dev teams to care.

13. Key takeaways?

Additional information / pertinent LInks (Would you like to know more?): BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218

https://www.walkme.com/blog/leadership-buy-in/

https://www.bouncesecurity.com/

https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example

https://www.cisa.gov/sbom

SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd 

https://semgrep.dev/ 

https://www.linkedin.com/in/joshcgrossman 

https://owasp.org/www-project-application-security-verification-standard/ 

https://github.com/OWASP/ASVS/tree/master/5.0

https://owasp.org/www-project-cyclonedx/

https://joshcgrossman.com/

PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg 

Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210 

https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-372101705524544 

ASVS website: https://owasp.org/asvs 

Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee 

Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences and do not represent views of past, present, or future employers.

Recorded: 08 Apr 2024

Youtube VOD: https://www.youtube.com/watch?v=K8qApvsFtqw

Show Topic Summary:

If you want to get in the mind of a board member, I submit to you my discussion with Mary Gardner we did last night on #brakesec #education. Join Mary and I as we discuss the functions of a board, messaging to various levels of leadership and teams, and what it takes to make that leap to being a CISO. And when you're done, and you need someone to help your org get more mature, contact the team at GoldiKnox. #cybersecurity #informationsecurity #ciso #leadership #GRC

Questions and topics:

1. https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity

   1. “Just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. “

   2. They obviously have different priorities, so what brings everyone to the table to discuss? Are they even worried about security?

2. Tactical goals vs. org goals and aligning them

3. What are boards most worried about these days? 

   1. Staying relevant in the face of AI?

   2. What tech will protext them from the newest threats?

4. GRC is forced security, security is completely optional, Compliance requires some sort of security

Additional information / pertinent LInks (Would you like to know more?):

1. Research organizations (gartner, forrester, etc)

2. https://goldiknox.com/ 

3. https://www.linkedin.com/pulse/board-needs-help-planning-cybersecurity-start-here-daniel-briley-k7xzc

4. https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations

5. https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data

Show points of Contact:

Amanda Berlin: @infosystir @hackershealth 

Brian Boettcher: @boettcherpwned

Bryan Brake: https://linkedin.com/in/brakeb 

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/@brakeseced

Twitch Channel: https://twitch.tv/brakesec

Discord: https://discord.gg/brakesec

Full Youtube VOD: https://www.youtube.com/watch?v=uX7odQTBkyQ 

Questions and topics:

1. Let’s talk about Mindful Business Podcast

   1. What’s the topics you cover?

2. Topic #1: discuss your experiences when you were a new leader.

   1.  What worked? What didn't? What would you have done differently?

   2. Do you emulate your manager's style? What have been your go-to management resources? 

   3. What is a good piece of advice that you’ve been given or that you impart to others that relates to leadership?

3. Topic #2: building/Operating SaaS products (we can discuss securing them, what functions should be table stakes (data structures, logging, etc)

4. Topic #3: What are bare minimums for building ‘secure’ Saas products in your particular field? And how do you balance security with a positive user experience (i. e. getting customers to buy into MFA/OAUTH, OTA updates

5. Topic #4: Do many SaaS products get over-integrated? Is the need for integration override best practices in security? 

Additional information / pertinent LInks (Would you like to know more?):

1. Twitter/Mastodon: https://twitter.com/AccidentalCISO https://infosec.exchange/@accidentalciso

2. The Mindful Business Security Show: https://www.mindfulsmbshow.com/ https://twitter.com/mindfulsmbshow

Show points of Contact:

Amanda Berlin: @infosystir @hackershealth 

Brian Boettcher: @boettcherpwned

Bryan Brake: https://linkedin.com/in/brakeb 

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/@brakeseced

Twitch Channel: https://twitch.tv/brakesec

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information, and do not represent views of past, present, or future employers.

Recorded: 28 Jan 2024

Youtube VOD: https://youtube.com/live/uX7odQTBkyQ

Questions and topics:

1. Let’s talk about Mindful Business Podcast

   1. What’s the topics you cover?

2. Topic #1: discuss your experiences when you were a new leader.

   1.  What worked? What didn't? What would you have done differently?

   2. Do you emulate your manager's style? What have been your go-to management resources? 

   3. What is a good piece of advice that you’ve been given or that you impart to others that relates to leadership?

3. Topic #2: building/Operating SaaS products (we can discuss securing them, what functions should be table stakes (data structures, logging, etc)

4. Topic #3: What are bare minimums for building ‘secure’ Saas products in your particular field? And how do you balance security with a positive user experience (i. e. getting customers to buy into MFA/OAUTH, OTA updates

5. Topic #4: Do many SaaS products get over-integrated? Is the need for integration override best practices in security? 

Additional information / pertinent LInks (Would you like to know more?):

1. Twitter/Mastodon: https://twitter.com/AccidentalCISO https://infosec.exchange/@accidentalciso

2. The Mindful Business Security Show: https://www.mindfulsmbshow.com/ https://twitter.com/mindfulsmbshow

Show points of Contact:

Amanda Berlin: @infosystir @hackershealth 

Brian Boettcher: @boettcherpwned

Bryan Brake: https://linkedin.com/in/brakeb 

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/@brakeseced

Twitch Channel: https://twitch.tv/brakesec

It's our 10th anniversary and the first show of our 2024 season!

Amanda was on "7 minute security"

https://7minsec.com/projects/podcast

Check out the complete VOD at https://youtu.be/vbmEtkxhAMg

Explicit language warning

www.brakeingsecurity.com

https://twitch.tv/brakesec

https://bit.ly/brakesecyt

Youtube Video:  https://youtu.be/IUDPlQaQg8M

https://forms.gle/rf145MoN7cskwMjf8   is the link to the survey. Your information (should you choose to identify yourself) will not be shared outside of the BrakeSec Team.

Thank all of you for listening and for your input.

RSS feed for the audio podcast is at https://www.brakeingsecurity.com/rss  website: https://www.brakeingsecurity.com 

Show Topic Summary:

Ms. Berlin proposes a question of how to gather more headcount with metrics, we discuss the BLUFFS bluetooth vulnerability, and “Ranty Claus” talks about CISA’s remarks of putting the onus on device product makers to remove choice for customers and implement secure defaults.

#youtube VOD: https://www.youtube.com/watch?v=emcAzTx9z0c 

Questions and topics:

1. https://cyberscoop.com/cisa-goldstein-secure-by-design/

2. https://hackaday.com/2023/12/02/update-on-the-bluffs-bluetooth-vulnerability/

Additional information / pertinent LInks (Would you like to know more?):

1. https://cyberscoop.com/jen-easterly-secure-by-design/

2. https://www.cisa.gov/resources-tools/resources/stop-passing-buck-cybersecurity 

3. Examples of companies forcing changes https://www.bleepingcomputer.com/news/microsoft/microsoft-will-roll-out-mfa-enforcing-policies-for-admin-portal-access/  

4. https://github.com/aya-rs/aya - eBPF implementation in Rust

5. https://ossfortress.io/  

6. https://www.darkreading.com/endpoint-security/critical-logofail-bugs-secure-boot-bypass-millions-pcs 

Show points of Contact:

Amanda Berlin: @infosystir @hackershealth 

Brian Boettcher: @boettcherpwned

Bryan Brake: @bryanbrake on Mastodon.social, https://linkedin.com/in/brakeb 

Brakesec Website: https://www.brakeingsecurity.com

Twitter: @brakesec 

Youtube channel: https://youtube.com/c/BDSPodcast

Twitch Channel: https://twitch.tv/brakesec

Subscribe on Twitch using Amazon Prime and watch us live: https://twitch.tv/brakesec

Check out our VODs on Youtube: https://www.youtube.com/@BrakeSecEd  Join the BrakeSecEd discord: https://discord.gg/brakesec 

News:

https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach

https://www.documentcloud.org/documents/24075435-bhi-notice

https://www.bleepingcomputer.com/news/security/us-energy-firm-shares-how-akira-ransomware-hacked-its-systems/

https://www.bleepingcomputer.com/news/security/ransomware-isnt-going-away-the-problem-is-only-getting-worse/

https://www.shacknews.com/article/137505/ransomware-group-capcom-2020-arrested

https://www.bleepingcomputer.com/news/security/flipper-zero-can-now-spam-android-windows-users-with-bluetooth-alerts/

https://www.nasdaq.com/articles/three-cybersecurity-sectors-that-resist-economic-downturns

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.

Guest Bio: Nicole is the Chief Product Officer at Axio. Nicole has spent her career building awareness around the benefits of usable security and human-centered security as a way to increase company revenue and create a seamless user experience.

 Youtube VOD Link: https://youtube.com/live/tFaAB9an47g

 Questions and topics: Usable security: is it an oxymoron?

What determines if the security is ‘usable’ or no? We sacrifice security for a better UX, what can be done to alleviate that? Or is it some sort of sliding scale in “poor UX, amazing security or awesome UX, poor security” Examples of poor UX for ‘people’: MFA, and password managers.

SEC updates and ‘material events’ and how that would affect security, IR, and other company reporting functions. 

Also, additional documentation (Regulation S-K Item 106) https://www.linkedin.com/posts/nicole-sundin-5225a1149_sec-adopts-rules-on-cybersecurity-risk-management-activity-7090065804083290112-ISD8

Are companies ready to talk about their cybersecurity? Can the SEC say “you’re not doing enough?”

 What is ‘enough’?

Are we heading toward yet another audit needed for public companies, similar to SOX?

When does an 8-K get publicly disclosed?

Materiality is based on a “reasonable investor”?

So, you don’t need to announce that until you’re certain, and it’s based on what you can collect? Cyber Risk Management and some good examples of how to set up a proper cyber risk organization

Additional Links:

https://csrc.nist.gov/CSRC/media/Projects/usable-cybersecurity/images-media/Is%20Usable%20Security%20an%20Oxymoron.pdf

http://web.mit.edu/Saltzer/www/publications/protection/Basic.html

https://www.sec.gov/news/press-release/2023-139

https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922

https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/sec-final-cybersecurity-disclosure-rules.html

https://www.nasa.gov/centers/ames/research/technology-onepagers/hc-computing.html

 https://securityscorecard.com/blog/what-is-cyber-security-performance-management/

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.

Guest Bio: John is the CEO of Aronetics. An avid climber and runner, John has spoken at many conferences about topics like ZeroTrust, BIOS/UEFI security, communication security, and malware. Aronetics is a technology-enabled service provider. 

Youtube VOD: https://youtube.com/live/5dIVTwVZLAU

Linkedin VOD: https://www.linkedin.com/video/live/urn:li:ugcPost:7101738254823030784

Show Topic Summary:

John joins us to discuss “letters of Marque” in an effort for hackers to ‘hack back’... the overreliance on automation, and communication siloes. We also talk about what a ‘junior position’ in infosec looks like with AI doing all the “Level 1 SOC Analyst” type roles normally given to someone fresh to the security industry.

Questions and topics:

1. Is infosec over reliant on automation? Automation comes with its own challenges.

   1. Documentation woes

   1. Automation is usually found in userland

Aronetics’ Thor provides defense and counter-offense tamper-proof technology digitally tied to 

Letter of Marque - good idea, or geopolitical disaster waiting to happen?

Siloes and communication -best ways to overcome those in an org and outside?

How do we overcome siloing?

Overcoming security challenges?Identity management - 2FA is everywhere, there’s already ways around 2FA, so what now? 3FA? Biometrics? Make everyone carry around physical tokens that we can lose?

Blog post: https://www.aronetics.com/post-quantum-cryptography/ What do we need to protect against? Nation states with quantum computers? Rubber hose cryptography?

Crime thrives in areas of low visibility. https://www.aronetics.com/unknown/ 

https://www.aronetics.com/inside-the-breach/ (threat detection - the crime thrives in low vis areas)

Show points of Contact:

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/c/BDSPodcast

Twitch Channel: https://twitch.tv/brakesec

Amanda Berlin: @[email protected] (Mastodon) @hackershealth 

Brian Boettcher: @boettcherpwned

Bryan Brake: @bryanbrake on Mastodon.social