Added four years ago
Content provided by Chris Hughes. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Chris Hughes or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://fa.player.fm/legal

S3E12: Daniel Krivelevich of Cider Security - CI/CD Pipeline Security

44:36
 

- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?
- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?
- Any thoughts on notable incidents such as SolarWinds, do you think they brought more attention to the build environment?
- What are your thoughts on emerging guidance such as SLSA, NIST SSDF or 800-161? Do you think these are helping bring attention to best practices on securing pipelines?
- In the context of software supply chain security, why do you think pipelines are so critical?
- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX and how can pipelines help facilitate that?
- Cider has produced some excellent resources such as articles and also CICD Goat - how do you all keep innovating on the knowledge and tooling front and how has it been received by the community?
- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?
- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?


166 episodes


All episodes

 
In this episode, I sit down with longtime industry leader and visionary Phil Venables to discuss the evolution of cybersecurity leadership, including Phil's own journey from CISO to Venture Capitalist. We chatted about:

- A recent interview Phil gave about CISOs transforming into business-critical digital risk leaders and some of the key themes and areas CISOs need to focus on the most when making that transition
- Some of the key attributes CISOs need to be the most effective in terms of technical, soft skills, financial acumen, and more, leaning on Phil's 30 years of experience in the field and as a multiple-time CISO
- Phil's transition to Venture Capital with Ballistic Ventures and what drew him to this space from being a security practitioner
- Some of the product areas and categories Phil is most excited about from an investment perspective
- The double-edged sword is AI, which is used for security and needs security.
- Phil's past five years blogging and sharing his practical, hard-earned wisdom at www.philvenables.com, and how that has helped him organize his thinking and contribute to the community.
- Some specific tactics and strategies Phil finds the most valuable when it comes to maintaining deep domain expertise, but also broader strategic skillsets, and the importance of being in the right environment around the right people to learn and grow…
 
In this episode, I discuss the Model Context Protocol (MCP) with the OWASP GenAI Co-Lead for Agentic Application Security, Vineeth Sai Narajala. We will discuss MCP's potential and pitfalls, its role in the emerging Agentic AI ecosystem, and how security practitioners should consider secure MCP enablement. We discussed:

- MCP 101, what it is and why it matters
- The role of MCP as a double-edged sword, offering opportunities but additional risks and considerations from a security perspective
- Vineeth's work on the "Vulnerable MCP" project is a repository of MCP risks, vulnerabilities, and corresponding mitigations.
- How MCP is also offering tremendous opportunities on the security-enabling side, extending security capabilities into AI-native platforms such as Claude and Cursor, and security vendors releasing their own MCP servers
- Where we see MCP heading from a research and implementation perspective

Additional Resources:

- Anthropic - Introducing the Model Context Protocol (MCP)
- Enhanced Tool Definition Interface (ETDI): A Security Fortification for the Model Context Protocol
- Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies
- Vulnerable MCP Project…
 
In this episode, I sit with long-time vulnerability management and data science experts Jay Jacobs and Michael Roytman, who recently co-founded Empirical Security. We dive into the state of vulnerability management, including:

- How it is difficult to quantify and evaluate the effectiveness of vulnerability prioritization and scoring schemes, such as CVSS, EPSS, KEV, and proprietary vendor prioritization frameworks, and what can be done better
- Systemic challenges include setbacks in the NIST National Vulnerability Database (NVD) program, the MITRE CVE funding fiasco, and the need for a more resilient vulnerability database and reporting ecosystem.
- Domain-specific considerations when it comes to vulnerability identifiers and vulnerability management, in areas such as AppSec, Cloud, and Configuration Management, and using data to make more effective decisions
- The overuse of the term “single pane of glass” and some alternatives
- Empirical’s innovative approach to “localized” models when it comes to vulnerability management, which takes unique organizational and environmental considerations into play, such as mitigating controls, threats, tooling, and more, and how they are experimenting with this new approach for the industry…
 
In this episode, we sit down with the Co-Founder and CPO of Seemplicity, Ravid Circus, to discuss tackling the prioritization crisis in cybersecurity and how AI is changing vulnerability management. We dove into a lot of great topics, including:

- The massive challenge of not just finding and managing vulnerabilities but also remediation, with Seemplicity’s Year in Review report finding organizations face 48.6 million vulnerabilities annually and only 1.7% of them are critical. That still means hundreds of thousands to millions of vulnerabilities need to be remedied - and organizations struggle with this, even with the context of what to prioritize.
- There’s a lot of excitement around AI in Cyber, including in GRC, SecOps, and, of course, AppSec and vulnerability management. How do you discern between what is hype and what can provide real outcomes?
- What practical steps can teams take to bridge the gap between AI’s ability to find problems and security teams’ ability to fix them?
- One of the major issues is determining who is responsible for fixing findings in the space of Remediation Operations, where Seemplicity specializes. Ravid talks about how, both technically and culturally, Seemplicity addresses this challenge of finding the fixer.
- What lies ahead for Seemplicity this year with RSA and beyond…
 
In this episode, we sit down with Varun Badhwar, Founder and CEO of Endor Labs, to discuss the state of AI for AppSec and move beyond the buzzwords. We discussed the rapid adoption of AI-driven development, its implications for AppSec, and how AppSec can leverage AI to address longstanding challenges and mitigate organizational risks at scale. Varun and I dove into a lot of great topics, such as:

- The rise of GenAI and LLMs and their broad implications on Cybersecurity
- The dominant use case of AI-driven development with Copilots and LLM written code, leading to a Developer productivity boost. AppSec has struggled to keep up historically, with vulnerability backlogs getting out of control. What will the future look like now?
- Studies show that AI-driven development and Copilots don’t inherently produce secure code, and frontier models are primarily trained on open source software, which has vulnerabilities and other risks. What are the implications of this for AppSec?
- How can AppSec and Cyber leverage AI and agentic workflows to address systemic security challenges? Developers and attackers are both early adopters of this technology.
- Navigating vulnerability prioritization, dealing with insecure design decisions and addressing factors such as transitive dependencies.
- The importance of integrating with developer workflows, reducing cognitive disruption and avoiding imposing a “Developer Tax” with legacy processes and tooling from security.…
 
In this episode, we sit down with David Melamed and Shai Horovitz of the Jit team. We discussed Agentic AI for AppSec and how security teams use it to get real work done. We covered a lot of key topics, including:

- What some of the systemic problems facing AppSec are, even before the widespread adoption of AI, such as vulnerability prioritization, security technical debt and being outnumbered exponentially by Developers.
- The surge of interest and investment in AI and agentic workflows for AppSec, and why AppSec is an appealing space for this sort of investment and excitement.
- How the prior wave of AppSec tooling was focused on findings problems, riding the wave of shift left but how this has led to alert fatigue and overload, and how the next-era of AppSec tools will need to focus on not just finding but actually fixing problems.
- Some of the unique capabilities and features the Jit team has been working on, such as purpose-built agents in areas such as SecOps, AppSec and Compliance, as well as context-graphs with organizational insights to drive effective remediation.
- The role of Agentic AI and how it will help tackle some of the systemic challenges in the AppSec industry.
- Addressing concerns around privacy and security when using AI, by leveraging offerings from CSPs and integrating guardrails and controls to mitigate risks.…
 
In this episode, we sit down with Piyush Sharrma, CEO and co-founder of the Tuskira team. They're an AI-powered defense optimization platform innovating around leveraging an Agentic Security Mesh. We will dive into topics such as Platform vs. Point Solutions, Security Tool Sprawl, Alert Fatigue, and how AI can create "intelligent" layers to unify and enhance security tooling ROI. We discussed:

- What drove Piyush to jump back into the startup space after successfully exiting from a previous startup he helped found
- The industry debate around Platform vs. Point Solutions or Best-of-Breed and the perspectives between industry leaders and innovative startups
- Dealing with the challenge of alert fatigue security and development teams and the role of AI in reducing cognitive overload and providing insight into organizational risks across tools, tech stacks, and architectures
- The role of AI in providing intelligence layers or an Agentic Security Mesh across existing security tools and defenses and mitigating organizational risks beyond isolated vulnerability scans by looking at compensating controls, configurations, and more.
- Shifting security from a reactionary model around incident response and exploitation to a preemptive risk defense model that minimizes attack surface and optimizes existing security investments and architectures…
 
We sit with Lasso Security CEO and Co-Founder Elad Schulman in this episode. Lasso focuses on secure enterprise LLM/GenAI adoption, from LLM Applications, GenAI Chatbots, Code Protection, Model Red Teaming, and more. Check them out at https://lasso.security. We dove into a lot of great topics, such as:

- Dealing with challenges around visibility and governance of AI, much like previous technological waves such as mobile, Cloud, and SaaS
- Unique security considerations for different paths of using and building with AI, such as self-hosted models and consuming models as-a-service from SaaS LLM providers
- Potential vulnerabilities and threats associated with AI-driven development products such as Copilots and Coding assistants
- Software Supply Chain Security (SSCS) risks such as package hallucinations, and both safeguarding the data that goes out to external coding tools, as well as secure consumption of the data coming into the organization
- Securing AI itself and dealing with risks and threats such as model poisoning and implementing model red teaming
- Lasso discovered several critical concerns in their AI security research, such as Microsoft’s Copilot exposing thousands of private GitHub repos…
 
In this episode, we sit with security leader and venture investor Sergej Epp to discuss the Cloud-native Security Landscape. Sergej currently serves as the Global CISO and Executive at Cloud Security leader Sysdig and is a Venture Partner at Picus Capital. We will dive into some insights from Sysdig's recent "2025 Cloud-native Security and Usage Report."

Big shout out to our episode sponsor, Yubico! Passwords aren’t enough. Cyber threats are evolving, and attackers bypass weak authentication every day. YubiKeys provide phishing-resistant security for individuals and businesses—fast, frictionless, and passwordless. Upgrade your security: https://yubico.com

Sergej and I dove into a lot of great topics related to Cloud-native Security, including:

- Some of the key trends in the latest Sysdig 2025 Cloud-native Security Report and trends that have stayed consistent YoY. Sergej points out that while attackers have stayed consistent, organizations have and continue to make improvements to their security
- Sergej elaborated on his current role as Sysdig’s internal CISO and his prior role as a field CISO and the differences between the two roles in terms of how you interact with your organization, customers, and the community.
- We unpacked the need for automated Incident Response, touching on how modern cloud-native attacks can happen in as little as 10 minutes and how organizations can and do struggle without sufficient visibility and the ability to automate their incident response.
- The report points out that machine identities, or Non-Human Identities (NHI), are 7.5 times riskier than human identities and that there are 40,000 times more of them to manage. This is a massive problem and gap for the industry, and Sergej and I walked through why this is a challenge and its potential risks.
- Vulnerability prioritization continues to be crucial, with the latest Sysdig report showing that just 6% of vulnerabilities are “in-use”, or reachable. Still, container bloat has ballooned, quintupling in the last year alone. This presents real problems as organizations continue to expand their attack surface with expanded open-source usage but struggle to determine what vulnerabilities truly present risks and need to be addressed.
- We covered the challenges with compliance, as organizations wrestle with multiple disparate compliance frameworks, and how compliance can drive better security but also can have inverse impacts when written poorly or not keeping pace with technologies and threats.
- We rounded out the conversation with discussing AI/ML packages and the fact they have grown by 500% when it comes to usage, but organizations have decreased public exposure of AI/ML workloads by 38% since the year prior, showing some improvements are being made to safeguarding AI workloads from risks as well.…
 
In this episode, we sit down with Lior Div and Nate Burke of 7AI to discuss Agentic AI, Service-as-Software, and the future of Cybersecurity. Lior is the CEO/Co-Founder of 7AI and a former CEO/Co-Founder of Cybereason, while Nate brings a background as a CMO with firms such as Axonius, Nagomi, and now 7AI. Lior and Nate bring a wealth of experience and expertise from various startups and industry-leading firms, which made for an excellent conversation. We discussed:

- The rise of AI and Agentic AI and its implications for cybersecurity.
- Why the 7AI team chose to focus on SecOps in particular and the importance of tackling toil work to reduce cognitive overload, address workforce challenges, and improve security outcomes.
- The importance of distinguishing between Human and Non-Human work, and why the idea of eliminating analysts is the wrong approach.
- Being reactive and leveraging Agentic AI for threat hunting and proactive security activities.
- The unique culture that comes from having the 7AI team in-person on-site together, allowing them to go from idea to production in a single day while responding quickly to design partners and customer requests.
- Challenges of building with Agentic AI and how the space is quickly evolving and growing.
- Key perspectives from Nate as a CMO regarding messaging around AI and getting security to be an early adopter rather than a laggard when it comes to this emerging technology.
- Insights from Lior on building 7AI compared to his previous role, founding Cybereason, which went on to become an industry giant and leader in the EDR space.…
 
In this episode, we sit down with Investor, Advisor, Board Member, and Cybersecurity Leader Chenxi Wang to discuss the interaction of AI and Cybersecurity, what Agentic AI means for Services-as-a-Software, as well as security in the boardroom. Chenxi and I covered a lot of ground, including:

- When we discuss AI for Cybersecurity, it is usually divided into two categories: AI for Cybersecurity and Securing AI. Chenxi and I walk through the potential for each and which one she finds more interesting at the moment.
- Chenxi believes LLMs are fundamentally changing the nature of software development, and the industry's current state seems to support that. We discussed what this means for Developers and the cybersecurity implications when LLMs and Copilots create the majority of code and applications.
- LLMs and GenAI are currently being applied to various cybersecurity areas, such as SecOps, GRC, and AppSec. Chenxi and I unpack which areas AI may have the greatest impact on and the areas we see the most investment and innovation in currently.
- As mentioned above, there is also the need to secure AI itself, which introduces new attack vectors, such as supply chain attacks, model poisoning, prompt injection, and more. We cover how organizations are currently dealing with these new attack vectors and the potential risks.
- The biggest buzz of 2025 (and beyond) is Agentic AI or AI Agents, and their potential to disrupt traditional services work represents an outsized portion of cybersecurity spending and revenue. Chenxi envisions a future where Agentic AI and Services-as-a-Software may change what cyber services look like and how cyber activities are conducted within an organization.

If you aren’t already following Chenxi Wang on LinkedIn, I strongly recommend you do. I have a lot of connections, but she is someone when I see a post, I am sure to stop and read because she shares a TON of great insights from the boardroom, investment, cyber, startups, AI, and more. I’m thankful to have her on the show to come chat!…
 
In this episode, we sit down with Rob Shavell, CEO and Co-Founder of DeleteMe, an organization focused on safeguarding exposed personal data on the public web and addressing user privacy challenges. We dove into a lot of great topics, such as:

- The rapidly growing problem of personal data ending up on the public web and some of the major risks many may not think about or realize
- Trends contributing to personal data exposure, from the Internet itself to social media, mobile phones/apps, IoT devices, COVID, and now AI
- Where to get started when it comes to taking control of your personal data and privacy
- Potential abuses and malicious uses for personal data and how threat actors are leveraging it
- How DeleteMe can help, as well as free resources and DIY guides that individuals can use to mitigate risk associated with their personal data being exposed…
 
In this episode of Resilient Cyber, we sit down with Steve Martano, Partner in the Cyber Security Practice at Artico Search, to discuss the recent IANS & Artico Search Publications on the 2025 State of the CISO, security budgets, and broader security career dynamics. Steve and I touched on some great topics, including:

- The 2025 State of the CISO report and key findings
- Board reporting cadences for CISOs and the importance of Boardroom involvement in Cybersecurity
- The three archetypes of CISOs: Tactical, Functional and Strategic
- How security leaders can advance their career to becoming strategic CISOs as well as key considerations for organizations looking to attract and retain their security talent
- The growing scope of responsibility for CISO roles from not just Infosec but to broader IT, business risk, and digital strategy and implications for CISOs
- Security budget trends, spending, macroeconomic factors and allocations

Here is a list of some of the great resources from IANS and Artico below on various areas of interest for CISOs and Security leaders alike!

- https://www.iansresearch.com/resources/ians-security-budget-benchmark-report
- https://www.iansresearch.com/resources/ians-ciso-compensation-benchmark-report
- https://www.iansresearch.com/resources/ians-state-of-the-ciso-report
- https://www.iansresearch.com/resources/ians-leadership-organization-benchmark-report…
 
In this episode of Resilient Cyber, we catch up with Katie Norton, an Industry Analyst at IDC who focuses on DevSecOps and Software Supply Chain Security. We will dive into all things AppSec, including 2024 trends and analysis and 2025 predictions. Katie and I discussed:

- Her role with IDC and transition from Research and Data Analytics into being a Cyber and AppSec Industry Analyst and how that background has served her during her new endeavor.
- Key themes and reflections in AppSec through 2024, including disruption among Software Composition Analysis (SCA) and broader AppSec testing vendors.
- The age-old Platform vs. Point product debate concerns the iterative and constant cycle of new entrants and innovations that grow, add capabilities, and become platforms or are acquired by larger platform vendors. The cycle continues infinitely.
- Katie's key research areas for 2025 include Application Security Posture Management (ASPM), Platform Engineering, SBOM Management, and Securing AI Applications.
- The concept of a “Developer Tax” and the financial and productivity impact legacy security tools and practices are having on organizations while also building silos between us and our Development peers.
- The role of AI in corrective code fixes and the ability of AI-assisted automated remediation tooling to drive down remediation timelines and vulnerability backlogs.
- The importance of storytelling, both as an Industry Analyst and in the broader career field of Cybersecurity.…
 
In this episode of Resilient Cyber, Ed Merrett, Director of Security & TechOps at Harmonic Security, will dive into AI Vendor Transparency. We discussed the nuances of understanding models and data and the potential for customer impact related to AI security risks. Ed and I dove into a lot of interesting GenAI Security topics, including:

- Harmonic’s recent report on GenAI data leakage shows that nearly 10% of all organizational user prompts include sensitive data such as customer information, intellectual property, source code, and access keys.
- Guardrails and measures to prevent data leakage to external GenAI services and platforms
- The intersection of SaaS Governance and Security and GenAI and how GenAI is exacerbating longstanding SaaS security challenges
- Supply chain risk management considerations with GenAI vendors and services, and key questions and risks organizations should be considering
- Some of the nuances between self-hosted GenAI/LLMs and external GenAI SaaS providers
- The role of compliance around GenAI and the different approaches we see between examples such as the EU with the EU AI Act, NIS2, DORA, and more, versus the U.S.-based approach…
 
In this episode, we sit down with Sounil Yu, Co-Founder and CTO at Knostic, a security company focusing on need-to-know-based access controls for LLM-based Enterprise AI. Sounil is a recognized industry security leader and the author of the widely popular Cyber Defense Matrix. Sounil and I dug into a lot of interesting topics, such as:

- The latest news with DeepSeek and some of its implications regarding broader AI, cybersecurity, and the AI arms race, most notably between China and the U.S.
- The different approaches to AI security and safety we’re seeing unfold between the U.S. and EU, with the former being more best-practice and guidance-driven and the latter being more rigorous and including hard requirements.
- The age-old concept of need-to-know access control, the role it plays, and potentially new challenges implementing it when it comes to LLMs
- Organizations rolling out and adopting LLMs and how they can go about implementing least-permissive access control and need-to-know
- Some of the different security considerations between
- Some of the work Knostic is doing around LLM enterprise readiness assessments, focusing on visibility, policy enforcement, and remediation of data exposure risks
 
SecOps continues to be one of the most challenging areas of cybersecurity. It involves addressing alert fatigue, minimizing dwell time and meantime-to-respond (MTTR), automating repetitive tasks, integrating with existing tools, and leading to ROI. In this episode, we sit with Grant Oviatt, Head of SecOps at Prophet Security and an experienced SecOps leader, to discuss how AI SOC Analysts are reshaping SecOps by addressing systemic security operations challenges and driving down organizational risks. Grant and I dug into a lot of great topics, such as:

- Systemic issues impacting the SecOps space include alert fatigue, triage, burnout, staffing shortages, and inability to keep up with threats.
- What makes SecOps such a compelling niche for Agentic AI, and what key ways can AI help with these systemic challenges?
- How Agentic AI and platforms such as Prophet Security can aid with key metrics such as SLOs or meantime-to-remediation (MTTR) to drive down organizational risks.
- Addressing the skepticism around AI, including its use in production operational environments and how the human-in-the-loop still plays a critical role for many organizations.
- Many organizations are using Managed Detection and Response (MDR) providers as well, and how Agentic AI may augment or replace these existing offerings depending on the organization's maturity, complexity, and risk tolerance.
- How Prophet Security differs from vendor-native offerings such as Microsoft Co-Pilot and the role of cloud-agnostic offerings for Agentic AI.…
 
While cybercriminals can (and do) infiltrate organizations by exploiting software vulnerabilities and launching brute force attacks, the most direct—and often the most effective—route is via the inbox. As the front door of an enterprise and the gateway upon which employees rely to do their jobs, the inbox represents an ideal access point for attackers. And it seems that, unfortunately, cybercriminals aren’t lacking when it comes to identifying new ways to sneak in. Abnormal Security’s Field CISO, Mick Leach, will discuss some of the sophisticated threats we anticipate escalating in the coming year—including cryptocurrency fraud, AI-generated business email compromise, and more. Mick and I dove into a lot of great topics, including:

- The evolution of email-based attacks and why traditional tooling may fall short
- How attackers are leveraging GenAI and LLMs to make more compelling email-based attacks
- How defenders can utilize AI to improve their defensive capabilities
- The role of tooling such as Secure Email Gateways and more, and how they still play a role but fail to meet the latest threat landscape
- How Abnormal is tackling email-based attacks and the outcomes they are helping customers achieve with streamlined integration and use…
 
In this episode, we sit down with Rajan Kapoor, Field CISO of Material Security, to discuss the security risks and shortcomings of native cloud workspace security offerings and the role of modern platforms for email security, data governance, and posture management. Email and Cloud Collaboration Workspace Security continues to be one of the most pervasive and challenging security environments, and Rajan provided a TON of excellent insights. We covered:

- Why email and cloud workspaces are some of the most highly targeted environments by cyber criminals, what they can do once they do compromise the email environment, and the broad implications.
- The lack of security features and capabilities of native cloud workspaces such as M365 and Google Workspaces and the technical and resource constraints that drive teams to seek out innovative products such as Material Security.
- The tug of war between security and productivity and how Material Security helps address challenges of the native workspaces that often make it hard for people to do their work and lead to security being sidestepped.
- Particularly industries that are targeted and impacted the most, such as healthcare, where there is highly sensitive data, regulatory challenges, and more.
- Common patterns among threats, attacks, and vulnerabilities and how organizations can work to bolster the security of their cloud workspace environments.

This is a fascinating area of security. We often hear “identity is the new perimeter” and see identity play a key role in trends such as zero trust. But, so often, that identity starts with your email, and it can lead to lateral movement, capturing MFA codes, accessing sensitive data, impacting business partners, phishing others in the organization, and more, all of which can have massive consequences for the organizations impacted. Rajan brought his expertise as a Field CISO and longtime security practitioner to drop a ton of gems in this one, so be sure to check it out!…
 
We’ve heard a ton of excitement about AI Agents, Agentic AI, and its potential for Cybersecurity. This ranges in areas such as GRC, SecOps, and Application Security (AppSec). That is why I was excited to sit down with Ghost Security Co-Founder/CEO Greg Martin. In this episode, we sit down with Ghost Security CEO and Co-Founder Greg Martin to chat about Agentic AI and AppSec. Agentic AI is one of the hottest trends going into 2025, and we will discuss what it is, its role in AppSec, and what systemic industry challenges it may help tackle. Greg and I chatted about a lot of great topics, including:
- The hype around Agentic AI and what makes AppSec, in particular, such a promising area and use case for AI to tackle longstanding AppSec challenges such as vulnerabilities, insecure code, backlogs, and workforce constraints.
- Greg’s experience as a multi-time founder, including going through acquisitions, but what continues to draw him back to being a builder and operational founder.
- The challenges of historical AppSec tooling and why the time for innovation, new ways of thinking, and leveraging AI is due.
- Whether we think AI will end up helping or hurting more in terms of defenders and attackers and their mutual use of this promising technology.

And much more, so be sure to tune in and check it out, as well as check out his team at Ghost Security and what they’re up to!…
 
In this episode, we will be sitting down with Filip Stojkovski and Dylan Williams to dive into AI, Agentic AI, and the intersection with cybersecurity, specifically Security Operations (SecOps). I’ve been following Filip and Dylan for a bit via LinkedIn and have been really impressed with their perspective on AI and its intersection with Cyber, especially SecOps. We dove into that in this episode, including:
- What exactly Agentic AI and AI Agents are, and how they work
- What a Blueprint for AI Agents in Cybersecurity may look like, using their example in their blog with the same title
- The role of multi-agentic architectures, potential patterns, and examples such as Triage Agents, Threat Hunting Agents, and Response Agents and how they may work in unison
- The potential threats to AI Agents and Agentic AI architectures, including longstanding challenges such as Identity and Access Management (IAM), Least-Permissive Access Control, Exploitation, and Lateral Movement
- The current state of adoption across enterprises and the startup landscape and key considerations for CISOs and security leaders looking to potentially leverage Agentic SecOps products and offerings…
 
In this episode, we sit down with StackAware Founder and AI Governance Expert Walter Haydock. Walter specializes in helping companies navigate AI governance and security certifications, frameworks, and risks. We will dive into key frameworks, risks, lessons learned from working directly with organizations on AI Governance, and more. We discussed Walter’s pivot with his company StackAware from AppSec and Supply Chain to a focus on AI Governance and from a product-based approach to a services-oriented offering and what that entails. Walter has been actively helping organizations with AI Governance, including helping them meet emerging and newly formed standards such as ISO 42001. Walter provides field notes, lessons learned and some of the most commonly encountered pain points organizations have around AI Governance. Organizations have a ton of AI Governance and Security resources to rally around, from OWASP, Cloud Security Alliance, NIST, and more. Walter discusses how he recommends organizations get started and where. The U.S. and EU have taken drastically different approaches to AI and Cybersecurity, from the EU AI Act, U.S. Cyber EO, Product Liability, and more. We discuss some of the pros and cons of each and why the U.S.’s more relaxed approach may contribute to economic growth, while the EU’s approach to being a regulatory superpower may impede their economic growth. Walter lays out key credentials practitioners can explore to demonstrate expertise in AI security, including the IAPP AI Governance credential, which he recently took himself. You can find out more about Walter Haydock by following him on LinkedIn, where he shares a lot of great AI Governance and Security insights, as well as his company website www.stackaware.com…
 
In this episode, we sit down with return guest Jim Dempsey. Jim is the Managing Director of the Cybersecurity Law Center at IAPP, Senior Policy Advisor at Stanford, and Lecturer at UC Berkeley. We will discuss the complex cyber regulatory landscape, where it stands now, and implications for the future based on the recent U.S. Presidential election outcome. We dove into a lot of topics, including:
- The potential impact of the latest U.S. Presidential election, including the fact that while there are parallels between Trump’s first term and Joe Biden’s, there are also key differences. We’re likely to see a deregulatory approach related to commercial industry and consumer tech but much more alignment and firm stances related to cyber and national security.
- The future of efforts around Software Liability and Safe Harbor
- Contrasted differences between the EU’s tech regulatory efforts and the U.S. The U.S. has taken a much more voluntary approach. While Jim is an advocate of regulation and thinks it is needed, he simply cannot get behind the heavy-handed approach of the EU and suspects it will continue to widen the tech gap between the U.S. and the EU.
- What the potential is for regulatory harmonization and the challenges due to the unique aspects of each industry, vertical, data types, and more.
- Jim leads the recently formed IAPP Cybersecurity Law Center
- He is also the author of the book Cybersecurity Law Fundamentals, Second Edition.…
 
In this episode of Resilient Cyber I will be chatting with industry leaders Tyler Shields and James Berthoty on the topic of "Shift Left". This includes the origins and early days of the shift left movement, as well as some of the current challenges, complaints and if the shift left movement is losing its shine. We dive into a lot of topics such as:
- Tyler and James’ high-level thoughts on shift left and where it may have gone wrong or run into challenges
- Tyler’s thoughts on the evolution of shift left over the last several decades from some of his early Pen Testing roles and working with early legacy applications before the age of Cloud, DevOps and Microservices
- James’ perspective, having started in Cyber in the age of Cloud and how his entire career has come at shift left from a bit of a different perspective
- The role that Vendors, VCs and products play and why the industry only seems to come at this from the tool perspective
- Where we think the industry is headed with similar efforts such as Secure-by-Design/Default and its potential as well as possible challenges…
 
In this episode we sit down with Shyam Sankar, Chief Technology Officer (CTO) of Palantir Technologies. We will dive into a wide range of topics, from cyber regulation, software liability, navigating Federal/Defense cyber compliance and the need for digital defense of the modern national security ecosystem.
- First off, for those unfamiliar with you and your background, can you tell us a bit about yourself, as well as Palantir? You're a big proponent of the role that software plays now, and will play in the future when it comes to the fifth domain of warfare, cybersecurity, so let's dive into some of those topics.
- I know you've voiced some strong opinions on the role of cyber insurance and also compliance when it comes to its static nature, compared to the dynamic activity of malicious actors and the threat landscape. Can you expand on that?
- You and I also chatted about the fact that most cyber issues tie back to hygiene, and that there are no silver bullets. Do you feel like this gets lost among the marketing hype of cyber?
- I know you've talked about externalizing some of Palantir's software infrastructure to enable more companies with security infrastructure and toolchains. Can you tell us about some of those capabilities?
- The enablement of more companies is key, as you know the DIB has seen massive consolidation in the past decade or more, largely with the small handful of players dominating the lion's share of the work in the DoD. This arguably poses systemic concentrated risks, as well as doesn't give access for the DoD to commercial innovation. You called America's commercial tech sector the DoD's most powerful ally in a recent piece. We know that times have changed, and unlike eras of the past, most digital innovation comes from the commercial space, but DoD tends to have a "not built here" syndrome, no doubt driven by incumbents, incentives, fiefdom building and more. What do you think the national security risks of this are?
- Given you've been around DoD for some time, you've no doubt been exposed to processes like ATOs and RMF and more. What are your thoughts on the current state of compliance in the DoD and how it could potentially hinder access to commercial innovation?…
 
In this episode we sit down with Mark Simos to dive into his RSA Conference talk "You're Doing It Wrong - Common Security AntiPatterns" to dig into several painfully true anti-patterns in cybersecurity and how we often are our own worst enemy.
- First off, for those not familiar with you or your background, can you tell us a bit about that?
- So you delivered this talk at RSA, focused on Cybersecurity "Anti-Patterns". How did the talk come about and how was it received by the audience? We won't be able to name them all, but I would love to discuss some of them.
- You talk about technology-centric thinking, and how folks believe security is about technology instead of business assets. Can you explain this one?
- The silver bullet mindset was another that jumped out to me. This is thinking a single solution can 100% solve complex and continuous problems. What ways have you seen this one play out?
- The paradox of blame is one that made me laugh because I have seen this play out a lot. You talk about the CYA mentality, how security warns about issues, they are skipped and then security is blamed. This one really stings because I have seen it happen, and in fact, I feel like we're seeing it play out with some of the CISO liability cases and regulations that are emerging.
- Perhaps one of the most well known anti-patterns is security being the office of no or resisting trends. I feel like we saw this with Cloud, Mobile, SaaS and now AI. Why do we keep repeating these mistakes?…
 
- First off, for those who don't know you, can you tell us a bit about your background?
- You've been providing a deep dive talk into how to become a CISO. I'm curious, what made you put together the presentation, and how has it been received so far when you've had a chance to deliver it?
- You have broken down what you call "four stages of the journey" that encompasses skills in areas such as Technical, Management, Leadership and Political. This to me comes across as CISOs needing to be multidisciplinary professionals with a variety of skillsets. What do you think makes this so important for CISOs to be successful?
- Let's walk through the four stages a bit. You start off with Technical skills. This seems to be the foundation many CISOs start with, coming from roles in areas such as engineering, architecture and so on. What makes this foundation so key?
- How do CISOs maintain a strong technical foundation and depth, as they get further away from the tactical work and more into the leadership and strategic role?
- CISOs of course have to be able to manage the teams they build and/or oversee. What are some of the key management leadership skills you think CISOs must have?
- Leading is a fundamental part of what CISOs do. Whether it is direct reports, or the broader security org. What are some of these leadership skills and how can they have a positive or negative impact?
- Last but not least is the political side of things. CISOs of course operate among other C Suite peers, the board and within complex organizations with competing interests, personalities and incentives. This could arguably be the most important skill to hone in terms of ensuring you're effective in your role, and have a lasting impact on organizational risks. What are your thoughts on the political skills front?
- I'm curious as someone who's been a multiple time CISO and is now advising others on how to obtain the role - where do you see the role of the CISO headed in the future? We see new aspects such as litigation, SEC rules, determining materiality, CISOs needing to speak the language of the business and more - all while needing to manage risks with the ever changing technological landscape, with AI being the latest example. Where is it all headed?…
 
- First off, for folks not familiar with your background, can you tell us a bit about that and how you got to the role you're in now?
- We see rapid adoption of AI and security inevitably trying to keep up, where should folks start?
- There are some really interesting intersections when it comes to AI and supply chain, what are some of them?
- We see a thriving OSS ecosystem around AI, including communities and platforms like Hugging Face. What are some key things to keep in mind here?
- AI BOMs - what are they, how do they differ from SBOMs, and what are some notable efforts underway right now around them?…
 
In this episode we sit down with Amir Kessler and Aviram Shmueli of AppSec innovator Jit to dive into the complexities of the modern AppSec landscape and explore the emerging Application Security Posture Management (ASPM) ecosystem.
- First off, for folks not familiar with your backgrounds, can you tell us a bit about both of your backgrounds and how you got to the roles you're in now?
- We're seeing a ton of interest in the topic of ASPM in the AppSec space. What do you think has led to this emerging category and what key problems is it looking to solve?
- I know your team puts a big emphasis on not just the tech but also the DevEx and UX. Why is this so critical to address AppSec risks and securing organizations and their code?
- While there is value in ASPM platforms, many Dev teams and engineers are opinionated about their tools, how important is this flexibility and extensibility in the platform that the Jit team has built?
- A key challenge includes vulnerability overload. Teams drowning in massive vulnerability backlogs and trying to add vulnerability context and focus on the most relevant risks for developers. How does Jit approach this?
- Not all ASPM platforms are the same, but we see many vendors rallying around the category. What do you think makes Jit unique and differentiates what the team has built?…
 
- For those that don't know you, can you tell us a bit about your background and your current role?
- I know you help lead the ATLAS project for MITRE, what exactly is ATLAS and how did it come about?
- The AI threat landscape is evolving quickly, as organizations are rapidly adopting GenAI, LLMs and AI more broadly. We are still fleshing out some fundamental risks, threats and vulnerabilities to consider. Why is it so important to have a way to characterize it all?
- When it comes to AI Security, there is also a lot of hype, buzz and dare I say FUD out there. Why are you so adamant that we take a data-driven and actionable approach?
- I know you recently helped participate in the first big AI security incident focused TTX, including with CISA and other Government and Industry partners, can you speak a bit about the experience and why exercises like this are important for organizations to do when it comes to AI security?
- As someone close to the AI domain, when it comes to security, what are your thoughts on both where we're headed for security of AI, and AI to bolster security?
- For folks wanting to learn more about ATLAS, and the work MITRE is doing around AI security, where should folks get started?
- What are some key open questions and opportunities for the community to help shape the future of AI security and assurance?

https://atlas.mitre.org/ ← Check out MITRE ATLAS!…
 