Chris, Izar, and Matt address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues in this Security Table roundtable. Sparked by a LinkedIn post from Bob Lord, Senior Technical Advisor at CISA, they discuss whether software companies have a civic duty to distribute fixes for vulnerabilities they discover in open-source components. They also examine if there is a need to threat model every third-party component and consider the...

Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion...

Sander Schulhoff of Learn Prompting joins us at The Security Table to discuss prompt injection and AI security. Prompt injection is a technique that manipulates AI models such as ChatGPT to produce undesired or harmful outputs, such as instructions for building a bomb or rewarding refunds on false claims. Sander provides a helpful introduction to this concept and a basic overview of how AIs are structured and trained. Sander's perspective from AI research and practice balances our security...

Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world. Chris begins by highlighting the importance of collaboration and...

Patrick Garrity joins the Security Table to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game. FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast ➜LinkedIn: The Security Table Podcast ➜YouTube: The Security Table YouTube Channel Thanks for Listening!

Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while...

Join Chris, Matt, and Izar for a lively conversation about an article that offers 20 points of "essential details" to look for in a Software Bill of Materials (SBOM). They dissect and debate various points raised in the article, including generating SBOMs, the necessary components, and how to gauge the quality of this digital inventory. Their critique is both insightful and humorously candid, and they will offer you a tour through the often complex world of software documentation. Hear about...

Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points. The trio delves into the nuances of system configurations, emphasizing...

The Security Table gathers to discuss the evolving landscape of application security and its potential integration with development. Chris posits that application or product security will eventually be absorbed by the development sector, eliminating the need for separate teams. One hindrance to this vision is the friction between security and engineering teams in many organizations. Many people think that security incidents have negative implications on brand reputation and value. Izar...

The Security Table gathers this week to discuss expectations about tooling in the Application Security industry. Matt emphasizes that tools should essentially automate tasks that humans can perform but in a faster and more efficient manner. The conversation then shifts to the overwhelming nature of communication platforms like Slack. Izar highlights the challenges of managing attention spans and context-switching when one is part of numerous Slack channels, likening it to being in a room with...

Matt and Izar join in a debate with Chris Romeo as he challenges the paradigm of "scan and fix" in application security. Chris references a LinkedIn post he made, which sparked significant reactions, emphasizing the repetitive nature of the scan and fix process. His post critiqued the tools used in this process, noting that they often produce extensive lists of potential vulnerabilities, many of which might be false positives or not appropriately prioritized. He underscores the need for...

The Security Table gathers to discuss the upcoming ThreatModCon 2023 (https://www.threatmodelingconnect.com), the inaugural and only conference dedicated entirely to threat modeling. ThreatModCon 2023  Sunday, October 29, 2023 Marriott Marquis Washington, DC The Threat Modeling Conference will cover various aspects of threat modeling, from AI integration to privacy concerns, from a brief history of threat modeling to hands-on workshops. The sessions will emphasize learning, interaction,...

Chris Romeo, Matt Coles, and Izar Tarandach attempt to demystify the concepts of Application Security (AppSec) and Product Security (ProdSec). They find that even defining and differentiating both concepts is challenging. Various articles exist about AppSec and ProdSec, but the industry is generally confused about these terms.  Discussing the role of hardware in product security initiates an animated debate. Questions arise about whether the presence of hardware makes something more of a...

Imposter Syndrome is when a person feels inadequate despite their accomplishments. Not unique to the field of cybersecurity or even software development, imposter syndrome can affect any professional as they advance and grow in their area of expertise. Matt and Izar, both seasoned security professionals, openly discuss the dichotomy between their intellectual achievements and the emotional weight of feeling like they don't belong. They touch upon the challenges of presenting at conferences,...

The Security Table team dialogues about the importance of data and metrics in understanding and communicating risk. After Matt defines ROI, Izar emphasizes that while data is crucial, it doesn't always come in numerical form. Instead, risk can be expressed in various ways, such as trends, and doesn't necessarily need to be quantified in traditional terms. Chris stresses that executives need tangible metrics and data to make informed decisions, especially when communicating with legal teams...

Jim Manico joins Chris, Matt, and Izar at the Security Table for a rousing discussion on his Threat Modeling journey. They also learn about each other's thoughts about DAST, SAST, SCA, Security in AI, and several other topics. Jim is an educator at heart, and you learn quickly that he loves application security. Jim is not afraid to drop a few controversial opinions and even a rap! Jim discusses the importance of static application security testing (SAST) and how it is becoming increasingly...

"Secure by Design" has garnered attention with the release of a document by CISA. What does it mean? How does it fit with Threat Modeling? And do you know if Secure by Design will answer our need for secure software? "Secure by Design" means a system is designed with secure principles. The system should come pre-hardened and pre-secured, ensuring users don't have to configure it for security after installation. On the other hand, "Secure by Default" means that the system is configured...

What happens when engineers transform into security champions? Is this beneficial, and what are the implications of this transformation? Izar reveals his transition from a naysayer to a supporter of security champions, and Chris and Matt seek to understand his current position. They explore the position of Security Champion and discuss the components of a good security champion program. Matt defines security champions as developers with influence who can be a bridge between security and...

There is a relationship between security professionals and engineers. Explore the possibility of engineers disliking security personnel and how security professionals can improve their relationship with engineers. Security professionals need to be empathetic, have strong soft skills, and be able to influence and embed themselves within the engineering team. Resource management is essential, and avoiding engineers feeling like security is always giving them an over-the-shoulder look.  Being...

What is security posture? Izar was at a conference in Amsterdam, where he was asked to define security posture and how to measure it. Is security posture qualitative or quantitative, and can it be compared across teams, organizations, and departments? This led us down this rabbit hole; what is security posture, and is it even possible to measure? Security posture is multi-dimensional, differentiating between organizational and system security postures. Security activities that are reasonable...

The big question is if it's possible to lose the application security team and move all the functions directly into development. What are developers' roles in application security (AppSec), and what challenges do they face?  We delve into developers' responsibility in ensuring security, despite not always having the necessary tools or training to do so effectively.  We discuss "shifting everything left," which refers to integrating security earlier in the development process. We express...

How do you determine what constitutes "reasonable security" when evaluating vendors? Is “reasonable” a measure of compliance to a set standard? Is it reasonable to expect mature threat modeling practices? Some expectations are too high to be reasonable, but the minimum standard that both parties agree upon doesn’t seem like enough. Join the hosts of the Security Table as they discuss the importance of a reasonable security standard, one that both a vendor and the buyer can agree upon. Izar...

Certificate pinning is a security measure used in computer networking and something Chris candidly admits to his lack of understanding. Matt and Izar explain certificate pinning, a client-side operation that adds an extra layer of security to the Transport Layer Security (TLS) protocol and ensures that the client application checks the server's certificate against a known copy of that certificate. The discussion leads to a reflection on the vast amount of knowledge required in cybersecurity,...

What is privacy, and how does it intersect with security? We are joined by our first guest, Ally O'Leary, a privacy compliance expert. Ally works for a consumer electronics company, ensuring compliance with global privacy laws and acting as a data protection officer. The episode delves into the intersection of privacy and security, with Ally explaining how these two areas often go hand in hand. She emphasizes the importance of understanding the definition of personal information and being...

Guard rails and paved roads -- how do they fit together in application security?  Guardrails are security tools in the pipeline that help ensure the software doesn't drift too far from established standards. These guardrails allow developers to maintain their creativity and flexibility while building features that ultimately go to the customer. Paved roads are platforms that developers can build on top of without having to worry about aspects like identity and access management. Paved roads...