EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges

Future of Application Security

Player FM - Internet Radio Done Right

הוסף לפני three שנים

תוכן מסופק על ידי Tromzo. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Tromzo או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

Netflix Is A Daily Joke

1
Tom Segura: A Joke About Supermodels 2:40

לפני 10 ימים2:40

הפעל מאוחר יותר

רשימות

לייק

אהבתי

2:40

Tom Segura jokes about supermodels in his Netflix special, "Sledgehammer".

לפני שנתיים 33:58

MP3•בית הפרקים

In this episode of the Future of Application Security, Harshil speaks with Steve Springett. They discuss the broad definition of what software supply chain security is, the implementation of SBOMs after the White House's Executive Order, and how organizations can effectively adopt, operationalize, and use SBOMs. They also discuss the biggest drivers for better software supply chain security, why you need to manage more than just vulnerabilities, and how organizations can start chipping away at their software security chain problems.

Topics discussed:

Steve's broadly encompassing definition of software supply chain security.
How organizations scrambled to adopt and operationalize SBOMs after the White House's Executive Order, and why Steve started SCVS (OWASP Software Component Verification Standard) as a response.
Why software supply chain security goes beyond just understanding and addressing your vulnerabilities, but should include knowing your inventory, and the pedigree and provenance of your assets.
Why SBOMs have suddenly gained in popularity, likely because of supply chain attacks and breach fatigue and the need for better solutions.
What to do with an SBOM: how do you share it, how can you request it at scale, how can you analyze it, and what do you do with it once you have it.
How to address the vulnerabilities that are listed in an SBOM that will remain unexploitable, and how to ensure the customer experience isn't negatively impacted by that list.
How machine learning may play a role in better understanding risk across the software supply chain.
Why capitalism and customer demand will be the biggest driver in pushing forward advancements in software supply chain security.

60 פרקים

#Business #Tromzo

EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges

Future of Application Security

published לפני שנתיים

שתפו

MP3•בית הפרקים

Topics discussed:

Steve's broadly encompassing definition of software supply chain security.
How organizations scrambled to adopt and operationalize SBOMs after the White House's Executive Order, and why Steve started SCVS (OWASP Software Component Verification Standard) as a response.
Why software supply chain security goes beyond just understanding and addressing your vulnerabilities, but should include knowing your inventory, and the pedigree and provenance of your assets.
Why SBOMs have suddenly gained in popularity, likely because of supply chain attacks and breach fatigue and the need for better solutions.
What to do with an SBOM: how do you share it, how can you request it at scale, how can you analyze it, and what do you do with it once you have it.
How to address the vulnerabilities that are listed in an SBOM that will remain unexploitable, and how to ensure the customer experience isn't negatively impacted by that list.
How machine learning may play a role in better understanding risk across the software supply chain.
Why capitalism and customer demand will be the biggest driver in pushing forward advancements in software supply chain security.

60 פרקים

#Business #Tromzo

All episodes

1
EP 60 - Appian’s Abdullah Munawar on Enhancing Product Security Amid Evolving Development Trends 21:05

לפני 1 year21:05

21:05

In this episode of the Future of Application Security podcast, Harshil speaks with Abdullah Munawar , Director of Product Security at Appian . Abdullah shares valuable insights into his journey from security assessments and consulting to leading product security efforts, discussing the evolving challenges and strategies for building effective security programs in modern development environments. He discussed the importance of evolving security practices beyond identification to implementation within organizations, including the need for a holistic approach to product security and focusing on high-priority vulnerabilities. Abdullah also explains the challenges of maintaining data quality in AI companies. Topics discussed: The transition from consulting to in-house product security and the importance of hands-on experience in understanding the challenges of implementing security fixes and mechanisms. Defining the scope of product security in the context of decentralized development practices and the shift towards "you build it, you manage it" approaches. The changing role and structure of product security teams to address the full stack of security concerns, from architecture and automation to traditional AppSec tasks. Strategies for driving remediation and adoption of security practices, including leadership buy-in, targeted automation, and empathy-building initiatives like security champion programs. Emerging challenges in product security related to AI and data management, such as data poisoning, segregation, and unintended leakage.…

1
EP 59 - Nat Mokry on Advancing Application Security in the Gaming Industry 26:55

לפני 1 year26:55

26:55

In our latest episode of the Future of Application Security podcast, Nat Mokry , VP of Application & Product Security at Xbox (formerly of Activision Blizzard at the time of recording), shares valuable insights into the world of application security, from the mission of defending player trust to emphasizing the importance of technical skills in cybersecurity. Nat provides guidance on building effective security teams and navigating the evolving challenges in the industry. Topics discussed: Earning and defending player trust as a guiding principle of business and strategies for making mission statements actionable. Building and structuring a diverse security team, and the challenges faced by appsec teams in the current landscape. The concept of the "piggy bank of trust" in security relationships that Nat says helps him and his team remember that people skills are important too. Balancing technical expertise and security knowledge, depending on what your data is telling you. Having the humility to ask questions and not have all the answers. The difference between solving problems for people and minimizing the chances of them doing something wrong.…

1
EP 58 — Asana's Felix Matenaar on Building Resilient Security Practices for the Future 32:45

לפני 1 year32:45

32:45

In this episode of the Future of Application Security podcast, Harshil interviews Felix Matenaar , Head of Product Security at Asana . Felix shares insights into his journey from Germany to Silicon Valley, where he transitioned from mobile security to leading Asana's product security efforts. The conversation highlights Felix's experience in creating security frameworks that eliminate vulnerabilities by building secure product lifecycles and ensuring alignment with business objectives. His approach integrates rigorous security measures directly into the development process, reflecting Asana's commitment to robust, proactive security. Topics Discussed: Felix discusses his transition from software engineering to product security and his strategic move from Google to Asana. Strategies for integrating security seamlessly into product development to enhance safety without compromising functionality. How effective security practices can accelerate business processes and foster trust with users. The importance of collaboration across different organizational functions to ensure comprehensive security coverage. The role of leadership in fostering a security-centric culture within tech companies. Insights into upcoming challenges and innovations in the field of application security.…

1
EP 57 — Clari's Steve Lukose on Using SLAs as Benchmarks for Businesses 27:05

לפני 1 year27:05

27:05

In this episode of the Future of Application Security, Harshil speaks with Steve Lukose , Vice President of Security at Clari , about how security is becoming a business enabler rather than just an organization. Steve explains why SLAs will become one of the benchmarks for security experts to use, but that it won’t necessarily be for all aspects of security. Still, they’ll be a great tool to help security organizations plan ahead for their next steps. They also discuss the importance of cross functional collaboration, why your team should build relationships outside of the group, and how regulatory bodies are driving change. Topics discussed: The importance of building relationships within your team and outside of it. Why SLAs will become a benchmark for security leaders to use for planning their next business steps. How security leaders can work with their teams, partners such as engineers, and stakeholders to make sure they stay on track and keep focus. How product managers can help facilitate projects by understanding what each stakeholder needs. How security transcends barriers by becoming a business enabler, shifting from a restrictive function to one that supports and enhances organizational objectives and growth. The importance of cross functional collaboration. How scrutiny from regulatory bodies such as the SEC is driving change.…

1
EP 56 — Aruneesh Salhotra on Why Security is Everyone’s Job 24:49

לפני 1 year24:49

24:49

In this episode of the Future of Application Security, Harshil speaks with Aruneesh Salhotra , CEO and Fractional CISO, SNM Consulting Inc. They discuss the unique challenges and opportunities of application security in the financial sector, including how the "necessary evil" of regulations is increasing accountability around security efforts. They also talk about the need for more vigilant software supply chain security, two better approaches to vulnerability management, and how AI can create self-sufficiency among developers. Topics discussed: The "necessary evil" of regulations and how they're increasing accountability around data storage, pen testing, and more. Two approaches security teams can take to better manage application vulnerabilities: a call graph and runtime SCA. What your attack surface is and how to effectively manage it. The increasing importance of software supply chain security and the value of establishing an open source program office. Why security should be everyone's job and how adopting security today will bear fruit tomorrow. How AI can increase developer self-sufficiency by giving feedback and insights on security actions.…

1
EP 55 — BlackBerry's Christine Gadsby on What's Driving Software Supplier Transparency and Accountability 26:21

לפני 1 year26:21

26:21

In this episode of the Future of Application Security, Harshil speaks with Christine Gadsby , VP, Product Security at BlackBerry , a software company specializing in cybersecurity. They discuss the new initiatives driving software transparency, like SBOMs and VEX, and how adoption will not only come from regulations but from companies holding their software suppliers more accountable. They also talk about the need for better telemetry practices and more connected tooling and how security professionals can get involved in industry change and mentorship. Topics discussed: The important role frameworks like NIST 800-218 and CISA's Secure By Design will play in establishing standards. The ways in which SBOMs and VEX are driving software transparency that will keep customers safer. How commercial industries will increase their software supplier accountability in response to the rising cost of insecurity. How many companies lack knowledge about what's in the software they sell and the importance of having good telemetry practices. Why lack of good tools and the ability to connect tools is a challenge to product security today. Advice to security professionals about not letting things like SBOM and VEX get away from you as you prepare for the future of software development. How product security professionals can get involved with industry efforts to drive change.…

1
EP 54 — LPL Financial's Chad Girouard on Improving Application Security Through Better Tools and Relationships 23:43

לפני 1 year23:43

23:43

In this episode of the Future of Application Security, Harshil speaks with Chad Girouard , AVP Application Security at LPL Financial , a provider of investment and business solutions. They discuss how security teams can better engage with developers, and how they can encourage secure coding through scanning tools and security champion programs. They also talk about how to manage the "results deluge" with single-pane-of-glass tools, how AI can help with more meaningful reporting, and why security buy-in is a team effort. Topics discussed: How to manage the various challenges of application security: competing tools, relationships, maturity, and more. How to bridge the different priorities of security teams and developers. How to encourage more secure coding by shifting left and developing a security champions program. Why leading and implementing security buy-in and processes is a team effort across the organization. How to manage today’s “results deluge” with single-pane-of-glass tools and more meaningful reporting. How AI can help discern real findings from all the information that a security team collects. What's the most important security metric to measure in 2024? It's Mean Time to Remediate (MTTR). Download our new MTTR guide: https://lnkd.in/evjcf4Vt…

1
EP 53 — ReversingLabs's Dave Ferguson on Securing Your Software Supply Chains 24:24

לפני 1 year24:24

24:24

In this episode of the Future of Application Security, Harshil speaks with Dave Ferguson , Director of Technical Product Management, Software Supply Chain Security at ReversingLabs , which offers software supply chain security analysis platform. They discuss the rising need for software supply chain security as a result of the complexities around how software is built today. They also talk about ways to identify novel attacks through analyzing software behaviors, how efforts like SBOMs and registries help increase transparency, and why software supply chain security needs to evolve from just looking for vulnerabilities. Topics discussed: How Dave's diverse background in security, as well as his piqued interest around the SolarWinds and 3CX attacks, led to his focus on software supply chain security today. How a product manager leads by working with development teams, meeting with customers, incorporating new features and integrations, and helping bring new solutions to market. How the complexities associated with building software today — like open source and automation — have increased the possibility of adversaries slipping in. Why analyzing software behavior across previous builds and seeing what's changed can help flag novel attacks. Today's trends that are increasing transparency in software creation, including the rising demand for SBOMs and the possibility of trust registries for commercial software. Why software supply chain security approaches need to move beyond just looking at vulnerabilities to find ways to root out all malicious activity. RELATED RESOURCE: Today, most application security tools are designed to find vulnerabilities, not fix them. What is noise and what is risk? And, more importantly, how do you accelerate the remediation of the most critical vulnerabilities? The answer lies within one key metric — Mean Time to Remediate (MTTR). Taking a better strategy to decrease your MTTR and keep your organization safe can begin today — download the paper to learn how .…

1
EP 52 — Gen’s Curtis Koenig on Speaking the Language of Why Security Matters 27:28

לפני 2 years27:28

27:28

In this episode of the Future of Application Security, Harshil speaks with Curtis Koenig , Head of Application Security at Gen , a multinational software company that provides cybersecurity software and services. They discuss why it's key to be able to articulate why security matters and how it impacts business goals, and what Curtis has learned about how different industries approach risk. They also talk about how security can help engineering be more efficient by speaking their language, various metrics that can assess your training and communication, and what the future of LLMs and security looks like. Topics discussed: Curtis's background in various industries and what he's learned about how culture, goals, and risk vary. How learning about a company's culture and goals first can help you translate how security matters to them. How to create a security strategy roadmap, how often to revisit those goals, and how to incorporate frameworks to sell across the business. How security can help engineering be more efficient by speaking their language and translating information into actionable tasks. What metrics to track that can help you learn more about how well your training and operations are working. How LLMs are helping with software development today, and why they can introduce more security issues if developers aren't thinking wisely about using it.…

1
EP 51 — Ping Identity’s Arthur Loris on How to Tell Better Stories About Your Product Security Success 27:10

לפני 2 years27:10

27:10

In this episode of the Future of Application Security, Harshil speaks with Arthur Loris , Senior Manager, Product Security at Ping Identity , a company that provides self-hosted identity access management (IAM) solutions. They discuss what product security constitutes at Ping Identity, the biggest challenge to great product security, and how security teams need more strategic, tactical plans to achieve their goals. They also talk about better approaches to risk remediation and why it's more effective to tell the story about how your security efforts improved the organization instead of just generating tickets. Topics discussed: How Ping Identity defines product security. The biggest challenge to product security, which involves building good partnerships with the engineering team. How security teams can be better messengers of tasks that are created by the threat landscape. A better approach to risk remediation and how to to think about it at scale. Better ways of measuring your security efforts, and why telling a story about your impact — like how much money you saved — is more effective than simply generating tickets. How security teams can flatten the learning curve when understanding the development process. What the future of product security will look like, and why it should include an increased focus on strategy.…

1
EP 50 — DryRun Security’s James Wickett on Aligning Incentives and Speaking the Same Language with Developers and Security 31:08

לפני 2 years31:08

31:08

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day , Eric speaks with James Wickett , co-founder and CEO of DryRun Security , a company that provides security products for developers. They discuss the misaligned incentives between developers and security and how teams can learn how to speak the same language to increase value. They also talk about how the SLIDE Model helps with context analysis, why you should focus less on control and more on context and composition in your security, and how organizations can close their knowledge gaps. Topics discussed: Some of the frictions between security and developers, including how incentives are often misaligned and how each team has a different focus. How to talk the same language so that security and developers can build relationships that bring value to their organizations. What the SLIDE Model is and how it can help you better understand the context of your security actions and your priorities. How organizations can fill in their knowledge gaps and why it's key to return to first principles in a world of automation and tooling. How security impacts an organization through control, composition, and context, and why organizations should lessen their dependence on control. How security is like barbeque, and why Oklahoma is a great analogy for a DevSec model.…

1
EP 49 — Semgrep’s Colleen Dai on Building Security Strategies and Relationships with Other Teams 20:14

לפני 2 years20:14

20:14

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day , Eric speaks with Colleen Dai , Senior Security Researcher at Semgrep , an open source static analysis tool. They discuss strategies security teams can take to reduce false positives, use secure defaults to eliminate bug classes, and reduce complexity in security decision-making. They also talk about ways to build the relationships between security, developers, and engineers, which includes aligning on goals, communication, and recognition. Topics discussed: Colleen's background and what her security research role at Semgrep entails. How to use secure defaults to eliminate bug classes and reduce the complexity in security decisions. How to reduce false positives by writing rules and checks, especially ones that are customized to your organization. How to better align the goals of security and developers by focusing on creating good software — and good software is secure software. How to build relationships with engineers through communication and recognition, not just talking through Jira tickets. Why security and developers still struggle with cross-site scripting and how it can be fixed.…

1
EP 48 — Chaotic Good’s Johnathan Kuskos on Testing for Functionality, Priorities, and Better Incident Response 31:10

לפני 2 years31:10

31:10

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day , Eric speaks with Johnathan Kuskos , Founder of Chaotic Good Information Security , a boutique professional services company. They discuss what it's like to be a pen tester, some of the unusual things found during testing, and how the 15 Minutes Rule helps you not waste time during your testing. They also talk about the tradeoffs of security when it comes to “good, fast, or cheap,” simple ways to determine priorities, and how to strengthen relationships between security and developers. Topics discussed: How security and developers can close divides through better communication and more forward thinking. Why security can't necessarily have an approach that's good, fast, and cheap, but how they make compromises to have a bit of all three. How to determine your security priorities, and how to perform a smoke test to see where security overlaps with other departments to identify those priorities. Some of the stranger things found during pen testing, including a git folder on a website. Why vulnerability and exploitability are two different things, and how to assess both. How the 15 Minutes Rules can help you assess as much functionality as possible, and why it sometimes exposes more gaps in playbooks and incident response than intended.…

1
EP 47 — Manicode Security’s Jim Manico on Addressing OWASP Top Ten Issues Through Better Security and Developer Partnerships 26:38

לפני 2 years26:38

26:38

In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day , Eric speaks with Jim Manico , Founder and CEO of Manicode Security , a secure coding education firm. They discuss the various challenges around certain items on the OWASP Top Ten list, including server side request forgery and access control, and how security and developers can partner for better logging and alerting. They also talk about the courses Jim offers and why the biggest one in demand today is AI and security. Topics discussed: What are the biggest changes in the OWASP Top Ten, and the challenges that accompany two of the list’s issues: server side request forgery and access control. What issue is Jim surprised to see on the OWASP Top Ten. How developers and security can work more closely together to create a better approach to logging and alerting. Why the best approach to DevOps is to have it as a service and a liaison team, not as a merger of individuals from across the organization. Why training on AI and security is increasing in demand today. How security professionals and developers are like professional wrestling superstars.…

1
EP 46 — TuSimple’s Madjid Nakhjiri on the Evolving Need for Automotive Cybersecurity 24:03

לפני 2 years24:03

24:03

In this episode of the Future of Application Security, Harshil speaks with Madjid Nakhjiri , Head of Product Security and Lead Security Architect at TuSimple , a global autonomous driving technology company. They discuss the current landscape of automotive security today, why the industry is expanding its safety initiatives to cyber security initiatives, and the standards rising up to ensure that security. They also discuss the challenges to threat analysis and remote testing for vehicles, and what role VSOCs and AI will play in the future of automotive security. Topics discussed: An overview of the current landscape of automotive security, and how the automotive industry, which already has a long history of safety initiatives, it's now turning its attention to cyber security. The standards that are being put in place for automotive companies around the world, and how companies are trying to meet those standards. Why the automotive industry needs experienced product security practitioners in order to perform effective architecture analysis. The challenges to performing threat detection and remote pen testing on vehicles, and why threat analysis needs to be as automated and virtualized as possible. What the future of automotive security looks like, why we'll see a rise in VSOCs, and what role AI will play.…

ברוכים הבאים אל Player FM!

Player FM סורק את האינטרנט עבור פודקאסטים באיכות גבוהה בשבילכם כדי שתהנו מהם כרגע. זה יישום הפודקאסט הטוב ביותר והוא עובד על אנדרואיד, iPhone ואינטרנט. הירשמו לסנכרון מנויים במכשירים שונים.

תקשיבו ל-500+ נושאים

דומה לFuture of Application Security

Amazon eGift Card - Bright Balloons (Animated)

Mighty Patch™ Original patch from Hero Cosmetics – The #1 Hydrocolloid Acne Pimple Patch for Shrinking Zits and Whiteheads in 1 use; Nighttime Spot Stickers for Face and Skin (36 Count)

ZELUS Weighted Vest, 6lb/8lb/12lb/16lb/20lb/25lb/30lb Weight Vest with Reflective Stripe for Workout, Strength Training, Running, Fitness, Muscle Building, Weight Loss, Weightlifting, Black(12 lb)

פודקאסטים ששווה להאזין

Future of Application Security « » EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges

EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges

פודקאסטים ששווה להאזין

ברוכים הבאים אל Player FM!

Amazon Basics Dog and Puppy Pee Pads with Leak-Proof Quick-Dry Design for Potty Training, Standard Absorbency, Regular Size, 22 x 22 Inches, Pack of 100, Blue & White

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

2025 - American Silver Eagle .999 Fine Silver with our Smyrnacoin Certificate of Authenticity Dollar Uncirculated US Mint

Ailun Screen Protector for iPhone 16 / iPhone 15 / iPhone 15 Pro [6.1 Inch] Display 3 Pack Tempered Glass, Dynamic Island Compatible, Case Friendly [Not for iPhone 16 Pro 6.3 Inch].

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

דומה לFuture of Application Security

מדריך עזר מהיר

Future of Application Security « »
EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges