This week on Security and Compliance Weekly, Matt Alderman, Scott Lyons, and Josh Marpet interview Ben Rothke about the multiple personalities we encounter during compliance and audit engagements.

Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode13

Hillel Solow is the CTO at Check Point. Much has evolved in a few short years with DevSecOps and application development and security. But just when we think we see everything clearly and have it all figured out, something new changes. Here we will discuss the unique ways organizations are leveraging serverless for their applications and how DevSecOps teams are working together to build out these architectures at a rapid pace in 2020.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/ASWEpisode91

In the security news, Car hacking hits the streets, 4 Ring employees fired for spying on customers, MITRE presents ATT&CK for ICS, and Las Vegas suffers cyberattack on the first day of CES!

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode634

According to Gartner, 70% of businesses are adopting a hybrid cloud and multi-cloud strategy to augment their internal data centers. The challenges of protecting data and using encryption for multiple hybrid, public cloud, and on-premises environments increases complexity, cost, and security risk. As workloads and sensitive data move to the cloud, keeping cryptographic keys, shared secrets and tokens secure is critical to secure public cloud deployments and successful digital transformation.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/PSWEpisode634

Purple teaming reduces the lifespan of vulnerabilities found from pentests by facilitating knowledge transfer between red and blue teams in the remediation phase. PlexTrac provides a single interface through which red teams may report vulnerabilities and blue teams may remediate them. Visit https://www.securityweekly.com/plextrac to claim your free month of PlexTrac. Also, be sure to stop by their booth in the Early Stage Exhibit at RSA next month.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/PSWEpisode634

This week on Enterprise Security Weekly Paul Asadoorian and Matt Alderman interview Britta Glade and Linda Gray Martin about RSA Conference 2020! This segment will give listeners a high-level overview of what to expect at RSA Conference 2020 and will highlight new components of content and programming like the Engagement Zone and the recently announced keynote speaker lineup. The segment will also discuss RSAC 2020's overarching theme - the Human Element - and how it will be intertwined throughout the Conference. To register for RSAC 2020 using our discount code or to book an interview with Security Weekly on-site at RSA Conference visit: https://securityweekly.com/rsac2020

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/ESWEpisode167

This week, in the Leadership Articles segment of Business Security Weekly, Matt Alderman, Paul Asadoorian and Jason Albuquerque discuss the following articles: 5 CIO and IT leadership trends for 2020, First Look: Leadership Books for January 2020, Replace Resolutions with Habits and Make Your Life Mean Something Beyond 2020, The Right Way to Form New Habits, How to Handle Speaking In Public When You're Not a Public Speaker, and 5 Questions You Can Ask to Learn About Company Culture in a Job Interview.

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/BSWEpisode157

Utilizing quantitative (vs qualitative) metrics in a security program is the first step in maturing it from a technical novelty to something a business can align with and see value from. Understanding where security fits into risk management.

Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode12

The Internet gives bad advice sometimes, especially when you are trying to figure out how to build container images. While you may get it to work, typically security will be left out completely. This segment will look at just one aspect of container security, specifically, the FROM directive that tells Docker which image to build from. We'll talk about how to approach this subject with your dev teams and use Anchore to review the security vulnerabilities to help you choose the most secure images!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/ESWEpisode167

This week in the Enterprise News segment, Paul Asadoorian, John Strand and Matt Alderman cover the following news stories: Pulse Secure and SecureWave Partnership, BigID raised $50 million to accelerate global sales, channel and product expansion, Tapplock introduced new enterprise fingerprint scanning padlock accessories, Cloudflare for Teams, CORRECTING and REPLACING: NetScout Wins Victory Against Patent Assertion Entity, and acquisitions including Broadcom, Symantec Enterprise Acquiring Cybersecurity Analytics Firm, Mimecast acquiring Segasec, Cloudflare acquiring stealthy startup S2 Systems.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/ESWEpisode167

This week, on the Application Security News, Mike Shema and Matt Alderman discuss Featured Flaws and Big Breaches (Cisco kicks off 2020 with 12 CVEs in Cisco Data Center Network Manager), Cloud, Code and Controls (Python is dead. Long live Python!), Learning and Tools (Breaking Down the OWASP API Security Top 10), and Food for Thought (Facebook will stop mining contacts with your 2FA number, 6 Security Team Goals for DevSecOps in 2020, 7 security incidents that cost CISOs their jobs).

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/ASWEpisode90

This week on Business Security Weekly, Matt Alderman, Paul Asadoorian and Jason Albuquerque discuss the best and worst of 2019! The best companies and performance of 2019 include Amazon, Apple, and Lululemon. The worst companies and performance of 2019 include Facebook, Boeing, and Pacific Gas and Light.

Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode157

Utilizing quantitative (vs qualitative) metrics in a security program is the first step in maturing it from a technical novelty to something a business can align with and see value from. Understanding where security fits into risk management.

Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode12

This week on Application Security Weekly, Mike Shema and Matt Alderman discuss Privacy by Design - The 7 Foundational Principles. This discussion includes these topics: Proactive not Reactive; Preventative not Remedial, Privacy as the Default, Privacy Embedded into Design, Full Functionality - Positive-Sum, not Zero-Sum, End-to-End Security - Lifecycle Protection, Visibility and Transparency, Respect for User Privacy, and OWASP API Security Project.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/ASWEpisode90

In the security news, mysterious Drones are Flying over Colorado (watchout Mr. Alderman), 7 Tips for Maximizing Your SOC, The Most Dangerous People on the Internet This Decade, North Korean Hackers Stole 'Highly Sensitive Information' from Microsoft Users, Critical Vulnerabilities Impact Ruckus Wi-Fi Routers, & The Coolest Hacks of 2019!

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode633

Global conversations around acceptable norms of behavior in cyberspace (particularly for states), attribution, accountability, and deterrence (though we have not done well on the last one), recent attacks, and the processes that are dealing with setting rules of the road in cyberspace.

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode633

Emerging technologies such as Virtual, Augmented and Mixed Reality are inevitably gaining momentum and helping businesses gain competitive advantage. These technological advancements are giving rise to digital transformation as well as digital risks. The bigger question is who will protect these technologies. While the world is catching up on the business aspects and the real use cases, Silicon Valley startups are already gearing up to combat the risks born alongside emerging tech's benefits. The Valley companies are utilizing the same technologies to combat the associated risks. My Quest to protect these Brave New Virtual Worlds has taken me around the world and connected me to the geniuses at Wallarm. In this segment, I will talk about WHY I believe Wallarm, XRSI and companies alike are the ones moving fast to protect the Immersive Technologies.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/PSWEpisode633

The history of security can be traced back to a variety of different sources. The amount of articles on the topic is dizzying. Most will cite names of early phone phreaks, Kevin Mitnick, Kevin Poulsen, Steve Jobs, Steve Wozniak and quickly transition to many other more recent "hacks" or breaches. Our goal is to not review the history of hacking. This is the history of security. We've carefully chosen key events and research to discuss the very beginnings of security, and their impact and lessons for today's ever-evolving security landscape.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/PSWEpisode632

It was once said that if Security and Compliance were in a relationship the status would be "It's Complicated". This discussion will aim to help you understand this relationship and how it can be beneficial or a mere distraction to an organization's overall security posture. - Define "Secure" and "Compliant". - Does compliance merely raise awareness about security shortcomings? - What is the relationship between Security and Compliance? - Being Secure and being Compliant are mere points in time, how can we best develop a process to ensure we are always striving to a secure and compliant state? - How does Security impact and/or influence Compliance? - How does Compliance impact and/or influence Security? - How do you balance these extremes: "We will be Secure and ignore compliance" vs. "We will be compliant but ignore security"

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/PSWEpisode632

Each year the team at Counterhack Challenges makes available the Holiday Hack Challenge. Led by Ed Skoudis, and created by some of the most talented security professionals in the industry, it is not to be missed. Tune in to hear the details, or at least some information, about this year's Holiday Hack Challenge!

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode631

Penetration testing has evolved quite a bit in the past year. As defenses shift, and in some cases get much better, attack techniques and landscapes have changed as well. - What has changed in the past year with regards to penetration testing? - What is adversary simulation? What are the benefits? Is the offering and consumption of this service an indication that organizations are getting better at building effective security programs? - How has the increased popularity of breach and attack simulation tools impacted penetration testing? - Has the MITRE attack framework impacted penetration testing? If so, how? - Many advanced penetration testers seem to be keeping their tools private as to avoid detection by endpoint security products. Is this happening, and if so what is the impact? Should we share more? Less? - With so many tools available today for penetration testing, what can blue teams and internal red teams do to prep for an external penetration test?

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/PSWEpisode631

- Given that DevOps is a process and its execution requires many different tools, how do we get started "doing DevOps"? - What about DevOps allows us to produce more secure applications? - What concepts inside of DevOps do most people lose site of? - What are the major challenges involved in taking an application from traditional development to DevOps? - What are some of the best approaches to making an application more resilient to threats - To ORM or not to ORM? - Which services do you implement yourself vs. using a cloud service? - How do I choose the best secrets vault? - What should I use an orchestrator for and what should I not use an orchestrator for? - How do I build a secure API for my app? - Thoughts on GraphQL vs. REST security implications? Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode632

It's often said that attackers need only to get it right once, where defenders have to be right all of the time. Those of us who have worked in a security role as a defender know we don't always get it right, in fact, there are often many exposures in our defenses. This segment will aim to help defenders learn tactics and techniques that are effective and try to answer some of the following questions: - How do you prioritize your defensive efforts? - How do you best detect attacks? - How do you best protect against attacks? - We always say "patch your stuff" but how often should you patch? Which systems should you patch? - What techniques work best to defend against email phishing? - How do you provide a "good enough" level of security for your Active Directory? - What are the fundamentals of defense? How do they differ per environment and organization? - How do you get management to buy-in to your security plans and spending?

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/PSWEpisode631

Jason Rolleston, Chief Product Officer at Kenna Security & Michael Roytman, Chief Data Scientist at Kenna Security join Paul, Matt, and Jeff on this week's episode of ESW to discuss how risk-based vulnerability management is transforming the vulnerability management industry by enabling enterprises to understand the true risk of their infrastructure and applications, saving them time and resources by prioritizing efforts around actions that reduce the most risk.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/ESWEpisode166

DevSecOps is all the rage, but what does it really mean? How do you achieve the integration of Security into DevOps? This segment explores the people and process challenges of DevSecOps and where to integrate security seamlessly into the DevOps pipeline.

Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode166