The Modern Security Podcast
Clint Gibler
10 episodes
1 day ago
In the Modern Security Podcast, Clint Gibler (Founder of tl;dr sec and Head of Security Research) joins other CISOs and security leaders to talk about upcoming trends for security, career advice for those just getting started, and much more. Follow us at https://semgrep.dev/ and follow clint at https://tldrsec.com/
Technology
All content for The Modern Security Podcast is the property of Clint Gibler and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (10/10)
The Modern Security Podcast
Modern Security Podcast: Bridging Security & Productivity with Systems Thinking

In this episode of the Modern Security Podcast, we’re joined by Laksh Raghavan, founder of Cyb3rSyn Labs, to discuss the power of systems thinking in cybersecurity and how it can transform your approach to solving complex security challenges. Laksh shares insights on the connections between vulnerability management, human behavior, and security leadership, drawing on real-world examples and case studies. 

Key Takeaways: 

  • The Role of Systems Thinking in Cybersecurity: Learn how systems thinking helps you connect the dots across seemingly unrelated security problems.
  • Vulnerability Management and the Importance of Addressing Core Issues: Discover why many security problems are just symptoms of larger systemic issues.
  • Behavioral Science for Cybersecurity: Learn how psychological insights shape security outcomes and why understanding incentives is crucial for driving behavior change in your organization.
  • Leadership and Security as an Integrated Strategy: Learn how security and productivity aren’t opposing forces but can work together to create a healthier, more secure environment.

6 months ago
35 minutes 32 seconds

Engineering a Safer Future at LaunchDarkly

In this episode of the Modern Security Podcast, we're joined by Alex Smolen, the Director of Security at LaunchDarkly, to discuss the challenges and strategies in building effective security programs. Clint and Alex explore the burdens of security questionnaires, the importance of empowering security teams, and the need for a shift in how risk is managed. Alex shares insights on the ineffectiveness of traditional security practices, the value of documentation, and the concept of a security data lake. The discussion also touches on the build vs. buy dilemma in security tools and the importance of continuous learning in the field.

Takeaways

- Security questionnaires are often seen as a chore and rarely lead to meaningful change.
- Empowering security teams to fix vulnerabilities is crucial for effective risk management.
- Risk management should focus on enabling businesses to operate at an acceptable level of risk.
- Compliance efforts, like SOC 2 and ISO certifications, are important but do not directly reduce risk.
- Security questionnaires often fail to provide valuable insights into vendor security practices.
- Approval workflows can slow down processes; alternative methods like audit logs may be more effective.
- Establishing security invariants can help maintain a consistent security posture across the organization.
- A security data lake can provide a comprehensive view of security assets and vulnerabilities.
- Documentation of data flows and vendor usage is more valuable than traditional security questionnaires.
- Continuous learning and adaptation are essential for security professionals.

Chapters

00:00 The Burden of Security Questionnaires
02:12 Building a High-Performing Security Program
04:30 Empowering Security Teams
07:00 Prioritizing Security Fixes
10:25 Principles of Defining Security
15:14 Defining Security Metrics & Goals
19:30 The Ineffectiveness of Security Questionnaires
30:50 Security "Marketing"
35:48 The Build vs. Buy Dilemma
37:52 Rethinking Approval Workflows
45:39 Asset Security Data Lake
1:01:11 The 'Nouns' at LaunchDarkly
1:09:27 Build vs Buy
1:16:21 Final Thoughts and Advice

1 year ago
1 hour 18 minutes 11 seconds

Winning Friends & Influencing Developers with Sandesh Anand

Sandesh Anand, former Engineering Manager of InfoSec at Razorpay, shares his insights on scaling security programs and leveraging AI in application security. He discusses his experience at Razorpay, where he built the security program from scratch, and highlights the importance of understanding and addressing the pain points of engineering stakeholders. Sandesh emphasizes the value of secure defaults and secure guardrails in eliminating classes of issues by construction. He also explores the effectiveness of leveraging non-security teams for security initiatives and the importance of aligning security work with business objectives. Additionally, he provides strategies for prioritizing security and emphasizes the need for a long-term view of security. In this conversation, Sandesh shares insights on leveraging security incidents as opportunities for improvement, the importance of aligning security initiatives with developer pain points, and the role of technology in scaling application security. Sandesh also discusses his work at Seezo.ai, an AI-first application security company, and their focus on automating security design reviews. Key takeaways include the value of integrating security tools with existing developer workflows, the benefits of moving to golden images for container security, and the need to leverage technology to scale security initiatives.

Takeaways

- Understand and address the pain points of engineering stakeholders when building a security program.
- Implement secure defaults and secure guardrails to eliminate classes of issues by construction.
- Leverage non-security teams and processes to multiply the impact of security initiatives.
- Align security work with business objectives and product roadmaps.
- Use burn down charts and clear risk ranking to prioritize security work.
- Take a long-term view in security and focus on continuous improvement.
- Security incidents can be opportunities for improvement and can lead to better security practices and appreciation for security teams.
- Aligning security initiatives with developer pain points, such as on-call responsibilities or compliance requirements, can increase buy-in and adoption.
- Technology plays a crucial role in scaling application security, and solutions that automate manual security processes can improve efficiency and effectiveness.
- Moving to golden images for container security can simplify vulnerability management and reduce the risk of security incidents.
- Integrating security tools with existing developer workflows, such as Jira or business intelligence platforms, can increase visibility and engagement with security initiatives.

Chapters

00:00 Introducing Sandesh Anand
03:10 Challenges of Scaling Security Programs
12:39 Leveraging Non-Security Teams
16:29 Security Teams as Force Multipliers
18:50 Prioritizing Security Work
21:36 Incorporating Security into the Product Roadmap
23:33 Security as a Journey
24:30 Turning Incidents into Opportunities
30:25 Gaining Stakeholder Buy-In
37:07 Lessons Learned
41:23 Automating Security Design Reviews

1 year ago
46 minutes 53 seconds

The Modern Security Podcast: The Art of Secure Guardrails: Lessons from GitHub

In this extended segment from our last episode of the #modernsecuritypodcast, we talk with Mike Hanley, CSO and SVP of Engineering at GitHub, about the philosophy and implementation of Secure Guardrails in software development.

1 year ago
5 minutes 49 seconds

The Modern Security Podcast: How GitHub's Chief Security Officer Blends Security & Engineering

In this episode, Clint interviews Mike Hanley, Chief Security Officer and SVP of Engineering at GitHub. They discuss the importance of balancing engineering and security, and how GitHub focuses on building secure defaults. Mike also shares how GitHub uses AI internally, including the use of GitHub Copilot for code generation and other AI capabilities in their product features. They explore the potential impact of AI on cybersecurity and the need for organizations to embrace AI to enhance productivity and security. The conversation explores the potential of AI in developer tools and its impact on security. It emphasizes the importance of human oversight and the need to address legacy code and infrastructure. The future of shifting left and the role of AI in security education are also discussed. The conversation concludes with a discussion on AI's potential in code refactoring and the future of cybersecurity and development.

Takeaways

- Balancing engineering and security is crucial for effective and secure software development.
- Building secure defaults and embedding security in the development process can lead to better security outcomes.
- AI can be used to enhance productivity and security in software development, such as with GitHub Copilot.
- AI has the potential to transform workflows in areas like incident response and code scanning.
- AI has tremendous potential in developer tools and is still in the early stages of development.
- AI can improve security practices but should not replace human oversight and traditional security measures.
- The future of shifting left involves integrating security practices earlier in the development process.
- Fine-tuning AI for custom use cases and addressing legacy code and infrastructure are important challenges.
- AI can play a significant role in security education and code refactoring.
- The future of cybersecurity and development will involve a combination of AI and human expertise.

Chapters

00:00 Introduction and Background
03:15 Balancing Engineering and Security
08:10 Building Secure Defaults
13:41 The Role of AI at GitHub
25:19 AI Applications in Security
32:02 Impact of GitHub Copilot
32:30 The Potential of AI in Developer Tools
34:04 The Impact of AI on Security
36:18 The Importance of Human Oversight
39:09 The Future of Shifting Left
40:21 Fine-Tuning AI for Custom Use Cases
41:36 Addressing Legacy Code and Infrastructure
43:20 The Need for AI in Security
45:32 The Role of AI in Security Education
46:42 AI's Potential in Code Refactoring
50:03 The Future of Cybersecurity and Development

1 year ago
1 hour 45 seconds

The Modern Security Podcast: How CMS Built a Centralized Platform-as-a-Service

In this episode, Clint and Rob Wood, Chief Information Security Officer at the Centers for Medicare and Medicaid Services (CMS), discuss scaling and managing security at a massive scale in a government setting. They explore the challenges of working with vendors, incentivizing behavior, and building centralized platforms and data ingestion pipelines.

Chapters

00:00 Introduction and Scaling Security at Massive Scale
09:13 Context and Incentives in Government
19:19 Incentivizing Behavior and Initiatives
38:50 Building a Centralized Platform as a Service
47:23 Data Ingestion Pipeline and Security Data Lake
57:27 Onboarding Data Sources and Teams
58:26 Moving Away from Legacy Infrastructure
59:25 Focus and Clean Pipelines
01:00:21 Making Security a People-Aligned Function

1 year ago
1 hour 1 minute 17 seconds

Modern Security Podcast: Letty Lourenco and Usable Security at Netflix

In this next episode of the #modernsecuritypodcast, Clint and Letty Lourenco discuss the importance of user experience in security and how to create secure and user-friendly products. They explore the concept of secure by default and the need for secure defaults and self-service options. The conversation concludes with advice on educating and onboarding users, making security usable, and collecting user feedback.

Takeaways

- User experience is crucial in security, and products should be designed with secure defaults and self-service options.
- Building a cross-functional security team that includes both security experts and developers can help create robust and user-friendly security solutions.
- Applying product principles, such as secure by default and actionable guidance, can enhance the user experience in security.
- Leveraging established design patterns and information architecture can help create effective and reusable self-service patterns in security.
- Effective communication and clear instructions are crucial in security to ensure users understand what actions to take.
- Just-in-time guidance can enhance the user experience by providing relevant instructions in the context of the task at hand.
- Learning from other industries and their guidance patterns can help improve security communication and design.
- The user experience design process involves collaboration, research, testing, and iterative feedback to create effective and usable security solutions.
- Educating and onboarding users from the beginning helps establish security practices and make security a priority.
- Making security usable for users requires removing complexity and using language and analogies that resonate with them.
- Collecting user feedback and listening to users' needs and concerns is essential for improving security solutions.

Chapters

00:00 - Secure by Default
04:12 - Building a Cross-Functional Security Team
11:20 - User Experience in Security
24:10 - Security-Flavored User Experience Strategies and Examples
45:38 - Applying Right Size Privilege Principle
50:02 - Creating an Effective and Reusable Self-Service Pattern
53:54 - Effective Communication and Clear Instructions
57:22 - Just-in-Time Guidance
59:14 - Learning from Other Industries
01:03:02 - User Experience Design Process
01:09:31 - Iterative Feedback and Design Review
01:12:23 - Educating and Onboarding Users
01:13:51 - Making Security Usable for Users
01:15:19 - Abstracting Complexity and Collecting User Feedback

1 year ago
1 hour 16 minutes 54 seconds

Modern Security Podcast: Jamie Finnigan on How HashiCorp Secures Their Products

In this episode of the Modern Security Podcast we were joined by Jamie Finnigan, Director of Product Security @HashiCorp, and discussed how the security team prioritizes their time, rolling out developer-friendly security tooling, and much more.

Chapters

2:08 - Intro to Jamie Finnigan
7:41 - The Product Security Org at HashiCorp
11:27 - How do you determine what to focus on?
16:40 - What does success look like for security at HashiCorp?
20:50 - The difference between outputs and outcomes
25:52 - The Creation of Bandit
30:37 - HashiCorp Product Security Model
34:14 - Developer-Friendly Security Tooling
39:56 - Tool selection
46:09 - Eliminating SSRF via Secure Defaults
53:22 - Overview of the Secure Defaults Approach
59:16 - Empathy in Security

1 year ago
1 hour 3 minutes 53 seconds

Modern Security Podcast: John Steven & Security as Engineering Accelerant

In this episode of the Modern Security Podcast, we interviewed John Steven about scaling security teams and implementing secure by default culture.

Chapters

6:23 - Intro to John Steven
9:28 - Interesting efforts with AppSec & ProdSec to scale security
10:20 - How to embrace secure defaults
24:01 - Threat Modeling problems
43:02 - Secure Control Efficacy Pyramid
58:50 - Overcoming secure default friction
1:04:12 - Advice for CISOs and startups

2 years ago
1 hour 15 minutes 15 seconds

Modern Security Podcast: Dev Akhawe on How to Scale Security with Secure Defaults

For our first episode of The Modern Security Podcast, we had a wide-ranging conversation with Dev Akhawe, Head of Security at Figma, on:

• 3:50 - The rise of security *engineering*
• 22:42 - Career advice
• 29:08 - How secure defaults can effectively scale your security team’s effectiveness, eliminating classes of vulnerabilities, and how to embrace them at your company
• 38:41 - What makes a security tool great
• 1:01:25 - How to automatically get continuous visibility into the code your company is writing and scale just-in-time developer education

#modernsecuritypodcast

2 years ago
1 hour 24 minutes 3 seconds
