The Security Table

Izar Tarandach, Matt Coles, and Chris Romeo
Aug 7, 2024 • 30min

The Intersection of Hardware and Software Security

In this episode of The Security Table, Chris, Izar, and Matt discuss an article on threat modeling in the context of hardware. They explore the intersection of hardware and software security, the importance of understanding attack surfaces, and the challenges posed by vulnerabilities in hardware components, such as speculative execution faults, as well as the impact of supply chain security. Join the conversation as they examine the critical points in the ongoing dialogue around hardware and software security integration.

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @SecTablePodcast
➜ LinkedIn: The Security Table Podcast
➜ YouTube: The Security Table YouTube Channel

Thanks for Listening!
Jul 31, 2024 • 46min

Computing Has Trust Issues

Join us in this episode of The Security Table as we dive into the world of cybersecurity, starting with a nostalgic discussion about our favorite security-themed movies like 'Sneakers,' 'War Games,' and 'The Matrix.' We then shift gears to explore a critical topic in modern computing: the vulnerabilities and implementation issues of Secure Boot. Discover the intricate details of key management, human errors, and the challenges of maintaining trust in hardware and software systems. The conversation extends to the practicalities of password management, passkeys, and the broader implications of securing digital identities.
Jul 24, 2024 • 24min

The Stages of Grief in Incident Response

Join Chris, Izar, and Matt as they sit around the Security Table to dissect and discuss the different stages of dealing with security incidents. In this episode, they explore the developer's stages of grief during an incident and discuss a recent large-scale IT incident. They share insights from their multi-decade experience in security, analyze the fragility of current systems, and discuss the role of luck and probability in security failures.
Jul 17, 2024 • 28min

To SSH or Not?

In this episode of 'The Security Table,' we are back from our midsummer break to discuss the OpenSSH regression vulnerability. We dig into the nuances of this race condition leading to remote code execution, explore the chain of security updates, and the role of QA in preventing such regressions. We debate the necessity of SSH in modern cloud-native environments and its alternatives. Plus, we answer the critical question of who should catch these vulnerabilities first: QA teams, pentesters, or automated tools?
Jul 3, 2024 • 26min

Rethinking Security Conferences: Engagement and Innovation

In this episode, Chris, Matt, and Izar discuss the current state of security conferences and gatherings for professionals in the field. They discuss the value and viability of different types of gatherings, the importance of networking and community-building at events, innovative approaches to conference formats, and the need for something more engaging and participatory that caters to both introverts and extroverts. Personal experiences and preferences for conference attendance and speaking engagements are discussed, along with hybrid approaches that combine presentations with facilitated discussions and interactive elements.
Jun 18, 2024 • 36min

Privacy vs. Security: Complexity at the Crossroads

In this episode of the Security Table, Chris, Izar, and Matt delve into the evolving landscape of cybersecurity. After a humorous start involving t-shirts and Frogger as a metaphor for the cybersecurity journey, the conversation shifts to the significant topic of cybersecurity being at a crossroads, as suggested by a CSO Online article. They explore the concept of moving from a product-centric to an architecture-centric approach in cybersecurity, discussing the design and integration of inherent capabilities rather than relying on add-on products. The hosts look into the complexities of security and privacy, analyzing their intersections, the challenges of privacy threat modeling, and the importance of understanding the broader ecosystem in which data interacts. The episode concludes with a lively discussion on the evolving nature of security and privacy regulations, the impact of complexity, and the need for continuous threat modeling.

Article mentioned in this episode: Cybersecurity at a crossroads: Time to shift to an architectural approach
Jun 4, 2024 • 52min

Security, Stories, Jazz and Stage Presence with Brook Schoenfield

In this episode of 'The Security Table,' hosts Chris Romeo, Izar Tarandach, and Matt Coles are joined by Brook Schoenfield, a seasoned security professional, to share insights and stories from his extensive career. The conversation covers Brook's experience in writing books on security, lessons learned from his 40-year career, and personal anecdotes about his life as a musician, including playing with legends like Bo Diddley and Chuck Berry. Brook highlights the importance of ensemble work in both security and music.

Books written by Brook Schoenfield:
Secrets Of A Cyber Security Architect (Auerbach, 2019) https://brookschoenfield.com/?page_id=331
Securing Systems: Applied Security Architecture https://brookschoenfield.com/?page_id=245
May 31, 2024 • 40min

Debating the CISA Secure by Design Pledge

In this episode of 'The Security Table,' hosts Chris Romeo, Matt Coles, and Izar Tarandach discuss the CISA Secure by Design Pledge, a recent initiative where various companies commit to improving software security practices. The hosts critique the pledge, arguing that many of the signatory companies have long been focused on software security, making the pledge redundant for them. They dissect specific goals of the pledge, such as increasing multi-factor authentication (MFA) and reducing default passwords, and express concerns about their actual impact. Despite their skepticism of the pledge's effectiveness and measurability, they do acknowledge that CISA's intention behind the pledge is to move the industry forward.

Secure by Design pledge: https://www.cisa.gov/securebydesign/pledge
May 21, 2024 • 48min

Why Developers Will Take Charge of Security, Tests in Prod

The episode opens with a multifaceted discussion of book-to-movie adaptations like 'Hitchhiker's Guide to the Galaxy', 'Good Omens', and 'The Chronicles of Narnia'. It then transitions to a serious examination of developers' evolving role in security, advocating for 'shift left' and DevSecOps approaches. The conversation navigates the challenges developers encounter in security practices, stressing the necessity of a DevSecOps framework, secure coding languages, and executive support for fostering a robust security culture within organizations.

Chris, Izar, and Matt begin the episode with a lighthearted discussion about books turned into movies, including Hitchhiker's Guide to the Galaxy and The Chronicles of Narnia series. The main topic of conversation on today's episode is an article titled "Why Developers Will Take Charge of Security, Tests in Production" by Lorraine Lawson, which interviews Larry Meshrom. The article suggests that developers should take on more responsibility for security, including testing in production environments, as security teams are often perceived as a blocker and don't understand the day-to-day work of developers. The guys question whether developers truly want to take on more security responsibilities, given the constantly evolving nature of security threats and the time it takes to stay up-to-date. They also discuss the role of product managers in driving security and privacy prioritization, and the need for executives to understand the business value of investing in security. The hosts argue that while mature organizations have governance processes in place to enforce security, smaller companies may lack such mechanisms. Ultimately, they conclude that product managers are best positioned to communicate the business value of security to executives, as they are closest to understanding customer needs and revenue drivers.

They propose that the industry should focus on educating and empowering product managers to prioritize security and privacy, and to make the case for investing in these areas to executives. This approach could help bridge the gap between security teams and developers, and drive a culture of security within organizations.

Link to article: https://thenewstack.io/why-developers-will-take-charge-of-security-tests-in-prod/
May 14, 2024 • 46min

12 Factors of Threat Modeling

Chris, Matt, and Izar share their thoughts on an article published by Carnegie Mellon University's Software Engineering Institute. The list from the article covers various threat modeling methodologies such as STRIDE, PASTA, LINDDUN, and the OCTAVE methodology for risk management. They emphasize the importance of critical thinking in the field, provide insights into the strengths, applications, and limitations of each method, and highlight the significance of annotated threat models for application security.

Mentioned in this Episode:
Article: https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/
Podcast episode: Nobody's Going to Mess with Our STRIDE https://www.youtube.com/watch?v=TDFRe_icFmY&pp=ygUSdGhlIHNlY3VyaXR5IHRhYmxl
