The Security Table

Izar Tarandach, Matt Coles, and Chris Romeo
Jan 30, 2024 • 27min

Bug Bounty Theater and Responsible Bug Bounty

Izar, Matt, and Chris discuss the effectiveness of bug bounty programs and delve into topics such as scoping challenges, the ethical considerations of selling exploits, and whether it is all just bug bounty theater. The hosts share their insights and opinions on the subject, providing a thought-provoking discussion on the current state of bug bounties in the security industry.

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @SecTablePodcast
➜ LinkedIn: The Security Table Podcast
➜ YouTube: The Security Table YouTube Channel

Thanks for Listening!
Jan 23, 2024 • 42min

Threat Modeling Capabilities

Security experts Matt, Izar, and Chris discuss the newly released Threat Modeling Capabilities document, highlighting the importance of measurable goals for organizations. They delve into the collaborative effort behind the document, share personal stories, and invite feedback for further refinement. The podcast explores topics such as the distinction between capabilities and maturity in threat modeling, team improvement through focusing on capabilities, and the evolution of threat modeling capabilities.
Jan 16, 2024 • 41min

Open Source Puppies and Beer

Chris, Izar, and Matt address the complexities of open-source component usage, vulnerability patches, civic responsibility, and licensing issues in this Security Table roundtable. Sparked by a LinkedIn post from Bob Lord, Senior Technical Advisor at CISA, they discuss whether software companies have a civic duty to distribute fixes for vulnerabilities they discover in open-source components. They also examine if there is a need to threat model every third-party component and consider the implications of certain licenses for security patches. This is a discussion that needs to be had by anyone using open-source components in their code. Listen in and engage as we learn and think through this important issue together!

Links:
Bob Lord’s post about Open Source Responsibility: https://www.linkedin.com/posts/lordbob_just-a-quick-thought-on-open-source-if-you-activity-7146137722095558657-z_RI
Jan 9, 2024 • 48min

AppSec Resolutions

Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas.
Dec 19, 2023 • 1h 5min

The Impact of Prompt Injection and HackAPrompt_AI in the Age of Security

Sander Schulhoff of Learn Prompting joins us at The Security Table to discuss prompt injection and AI security. Prompt injection is a technique that manipulates AI models such as ChatGPT to produce undesired or harmful outputs, such as instructions for building a bomb or rewarding refunds on false claims. Sander provides a helpful introduction to this concept and a basic overview of how AIs are structured and trained. Sander's perspective from AI research and practice balances our security questions as we uncover where the real security threats lie and propose appropriate security responses.

Sander explains the HackAPrompt competition that challenged participants to trick AI models into saying "I have been pwned." This task proved surprisingly difficult due to AI models' resistance to specific phrases and provided an excellent framework for understanding the complexities of AI manipulation. Participants employed various creative techniques, including crafting massive input prompts to exploit the physical limitations of AI models. These insights shed light on the need to apply basic security principles to AI, ensuring that these systems are robust against manipulation and misuse.

Our discussion then shifts to more practical aspects, with Sander sharing valuable resources for those interested in becoming adept at prompt injection. We explore the ethical and security implications of AI in decision-making scenarios, such as military applications and self-driving cars, underscoring the importance of human oversight in AI operations. The episode culminates with a call to integrate lessons learned from traditional security practices into the development and deployment of AI systems, a crucial step towards ensuring the responsible use of this transformative technology.

Links:
Learn Prompting: https://learnprompting.org/
HackAPrompt: https://www.hackaprompt.com/
Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs through a Global Scale Prompt Hacking Competition: https://paper.hackaprompt.com/
Nov 29, 2023 • 46min

Looking Back, Looking Forward

Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world.

Chris begins by highlighting the importance of collaboration and learning within the ever-expanding security community. Shifting to broader security concerns, Izar emphasizes the value of mentoring and the potential for institutionalizing it through platforms like OWASP. Matt critiques over-relying on AI. He advocates for tool-assisted solutions rather than tool-performed ones and stresses the importance of accurately representing AI's capabilities.

In a particularly engaging segment, the panelists explore the influence of social media and technology on personal well-being. They share anecdotes and observations on the pursuit of simplicity in a tech-driven world, discussing the concept of 'social media sobriety' and social media's impact on happiness. They conclude with a collective call to action, urging viewers to engage in positive change through volunteering, mentoring, and contributing to open-source projects. This discussion is a must-watch for anyone interested in the intersection of technology, security, and societal trends.
Nov 21, 2023 • 58min

CVSS 4.0 Unleashed with Patrick Garrity

Patrick Garrity, a cybersecurity expert known for his innovative data visualizations, dives deep into the nuances of CVSS 4.0. He discusses the critical enhancements and metrics introduced in this version, emphasizing the need for context in vulnerability assessments. The conversation tackles common misconceptions about CVSS and its implications for future versions, including 5.0. Garrity advocates for transparency and collaboration between open source and commercial vendors to achieve better vulnerability scoring accuracy. It's a must-listen for anyone navigating the complexities of cybersecurity!
Nov 14, 2023 • 46min

An SBOM Lifecycle

Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress.

Links:
Chris' LinkedIn post about the SBOM cycle: https://www.linkedin.com/posts/securityjourney_where-is-the-part-where-the-vulnerabilities-activity-7128757968740777986-0PQV
Nov 8, 2023 • 37min

An SBOM Fable

Join Chris, Matt, and Izar for a lively conversation about an article that offers 20 points of "essential details" to look for in a Software Bill of Materials (SBOM). They dissect and debate various points raised in the article, including generating SBOMs, the necessary components, and how to gauge the quality of this digital inventory. Their critique is both insightful and humorously candid, and they will offer you a tour through the often complex world of software documentation.

Hear about topics ranging from open source dependency tree, the necessity – or not – of manual SBOM generation, and the importance of a Vulnerability Exploitability Exchange (VEX) document alongside an SBOM. You will hear why they think an SBOM with a VEX can transform and simplify risk assessment procedures by providing clear and actionable insights for threat management.

Links:
Forbes: 20 Tech Experts Share Essential Details To Look For In An SBOM: https://www.forbes.com/sites/forbestechcouncil/2023/10/09/20-tech-experts-share-essential-details-to-look-for-in-an-sbom/
Oct 24, 2023 • 20min

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points. The trio delves into the nuances of system configurations, emphasizing the risks associated with default settings that expose insecure protocols. Systems should not provide options that are inherently insecure! They also touch upon the challenges of network segmentation in the era of software-defined networking and the implications of poor patch management. They highlight the importance of understanding the difference between configuration problems and design flaws, particularly in password management and storage. The discussion provides insights into the complexities of cybersecurity and the challenges of ensuring that systems are both user-friendly and secure. The dynamic exchange underscores the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity.

Helpful Links:
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
