Secrets of AppSec Champions

Author: Chris Lindsey

Summary

Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme based, so it's more conversational and topic based instead of the general interview style. Our focus is growing your knowledge, providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for a large enterprise, the conversations will be deep and provide a lot of good takeaways that you can use almost immediately.
Mend.io 2024

Episodes
  • Auditing Your Security Program
    2024/11/12

    In this episode of "Secrets of AppSec Champions," titled "Auditing Your Security Program," host Chris Lindsey converses with Roddy Bergeron, a cybersecurity fellow at SherWeb. They tackle several pressing topics in the realm of cybersecurity auditing, starting with the financial repercussions of poor data management. A friend's experience underscores the importance of sending condensed data rather than raw data to avoid increased cloud storage costs. This leads to a broader discussion about data lifecycle policies, retention, and the necessity of consulting legal teams to navigate varying regulatory requirements. They emphasize the importance of proper data integrity measures, such as using tamper-proof formats and effective backup strategies like the 3-2-1 methodology and WORM (write-once, read-many) media.

    The conversation then shifts towards the evolving regulatory landscape, highlighting Cybersecurity Maturity Model Certification (CMMC) and its mandate for third-party auditors to certify companies accessing government contracts. Roddy underscores the benefits of external audits in identifying blind spots and ensuring compliance, a practice likened to the financial industry's audit requirements. He shares his rich background in government auditing, nonprofit work, and managed service providers, providing a nuanced perspective on the interconnected risks in IT environments. Roddy offers insights into key cybersecurity practices, stressing that external audits are a crucial way to mitigate risk in a complex digital landscape.

    The episode wraps up with a focus on the human element in cybersecurity. Roddy Bergeron emphasizes the need for emotional intelligence and continuous learning in incident response, pointing out that technical prowess alone is insufficient. He shares his hardest lesson: the necessity of prioritizing the human side of incident response, recognizing the profound impact of cybersecurity incidents on people's lives and careers. The conversation concludes with an invitation from Chris for listeners to subscribe and review the podcast, as they reflect on the importance of humility and ongoing improvement in the ever-evolving cybersecurity field.

    Additional information:
    This episode has been provided by Mend.io

    Chris Lindsey's LinkedIn account: https://www.linkedin.com/in/chris-lindsey-39b3915/
    AppSecHive Public Community: https://www.linkedin.com/company/appsec-hive

    31 min
  • Penetration Testing - Nathaniel Shere
    2024/10/29

    In Episode 07 of Secrets of AppSec Champions, PenTesting with Nat Shere, Chris Lindsey hosts seasoned penetration tester Nathaniel Shere, who currently serves as the Technical Services Director at Craft Compliance. Nathaniel shares his journey into penetration testing, starting from his master's in cybersecurity and leading to over a decade of experience in the field. The duo delves into the pressing issues within the security industry, such as the high levels of stress, the pressure to remain updated, and the often exaggerated emphasis on industry certifications. They both agree that certifications, while useful for exposure, can sometimes be blown out of proportion, potentially watering down the actual requirements.

    The discussion extends to technical aspects, highlighting the importance of error handling, visibility of dependencies, and the complexity of exploiting vulnerabilities like SQL injection. Nathaniel recounts memorable experiences, including the development of a Python script that uncovered critical security issues, and stresses the value of detecting and monitoring potential threats. The episode provides an in-depth look at the various penetration testing methodologies—white box, black box, and gray box—and the necessity of using accurate environments that mirror production settings. Both speakers emphasize the hacker's perspective in revealing security flaws and the role of secure coding practices and multi-factor authentication in strengthening security postures.

    Chris and Nathaniel also touch on the ethical implications and collaborative benefits of penetration testing. Nathaniel highlights the importance of providing prioritized information to developers and the value of pen testing in offering true risk assessments. They agree on the need for external penetration testing for unbiased evaluations and recommend internal pen testers collaborate with external experts for broader exposure. Altogether, this episode offers listeners a balanced view of the technical and human elements crucial to successful penetration testing.

    Key Topics with Timestamps
    00:00 Career Progression in Cybersecurity Consultancy
    05:03 Unexpected Access: Default Credentials and Security Breach
    08:52 The Value of Penetration Testing in Development
    12:19 Burp Suite: Demonstrating Data Theft Capabilities
    14:59 Developers Overlooking Security Vulnerabilities: Common Mindset Mistakes
    19:06 The Efficiency of Whitebox Testing in Application Assessment
    21:52 Penetration Testing Reports and Web-Based Security Issues: An Internship Anecdote
    26:12 The Importance of Internal and External Pen Testing
    30:18 Managing Stress in Cybersecurity Career
    32:50 The Value of Certifications in Security Learning
    34:19 Promoting Shows: A Guide to Engaging Audiences

    Additional information:
    This episode has been provided by Mend.io

    Chris Lindsey's LinkedIn account: https://www.linkedin.com/in/chris-lindsey-39b3915/
    AppSecHive Public Community: https://www.linkedin.com/company/appsec-hive

    35 min
  • Working with your CISO - Yaron Levi
    2024/10/15

    Welcome to Episode 06 of "Secrets of AppSec Champions," titled "Working With Your CISO," featuring host Chris Lindsey and guest Yaron Levi, the Chief Information Security Officer (CISO) at Dolby Labs.

    In this episode, Yaron Levi, with over 15 years of experience in various security functions, provides insights into the multifaceted role of a CISO. He discusses the relatively young profession, highlighting its diverse structures and responsibilities which include enabling businesses while managing risk and regulatory compliance.

    The conversation delves into foundational aspects of security programs, such as governance, risk, compliance, and the importance of maintaining a robust defense posture. Yaron underscores the necessity for continuous learning and collaboration within the security field and emphasizes that the CISO's role is more about enabling safe business operations rather than strictly enforcing rules.

    One of the key discussions revolves around the commonality of security threats, the significance of basic security measures, and how a substantial number of breaches stem from simple vulnerabilities like exposed credentials and misconfigurations. Yaron also emphasizes the importance of integrating security education for software developers and engaging software architects in mentoring roles.

    The episode sheds light on the productive nature of bug bounty programs and responsible disclosure platforms for vulnerability testing. Yaron advocates for encouraging young individuals to engage in ethical hacking through structured channels.

    The episode also touches on AI's impact on software development and security, reiterating a balanced approach to leveraging new technologies safely. The importance of simulations and tabletop exercises to prepare for security incidents is discussed, with example scenarios like ransomware attacks being used to test and improve response times.

    Finally, Yaron stresses the importance of communication, especially in remote environments, urging employees to over-communicate any security concerns. He shares his experience of starting his role during the pandemic and highlights the significance of building trust remotely.

    Chris Lindsey wraps up the episode by thanking Yaron Levi for his valuable insights and encourages listeners to subscribe, rate, and review the podcast to stay updated on future episodes.

    00:00 Striving for 'Good Enough' in Business
    06:01 Intentional Outreach and Security Measures: A Reminder
    07:49 The Crucial Role of CISO in Cybersecurity and Software Development
    12:49 Security: When, Not If
    14:08 Prioritizing Cybersecurity Fundamentals: Key Threats Remain
    19:50 The Minecraft Generation: Using Energy for Pen Testing
    21:52 Building Bug Bounty Environment and Tabletop Exercises
    25:36 Learning from a Ransomware Event Mishap
    27:38 Challenges to Standardizing the CISO Role
    33:15 Reframing the Role of Security: Protection Over Punishment

    Additional information:
    This episode has been provided by Mend.io

    Chris Lindsey's LinkedIn account: https://www.linkedin.com/in/chris-lindsey-39b3915/
    AppSecHive Public Community: https://www.linkedin.com/company/appsec-hive

    36 min
