Name: Good Enough: Practical Zero Trust Posture in The Software Supply Chain
Start: 2024-10-02T15:10:00Z
End: 2024-10-02T15:10:59.000Z
Location: BrightTALK
Rating: 5

Learn how software-driven organizations use GitGuardian to strengthen their overall security posture and comply with application security frameworks and standards. 

GitGuardian, founded in 2017, has become the leader in automated secrets detection and is now focused on providing a comprehensive code security platform. It's raised $56M from top investors, including co-founders of GitHub and Docker. Its policy engine helps security teams monitor and enforce rules across all their VCS, DevOps tools, and infrastructure-as-code configurations. GitGuardian offers Secrets Detection, Infra as Code Security, and Honeytoken capabilities all in one platform.

In this episode of The Security Repo Podcast, we look at security automation and how we can engineer our way to better security overall.

We are joined, once again by Huxley Barbee, who has been a fixture of the security community for over 20 years. Professionally, he was a security consultant working with customers in finance, insurance, manufacturing, and higher education. Currently, he leads the security engineering group at a fintech company. Beyond the day job, he is also active in the security and hacker community. He started attending DEF CON in the late 90s, has spoken at many conferences throughout the US, and is the lead organizer for BSidesNYC. He lives in New York. You should connect with him on social media, buy him a drink, or both.

We start with a great discussion of what to automate and what not to automate when thinking about security.  From there, we explore the role of AI in the security tool belt and how we can best leverage it to improve our posture. By the end, we get some updates about BSides NYC and elsewhere. 

Links from this episode:
Previous Appearance:  
   • Building Conferences and Communities ...  

Socials:
  / jhbarbee  

@huxley@infosec.exchang

BSides NYC:
https://bsidesnyc.org/

Security Automation And Leveraging AI To Deal With Security At Scale - Huxley Barbee

In this episode of The Security Repo Podcast, we take a look at the role developer training and awareness have in improving security.

We are joined by Chris Lindsey, Application Security Evangelist at Mend.io. He is a seasoned speaker who has appeared at conferences, webinars, and private events.  Chris draws on expertise from more than 15 years of direct security experience leading and building security programs and over 35 years of experience leading teams in programming software, solutions, and security architecture.

We start with how training and awareness are the start of the process but not all that is needed. From there, we discuss developer tooling vs security tooling and what gaps exist.  By the end, we get into AI and how to think about a future with auto-remediation.

Developer Awareness Training and AI Assisted Tooling for Improving Security - Chris Lindsey

The current state of application security often leaves us reacting to data breaches and unauthorized disclosures well after they have occurred. How do we change this reactive reality? 

In this webinar, we’ll discuss this and other questions:

- What are the CISO/security and privacy team absolutes or non-negotiables?
- How has modern AppSec failed these constituents?
- What are design decisions, and how do they impact the strength of an architecture?
- How do data flow diagrams enrich and simplify the process?
- What are security and privacy patterns, and how are they used?
- What are the most important things to measure with security/privacy by design?

By adopting these principles, development teams can shift from a reactive to a proactive stance, ensuring their software products are robust, trustworthy, and aligned with the highest security standards.

Links mentioned in the webinar:
https://devici.com

https://www.securityjourney.com/resources/application-security-podcast

https://securitytable.buzzsprout.com/

https://threatmodel.buzzsprout.com/

https://appsec.beehiiv.com/

https://www.gitguardian.com/files/devsecops-blueprint

Designing Secure and Private Software by Default with Chris Romeo from devici

In this episode of The Security Repo Podcast, we dive deep into a rather troubling phenomenon: scammers who target senior citizens. 

We are joined by Anita Nikolich,  a speaker and a university-based cybersecurity researcher specializing in network security and cryptocurrency analytics. She joins us as the founder and co-principal Investigator of DART, a collective of researchers, security experts, game designers, and community-based organizations who have come together to combine their expertise and passion to develop the Deception Awareness and Resilience Training (DART) platform.

 We discuss real-world examples, the realities of scammers and cybercrime, and why they target the people they attack. We also get into how the DART collective is working to ensure we raise awareness in a way that affects the most people without being too heavy-handed. Anita shares some free resources to help protect the people you love and tells us how we can get involved to help.

Learn more at 
https://dartcollective.net/
https://dartcollective.net/deepcover/

DeepCover & DART Academy: Fighting Scammers Through Educating Seniors - Anita Nikolich

Today we sit down with Bobby Kuzma, Director of Offensive Cyber Operations at Pro Circular and adjunct professor at the University of Washington. Bobby shares his unique journey into the world of penetration testing, including how he accidentally acquired his CISSP certification. We delve into the fascinating world of offensive security, discussing the highs and lows of pen testing, the importance of creativity in cybersecurity, and Bobby’s current work on leveraging AI to enhance security testing. Tune in for an insightful conversation filled with real-world stories, expert advice, and a look at the future of cybersecurity.

Behind the Scenes of Offensive Security with Bobby Kuzma

In this episode of The Security Repo, we sit down with Jossef Harush Kadouri, a pioneer in software supply chain security and founder of Dustico, now part of Checkmarx. Jossef shares his journey from startup to acquisition, detailing the ever-evolving landscape of supply chain attacks. We explore how malicious actors are exploiting open-source ecosystems, the challenges of maintaining secure software, and practical steps developers and organizations can take to protect themselves. Whether you're a seasoned security professional or new to the field, this episode offers valuable insights into safeguarding your software's supply chain.

The Frontline of Cybersecurity: Defending Against Supply Chain Intrusions - Jossef Harush Kadouri

Today we welcome J Wolfgang Goerlich, an advisory CISO, mentor, and strategist. We delve into the intricacies of security design frameworks and the importance of building and maintaining relationships in the cybersecurity field. Wolfgang shares his expertise on creating effective security programs, fostering trust within teams, and navigating the challenges of the CISO role. Tune in to gain valuable insights on cybersecurity strategy and the significance of collaborative relationships in achieving security goals.

Show Notes: 
Linkedin:   / jwgoerlich  
X / Twitter: https://x.com/jwgoerlich 
Website: https://jwgoerlich.com/ 
Securing Sexuality: https://www.securingsexuality.com/

Frameworks and Relationships: J Wolfgang Goerlich on Security Strategy

Join us for a roundtable on GenAI's dual role in cybersecurity. Experts from GitGuardian, Snyk, Docker, and Protiviti, with Redmonk, discuss threat mitigation versus internal tool adoption, securing coding assistants, leveraging LLMs in supply chain security, and more. Gain valuable insights on harnessing GenAI to enhance your DevSecOps practices.

How to augment DevSecOps with AI?

Join us for a comprehensive webinar on self-hosted solutions, featuring industry experts Romain Jouhannet from GitGuardian, Adrian Mouat from Chainguard and Chuck D'Antonio from Replicated.

The discussion will delve into:

Challenges of On-Prem Deployments: We will explore the complexities and distribution challenges associated with on-prem solutions.
Secure & Scalable On-Prem Experiences: We'll discuss how to deliver robust and scalable on-prem deployments, addressing the intricacies involved.
Integration of SaaS and On-Prem: Can these environments coexist and benefit each other? The session will cover best practices from on-prem development that can enhance SaaS offerings.
This session is ideal for organizations prioritizing robust data security and privacy in their operations.

Delivering Security on Your Terms: An Intro to Self-Hosted

In this episode of The Security Repo, we are thrilled to welcome Sonya Moisset, a Senior Advocate at Snyk and a renowned expert in DevSecOps, cybersecurity, and AI. With a wealth of experience as a public speaker, mentor, and top contributor to the tech community, Sonya shares her deep insights into the evolving landscape of AI in cybersecurity.

Join us as we dive into the pressing issues surrounding generative AI and large language models (LLMs), including the concept of shadow AI, the risks of using AI tools without proper oversight, and real-world examples of security breaches involving AI. Sonya discusses the importance of implementing robust security policies and fostering an open dialogue within organizations to mitigate these risks.

We also explore fascinating topics such as prompt injection attacks, the role of AI in both offensive and defensive cybersecurity strategies, and the emerging frameworks guiding ethical AI use. Whether you're a security professional, a developer, or simply curious about the intersection of AI and cybersecurity, this episode offers valuable knowledge and practical advice.

Tune in to learn how to navigate the complexities of AI in your organization and stay ahead in the fast-paced world of cybersecurity.


Show Links 
Sonya Moisset social media links
Linkedin:  

 / sonyamoisset  
X (Twitter): https://x.com/SonyaMoisset


Introduction: 0:00
What are the security risks with AI and LLMs: 1:10 
Prompt Injection Car Dealership: 6:39
Prompt Injection: 8:46 
Guardrails for AI: 16:00 
Using AI for Red Teaming: 25:19 
Regulations for AI security 32:16 
Best and Worst: 34:10

Navigating AI in Cybersecurity: Insights from Sonya Moisset

Join us this week as we host Eric Fourrier, co-founder and CEO of GitGuardian. Discover the journey of GitGuardian from a side project to a leading code security platform. Eric shares insights on the startup's growth, the integration of AI in security, and the future of protecting digital assets. Tune in for an engaging discussion on advancing code security in our digital world.

Show Notes:
GitGuardian https://gitguardian.com
State of Secrets Sprawl Report https://www.gitguardian.com/state-of-... 
GitGuardian Blog https://blog.gitguardian.com

Eric Fourrier Socials 
Linkedin:  

 / ericfourrier  

intro: 0:00 
Origin of GitGuardian: 0:55
Why wasn't secrets detection a big problem: 5:08
State of Secrets Sprawl Report: 09:50 
Can we solve secret leakage: 18:08
Finding secrets outside source code: 22:22
The evolution of GitGuardian: 25:18
Single pane of glass: 30:15
The problem of remediation: 32:55
The role of AI in security tools: 36:10
Best and Worst: 42:25

The Secrets behind GitGuardian: Building a security platform with Eric Fourrier

AI-assisted coding tools increase your delivery speed… and unfortunately security risks as well.

In this session, Sonya Moisset, Staff Security Advocate of Snyk (and 4x GitHub Star & GitHub Security Ambassador) will dive into:

- Presenting an overview of AI in development and common AI security risks.
- Use GenAI tools to build a coffee shop demo app and exploit AI-generated vulnerabilities, including SQL injection, cross-site scripting, directory traversal, and more.
- And give you some effective strategies to mitigate and fix AI-generated vulnerabilities.

If you are working with AI as your copilot then this webinar is for you!

Code Fast, Secure Smarter: The Dual Path of AI Development

Open-source components forever changed how we build software, but they are also a prominent security threat, nothing illustrated this better than the recent XZ library incident where the world narrowly avoided a massive supply chain attack.

Join Gene Gotimer, DevOps Engineer at Praeses and Mackenzie Jackson to discuss how we can keep our open-source supply chains secure as we discuss:

- Security implications of vulnerable open-source components
- How using automation can help us move toward a secure supply chain
- How to discover and detect vulnerable components

Securing the Supply Chain - Automating our Way Out of Security Whack-a-Mole

In this video, we explore AI package Hallucination. This threat is a result of AI generation tools hallucinating open-source packages or libraries that don't exist. 

In this video, we explore why this happens and show a demo of ChatGPT creating multiple packages that don't exist. We also explain why this is a prominent threat and how malicious hackers could harness this new vulnerability for evil. It is the next evolution of Typo Squatting. 

Introduction: 0:00
What is AI package Hallucination: 0:12
Sacrifice to the YouTube Gods: 0:33
How AI models find relationships: 0:45 
Lawyer uses hallucinated legal cases: 1:18
How we use open-source packages: 1:39
How ChatGPT promotes packages: 2:17 
Example of AI Package Hallucination: 2:51
Why is package hallucination a security risk: 3:46
How many packages are hallucinated? 5:37
Protection measures against AI Package Hallucination: 6:18

Understanding AI Package Hallucination: The latest dependency security threat

In this engaging episode of "The Security Repo," host Dwayne McDaniel and esteemed guest Rachel Stephens, delve into the rapidly evolving world of security tooling, with a special focus on the buzz around Application Security Posture Management (ASPM). They tackle the complexities and confusions surrounding the burgeoning category of security solutions, offering listeners a clear-eyed view of what ASPM means for developers, security professionals, and the tech industry at large. Through a candid and enlightening conversation, they explore the history and potential future of security practices, the push towards simplification and consolidation of tools, and the real challenges of effectively managing security risks in today's dynamic digital environments. Join us for a thought-provoking discussion that demystifies ASPM and provides valuable insights into the direction of security tooling and practices.

Show Notes: 
Learn more about ASPM - https://blog.gitguardian.com/good-app...

Learn more about RedMonk https://redmonk.com/

Unpacking ASPM: Trends, Truths, and the Future of Security Tools

In this episode of the Security Repo podcast, we take a dive into the intriguing world of hacking the hackers with Vangelis Stykas. Stykas, a notable figure in cybersecurity, shares his experiences and methodologies for compromising C2 servers—central nodes used by hackers to control malware. He reveals how simple web application vulnerabilities can lead to significant breaches in the security of these servers. The discussion also covers the ethical and legal nuances of Stykas' work, including the challenges and risks involved in targeting these digital underworld operatives. Additionally, Stykas touches on his professional journey, including his role as the CTO of Atropos, a company specializing in web application and API security. This episode promises to uncover key discoveries about the shadowy aspects of cybersecurity and the ongoing battle between hackers and those who hack them.

Hacking the Hackers: The Art of Compromising C2 Servers with Vangelis Stykas

Understanding our supply chain means understanding all the components that make it. But this is harder than it appears. Open-source components make up 80 - 90% of our application's source code, but we must also remember that our open-source components are also made from open-source components, it's like supply chain inception. 

SCA or Software Composition Analysis is a security tool that looks at your entire supply chain and outlines vulnerabilities, including transitive or downstream dependencies. 

In this video, we discuss real-world implications of supply chain risk and break down how an SCA tool fits into your security position. 

Introduction  0:00 
Risks of dependencies 0:20
Log4J Example 2:25
UA Parsjer Example 3:15
Event-stream example  4:01
SCA tools 4:40

Understanding Supply Chain Risk - Using SCA to protect your application

We all want to have the best security posture possible, especially when it comes to our mission-critical applications. This is also true for any software we publish that is used in the software supply chain. Every security team dreams of fully implementing Zero Trust as the standard across the whole of the organization and having flawless defenses.

In reality, though, security is a never-ending journey, as the landscape constantly shifts at an ever-accelerating rate. Defending the perimeter used to be the goal, but in the ultra-interconnected world of services, cloud platforms, and open-source dependencies, we need to rethink how we defend ourselves and our customers.

We need to stop unrealistically striving for perfection and get back to basics to make sure we are guarding against the most likely, most common, and most costly threats that continue to emerge.

In this webinar, we will cover:

Understanding the threats throughout the Software Supply Chain
The benefits and realities of implementing Zero Trust
Thinking through trust, attestation, and scanning
Finding the right balance of time and effort for security ROI
Thinking past compliance and defending against the most likely scenarios
Join Chris Lindsey, Application Security Evangelist at Mend.io, and Dwayne McDaniel, Sr. Developer Advocate at GitGuardian, for an hour of conversation and learning.

Good Enough: Practical Zero Trust Posture in The Software Supply Chain

Developers

DevSecOps

Cyber Defence

Cyber Crime

Cyber Attacks

Cyber Incident Response

Software Defined

Secure Cloud

Secure Development

Cloud computing has exploded over the past few years, delivering a previously unimagined level of workplace mobility and flexibility. The cloud computing community on BrightTALK is made up of thousands of engaged professionals learning from the latest cloud computing research and resources. Join the community to expand your cloud computing knowledge and have your questions answered in live sessions with industry experts and vendor representatives.

Cloud Computing

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Get powerful end user computing insights from influential EUC experts. Connect with thought leaders and colleagues to get the most up-to-date knowledge on effective approaches to get non-programmers to create working applications.

End User Computing

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Good Enough: Practical Zero Trust Posture in The Software Supply Chain

Presented by

About this talk

More from this channel