Adam Shostack — The Jenga View of Threat Modeling
31 min

Adam Shostack is a leading expert on threat modeling, and consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling. For season 7 and beyond, we've launched [...]

The post Adam Shostack — The Jenga View of Threat Modeling appeared first on Security Journey Podcasts.

Brakeing Down Security Podcast
Bryan Brake, Amanda Berlin, Brian Boettcher
Phil Beyer - Bio (CISO at Etsy)
Importance of books about behavioral science:
* "Thinking, Fast and Slow"
* "Predictably Irrational"
* "Influence: The Psychology of Persuasion"
* "Brain at Work"
* "Atomic Habits"
* "Tiny Habits"
* "New Leader's 100 Day Action Plan"
Podcasts:
* Manager Tools Podcast
* Career Tools Podcast
* Seth Godin's Akimbo
* Masters of Scale
Concepts discussed: habit stacking, temptation bundling, the availability heuristic.
Brian's recommendations: "Extraordinary Popular Delusions and the Madness of Crowds"; "Big 9".
Bryan's book recommendations: Malcolm Gladwell's "Talking to Strangers"; "The Effective Manager" by Mark Horstman; "ADKAR: A Model for Change in Business, Government and our Community".
Also discussed:
* Improved interviews online
* First 90 days as CISO and the first 90 day plan
* Capability assessment
* Socratic method
* Impacts to make
* Building rapport with new directs
* Creating a new relationship "budget" with manager/board and colleagues
* Planning your strategy to make meaningful change in the org as a whole
Check out our Store on Teepub! Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email. Comments, questions and feedback are welcome. Support Brakeing Down Security Podcast via Paypal or Patreon. Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP
42 min
CISO-Security Vendor Relationship Podcast
Mike Johnson and David Spark
Can a Robot Be Concerned About Your Privacy?
All links and images for this episode can be found on CISO Series (

I want AI to be efficient, but I also want my space.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest is Rebecca Weekly (@rebeccalipon), senior director of hyperscale strategy and execution, senior principal engineer, Intel.

Thanks to this week's podcast sponsor, Intel. Intel's new suite of security features in the upcoming Xeon Scalable platform improves data confidentiality and integrity in a world that increasingly relies on it. Features like Intel SGX further enable confidential computing scenarios — crucial for organizations in regulated industries to meet growing security requirements and protect sensitive data.

On this week's episode

Why is everybody talking about this now?
"The lack of women in cybersecurity leaves the online world at greater risk," stated Naomi Schalit of The Conversation. Mollie Chard of Capgemini shared the article, which generated a lot of conversation. Naomi hit many issues we've discussed before, like diversity offering different viewpoints, which is critical for building a cybersecurity program. I would like to focus on the dynamic of the security team. I've been in testosterone-fueled environments, and things change dramatically when just one woman enters the room. And it changes even more when there are more women. What is that dynamic, why is it valuable, and what's the danger of the all-male environment?

Well, that didn't work out the way we expected
At the end of every show I ask our guests, "Are you hiring?" Prior to COVID, almost everyone said desperately, "YES, we're hiring." That has changed dramatically for the worse since COVID started. Emma Brighton has a story on InfoSecurity Magazine about the real shortage that's happening. Problems she points to are the need to secure more communications channels, security people being offloaded to do IT support, and the competition for skilled talent. What is COVID doing to our security environment and our staff?

What's Worse?!
Everyone in the loop or out of the loop?

Please, Enough. No, More.
Today's topic is security on the chipset. We have never talked about this on the show, but now that we've got someone from Intel, it seemed appropriate to do just that. What have we heard enough about in chip-level security, and what would we like to hear a lot more about?

Are we having communication issues?
Will the fight to maintain privacy always be in conflict? The people who collect data always want more information so they can get greater insights. Outside of regulations, they have no incentive to maintain privacy. As we collect more and more information automatically and artificial intelligence systems make decisions for us, can AI systems be made privacy aware while still being effective at gaining insights? What would that even look like?
34 min
7 Minute Security
Brian Johnson
7MS #437: Homecoming and Home ioT Security - Part 3
Hello! This episode is a true homecoming in that I actually recorded it from home. Yay! WARNING!!! WARNING!!! This episode contains a ton of singing. If you don't like singing, do not listen!!! With that said, I wanted to follow up on parts 1 and 2 of this series and share some additional cool tools that others have told me about in regards to securing and monitoring all your IoTs!
* Home Assistant is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image and dump it on an SD card with Balena Etcher and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack) says this video demonstrates why he really loves it.
* Prometheus, recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilities and possibilities of Prometheus, but much like Home Assistant, it quickly got into "more than I need" territory.
The final thing we talk about today is trying to answer this question: with so many of my IoTs tied to some cloud app/service, how do I keep these accounts themselves as secure as possible?
Songs sung in this episode include:
* Follow Through by Gavin DeGraw
* Livin' on a Prayer
* The Look that Says You Love Me (Brian Johnson)
* Goodness of God
40 min
Defense in Depth
Allan Alford and David Spark
Measuring the Success of Your Security Program
All links and images for this episode can be found on CISO Series (

How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing?

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP.

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you're going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you'll learn:
* The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put in place to manage them. Simple to say, hard to do.
* Security risk is just one of a multitude of risks a business faces.
* Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk.
* Constantly ask who has access to the data and what communication processes you are using to share that information between humans and machines.
* Discuss with leadership how you will judge success and what metrics you will use. The C-suite will need to lead the discussion, with security providing guidance as to what they can and can't measure.
* If you're measuring security's performance, this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others.
* An informal metric for success could be how often security gets invited to informal meetings.
* Overall positive sentiment toward security by non-security employees.
* How well are you able to build (are people eager to work with you?) and maintain your staff?
* Another "out of the box" metric to consider is opportunity cost. How many contracts are you losing because you were incapable of meeting a potential customer's security standards?
* Strong debate as to the goal of a security program: risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.
27 min
AWS TechChat
Episode 75 - Amazon EventBridge & Amazon AppFlow Special
In this themed episode of AWS TechChat, I am joined by Gabe Hollombe and we look at two relatively new AWS services: Amazon EventBridge and Amazon AppFlow. We start the show revisiting a messaging foundation and the gaps Amazon EventBridge fills in our product portfolio. We discuss that Amazon EventBridge is a serverless event bus that makes it easy to connect applications together using data from your own applications, SaaS applications, and AWS services, before contrasting Amazon EventBridge with Amazon CloudWatch Events. Then we pivot to the Amazon EventBridge Schema Registry, which allows you to discover, create, and manage OpenAPI schemas for events on Amazon EventBridge. You can find schemas for existing AWS services, create and upload custom schemas, or generate a schema based on events on an event bus. Lastly we talk about Amazon AppFlow, an even newer AWS service. Amazon AppFlow allows you to securely transfer data between SaaS applications like Salesforce, Marketo, and Slack and AWS services like Amazon Simple Storage Service (S3) and Amazon Redshift in just a few clicks.
Speakers:
* Shane Baldacchino - Edge Specialist Solutions Architect, ANZ, AWS
* Gabe Hollombe - Principal Developer Advocate, AWS
Resources:
* Amazon EventBridge
* Amazon CloudWatch Events
* Amazon EventBridge Schema Registry
* Amazon AppFlow
AWS Events:
* AWS Modern Applications Online Series
* AWSome Day Online Conference
* AWS Data, Databases, and Analytics Online Series
* AWS Builders Online Series on-demand
* AWS Summit Online on-demand
* AWS Events and Webinars
45 min