SharkTalk™
Discussing cutting edge information security issues with renowned authors, speakers, technologists, executives, contributors and pragmatists in the information security arena.
Mano Paul (dash4rK) discusses cutting edge application security with Michael Howard, the man instrumental in building the Security Development Lifecycle (SDL) program at Microsoft. What gets Michael Howard out of bed every morning? What is Michael an expert on besides security? If you had to choose one book to read on security, what would Michael's top pick be and why? What is the one word Michael uses to define software/application security today? Michael talks about the need for a totally different mindset, moving from security features (ACLs, crypto, etc.) to security around threats, and discusses the evolution of the SDL (Security Development Lifecycle) program from the Secure Windows Initiative (SWI) to the Trustworthy Computing (TWC) initiative within Microsoft, which goes beyond just technical security. Though he gets the press about the SDL program, he gives credit to the incredible team that works on the SDL and shares when he thinks the SDL would be a complete mess. With a charter to improve the SDL by looking for patterns and the efficacy of tools, listen to Michael as he answers whether there is ever a typical day in security and describes his job description in a single word. Michael shares some thoughts on how the Writing Secure Code book he coauthored with David LeBlanc, which won him the 2003 RSA innovation award, came about, and what led the two of them to write it.
When asked "Now what, Michael?", Michael talks about the polymorphic threat scenarios to watch for in the paradigm of cloud computing and agile development methodologies, and shares references that one can use to get up to date with security in these burgeoning trends. Listen to Michael as he defines application security today in a single word and concludes by sharing how threats have moved from the network layer and the host layer (OSes) to the application layer, with evidence of continuing movement toward the people layer, which, though the strongest force in security, can also be the weakest link!
Mano Paul (dash4rK) discusses cutting edge application security with Tom Brennan (known as Semper Fidelis), OWASP Foundation Board Member and a voracious technovore who defines application security as the fabric of the global economy. Hear Tom share his story of how he moved from securing the country as a Marine to securing corporate information security today. With a bouncer-in-the-bar kind of magnetism around him, he shares the need for a blend of security knowledge that includes physical security, since a physical breach can lead to the breach of a network. He also shares how he, an ex-FBI InfraGard board member, got plugged into application security, which he calls 'Hacker Space'. He tells us how the benefits of a process to address security, removing Fear, Uncertainty and Doubt (FUD) as a motivator, can be achieved through one of his significant contributions to the OWASP community: the Testing Guide, which he jokingly calls the 'How to hack websites' document. Education and a collaborative community without hidden agendas, he feels, are critical for application security, and he provides interesting insights into the idea that 'Hackers are people too'. Other topics you will hear are that 'whitehat hacker' is not really an oxymoron and that software assurance is largely tied to insecure programming of code. Finally, he shares with us what he thinks we can learn from the movie Sneakers, and some of the references he uses to remain the Semper Fi technovore he is.
Mano Paul (dash4rK) discusses cutting edge web security with Jeremiah Grossman, CTO and Founder of WhiteHat Security. The 2007 CTO of Security defines web security to be all about scale, scaling the people, the process and the technology, highlighting that there is a need for innovative ideas. He shares with us his journey from being the HackerYahoo to CTO of WhiteHat Security and sheds light on how what is good for job security may not really be good for actual security. Also hear him tell you the real reason why he named his company WhiteHat Security. Jeremiah highlights that a complete security solution is one that has taken into account the people, the process and the technology, and shares why scanners that come up green with regard to security often fall short of discerning subtle semantic business logic flaws, which require gray matter. Finally, Jeremiah gives us insight into the references he uses to keep a pulse on the industry. In conclusion, listen to Jeremiah explain why he feels a search for the word 'Jeremiah' online will result in his blog coming up first in the search results, even superseding that of the Biblical prophet named Jeremiah.
Mano Paul (dash4rK) discusses cutting edge web security with Robert (RSnake) Hansen, CEO of SecTheory and Founder of ha.ckers.org. RSnake defines application security to be the wave of the future and shares the duality of the roles he has to play as CEO of SecTheory and Founder of ha.ckers.org, highlighting that a tricky balance is needed for security professionals to be a blackhat and a whitehat at the same time. Hear him explain why casinos hire cheats. RSnake also shares the story behind the origin and evolution of the acclaimed Cross-site Scripting (XSS) cheat sheet, talking about the vulnerability itself. He also talks about Clickjacking as a problem looming on the horizon, one that needs to be dealt with once the other vectors like CSRF and XSS have been fixed. Finally, RSnake gives us insight into the references he uses to stay technically sharp and into his latest eBook, Detecting Malice, which is about arming the good guys and is available for purchase at http://www.detectmalice.com.