CSCP S4EP17 – Adam Shostack – Threat modelling in past and future with Adam Shostack from vulnerability to ASPM and modern application security

Join cybersecurity expert Adam Shostack on the Cybersecurity and Cloud Podcast as he discusses Application Security Posture Management (ASPM), threat modeling, and proactive strategies for enhancing software security. Learn about the impact of government regulations, CISA’s approaches to vulnerability management, and balancing security with profit. Don’t miss these insights to stay ahead in the cybersecurity landscape.
Join cybersecurity expert Adam Shostack on the Cybersecurity and Cloud Podcast as he discusses Application Security Posture Management (ASPM), threat modeling, and proactive strategies for enhancing software security. Learn about the impact of government regulations, CISA’s approaches to vulnerability management, and balancing security with profit. Don't miss these insights to stay ahead in the cybersecurity landscape.

CSCP S4EP17 – Adam Shostack – Threat modelling in past and future with Adam Shostack from vulnerability to ASPM and modern application security

Phoenix Security
Phoenix Security
CSCP S4EP17 - Adam Shostack - Threat modelling in past and future with Adam Shostack from vulnerability to ASPM and modern application security
Loading
/
Join cybersecurity expert Adam Shostack on the Cybersecurity and Cloud Podcast as he discusses Application Security Posture Management (ASPM), threat modeling, and proactive strategies for enhancing software security. Learn about the impact of government regulations, CISA’s approaches to vulnerability management, and balancing security with profit. Don't miss these insights to stay ahead in the cybersecurity landscape.

CSCP S4EP17 – Adam Shostack – Threat modelling in past and future with Adam Shostack from vulnerability to ASPM and modern application security

Phoenix Security
Phoenix Security
CSCP S4EP17 - Adam Shostack - Threat modelling in past and future with Adam Shostack from vulnerability to ASPM and modern application security
Loading
/

Notes

Phoenix Security
Phoenix Security
CSCP S4EP17 - Adam Shostack - Threat modelling in past and future with Adam Shostack from vulnerability to ASPM and modern application security
Loading
/

 

Join us in this insightful episode of the Cybersecurity and Cloud Podcast, where host Francesco Cipollone sits down with the pioneer of threat modeling, Adam Shostack. Dive into the intricacies of Application Security Posture Management (ASPM), effective threat modeling practices, and the innovative solutions offered by Phoenix Security (ASPM). Gain valuable knowledge on how to improve your organization’s security posture and stay ahead of evolving threats.

Sponsored by Phoenix Security: This episode is brought to you by Phoenix Security, leaders in vulnerability management from code to cloud. Take control of your security with Phoenix Security ASPM and see firsthand how to prioritize and act on critical vulnerabilities with a free 14-day license available at Phoenix Security – Request a Demo.

We delve into threat modeling and software security, touching on the profound implications of the White House’s recent report on memory-safe programming languages. We also dissect the systemic challenges of self-regulation in the cybersecurity market, especially in the aftermath of significant incidents like the SolarWinds attack. Adam shares his valuable insights on CISA’s latest strategies to tackle vulnerabilities at their origin, emphasizing the critical need for proactive and systemic solutions in bolstering cybersecurity practices. In another segment, we examine the complexities surrounding software security regulation and self-regulation in both the US and Europe. Drawing parallels to the automotive industry, we discuss how software companies are held accountable for the components they use, similar to how car manufacturers are responsible for their parts. The conversation highlights the Biden administration’s executive order requiring vendors to self-attest to software security when selling to the US government and compares this to established regulatory frameworks like SEC regulations. We also address the balance between proactive and reactive regulatory measures, referencing historical efforts such as Microsoft’s Trustworthy Computing initiative and discussing the unique challenges faced by sectors like medical devices, where security and functionality must be meticulously balanced.

 

Key Discussion Points:

Threat Modeling and Application Security/ASPM: An in-depth look at threat modeling and its crucial role in enhancing application security.
White House Report on Memory-Safe Programming Languages: Exploring the implications of the recent White House report and its impact on software security practices.
Self-Regulation vs. Government Regulation: Analysis of the challenges and benefits of self-regulation in the cybersecurity market, particularly post-SolarWinds.
CISA’s Strategies on Vulnerability Management: Insights into CISA’s proactive approaches to tackling vulnerabilities at their origin.
US and European Software Security Regulations: Comparing US and European approaches to software security regulation and the accountability of software companies.
Biden Administration’s Executive Order: The requirement for vendors to self-attest to software security and its broader implications.
Historical Context: Reflecting on past efforts like Microsoft’s Trustworthy Computing initiative and their relevance today.
Balancing Security and Functionality: The unique challenges faced by sectors like medical devices in maintaining both security and functionality.

What’s Inside This Episode:

00:01 – Introduction: Francesco Cipollone introduces the podcast and guest, Adam Shostack, a leader in threat modeling and application security.
00:22 – Role in Threat Modeling: Adam discusses his contributions to the field of threat modeling and the importance of simplifying and organizing the process.
02:00 – Background and Career: Adam shares his extensive experience in application security, including his work at Microsoft and current role at Shostack and Associates.
03:00 – State of Application Security and Threat Modeling: Discussion on the current state of application security and the significance of the White House report on memory-safe programming languages and ASPM.
04:00 – Regulatory Influences and Vulnerability Management: Insights into how government regulations are influencing application security and the challenges in managing vulnerabilities.
06:00 – Historical Context of Software Security and ASPM: Reflection on historical security practices and the evolution of software security.
08:00 – SolarWinds SEC Lawsuit: Detailed discussion on the SEC lawsuit against SolarWinds and the importance of accurate security statements.
10:00 – Challenges in Implementing Security Measures: The difficulties organizations face in implementing effective security measures and the necessity of having a comprehensive asset inventory.
12:00 – Government Regulations and Market Self-Regulation: Debate on the effectiveness of market self-regulation versus government mandates in shaping the future of application security.
14:00 – Balancing Profit and Security: The conflict between maintaining profit margins and investing in security, and the role of commercial support in sustaining open-source software security.
16:00 – Open Source Software and Commercial Support: Discussion on the need for commercial support for open-source software and the impact of regulations on the open-source community.
18:00 – Self-Regulation in Software Security: The role of self-attestation in software security and the thin line between self-regulation and government mandates.
20:00 – Responsibilities of CISOs and Corporate Accountability: The critical responsibilities of CISOs in communicating security risks and how regulatory measures push for better accountability.
22:00 – Microsoft’s Security Evolution: Reflection on Microsoft’s journey in improving software security and the importance of initiatives like the Security Development Lifecycle (SDL).
24:00 – EU AI Act and Its Implications: Brief overview of the EU AI Act and its impact on high-risk applications.
26:00 – Dark Gemini and Modern Threats: Teaser for a future episode on Dark Gemini, an advanced AI used for nefarious purposes, and its implications for threat modeling and vulnerability management.
28:00 – Weaponization of Vulnerabilities: Discussion on the rapid weaponization of vulnerabilities and the need for systemic fixes in software security.
30:00 – Closing Thoughts: Summary of the discussion on ASPM, threat modeling, and Phoenix Security, emphasizing the positive impact of ongoing changes in security practices.
33:00 – Positive Message and Conclusion: Adam’s positive message about the future of software security and Francesco’s emphasis on the importance of proactive measures. Information on where to find more about Adam Shostack and his work.

Connect with Adam

Adam Shostack Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft.

His accomplishments include:

Helped create the CVE. Now an Emeritus member of the Advisory Board.
Fixed Autorun for hundreds of millions of systems.
Led the design and delivery of the Microsoft SDL Threat Modeling Tool (v3).
Created the Elevation of Privilege threat modeling game.
Co-authored The New School of Information Security.

Cyber Security and Cloud Podcast hosted by Francesco Cipollone

Twitter @FrankSEC42
Linkedin: linkedin.com/in/fracipo 
#CSCP #cybermentoringmonday cybercloudpodcast.com 

Follow us on social media to get the latest episodes:

Website: http://www.cybercloudpodcast.com/
Linkedin: https://www.linkedin.com/company/35703565/admin/  

Twitter: https://twitter.com/podcast_cyber   

Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/ 
You can listen to this podcast on your favourite player:
Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  

Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ 

Resources and Links:

Adam Shostack’s About Page
Elevation of Privilege Game
The New School of Information Security
Threat Modeling: Designing for Security (Amazon UK)
Threats: What Every Engineer Should Learn from Star Wars (Amazon UK)
The New School of Information Security (Amazon UK)
Phoenix Security
Cybersecurity and Cloud Podcast

#Cybersecurity, #appsec #productsecurity #prodsec  #aspm

Podcast

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Follow us on social media to get the latest episodes:

Discuss this podcast with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

More episodes

Join us as we dive into the future of Application Security (AppSec) and Vulnerability Management with James Berthoty. Discover insights on the evolution of AppSec, challenges in managing software vulnerabilities, and the role of Application Security Posture Management (ASPM) in today’s API-driven cloud environment. Listen now for expert analysis and practical solutions in cybersecurity.
Explore the evolving landscape of application security and ASPM with Marius Poskus, VP at Glow Financial Services. Discover insights on the adoption of open-source code and AI, cultural shifts for DevSecOps, and challenges in maintaining consistent security programs. Sponsored by Phoenix Security, leaders in vulnerability management. Listen now for strategic approaches to managing application security and prioritizing critical issues to align with business goals. #Cybersecurity #AppSec #ProductSecurity #ASPM
Join cybersecurity expert Adam Shostack on the Cybersecurity and Cloud Podcast as he discusses Application Security Posture Management (ASPM), threat modeling, and proactive strategies for enhancing software security. Learn about the impact of government regulations, CISA’s approaches to vulnerability management, and balancing security with profit. Don’t miss these insights to stay ahead in the cybersecurity landscape.
“Discover the crucial role of threat modeling in application security with insights from Irene Michlin, application security lead at Neo4j. Learn how integrating developer perspectives and leveraging AI can enhance your security practices. Join the conversation on the Cybersecurity and Cloud Podcast and explore actionable strategies for robust application security. #Cybersecurity #ThreatModeling #ApplicationSecurity #AI #DevSecOps”
Delve into Application Security Program Management (ASPM) with Akira Brand on the Cybersecurity and Cloud Podcast. Discover how her unique opera background enriches her approach to security, enhancing application safety in a cloud-driven world. Tune in for expert insights on evolving AppSec to product security, the critical role of threat modeling, and strategies for building a resilient security culture.
Generated by Feedzy
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO