Synopsis

This microcast episode was recorded live from hackfest.ca 2012, on location in Quebec. The conference is a phenomenal success for the challenges they face (primarily non-English speaking region, small market, etc) but they've managed to attract a ridiculous amount of people to this conference, awesome speakers, and have one of the best 'War games' scenarios I've ever seen... listen to these two guys talk about how they make this happen.

Guests

• Steven McElrea (@Longferret) - contributed and supporting organizer, key cog in the hackfest.ca wheel!
• "Martin" - he's responsible for a lot of the design and infrastructure behind the War Games that were conducted here.

Synopsis

This episode is special because it's been a long-time-in-the-making interview with Brad Arkin of Adobe. This is the organization that many of the hacker community like to hate, and pick on - without realizing the monumental task of securing the software that Brad's team is responsible for. Brad's official title at Adobe is Engineering Senior Director but in real life one of the responsibilities his team is tasked with is doing product security for products like Adobe Flash and Reader ... Brad's take on software security and how he got the bug problem under control at Adobe is worth a listen!

Guest

Brad Arkin - Engineering Senior Director at Adobe - Brad has a long history of being involved in the Information Security world, particularly software security and has held many interesting roles from Cigital, to a technical director at @Stake, to working his way through Adobe since 2008. Brad can be found on LinkedIn, here: http://www.linkedin.com/pub/brad-arkin/1/2a8/4.

Synopsis

LIVE from day 2 of the ISSA International conference 2012, in Anaheim, California I cornered Eric Cowperthwaite after a much-anticipated year-long wait... and we talked about his prediction that in the next 2 years many of the traditional IT employees will be employed as either business-IT resources in the enterprise, or IT-technical resources at an IT outsource or cloud provider... Eric's predictions tend to be right on the money so it'll be interesting if some of the things he advocates in this microcast come true!  Only time will tell.

Guest

• 
  Eric Cowperthwaite - Eric is the Chief Security Officer at Providence Health & Services, and a strong advocate of pragmatic security.  Eric has a long history from Army Recruiter, to outsource services delivery with EDS, to his many years of service to the ISSA and Providence Health & Services.  In addition to being a good friend and colleague, Eric has a snarky sense of humor, and tends to be not afraid of speaking his mind ... and as it turns out his predictions become reality in the near future.  Eric can be found on Twitter as @e_cowperthwaite, and on LinkedIn.

Syhopsis

When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about!  We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at last partially responsible for how long this podcast ended up being.  It's well worth the time, in my opinion, as we cover the following topics:

• Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment)
• Jim & David talk about how to do sane SQL Injection protection (bind everything!)
• David talks about some contrived ways of hacking Oracle databases, that are 'outside the business logic' and explains why validation is still important
• Jim brings up structural validation of inputs (useful white-listing)
• David brings up that his exploits from 2007 are STILL working in 2012 - terrifying
• "Parameterize it, or jeopardize it" - Jim's campaign to rid the world of SQL Injection
• David talks about unconventional database forensics that identify attacks via weblogs
• Vendors have upped their game to protect applications, developers are still writing bad code
• Jim Manico "We are entering the golden age of hackers" ... does this mean better security?!
• David discusses how if MS had stopped development of NEW features, WinNT4 would be 'secure' by now... but innovation & features will continue to drive forward - security suffers
• Jim asks "does the [development] framework of the future, consider security as a built-in?"

Guests

• Jim Manico - One of the people who holds OWASP together, Jim is an enthusiastic espouser of the Web App Security word.  You can find him providing training, practical advice, and code knowledge all over the place, particularly for the OWASP organization.
• David Litchfield - David has been taking Oracle to task over their claims of database security for years, and continues to be a driving force behind penetration testing, database forensics, and all things Oracle security.

Synopsis

This week we went free-form with two of my favorite InfoSec insiders ...people you probably follow on Twitter but can't quite place.  Here are some of the topics covered this week:

• The Apple UDID theft - what really happened, why, and what more is there to this story?
• Information vs. DISinformation...the battle for online trust
• Speaking of distrust - where do you go post-breach?
• InfoSec intelligence is a lot harder to do than just reading mailing lists and Twitter, there's a ton to this (scratching the surface)
• Change management's impact and possible salvation for IT and InfoSec
• Legacy systems and why they are the ball and chain, and why we can't nuke them
• The user ... how do we get past just hating on the user in InfoSec?

Guests

• @DarthNull - David is a mobile hacked with Intrepidus Group, and active puzzle-solver extraordinaire
• @InfoJanitor - He's a long-time InfoSec guy, working for a 'big company' ...and if he told you more than that, well ...you know.

Synopsis

Today's podcast discussion is with someone who has one of the toughest jobs in the security world... Patrick helps organizations that generate and deliver the power that runs our gadgets and critical systems that maintain life as we know it.  The power grid is not only surprisingly vulnerable due to it's age-old infrastructure, but also surprisingly resilient due to the complex nature of power distribution and generation... there's just a lot more to it than most people realize.

Patrick separates fact from fiction and goes into the pragmatic approach on national electric grid security - where we realize that it's really worse than we believed from a cyber security perspective, but better than we know because as you read this the electric grid is under constant attack, but it's still transmitting clean power.

I urge you to listen to this podcast, and then engage Patrick (@PatrickCMiller) or I in discussion... 

Guest

• Patrick C. Miller - 

President & CEO of EnergySec

Principal Investigator of National Electric Sector CyberSecurity Organization (NESCO)

Links:

• NESCO - US Dept. of Energy (DoE) Office of Electricy Delivery & Energy Reiliability - http://energy.gov/oe/services/cybersecurity/nesco
• EnergySec - A 501(c)(3) not-for-profit organization formed to support organizations within the energy sector in securing their critical technology infrastructures -  http://www.energysec.org/

Synopsis

This episode is a mini-episode recorded live from the social media lounge at HP Discover Las Vegas 2012.  It was an incredible show, where I caught up with Marc and Matt - two guys who are really from opposite side of today's deploy vs. secure coin.  Somehow we quickly dove into DevOps and picked up right where my conversation with the incomprable Gene Kim left off in episode 20.  Ironically, we discussed how to deploy faster (sound familiar?) and still get security and quality into the scope of delivery... this isn't a product pitch but it's two HP guys talking about how products impact software quality, security and overall delivery speed.

Guests

• Marc Blackmer  - Senior Solutions Marketing Manager (HP Enterprise Security Products) - Marc is a seasoned veteran of the Information Security industry with experience going back to high technician days in 1998.  Since 2006 Marc has held various technical and engineering roles at ArcSight and has come to learn the SEIM industry better than anyone I know.  Marc is one of the rare people who 'gets' how products solve actual problems.
• Matt Morgan Vice President and General Manager, HP Software Cloud and Hybrid IT - Matthew Morgan is the vice president and general manager of product marketing for the HP Software Cloud and Hybrid IT software organization, a $2.5B software business delivering solutions used by 100,000s of users to successfully define, deliver, and manage business software in a cloud and mobile world.  Matt has 20 years of experience in the Internet and IT business application industry. In his time at HP Software, he had held multiple executive roles including leading the commercialization of HP Application Lifecycle Management, launching HP's first mobile testing and monitoring solutions, and leading a shift to digital marketing operations.

Synopsis

In this episode we ask the big question of "Can security be a part of the 'build/deploy faster!' culture?"  We discuss the need to separate out high/low risk code, understanding how to deploy dormant components of the applications, proper testing strategies and branching/merging in a world where faster isn't just an ask, it's a need to stay competitive.

A huge thank you to all my guests for their time and expert insight.  The combined talent and experience of my 3 guests is something you should absolutely take a listen to, as these gentlemen really know what they're talking about - whether it's Information/Application Security, or DevOps ... this is a discussion that bridges both with expert precision.

Guests

• Nick Galbreath - Nick's Linked-In profile says he's been at 5 early to very early startups, all sold, IPO'd or huge - all dealing with massive scaling in load and large data sets.  FaceBook now owns a half-dozen of his patents on social graphs, and Google is using some of his code in Chrome!  On top of that, he's written a book on cryptography too... when he's not out building start-ups, Nick's speaking/teaching or hacking away at code to find better, bigger exploits and fixes.
• James Wickett - James is an innovative thought leader in the DevOps and Information Security communities, and has a passion for helping big companies work like start-ups to deliver products in the cloud.  He got his start in technology when he ran a web startup company as a student, and James is currently employed as a Senior DevOps Engineer working on launching cloud-based products for the Embedded Software division of Mentor Graphics.  James' bio is linked here.
• Olivier Saudan - Olivier is a software security analyst with 10 yeras experience in operations (including Information Security) and a significant development background.  He keeps his identity and employer a mystery due to the nature of his work, and the need for discretion.

Links:

• Recent podcast on DevOps with Gene Kim (part 1 [Episode 10], part 2 [Episode 20])
• Nick Galbreath's "Client9" - http://www.client9.com
• James Wickett's blog - http://blog.wickett.me

Synopsis

This episode was recorded in June '12, live from the show floor at HP Discover Las Vegas, 2012 and the talk of the town was once again DevOps.  Gene and I have had 2 prior conversations on the topic, but we're once again tackling the impact of DevOps on the IT and security relationship and overall business value.  We tip our hats to several people including Josh Corman (Rugged DevOps), David Mortman, James Wickett, Nick Galbreath and Mr. Daniel Blander for their prior contributions and supporting work on the topic.  Gene talks about some of the mechanisms we have available to us to bridge that IT Security-to-developer-to-operations gap that's holding us back from true business value.  Fun fact- studies have found that when you wake up a developer at 2am to solve an issue, problem resolution times plummet!

Enjoy the podcast, and go grab Gene's books when they're available... comments are welcome!

Guest

• Gene Kim - Gene is finishing up the third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," [highly recommended reads for any IT professional who aspires to high performance] scheduled to be published in August 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives.  LinkedIn profile, just in case you have never had the pleasure -http://realgenekim.me.

Links

• 
  Gene Kim's publisher website (mentioned in the podcast) - ITRevolution.com

Synopsis

This episode is special, not because it's more Info Security stuff, but because we take a far departure from the world of bits and bugs to the world of the pick-pocket and thief.  Sitting down with Bob Arno is a real pleasure, as he has the storytelling ability and knowledge to educate and open your eyes to a world where nothing is as it seems and anyone can be separated from their valuables.  Yes - this extends into the world of Information Security, and there are lessons to learn.

In this episode Bob and I talk about picking pockets, keeping yourself safe, and the world of criminal activity in the physical and digital world... Bob is also speaking at Hacker Halted, Miami 2012 so if you listen to this episode and are thinking about going ... there's a contest coming!  Stay tuned... and you can win an excusive, private dinner with Bob in Miami!

Guest

Bob Arno is widely known as the "World's foremost legal pick-pocket".  He's performed on stage, on television and has provided advice to travelers on how to keep from being roused... Bob is a speaker, entertainer, author, and special lecturer to law enforcement agencies. He has been profiled or quoted on NPR, CNN, MSNBC, ABC’s 20/20, The Travel Channel, The Learning Channel, Discovery, Court TV, in The New York Times, USA Today, Fortune, Kiplinger’s, National Geographic Traveler, Law and Order, and others. He has lectured for the Police Departments of Chicago, San Diego, Houston, Las Vegas, Detroit, Honolulu, Anaheim, and many abroad; for the California Tourism Safety & Security Conference, the International Tourism Safety and Security Conference, and many others; for Kroll & Associates, RSA Security Conference and Expo, and more. He taught an accredited course at the Connecticut State Police Training Academy.

Links

• Bob's main site: http://www.bobarno.com
• Amazing YouTube video - Traveling Europe (Naples, Italy) and unmasking the pickpocket tactics: http://www.youtube.com/watch?v=mUHAQnyVveg
• Travel advice from Bob Arno: http://www.justluxe.com/travel/luxury-vacations/feature-1702026.php

Synopsis

I caught up with my friend Kellman Meghu at BSides Detroit as the conference was coming to a close and we finally got to sit down and have a fun conversation about chaos, and what sorts of things enterprises can realistically do to increase security today.  We both work for vendors so we talked about "shiny blinky boxes", when things fail, and the notion of resiliency.  Fun conversation ensues ... with a random sprinkling of security buzzwords.

Kellman's famous quote is from this episode is "I can hand you this tool, and that doesn't suddenly make you any more secure than if you hand me a hammer I suddenly become a carpenter."  Wise words to live by folks, wise words indeed.  Spend a few minutes with Kellman and I, and see why he's one of my favorite people to interview.

Guests

• Kellman Meghu - Kellman Meghu is Head of Security Engineering (Canada and Central US) for Check Point Software Technologies Inc., the worldwide leader in securing the Internet. His background includes over 15 years of experience deploying application protection and network-based security. Since 1996 Mr. Meghu has been involved with consultation on various network security strategies to protect ISP's in Southern Ontario as well as security audits and security infrastructure deployments for various Commercial and Governmental entities across Canada and the Central United States.  You can find him on Twitter and LinkedIn ... I highly recommend a conversation, he's a very smart guy.
  

Links

Synopsis

Greetings fans, this episode promises to be a great one with the likes of Adam Shostack starting off talking about what the whole concept of "New School Security" is all about, and how it differs from the way we've all done it for the past 15+ years.  Adam and I talked through some new interesting ideas for moving the information security community and discipline forward, and even commented on how we can start to overcome the security community's focus on 'secrecy' when things go wrong.  How do security professionals understand what the desired outcomes should be, then start to move towards implemting pragmatic approaches to move closer to those desired outcomes - because in the end it's really about business and getting it done, not about 'security'.

You will be sorry if you miss this episode!

Guest

• Adam Shostack - Adam Shostack is a principal program manager on the Usable Security team in Trustworthy Computing. As part of ongoing research into classifying and quantifying how Windows machines get compromised, he recently led the drive to change Autorun functionality on pre-Win7 machines; the update has so far improved the protection of nearly 400 million machines from attack via USB. Prior to Usable Security, he drove the SDL Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL core team. Before joining Microsoft, Adam was a leader of successful information security and privacy startups, and helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the widely acclaimed book, The New School of Information Security.

Links

• Adam on Twitter: @AdamShostack
• The New School Security blog: http://newschoolsecurity.com/

Synopsis

Last winter, on a frigid afternoon I got a chance to sit down with 2 of my favorite Iowa locals, Kevin and Kenneth to talk about the tenuous relationship between QA and Information Security.  Earlier in the day I had given a workshop on software security testing (of the web variety) to a ViViT user group, and with that topic and their questions/concerns fresh in my mind I settled down for a 30 minute conversation with Kevin and Kenneth ... we essentially continued the conversation from Episode 3 (please give that a listen if you haven't yet to get a background).

Some of the questions we tackled included "Which team within the software development or security organization is best positioned to test the security of applications?", and "Can Information Security ever really thoroughly test an application without the full context?" ...and much more.

Give this episode a listen!

Guests

• Kevin Riggins - @kriggins - Kevin is a veteran of the Information Security community with many years experience in vast IT systems and a quality, development and systems background as well.
• Kenneth Johnson - @patories - Kenneth has been in the Information Security field for the last six years, with five of those years working as an IT Analyst for Principal Financial Group. He graduated in 2007 with a BS degree in Information Systems Security from ITT Tech, and he is currently attending Iowa State to pursue a Ph.D in Information Assurance, with a specialization in Digital Forensics, Incident Response and Malware Analysis.

Greetings friends!  I am taking some time to do something a little out of the ordinary right now... I'm coming to you from beautiful Las Vegas, Nevada and HP Discover 2012 where the theme is Make it matter.

Rather than doing yet another blog post on how beautiful the show floor is, and how amazing the content is going to be, I've recorded a little bit of audio, about 6:30 miutes or so to give you a feel for what we're up to, what's going on, and why I'm downright giddy with excitement.

Synopsis

This episode of Down the Rabbithole microcast (~15 minutes length) was recorded live at the Ohio Information Security Summit.

Albert and Paul were kind enough to sit down with me and discuss metrics and process - and essentially what demonstrating "good security" means to an enterprise.  "Can we ever get there?"  Where is there?  Understanding the basics of security, measurement, and whether if we really do a great job, Information Security can work itself out of a job ... those are some heavy topics for a mini-podcast.  Enjoy!

Feedback is always welcome

Guests

• Paul Elwell - Security Specialist for a Fortune 500 company
• Albert School - Application Security Specialist and Penetration Tester at a Fortune 500 company