Showing episodes and shows of Chris Romeo

Shows

[The Security Table] Numb to Data Breaches, and How it Impacts Security of the Average Feature
2024-09-18, 32 min
In this episode of the Security Table with Chris Romeo, Izar Tarandach, and Matt Coles, the team dives into the evolving landscape of modern security approaches. They discuss the shift from strategy to tactics, the impact of data breaches, and why people are becoming numb to such incidents. The episode also touches on the importance of understanding the business side of security and the role of product managers as security champions.
FOLLOW OUR SOCIAL MEDIA:
Twitter: @SecTablePodcast
LinkedIn: The Security Table Podcast
YouTube: The Security Table YouTube Channel
Thanks for Listening!

[The Security Table] Innovations in Threat Modeling?
2024-08-28, 31 min
In this episode of The Security Table, hosts Chris Romeo, Izar Tarandach, and Matt Coles dive into the evolving concept of threat models, stepping beyond traditional boundaries. They explore "Rethinking Threat Models for the Modern Age," an article by author Evan Oslick. Focusing on user behavior, alert fatigue, and the role of psychological acceptability, they debate whether broader human factors should integrate into threat modeling.

[The Threat Modeling Podcast] Gavin Klondike -- Threat modeling for large language model applications
2024-08-02, 51 min
In this episode of the Threat Modeling Podcast, host Chris Romeo takes listeners on a journey through the intricate world of threat modeling. Joined by senior security consultant Gavin Klondike, the episode delves into Gavin's experiences and insights into threat modeling, particularly in the context of artificial intelligence and machine learning. Gavin shares a detailed case study, discussing methodologies, strengths, weaknesses, and the importance of holistic threat modeling processes. The conversation also highlights the challenges posed by large language models (LLMs), and Gavin provides a comprehensive threat model for LLM applications, exploring various vulnerabilities and mitigations. Links f...

[The Security Table] Security, Stories, Jazz and Stage Presence with Brook Schoenfield
2024-06-04, 52 min
In this episode of The Security Table, hosts Chris Romeo, Izar Tarandach, and Matt Coles are joined by Brook Schoenfield, a seasoned security professional, to share insights and stories from his extensive career. The conversation covers Brook's experience in writing books on security, lessons learned from his 40-year career, and personal anecdotes about his life as a musician, including playing with legends like Bo Diddley and Chuck Berry. Brook highlights the importance of ensemble work in both security and music.
Books written by Brook Schoenfield: Secrets Of A Cyber S...

[The Security Table] Debating the CISA Secure by Design Pledge
2024-06-01, 39 min
In this episode of The Security Table, hosts Chris Romeo, Matt Coles, and Izar Tarandach discuss the CISA Secure by Design Pledge, a recent initiative where various companies commit to improving software security practices. The hosts critique the pledge, arguing that many of the signatory companies have long been focused on software security, making the pledge redundant for them. They dissect specific goals of the pledge, such as increasing multi-factor authentication (MFA) and reducing default passwords, and express concerns about their actual impact. Despite their skepticism of the pledge's effectiveness and measurability, they do acknowledge CIS...

[The Application Security Podcast] Dustin Lehr -- Culture Change through Champions and Gamification
2024-04-16, 45 min
Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocates. He emphasizes the importance of fostering a security culture and leveraging gamification to engage developers effectively. They also cover the challenges of implementing security practices within the development process and how to justify the need for a champion program to engineering leadership. Dustin shares insights from his career transition from a...

[The Application Security Podcast] Mukund Sarma -- Developer Tools that Solve Security Problems
2024-04-02, 46 min
Mukund Sarma, the Senior Director for Product Security at Chime, talks with Chris about his career path from being a software engineer to becoming a leader in application security. He explains how he focuses on building security tools that are easy for developers to use and stresses the importance of looking at application security as a part of the broader category of product security. Mukund highlights the role of collaboration over security mandates and the introduction of security scorecards for proactive risk management. He and Chris also discuss the strategic implementation of embedded security functions within development teams. Discover...

[The Application Security Podcast] Chris Hughes -- Software Transparency
2024-01-20, 39 min
Chris Hughes, co-founder of Aquia, joins Chris and Robert on the Application Security Podcast to discuss points from his recent book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, co-authored with Tony Turner. The conversation touches on the U.S. government in the software supply chain, the definition and benefits of software transparency, the concept of a software bill of materials (SBOM), and the growth of open-source software. The episode also covers crucial topics like compliance versus real security in software startups, the role of SOC 2 in setting security baselines, and the importance...

[The Security Table] AppSec Resolutions
2024-01-09, 47 min
Join us for the final episode of The Security Table for 2023. Chris, Izar, and Matt answer fan mail, make fun predictions for the upcoming year, discuss their resolutions for improving cybersecurity, and make a call to action to global listeners. Highlights include the reach of the podcast, explaining Large Language Models (LLMs), Quantum LLMs, Software Bill of Materials (SBOM), and the importance of teaching secure coding from high school level up. Chris, Izar, and Matt share their passion for making cybersecurity more accessible, practical, and effective through critical discussions and innovative ideas.

[The Application Security Podcast] Arshan Dabirsiaghi -- Security Startups, AI Influencing AppSec, and Pixee/Codemodder.io
2023-12-05, 57 min
Arshan Dabirsiaghi of Pixee joins Robert and Chris to discuss startups, AI in appsec, and Pixee's Codemodder.io. The conversation begins with a focus on the unrealistic expectations placed on developers regarding security. Arshan points out that even with training, developers may not remember or apply security measures effectively, especially in complex areas like deserialization. This leads to a lengthy and convoluted process for fixing security issues, a problem that Arshan and his team have been working to address through their open-source tool, Codemodder.io. Chris and Arshan discuss the dynamic nature of the startup world. Chris...

[The Security Table] Looking Back, Looking Forward
2023-11-29, 46 min
Join Izar, Matt, and Chris in a broad discussion covering the dynamics of the security community, the evolving role of technology, and the profound impact of social media on our lives. As the trio considers what they are most thankful for in security, they navigate a series of topics that blend professional insights with personal experiences, offering a unique perspective on how these elements intersect in the modern world. Chris begins by highlighting the importance of collaboration and learning within the ever-expanding security community. Shifting to broader security concerns, Izar emphasizes the value of mentoring and the...

[The Security Table] An SBOM Lifecycle
2023-11-14, 45 min
Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bills of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress.
Links: Chris' LinkedIn post about the...

[The Application Security Podcast] Chris John Riley -- MVSP: Minimum Viable Secure Product
2023-11-07, 50 min
Chris John Riley joins Chris and Robert to discuss the Minimum Viable Secure Product. MVSP is a minimalistic security checklist for B2B software and business process outsourcing suppliers. It was designed by a team that included experts from Google, Salesforce, Okta, and Slack. The MVSP objectives are targeted at startups and other companies creating new applications, helping such organizations meet security standards expected by larger enterprises like Google. The MVSP is designed to be accessible for users, as a way to streamline the process of vendor assessment and procurement from the start to the contractual control stages.

[The Security Table] The Future Role of Security and Shifting off the Table
2023-10-17, 54 min
The Security Table gathers to discuss the evolving landscape of application security and its potential integration with development. Chris posits that application or product security will eventually be absorbed by the development sector, eliminating the need for separate teams. One hindrance to this vision is the friction between security and engineering teams in many organizations. Many people think that security incidents have negative implications on brand reputation and value. Izar points out that, contrary to popular belief, major security breaches, such as those experienced by Sony and MGM, do not have a lasting impact on stock prices...

[The Application Security Podcast] Hasan Yasar -- Actionable SBOM via DevSecOps
2023-10-16, 48 min
Hasan Yasar believes that everyone shares the responsibility of creating a secure environment, and this can only be achieved by working collaboratively. He underscores the idea that security is not an isolated endeavor but a collective effort, urging everyone to come together and build a world where safety and security are paramount. Yasar also shares his thoughts about education and security. He highlights the need for integrating security concepts right from the foundational levels of teaching programming languages. By introducing concepts like input validation and sanitization early on, students can be better equipped to handle security challenges...

[The Application Security Podcast] Varun Badhwar -- The Developer Productivity Tax
2023-10-10, 38 min
Varun Badhwar is a three-time founder, a luminary in the cyber security industry, and a clear communicator. He joins Chris and Robert on the Application Security Podcast to discuss scanning with context, SBOM plus VEX, and the developer productivity tax. The concept of a "Developer Productivity Tax" acknowledges the challenges developers face when bombarded with a plethora of vulnerabilities. This "tax" represents the drain on developers' time and resources as they navigate through a myriad of potential threats, many of which lack actionable context. The inefficiencies arising from this process can lead to significant delays in software development, emphasizing...

[The Application Security Podcast] OWASP Board of Directors Debate
2023-10-03, 1h 02
The Application Security Podcast presents the OWASP Board of Directors Debate for the 2023 elections. This is a unique and engaging discussion among six candidates vying for a position on the board. Throughout the debate, candidates address pressing questions about their priorities as potential board members, the future direction of OWASP, and strategies for community growth and vendor neutrality. Topics such as vendor agnosticism, the allocation of profits from global OWASP events, and the importance of community involvement are among the critical issues discussed. The questions presented by Chris and Robert include: What experience do you have...

[The Application Security Podcast] Itzik Alvas -- Secrets Security and Management
2023-09-26, 37 min
Itzik Alvas, Co-founder and CEO of Entro, is an expert on secrets security. Itzik joins Chris and Robert to discuss the significance of understanding and managing secrets, emphasizing the importance of knowing how many secrets an organization has, where they are located, and their potential impact. He elaborates on the three pillars of secrets management: listing and locating secrets, classifying and understanding their potential blast radius, and monitoring them for any abnormal behavior. The conversation takes a turn towards the future of secrets management, where Itzik believes there's a need for a shift in mentality. He...

[The Security Table] The Hamster Wheel of Scan and Fix
2023-09-26, 56 min
Matt and Izar join in a debate with Chris Romeo as he challenges the paradigm of "scan and fix" in application security. Chris references a LinkedIn post he made, which sparked significant reactions, emphasizing the repetitive nature of the scan and fix process. His post critiqued the tools used in this process, noting that they often produce extensive lists of potential vulnerabilities, many of which might be false positives or not appropriately prioritized. He underscores the need for innovation in this domain, urging for a departure from the traditional methods. Izar gives some helpful historical context at t...

[The Security Table] Threat Modeling Conference
2023-09-19, 32 min
The Security Table gathers to discuss the upcoming ThreatModCon 2023 (https://www.threatmodelingconnect.com), the inaugural and only conference dedicated entirely to threat modeling.
ThreatModCon 2023
Sunday, October 29, 2023
Marriott Marquis Washington, DC
The Threat Modeling Conference will cover various aspects of threat modeling, from AI integration to privacy concerns, from a brief history of threat modeling to hands-on workshops. The sessions will emphasize learning, interaction, and applying knowledge in real-world scenarios.

[The Security Table] AppSec vs. ProdSec
2023-09-12, 37 min
Chris Romeo, Matt Coles, and Izar Tarandach attempt to demystify the concepts of Application Security (AppSec) and Product Security (ProdSec). They find that even defining and differentiating both concepts is challenging. Various articles exist about AppSec and ProdSec, but the industry is generally confused about these terms. Discussing the role of hardware in product security initiates an animated debate. Questions arise about whether the presence of hardware makes something more of a "product" and how software-only products differ from those with hardware components. Supply chain challenges, the significance of hardware in security considerations, and the potential overlap b...

[The Security Table] The Return on Investment of Threat Modeling
2023-08-29, 33 min
The Security Table team dialogues about the importance of data and metrics in understanding and communicating risk. After Matt defines ROI, Izar emphasizes that while data is crucial, it doesn't always come in numerical form. Instead, risk can be expressed in various ways, such as trends, and doesn't necessarily need to be quantified in traditional terms. Chris stresses that executives need tangible metrics and data to make informed decisions, especially when communicating with legal teams and other stakeholders. They then talk about visibility and understanding the attack surface. Izar explains that the attack surface represents an organization's...

[The Application Security Podcast] Dan Küykendall -- Why All Application Security Products Suck
2023-08-22, 49 min
Dan Küykendall visits The Application Security Podcast to discuss his series "Why All AppSec Products Suck" and explain why software companies should understand the uses and limitations of any security tool. The series aims to highlight the limitations of each tool and to help users make informed decisions when selecting the right tools for their needs. In this field, there is no such thing as an expert; there is always something new to learn. Dan, Chris, and Robert remember the late Kevin Mitnick, a well-known figure in the cybersecurity community. They share their personal experiences with M...

[The Security Table] Secure by Design
2023-08-15, 39 min
"Secure by Design" has garnered attention with the release of a document by CISA. What does it mean? How does it fit with Threat Modeling? And will Secure by Design answer our need for secure software? "Secure by Design" means a system is designed with secure principles. The system should come pre-hardened and pre-secured, ensuring users don't have to configure it for security after installation. On the other hand, "Secure by Default" means that the system is configured correctly for security right out of the box. The hosts explore what it...

[The Security Table] Security Champions as the Answer to Engineering Hating Security
2023-08-01, 43 min
What happens when engineers transform into security champions? Is this beneficial, and what are the implications of this transformation? Izar reveals his transition from a naysayer to a supporter of security champions, and Chris and Matt seek to understand his current position. They explore the position of Security Champion and discuss the components of a good security champion program. Matt defines security champions as developers with influence who can be a bridge between security and engineering. They receive advanced training and bring resources to their team to lead them to effective threat modeling. While security champion programs...

[The Security Table] Lack of Reasonable, or Everything That Is Wrong with Security Requirements
2023-06-29, 34 min
How do you determine what constitutes "reasonable security" when evaluating vendors? Is "reasonable" a measure of compliance to a set standard? Is it reasonable to expect mature threat modeling practices? Some expectations are too high to be reasonable, but the minimum standard that both parties agree upon doesn't seem like enough. Join the hosts of the Security Table as they discuss the importance of a reasonable security standard, one that both a vendor and the buyer can agree upon. Izar bemoans the vetting process for software vendors that can be overburdened with paperwork and checkb...