2min chapter

CSCP S4EP18 - James Berthoty - What The heck is ASPM and the evolution of Product security

Cyber Security & Cloud Podcast

notes

CHAPTER

Navigating Container Security and Organizational Mindsets

This chapter explores the challenges of communication between application security and security operations teams in managing container security. It also highlights the importance of vendor contributions to innovation in the face of skepticism from the security community.

00:00

Transcript

Episode notes

Join us for an engaging episode as we welcome James Berthoty, a seasoned cybersecurity professional with a diverse background spanning sysadmin, DevOps, and security engineering roles. James takes us through his journey across different organizations, including his current role at PagerDuty, where he tackles the intricate challenges of FedRAMP compliance. Listen in as James shares insights on the rapid evolution of the Application Security (AppSec) industry, driven by the need for infrastructure professionals to interact with application code in today’s API-driven cloud environment. We also explore the disparity in innovation recognition among security solution providers and the difficulties of staying current in this fast-paced industry.

Sponsored by Phoenix Security: This episode is brought to you by Phoenix Security, leaders in vulnerability management from code to cloud. Take control of your security with Phoenix and see firsthand how to prioritize and act on critical vulnerabilities with a free 14-day license available at Phoenix Security - Request a Demo.

We also discuss the complex challenges of managing visibility and actionability within cybersecurity, particularly in handling software vulnerabilities. Learn about the evolution of patch management and the inefficiencies of the Common Vulnerabilities and Exposures (CVE) system, which often leads to false positives. This conversation sheds light on the market's tendency to prioritize quantity over quality in vulnerability detection tools and the potential shift towards more precise, less noisy solutions. Effective testing and benchmarking tools, like insecure testing repositories and OWASP projects, are also highlighted as a means to enhance the reliability of security tools. Finally, we explore the broader landscape of security tools and frameworks, including the stringent requirements of FedRAMP and the balance between flexible and opinionated tools. Through case studies and real-world examples, we discuss the significance of asset management, the evolving landscape of security tools, and the importance of transparency in marketing. The episode wraps up with a look at managing open-source supply chain risks and the crucial role of entities like Tidelift in providing paid maintenance services, reflecting the industry's shift towards better security practices. Don't miss this comprehensive exploration of the current state and future trends in the cybersecurity and software security industry.

Episode Highlights:

•Application Security and ASPM: We delve into the complex challenges of Application Security Posture Management (ASPM), focusing on managing visibility and actionability within cybersecurity, particularly in handling software vulnerabilities.

•Vulnerability Management: Learn about the evolution of patch management and the inefficiencies of the Common Vulnerabilities and Exposures (CVE) system, which often leads to false positives.

•Effective Testing Tools: This conversation sheds light on effective testing and benchmarking tools, like insecure testing repositories and OWASP projects, to enhance the reliability of security tools.

•FedRAMP and Security Tools: Explore the stringent requirements of FedRAMP and the balance between flexible and opinionated tools in the broader landscape of security frameworks.

•Asset Management: Through case studies and real-world examples, we discuss the significance of asset management in vulnerability management and the evolving landscape of security tools.

•Open Source Supply Chain Risks: The episode wraps up with a look at managing open-source supply chain risks and the crucial role of entities like Tidelift in providing paid maintenance services, reflecting the industry’s shift towards better security practices.

What's Inside This Episode:

00:54 - Host Introduction: Francesco Cipollone introduces the episode and guest James Berthoty.
01:27 - Guest Introduction: James Berthoty shares his background and journey in cybersecurity.
02:07 - Managed Detection Response Insights: James discusses his experience and insights from working in managed detection response.
05:16 - AppSec Industry Evolution: Discussion on the rapid changes in AppSec and the impact of new technologies.
09:28 - The Challenge of Vulnerability Management: Francesco and James delve into the complexities of modern vulnerability management.
12:32 - Tool Integration and Market Trends: The conversation shifts to the integration of various security tools and market trends.
20:21 - Security Operations Challenges: The struggle of handling CSPM alerts and the role of security operations.
27:01 - Asset Management Importance: The critical role of asset management in vulnerability management and its implications.
31:48 - Market Evolution and Tool Adaptation: Discussion on how security tools need to adapt to evolving market demands.
35:50 - Reachability Analysis and SBOM: The importance of reachability analysis and the challenges of maintaining secure software supply chains.
44:50 - Positive Outlook on Security Discussions: Concluding thoughts on the positive impact of increased security discussions and market involvement.
46:09 - Closing Remarks: Francesco wraps up the episode and provides information on how to follow James Berthoty.

Connect with James Berhoty

Website: Latiotech
LinkedIn: James Berthoty

James Berthoty is a passionate security professional writer and creator of Latio Tech, dedicated to transforming security teams into integral contributors to product development, embodying the true essence of DevSecOps. As a former Security Engineer at PagerDuty, James leverages his extensive experience in sysadmin, DevOps, and cloud security to drive innovative security practices and ensure robust application security.

Driven by his mission to connect people with the right products, James founded Lacio Tech, a platform that provides insights and reviews on emerging security technologies and startups. His hands-on experience in both startup environments and large enterprises equips him with a unique perspective on the challenges and solutions in the cybersecurity landscape.

Residing in Tampa, Florida, James balances his professional life with his personal passions. He lives with his wife, Alexxus, and their three children. By day, he leads DevSecOps initiatives at ReliaQuest, and by night, he pursues a PhD in Philosophy and indulges in video gaming. His commitment to continuous learning and his multifaceted interests make him a dynamic and influential figure in the cybersecurity community.

Connect with James:

Follow Cyber Security and Cloud Podcast