

The Security Table
Izar Tarandach, Matt Coles, and Chris Romeo
The Security Table is four cybersecurity industry veterans from diverse backgrounds discussing how to build secure software and all the issues that arise!
Episodes

May 19, 2023 • 38min
Simple Product Security Requirements
Matt, Izar, and Chris discuss the United Kingdom's new minimum security standards for all Internet-connected consumer products. They highlight three key aspects of these new standards:

Banning of Universal Default and Easily Guessable Passwords: The hosts agree this is a long-overdue measure, as universal default passwords present a significant security risk. They also touch on challenges such as vendor services requiring default passwords and potential ways to address this, like physical switches for privileged access.

Transparency about Security Updates: The hosts discuss the requirement for manufacturers to be clear about how long products will receive security updates. This provision aims to help consumers make better purchasing decisions. In addition, they discuss the challenges it may pose for smaller manufacturers and the potential impact on product pricing.

Vulnerability Reports: The hosts discuss a requirement for manufacturers to respond to bug bounty reports within a reasonable timeframe. They note that many companies need help managing this process effectively and express skepticism about whether this requirement will significantly improve the situation.

While they acknowledge that some of these requirements may challenge smaller companies, the hosts generally see them as a positive step towards better consumer product security.

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @SecTablePodcast
➜ LinkedIn: The Security Table Podcast
➜ YouTube: The Security Table YouTube Channel
Thanks for Listening!

May 4, 2023 • 37min
Reasonable Software Security: Do We Really Need DAST?
In this episode of the Security Table, the gang discusses reasonable software security. They explore whether current application security tooling, such as dynamic application security testing (DAST), provides a decent return on investment. The group acknowledges that the value of security tools depends on the organization's context and specific needs. They also touch on the importance of understanding a company's risk appetite and how this can inform what is considered reasonable security. The conversation concludes with the idea that reasonable security is not a constant but a function with various arguments.

Apr 27, 2023 • 52min
The Final Take on the National Cybersecurity Strategy: Software Liability And Privacy
Chris Romeo, Izar Tarandach, and Matt Coles discuss the national cybersecurity strategy, focusing on pillar three, which aims to shape market forces to drive security and resilience. They explore the idea of liability and the goal of shifting the consequences of poor cybersecurity away from the most vulnerable. The trio also considers the influence of GDPR and its impact on the US, comparing it to the European Union's experience.

The podcast hosts discuss the need for better security in IoT devices and the potential impact of the policy on the rest of the world, including China. In addition, they express concern about the potential for a tedious and complex liability process similar to the medical industry, which may not ultimately benefit users.

Apr 3, 2023 • 46min
A Convergence of AI in the World of Cybersecurity
Izar, Matt, and Chris scour the Interwebs for an article to discuss, only to find that each person has chosen an article related to the convergence of AI and cybersecurity. We discuss whether ChatGPT can replace humans in threat modeling, Microsoft's Security Copilot, and the open letter calling for a six-month freeze on AI development. AI is the future, and it will significantly impact the security professional's role.

Mar 20, 2023 • 1h 11min
The US National Cybersecurity Strategy -- Pillars One and Two
The Security Table gang continues our discussion about the United States National Cybersecurity Strategy, released in 2023. We cover pillars one and two: defend critical infrastructure, and disrupt and dismantle threat actors.

We talk about the importance of defining critical infrastructure and the responsibility of both the private and public sectors in protecting it. We also mention cybersecurity requirements to support national security and public safety and the challenge of getting various agencies and organizations to work together. Finally, the hosts ponder whether social media platforms could be considered critical infrastructure, and they conclude that critical infrastructure comes down to safety, security, and public welfare.

Mar 13, 2023 • 46min
The US National Cybersecurity Strategy - Introduction - Part One
The United States released a new National Cybersecurity Strategy. The gang gathers to discuss the new strategy and look at it from a practitioner's perspective. We discuss the impact and depth of the malicious actor section, with its increased emphasis on nation-states and the details shared about nation-state adversaries. We also get into a debate about a statement that responsibility for security decisions should be placed on the system rather than on the end user. Is this strategy a call for big brother disguised as security improvements? Is the US Government truly responsible for securing the Internet? Discussion and debate ensue.

We vowed to discuss the whole thing, and with this first episode, we got through the introduction. We will continue with additional episodes until we unpack the entire strategy.

Mar 5, 2023 • 51min
Application Security, Product Security, and what do we call this thing we do
The gang is back to debate and discuss the definition of application security. We start by figuring out what an application is and then layer security on top of it. We branch into how product security fits against application security and eventually conclude that system security is all-encompassing, but it's an old term. We also learn that Izar is uncomfortable speaking about cybersecurity at cocktail parties. Enjoy!

Feb 27, 2023 • 41min
Acronyms, Abbreviations, and a slide into Application Security
Matt, Izar, and Chris start the conversation by discussing all the acronyms and abbreviations we use in security, which then morphs into a discussion of what application security is. While they only scratch the surface of what application security is, this episode will make you think about all the acronyms we use in our industry and how they are received by those who are new to it and by outsiders.

Feb 14, 2023 • 41min
Security talent conclusion, from the candidate's viewpoint
The gang continues our discussion and debate around the security talent shortage. We consider the issue from the candidate's viewpoint this time, thinking about all the different things candidates have to deal with in being hired, from years-of-experience and certification requirements to the depth of the interview process. We try to draw some actionable conclusions for hiring managers because, without action, we are just part of the problem.

Feb 7, 2023 • 42min
Security talent shortage — fact or fiction
The gang considers whether the security talent shortage is fact or fiction. We've all hired people for security roles at different places and have heard about this "shortage" for years. We discuss the role of the business in building strong apprenticeship programs and the efforts of academia to prepare people for these roles. We don't resolve everything that needs resolution, so we'll be back with part two next week on this same topic.

Show notes:
https://www.prnewswire.com/news-releases/despite-slowing-economy-demand-for-cybersecurity-workers-remains-strong-301730414.html
https://accesscyber.co/blog/10000-cybersecurity-jobs


