Down the Security Rabbithole Podcast (DtSR)

TL;DR: On this episode, it's just Jim and Rafal talking about how sometimes you just need to take a big step back from your day job and touch some grass. Our chosen profession is, demanding, to say the least. So let's take a minute to acknowledge what we're really thinking. Unfiltered, raw, and straight from our heads to your ears, enjoy.YouTube video: https://youtube.com/live/ULTq1pzckFgHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

TL;DR: This week's pod features a conversation with the Jay Jacobs, whom had previously been on the show talking about this very topic (vulnerability ranking/scoring) many, many years ago. If you missed Episode 297 check it out, it's crazy how far (or not) we've come since that conversation.YouTube Video: https://youtube.com/live/cpL9ZYbwkesHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

TL;DR: John Rafal & Jim as we welcome Dustin Lehr to talk about the state of AppSec and how we got here. We discuss vulnerabilities, accountability, culture, and a host of other things. It's a caffein-fueled episode, so buckle in!Youtube video: https://youtube.com/live/yoBIQ_sIawIHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

In this discussion, Brian 'Jericho' Martin, a seasoned expert in vulnerability intelligence and founder of attrition.org, dives into the complexities of vulnerability scoring and patching. He passionately debates the shortcomings of CVSS and critiques the CVE process, highlighting why many vulnerabilities remain unnumbered. Brian proposes a new prioritization model for addressing threats and stresses the need for better vendor responsiveness. With a nod to the messy realities of existing systems, he contemplates whether meaningful industry improvements are possible.

In this discussion, Robert "RSnake" Hansen, a renowned security researcher, critiques traditional vulnerability management. He argues that most patching efforts over the last two decades have been futile, as the majority of reported vulnerabilities never get exploited. Hansen reveals that vendor incentives hinder real change and examines the economic motivations behind attacks. He suggests focusing on monetary risk metrics and reevaluating what truly secures systems, emphasizing that the industry's current approach has inflated costs for defenders without impacting attackers.

TL;DR: This week's pod features your favorite hosts reflecting on how security has lost its way. When everything is a catastrophe, nothing is. When every breach is world-ending, none of them matter. Have we completely lost the plot? Prepare to have a good think.YouTube Video: <coming soon>Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

TL;DR: On this week's pod - Sean Scranton and Shawn Tuma make a return appearance to talk about Cyber (Security) Insurance. Some see it as the answer to cyber's problems, while others see it as just another question. Which is it? Is it just a matter of perspective? Listen in and find out!YouTube Video: https://youtube.com/live/GiuheFiFO78Have something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

TL;DR: This week's pod is all about healthcare-related data that is bought and sold the world over - and how you this data can be utilized while still preserving privacy. In this mind-blowing segment, John Kuhn of Integral joins Jim and I to talk about the vast quantities of data that's bought, sold, and aggregated for healthcare research - and how it can be used for good, while still preserving people's privacy (or what's left of it - debate ensues).YouTube Video: https://youtube.com/live/aa1xKEvhS5E?feature=shareHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

TL;DR: If you've ever wondered what goes through the mind of a top-tier CISO, wonder no longer. This week's episode features Trey Ford talking a little nostalgia, and a little of what's on his mind as a CISO. Fantastic episode, shout out to BugCrowd for the episode.Youtube video: https://youtube.com/live/uFl45Tb93gY?feature=shareHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast

TL;DR:  Let's talk, err, lament, Third Party Risk programs. Who has time for these, and is there any real value in identifying 3rd party risks? Or is it just all theater for the lawyers? Paul Farley joins Jim, James and Rafal to chop it up.Dive in with us, and see what you think.YouTube Video: https://youtube.com/live/Le23nkaybfEHave something to say? Let's hear it.Support the show>>> Please consider clicking the link above to support the show!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHqLinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/X/Twitter: https://twitter.com/dtsr_podcast