Three Buddy Problem

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline. In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, advanced threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.Links:Sleight of hand: How China weaponizes software vulnerabilitiesDakota Cary on TwitterMoussouris: U.S. Should Resist Urge to Match China Vuln Reporting MandateCSRB Log4j incident report (PDF)CISA China Cyber Threat Overview and Advisories

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB. In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.Links:Abhishek Arya on LinkedInOSS-Fuzz: Continuous fuzzing for open source softwareGoogle Brings AI Magic to Fuzz TestingAI-Powered Fuzzing: Breaking the Bug Hunting BarrierAI Cyber Challenge

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things.Links:Sergey Bratus Bio

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code.Links:DARPA AI Cyber Challenge Aims to Secure Nation’s Most Critical SoftwareAIxCC - AI Cyber ChallengeFollow Perri Adams on Twitter Google Brings AI Magic to Fuzz TestingAI-Powered Fuzzing: Breaking the Bug Hunting Barrier

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups.Links:Projects - Peculiar VenturesRyan Hurst on LinkedInBinarly - AI-powered firmware securitySandboxAQ

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Bessemer Venture Partner's Jason Chan returns to the show for a frank discussion on the state of cyber, including thoughts on Microsoft's prominent security failures, the meaning of layoffs hitting security teams, the excitement around AI, and the long road ahead. The former Netflix security chief also talks about merging of the IT and security functions and the importance of cybersecurity proving its value to the business.Links:Jason Chan, VP, Information Security, NetflixJason Chan on LinkedInFollow Jason on Twitter / XJason Chan - Bessemer Venture Partners — Jason Chan is an operating advisor at Bessemer where he brings over twenty years of experience in cybersecurity and is especially passionate about large-scale systems, cloud security, and improving security in modern software development practices. Most recently, Jason built and led the information security team at Netflix for over a decade. His team at Netflix was known for its contributions to the security community, including over 30 open-source security releases and dozens of conference presentations. He also previously led the security team at VMware and spent most of his earlier career in security consulting. 

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) GitHub security chief Mike Hanley joins the show to discuss merging the CSO and SVP/Engineering roles, securing data and code in an organization under constant attack, the thrilling promise of AI to the future of secure code, the dangers of equating SBOMs to supply chain security, and new SEC reporting rules for CISOs.Links:Michael Hanley on LinkedInGitHub SecurityGitHub Copilot AI pair programmerBig Tech Vendors Object to US Gov SBOM Mandate

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Cenlar FSB security chief Jason Shockey joins the show to discuss the task of securing a financial institution, pivoting from a career in the military to the private sector, the current state of the job market, managing risk from APTs, and the mission of his My Cyberpath project.Links:Jason Shockey on LinkedInMy CyberpathJason Shockey joins Cenlar FSBNIST Cybersecurity Framework

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Faraday chief executive Federico 'Fede' Kirschbaum joins the show to talk about building a startup in the vulnerability management space, the intricacies of the Argentinian hacking culture, stories of exploit writers and mercenary hackers, and the overwhelming U.S.-centric view of the cybersecurity industry.Links:Faraday at Black Hat 2023Fede on LinkedInFederico Kirschbaum on TwitterEkopartyPadding Oracles Everywhere (Rizzo/Duong)

Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Product security executive Kymberlee Price joins the show to gab about life in the trenches at the Microsoft Security Response Center (MSRC), the challenges of maintaining healthy hacker/vendor relationships, the harsh realities of bug-bounty programs, and thoughts on the cybersecurity job market.Links:Kymberlee Price on LinkedInBlueHat Seattle Closing Remarks - YouTubeKeynote: Defenders Assemble - Kymberlee PriceBlueHat | Microsoft