Cyber Security & Cloud Podcast

   Kevin Davis, Global CTO of AWS at Atos. Kevin has extensive experience in cloud technology, security and solutions and has a proven track record in senior roles at Cloudreach and Atos.     In this show, Kevin and Francesco discuss the move to the cloud, challenges in the cloud security pivot and how to leverage the power of the cloud for security controls.   The episode is brought to you by Phoenix Security; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the most important vulnerabilities and reduce your exposure to modern attacks. See it for yourself. Go to https://www.phoenix.security for a free 14-day licence.   1.40 - Kevin Intro 3.00 - Baby Steps into the cloud 6.00 - Shared Responsibility Model 9.00 - Operational Security in the Cloud 11.00 - Traditional Security to Cloud Security 16.00 - Security Governance in Cloud  18.00 - Paradigm Shift - Segmenting units 20.00 - Cloud native Tooling and migrating from traditional to modern 23.00 - Changes in the cloud as software gotcha and pitfalls 26.00 - Consolidated technology stack & Clod environment guardrails 27.30 - Devops and job demands - what is devops in the cloud 28.00 - Security in Devops for cloud - Devsecops  29.00 - People and security - the impact of cloud transformation in cloud 33.00 - Biggest threat in the cloud, cloud security misconfiguration 35.00 - Cloud security observability, logs, AI and investigation 36.00 - Positive message 38:00 - Closing   Kevin https://www.linkedin.com/in/relevantsoft/      Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 Linkedin: linkedin.com/in/fracipo  #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Ollie Whitehouse is the founder BinaryFirefly a boutique British cyber advisory firm with a career spanning over 25 years in applied cyber attack and defence. Ollie's portfolio of advisory positions today includes science advisory positions for UK Government as a member of the Science Advisory Councils for the Home Office and Police, Industry 100 within the National Cyber Security Centre and various Non-Executive Directorships. His operational tenures include over ten and half years at NCC Group where he was Group CTO until the end of 2022, BlackBerry and Symantec. Ollie has given oral evidence to the UK Parliament Joint Committee on the National Security Strategy twice in 2017 and 2022 on matters related to cyber security.   The episode is brought to you by Phoenix Security; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the vulnerabilities that matter most and reduce your exposure to modern attacks. See it for yourself. Go to https://www.phoenix.security for a free 14-day licence.     2:00 - Career and dot com 3:00 - Pen-testing and philosophy  5:00 - Business and Cybersecurity and role of the cyber NED 9:00 - CISO 10:00 - Executive understanding  12:00 - Cybersecurity technicalities - Pen tests and regulation 16:00 - Cybersecurity and regulation in the USA 19:00 - SBOM, Digital Software supply chain 22:00 - Regulators, Board and how they think  26:00 - Assets, different opinions based on generation 30:00 - Non exec hands-on startups vs later stage  35:00 - policy and frameworks, and assessing, quantifying the net value of a control 40:00 - Software vs infrastructure breach why more on software  42:00 - scaling attacks with automation 46:00 - the business perspective  47:00 - Positive message   Ollie Whitehouse https://www.linkedin.com/in/olliewhitehouse/  https://twitter.com/ollieatnowhere  https://bluepurple.binaryfirefly.com/archive  https://bluepurple.binaryfirefly.com/      Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 Linkedin: linkedin.com/in/fracipo  #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Chris Hughes is a Proven Cloud/Cybersecurity leader with nearly 20 years of experience in the Federal and commercial industries. Chris is an active blogger, passionate about all things cyber and a published author of books like Software Transparency.    The episode is brought to you by Phoenix Security; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the vulnerabilities that matter most and reduce your exposure to modern attacks. See it for yourself. Go to https://www.phoenix.security for a free 14-day licence.   1:12 Introductions 4:45 regulation and federal space 6:40 Software supply chain attacks 8:40 SSDF and SBOM 11:06 Software is complex 15:00 Vulnerability to attacks, attacker mindset  17:00 Common supply chain attacks 20:00 Cloud critiques, is cloud secure? 23:00 Business Risk, Quantifications, How to measure everything,  24:00 FAIR and Quantification at scale 25:00 Method to evaluate vulnerability, CISA KEV, EPSS, How to triage 28:00 Why does the software supply chain get attention 30:00 Get connected   Chris Huges   https://www.linkedin.com/in/resilientcyber/  https://podcasts.apple.com/us/podcast/resilient-cyber/id1555928024  https://resilientcyber.substack.com/  FAIR: https://www.opengroup.org/certifications/openfair  Hot to measure anything in cyber risk: https://amzn.eu/d/hBWxJGO    Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 Linkedin: linkedin.com/in/fracipo  #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/    Summary Transcript (auto-generated might have some typos)  Hello everyone and welcome back to the cybersecurity and cloud podcast, this is your host Francesco and this is probably the last last episode that we do in 2022 is 29 of December 2022 we're almost on the end of the years but we managed to squeeze in a last episode with chris Hughes and it's an absolute pleasure because we chris we've been interacting a lot of linking teasing each other over a number of topics and we said you know it's the time to come on the show and do a proper episode. So chris, thank you very much for coming on the show. Chris is uh is a consultant to direct robot via and it's been in Air force previously, so it's very heavily involved with a lot of us regulation around storm and around cybersecurity and the U. S. Has faced a lot of change in late and today in the episode we're gonna dig in and explore this. But before digging into the exciting topic of storm and software supply chain chris tell us a little bit more about you, how did you start? How did you get us to the point where you are today? Yeah definitely. I'm happy to give you some background. I start off active duty Air Force you know prior to that I always had an interest in computers and technology but got joined the Air Force and got put in cybersecurity and at the time I didn't really realize the opportunity. You know you're just a young kid you know. Uh And and then like I started really taking an interest in it because it was a fascinating career field and like I've never stopped you know I did four years in the Air Force and then I've been a federal employee with the U. S. Government twice once with the Navy doing cloud and deficit cops. And you know cyber security for them. And then also with an organization known as G. S. A. The General Services Administration which probably isn't too familiar for many. But like if you've heard of Fed ramp, I was part of the Fed ramp team reviewing cloud services coming to the you know us federal market there as a security to me. Um, and as you mentioned, I think we're definitely seeing like an evolution of the regulation in this space, you know, in our, in our environment, in the public sector. You know, we've always had things like Nist and uh, you know, risk management framework, Nist 853 and and you know, think of Nist 871 for defense, industrial base and then see mm see that people are talking about a lot now, thinking about, you know, not just software supply chain but supply chain risk management in general, you're under your suppliers. That was a topic that's gotten a lot of attention as of late and then, you know, obviously software supply chain, you know, it's not necessarily a new topic. You know, you can date new google. Had a white paper recently, they started like an incident from 1980 you know, for something where the United States did something that Russia with software and it's like, wow, this issue has been around for a long time, but it's gotten more and more attention, I think is, you know, we've seen open source adoption kind of accelerate and go, you know, go crazy, everyone's using open source software. Most modern applications are made of open source software and I think people are realizing like, you know, I think prototype for example, had a study showing that in the last three years it's like a 742% increase in software supply chain attacks. So malicious actors are paying attention. And now I think that's making organizations regulators, you know, the industry pay attention and try to respond to this brilliant. And then of course he moved over to cisa and kind of has kept up that, you know, that momentum since then. So I think, you know, definitely solar winds was kind of the watershed moment, I think from an attention perspective and then the cyber street executive order and all the, all the activity has come after that. And as you mentioned, like, you know, I think regulation is going to has and will continue to play a big part in this. Like, you know, without regulation forcing the issue, suppliers are not necessarily incentivized to provide this information that transparency and many, you know, I've been really focused or interested in the economic factors of cyber. Many consider cyber to be a market failure. They said, you know, regulation is required for the, for things to change. Um, and I think it's, you know, it's hard to argue with that because if we just leave it up to the industry, they're not going to necessarily provide this information. Why why would they, you know, just put some additional risk or scrutiny? So, yeah, I think, I think we're definitely seeing a lot of changes And security resolve doesn't seem like a massive cost. So if there isn't a regulation behind it, there isn't a business justification to a ship with a bomb. I think the attack of one of the big topic in cyber that is asset management in general. That is a huge debated and often avoided topic in, cyber or in generally 90 is not even a cyber problem. And I think this one kind of industry has now brought to the topic a problem that is like, what do we do with, what do  

  Anshuman Bhartiya has been in application security for 14 years and is currently the Principal Security Engineer at Thirty Madison. Today with Francesco, they discuss bug bounty, how security approaches differ at big companies and startups, and the state of the industry.    The episode is brought to you by Phoenix Security; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the vulnerabilities that matter most and reduce your exposure to modern attacks. See it for yourself. Go to https://www.phoenix.security for a free 14-day licence.   0:00 Introductions 2:37 State of industry 6:40 Big companies VS start ups 9:36 Anshuman’s blog 16:39 Mindset 17:34 Approach to security testing 24:30 Success story, bug bounty 36:00 Get connected 37:05 Outro    Anshuman Bhartiya https://www.anshumanbhartiya.com/ https://www.linkedin.com/in/anshumanbhartiya/ Twitter @Anshuman_BH    Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 Linkedin: linkedin.com/in/fracipo  #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Alex Sidorenko is an experienced risk manager, the host of Risk Awareness Week, and runs a popular blog and Youtube channel called “Risk Academy.” In 2021, Alex was named the Risk Manager of the Year by FERMA for helping save 13 million dollars in insurance premiums. Today, he breaks down the three layers of risk management— basic, standardized, and advanced. He explains that cybersecurity is still at the basic level because industry professionals haven't figured out how to quantify uncertainty to calculate risk and save money.    The episode is brought to you by Phoenix Security; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the vulnerabilities that matter most and reduce your exposure to modern attacks. See it for yourself. Go to https://www.phoenix.security for a free 14-day licence.   0:00 Introductions 3:50 View on risk 6:36 Science of risk management 12:44 NASA study 14:18 three layers risk management—basic, standardized, advanced 18:15 Generators VS users 22:40 Cybersecurity insurance 30:10 Risk Awareness Week 35:30 Environmental risk 38:41 How to Measure Anything in Cybersecurity 43:20 Capture data 45:56 Final positive message 51:00 Outro    Alex Sidorenko https://2022.riskawarenessweek.com/ https://linkedin.com/in/alexsidorenko  https://risk-academy.ru  https://riskacademy.blog/   https://www.youtube.com/channel/UCWE0eYucrQBo1SwKOjbkkSQ Twitter @alexei_sid   Books Mentioned Superforecasting: The Art and Science of Prediction by Philip E. Tetlock How to Measure Anything in Cybersecurity by Douglas Hubbard    Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 Linkedin: linkedin.com/in/fracipo  #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Lester Chng is a Veteran who transferred his war gaming military skills to the cooperate world. After being a Naval Combat Officer with the Singapore Navy for twelve years, he runs security exercise programs for a North American financial institution. Lester prepares high-level executives for worst-case scenario security crises. He explains that exercises help buy time, space, and brain processing power during a crisis.    The episode is brought to you by Phoenix Security; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the vulnerabilities that matters most and reduce your exposure to modern attacks. See it for yourself go to https://www.phoenix.security for a free 14 day licence   0:00 Introductions 0:28 Military background and current role 2:48 Simulation exercises 6:32 Involving leaders in security 9:04 Ransom 9:50 Advantages of military skills 14:15 A-ha moments 17:08 Damage control 19:00 Structuring exercise 23:30 Internal investments 26:55 Final positive message 31:00 Outro    Lester Chng https://www.linkedin.com/in/lesterchng/   Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 Linkedin: linkedin.com/in/fracipo  #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Amanda Alvarez is the Senior DevSecOps Engineer at Trace3. Francesco and Amanda met online in a Meetup group called “Let’s Talk Software Security!” Today they discuss building an application security program, managing technical debt, and Amanda’s advice for avoiding burnout as a security professional.    The episode is brought to you by Phoenix Security Cloud; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the vulnerabilities that matters most and reduce your exposure to modern attacks  https://www.appsecphoenix.com to get a free 30-day licence quoting CSCP https://landing.appsecphoenix.com/register   0:00 Introductions 3:24 State of Industry 4:00 Cloud adoption 6:57 Vulnerability mangement 9:44 AppSec, CloudSec, patch management 12:17 Asset and vulnerability management 19:52 Feedback loop 23:15 Company polities 28:40 Support from leadership 30:30 Positive message 33:30 Get connected 34:40 Outro    Amanda Alvarez linkedin.com/in/amanda-alvarez-88759ba1   Let’s Talk Software Security! https://www.meetup.com/lets-talk-software-security/     Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 Linkedin: linkedin.com/in/fracipo  #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Larry Maccherone is a Dev[Sec]Ops Transformation Architect at Contrast Security to create a wave of DevSecOps cultural transformation in software development and cybersecurity communities. He previously worked for five years at Comcast, leading their DevSecOps Transformation initiative. When it comes to software, Larry says security and quality are synonymous. He shares his tips and tricks for getting everyone, especially leadership, committed to security.    The episode is brought to you by AppSec Phoenix Ltd with the Phoenix platform; you can make Vulnerability management for software and organization SMART.  Follow the tag #appsecsmart https://www.appsecphoenix.com to get a free 30-day licence quoting CSCP https://landing.appsecphoenix.com/register   0:00 Introductions 1:26 Software entrepreneurship 4:18 State of the industry 8:20 Security at software startups 9:35 Work at Comcast 11:30 Control and measuring 17:15 SLA’s 22:26 Management involvement 30:18 Key takeaways— mindst 35:50 Final positive message 38:28 Outro    Larry Maccherone https://www.linkedin.com/in/larrymaccherone/ https://www.transformation.dev/ https://www.contrastsecurity.com/ Twitter @LMaccherone    Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Frank Kim is a security consultant, a startup advisor and investor, and a Fellow and Curriculum Director at SANS Institute. He’s been writing curriculum and teaching for SANS for 15 years, sculpting the next generation of CISO leaders and cloud security experts. Today on the podcast, he shares his thoughts on the industry, the gate vs guardrail mentality, and tips for public speaking. The episode is brought to you by AppSec Phoenix Ltd with the Phoenix platform; you can make Vulnerability management for software and organization SMART.  Follow the tag #appsecsmart https://www.appsecphoenix.com to get a free 30-day licence quoting CSCP https://landing.appsecphoenix.com/register   0:00 Introductions 2:00 Early career as developer 4:04 Teaching and public speaking 7:50 State of industry 9:58 Rise of cloud and security 11:35 New generation of cyber professionals 13:46 SANS Courses 16:04 Automation and human risks 18:50 Leadership training 21:54 Blueprints for organizations 24:10 Zero trust 26:25 Advice to CISOs 28:55 Prioritize vulnerabilities 34:40 Gates VS guardrails 37:40 Steve Katz 39:40 Final positive message 41:16 Outro   Frank Kim https://www.linkedin.com/in/frank-kim/ https://www.sans.org/profiles/frank-kim/ https://www.frankkim.net Twitter @fykim Mentioned Steve Katz https://www.securityweek.com/ciso-conversations-steve-katz-worlds-first-ciso SANS Institue https://www.sans.org   Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

  Dustin Lehr started his software engineer career, which piqued his interest in cyber security. He is now the Sr. Director of Platform Security at Fivetran and an innovative cyber security leader online, dedicated to bettering the industry. In this podcast, he discusses how companies can build their security teams with new talent that doesn’t have traditional and technical backgrounds. They also discuss the cost of bad security, relationship building, and security championship programs.    The episode is brought to you by AppSec Phoenix Ltd with the Phoenix platform; you can make Vulnerability management for software and organization SMART.  Follow the tag #appsecsmart https://www.appsecphoenix.com to get a free 30-day licence quoting CSCP https://landing.appsecphoenix.com/register   0:00 Introductions 1:28 Early career as a software engineer and DOD 3:12 Quality and security 4:56 State of Industry 7:20 Training and mentoring new talent 12:06 Programs and non-profits growing talent 15:30 Utilizing talent 19:56 Background in psychology and human behaviour 24:40 Security teams must provide value 26:34 Relationship building 28:25 Security tests 31:50 Cost of bad security 36:06 Helping startups 39:50 Final Positive Message 42:36 Outro    Dustin Lehr https://www.linkedin.com/in/dustinlehr/ Twitter @DustinLehr1  "Let’s Talk Software Security!” on meetup.com    Cyber Security and Cloud Podcast hosted by Francesco Cipollone Twitter @FrankSEC42 #CSCP #cybermentoringmonday cybercloudpodcast.com    Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/  
 Twitter: https://twitter.com/podcast_cyber   
 Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/