
Resilient Cyber

Latest episodes

Sep 1, 2022 • 33min

S3E16: Greg Thomas - Secure Service Mesh & Cloud-native Networking

Nikki: In one of your recent posts you speak about how more organizations are looking to leverage service mesh in their own environments. Can you talk a little bit about why a team may be interested in moving to a more service mesh architecture?

Nikki: What do you think may impede or stop an organization from adopting updated networking practices and technologies, like service mesh, and how can they get started adopting it?

Chris: What role do you think Service Mesh plays in the push for Zero Trust and maturing security in cloud-native environments?

Chris: I've heard you use the term Secure Service Networking. What exactly is this, and is it different than Service Mesh? We know there are the four pillars of Service Networking: Service Discovery, Secure Network, Automate Network, Access Service. What are these exactly?

Chris: In the context of micro-services and Kubernetes, how does networking change?

Nikki: The field of engineering is growing more and more; we have Infrastructure Engineers and Application Engineers versus the traditional job roles of Systems or Software Engineers. Do you see an industry trend moving to expanding the engineering field into different disciplines, like Platform Engineers? Or do you think some of these roles are similar but are getting updated titles?

Chris: HashiCorp has some excellent offerings such as Terraform, Vault, Consul and so on. What resources can folks use to upskill in these technologies?

Nikki: I saw you recently did a talk on securing service level networking for the DoD. Do you feel like a lot of those principles apply outside of the DoD or federal space? Or do you see the private sector using more of these technologies?
Aug 10, 2022 • 34min

S3E14: Jon Meadows - The Secure Software Factory

Nikki: In some ways I think "software supply chain security" has become almost a buzz word, or buzz phrase? But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISOs or security leaders should know?

Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software component inventory and SBOM as part of cyber vulnerability management?

Chris: You were involved in the CNCF Secure Software Factory Reference Architecture. How was that experience, and do you think organizations will be able to adopt the practices and guidance laid out there? There are a lot of moving parts.

Nikki: How do you feel about how pentests should be involved in a software supply chain security program? I personally am curious about possible implications and benefits of actively (and consistently) testing dependencies and potentially finding unknown vulnerabilities.

Chris: So we've talked about frameworks and guidance. Another big one is SLSA, Supply Chain Levels for Software Artifacts. What are your thoughts on SLSA and its utility in the broader software supply chain security conversation?

Chris: SCRM can be like eating an elephant when you look at CSPs, MSPs, software, and so on. What are your thoughts for organizations that don't have the resources of, say, a CitiBank, such as an SMB? Where do they start?

Nikki: I think we're still missing the human element of what a software supply chain security program looks like. How do you feel about that? Do you think we need to take more into account how people are using software, from a developer and a user perspective?

Chris: There has been a lot of focus on Containers of course in the conversation around Cloud-native ecosystems, coupled with Kubernetes, IaC and so on. Do you think these innovations make the challenge of software supply chain easier, or more difficult to manage?
Aug 10, 2022 • 36min

S3E15: Aaron Rinehart - Chaos Engineering

Aug 10, 2022 • 44min

S3E13: Jimmy Mesta - Kubernetes Security & Compliance

Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?

Chris: Kubernetes, while it has many benefits, is also a very complex technology. What are some of the key things organizations should keep in mind when using Kubernetes securely?

Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject and I'm curious what you think may be the importance of RBAC around Kubernetes.

Chris: Any nuances or recommendations to those rolling their own versus using managed Kubernetes offerings?

Nikki: What does governance look like around Kubernetes, specifically around large, multi-cluster environments?

Chris: From a compliance perspective, what are some resources organizations can use to securely provision and operate Kubernetes?

Nikki: Can we also chat about Kubernetes API logs when it comes to auditing and assessments?

Chris: You lead the Kubernetes Top 10 project with OWASP. Can you tell us a bit about that?

Nikki: Where do you think Kubernetes, clusters, etc. are heading? What does the future look like for security teams to not only understand these new technology areas, but to understand how to secure them properly?

Chris: Do you feel like security practitioners are keeping pace with the rate of innovative technologies like Kubernetes, and if not, how can we fix that?

Chris: We know you are the CTO and Co-Founder of KSOC. Tell us a bit about the firm, what you all specialize in, and what led you to founding it?
Jul 22, 2022 • 45min

S3E12: Daniel Krivelevich of Cider Security - CI/CD Pipeline Security

- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?
- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?
- Any thoughts on notable incidents such as SolarWinds? Do you think they brought more attention to the build environment?
- What are your thoughts on emerging guidance such as SLSA, NIST SSDF or 800-161? Do you think these are helping bring attention to best practices on securing pipelines?
- In the context of software supply chain security, why do you think pipelines are so critical?
- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX, and how can pipelines help facilitate that?
- Cider has produced some excellent resources such as articles and also CICD Goat. How do you all keep innovating on the knowledge and tooling front, and how has it been received by the community?
- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?
- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?
Jul 11, 2022 • 45min

S3E11: Larry Clinton w/ Internet Security Alliance: Cybersecurity as a Business Risk

This podcast discusses the evolution of cybersecurity as a business risk, the risks of the SEC proposal on cybersecurity disclosure, the convergence of data breaches and cyber stock manipulations, the difference between cyber resiliency and cyber security, and the importance of basic principles in cybersecurity risk management.
Jul 7, 2022 • 30min

S3E10: Magno Logan - Container & Kubernetes Security

- First off, for those not familiar with Containers and Kubernetes, what are they?
- Why are organizations increasingly adopting these technologies over traditional forms of compute?
- How does Cybersecurity change with Kubernetes, and what are some things practitioners should be sure to keep an eye on?
- When organizations are adopting Kubernetes they often are faced with options such as rolling their own or using managed Kubernetes offerings. Any thoughts there?
- I recently read a report that researchers found 380,000 publicly exposed Kubernetes API servers. Do you think people simply are spinning up these new technologies with security as an afterthought?
- Kubernetes is incredibly complex. Do you think this leads to challenges around properly configuring and securing it?
- Any thoughts on software supply chain security as it relates to Kubernetes and Containers?
- For those looking to learn more about Kubernetes and Container Security, do you have any recommended resources?
Jul 7, 2022 • 25min

S3E9: Rob Black - vCISO and Story Telling

- For those unfamiliar with a vCISO, what is it and how is it different than a traditional CISO?
- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?
- How do organizations go about ensuring they get a qualified vCISO? Anything in particular to watch out for?
- For those looking to get started serving as a vCISO, any recommendations?
- You are a great storyteller and communicator on LinkedIn. What made you start making your videos?
- How important do you think communication is to helping drive secure business outcomes for Cyber professionals?
Jun 22, 2022 • 32min

S3E8: Maril Vernon - Purple Teaming & Personal Branding

Chris: Let's start off with discussing what Purple Teaming is exactly, and what it is not.

Nikki: The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers. Do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise?

Chris: People often conflate Red Teaming, Pen Testing and Purple Teaming. How do we help clear up that confusion?

Nikki: Purple teaming is supposed to be an iterative, continuous process between red teams and blue teams. Do you feel like this continuous flow of information should be consistent between the teams? Do you feel like there is more value in one direction versus another?

Nikki: The purple team concept is centered around blue teams and red teams, but this type of iterative and cooperative concept could be applied outside of red teamers and network defenders. Do you see value in using this type of cooperation between security assessment and audit teams and network defense teams?

Chris: You've been someone I have watched who has been really effective at personal branding through platforms like LinkedIn. Can you discuss how you approach that and why it is valuable?

Chris: For those looking to get into Purple Teaming, or more broadly OffSec or even Blue Team, what are some of your primary recommendations resource-wise for learning?
Jun 16, 2022 • 22min

S3E5: Kelsei Young - Cybersecurity M&A & Doctoral Studies
