Resilient Cyber

Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?Chris: Kubernetes, while it has many benefits also is a very complex technology, what are some of the key things organizations should keep in mind when using Kubernetes securely?Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject and I'm curious what you think may be the importance of RBAC around KubernetesChris: Any nuances or recommendations to those rolling their own versus using managed Kubernetes offerings?Nikki: What does governance look like around Kubernetes - specifically around large, multi-cluster environmentsChris: From a compliance perspective, what are some resources organizations can use to securely provision and operate Kubernetes from a compliance perspective?Nikki: Can we also chat about Kubernetes API logs when it comes to auditing and assessments?Chris: You lead the Kubernetes Top 10 project with OWASP, can you tell us a bit about that?Nikki: Where do you think kubernetes, clusters, etc are heading? What does the future look like for security teams to not only understand these new technology areas, but to understand how to secure them properly?Chris: Do you feel like security practitioners are keeping pace with the rate of innovative technologies like Kubernetes, and if now, how can we fix that?Chris: We know you are the CTO and Co-Founder of KSOC - tell us a bit about the firm and what you all specialize in and what led you to founding it?

- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?- Any thoughts are notable incidents such as SolarWinds, do you think they brought more attention to the build environment?- What are you thoughts on emerging guidance such as SLSA NIST SSDF or 800-161. Do you think these are helping bring attention to best practices on securing pipelines?- In the context of software supply chain security, why do you think pipelines are so critical?- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX and how can pipelines help facilitate that?- Cider has produced some excellent resources such as articles and also CICD Goat - how do you all keep innovating on the knowledge and tooling front and how has it been received by the community?- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?

This podcast discusses the evolution of cybersecurity as a business risk, the risks of the SEC proposal on cybersecurity disclosure, the convergence of data breaches and cyber stock manipulations, the difference between cyber resiliency and cyber security, and the importance of basic principles in cybersecurity risk management.

- For those unfamiliar with a vCISO, what is it and how is it different than a traditional CISO?- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?- How do organizations go about ensuring they get a qualified vCISO? Any things in particular to watch out for?- For those looking to get started as serving as a vCISO, any recommendations?- You are a great story teller and communicator on LinkedIn. What made you start making your videos?- How important do you think communication is to helping drive secure business outcomes for Cyber professionals?

- First off, for those not familiar with Containers and Kubernetes, what are they?- Why are organizations increasingly adopting these technologies over traditional forms of compute?- How does Cybersecurity change with Kubernetes and what are some things practitioners should be sure to keep an eye on?- When organizations are adopting Kubernetes they often are faced with options such as rolling their own or using managed Kubernetes offerings, any thoughts there?- I recently read a report that researchers found 380,000 publicly exposed Kubernetes API servers, do you think people simply are spinning up these new technologies with security as an afterthought?- Kubernetes is incredibly complex, do you think this leads to challenges around properly configuring and securing it?- Any thoughts on software supply chain security as it relates to Kubernetes and Containers?- For those looking to learn more about Kubernetes and Container Security, do you have any recommended resources?

Chris - Lets start off with discussing what is Purple Teaming exactly, and what is it not?Nikki - The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers - do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise? Chris - People often conflate Red Teaming, Pen Testing and Purple Teaming - how do we help clear up that confusion? Nikki - Purple teaming is supposed to be an iterative continuous process between red teams and blue teams. Do you feel like this continuous flow of information should be consistent between the teams? Do you feel like there is more value in one direction versus another?  Nikki - The purple team concept is centered around blue teams and red teams, but this type of iterative and cooperative concept could be applied outside of red teamers and network defenders. Do you see value between using this type of cooperation between security assessment and audit teams and network defense teams?Chris: You've been someone I have watched who has been really effective at personal branding through platforms like LI. Can you discuss how you approach that and why it is valuable?Chris: For those looking to get into Purple Teaming or more broadly OffSec or even Blue Team, what are some of your primary recommendations resource wise for learning?

Nikki - You have some really awesome content on LinkedIn around Vulnerability management - one of my favorite posts you made recently was asking "Is vulnerability management dead". Can you explain a little bit about what you mean? I'm curious on your take, because there isn't a ton of modern guidance around vulnerability management  Nikki - One of the biggest challenges I think we face around vulnerability identification, and specifically prioritization, is that a lot of emphasis is put around CVSS scores and CVE ID's specifically. And while an incredibly helpful tool, plenty of vulnerabilities are not ID'ed or are not seen in traditional vulnerability scanners. What do you think the industry can do to better use other tools/techniques to identify and remediate vulnerabilities?  Nikki - Can you talk a little bit about where you think we could use more guidance or leadership around vulnerability management? I really don't hear about it when we talk cloud security or AI/ML, but it still incredibly relevantChris - We know another topic you're passionate about is software supply chain security. Can you share your thoughts on where the industry is headed with SBOM, VEX and other efforts to bring transparency and better governance to the SW supply chain?Chris - You've also written and spoken a fair bit about broader Supply Chain Risk, partners, MSP's, CSP's etc. Do you think organizations are just now waking up to the exponential risk due to the interconnected and as-a-Service orientation we've taken as an industry?Chris - As we mentioned, you do a ton of writing on LinkedIn, as well as your substack distro. How do you keep up the pace and what led you to start the substack originally? Where can people follow it and stay informed? 

- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)- You were part of an effort to create the Threat Modeling Manifesto, can you tell us a bit about that project?- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring and if you think that will impact the Threat Modeling community?- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think that is an opinion among some and is it true? - Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences for same on-prem vs cloud systems?- For organizations looking to get started with Threat Modeling, where do you recommend they start? - Moving on from getting started, have you seen large organizations with successful, or unsuccessful Threat Modeling programs, and what were some major themes either way?