Resilient Cyber

 Nikki: In some ways I think "software supply chain security" has become almost a buzz word, or buzz phrase? But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISO's or security leaders should know? Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software component inventory and SBOM as part of cyber vulnerability management?Chris: You were involved in the CNCF Secure Software Factory Reference Architecture. How was that experience and do you think organizations will be able to adopt the practices and guidance laid out there? There are a lot of moving parts. Nikki: How do you feel about how pentests should be involved in a software supply chain security program? I personally am curious about possible implications and benefits of actively (and consistently) testing dependencies and potentially finding unknown vulnerabilities.Chris: So we've talked about frameworks and guidance. Another big one is SLSA, Supply Chain Levels for Software Artifacts. What are your thoughts on SLSA and it's utility in the broader software supply chain security conversation.Chris: SCRM can be like eating an elephant when you look at CSP's, MSP's, Software, and so on - what are your thoughts for organizations that don't have the resources of say a CitiBank, such as an SMB. Where do they start?Nikki: I think we're still missing the human element of what a software supply chain security program looks like - how do you feel about that? Do you think we need to take more into account how people are using software, from a developer and a user perspective?Chris: There has been a lot of focus on Containers of course in the conversation around Cloud-native ecosystems, coupled with Kubernetes, IaC and so on. Do you think these innovations make the challenge of software supply chain easier, or more difficult to manage?

- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?- Any thoughts are notable incidents such as SolarWinds, do you think they brought more attention to the build environment?- What are you thoughts on emerging guidance such as SLSA NIST SSDF or 800-161. Do you think these are helping bring attention to best practices on securing pipelines?- In the context of software supply chain security, why do you think pipelines are so critical?- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX and how can pipelines help facilitate that?- Cider has produced some excellent resources such as articles and also CICD Goat - how do you all keep innovating on the knowledge and tooling front and how has it been received by the community?- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?

This podcast discusses the evolution of cybersecurity as a business risk, the risks of the SEC proposal on cybersecurity disclosure, the convergence of data breaches and cyber stock manipulations, the difference between cyber resiliency and cyber security, and the importance of basic principles in cybersecurity risk management.

- First off, for those not familiar with Containers and Kubernetes, what are they?- Why are organizations increasingly adopting these technologies over traditional forms of compute?- How does Cybersecurity change with Kubernetes and what are some things practitioners should be sure to keep an eye on?- When organizations are adopting Kubernetes they often are faced with options such as rolling their own or using managed Kubernetes offerings, any thoughts there?- I recently read a report that researchers found 380,000 publicly exposed Kubernetes API servers, do you think people simply are spinning up these new technologies with security as an afterthought?- Kubernetes is incredibly complex, do you think this leads to challenges around properly configuring and securing it?- Any thoughts on software supply chain security as it relates to Kubernetes and Containers?- For those looking to learn more about Kubernetes and Container Security, do you have any recommended resources?

- For those unfamiliar with a vCISO, what is it and how is it different than a traditional CISO?- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?- How do organizations go about ensuring they get a qualified vCISO? Any things in particular to watch out for?- For those looking to get started as serving as a vCISO, any recommendations?- You are a great story teller and communicator on LinkedIn. What made you start making your videos?- How important do you think communication is to helping drive secure business outcomes for Cyber professionals?

Chris - Lets start off with discussing what is Purple Teaming exactly, and what is it not?Nikki - The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers - do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise? Chris - People often conflate Red Teaming, Pen Testing and Purple Teaming - how do we help clear up that confusion? Nikki - Purple teaming is supposed to be an iterative continuous process between red teams and blue teams. Do you feel like this continuous flow of information should be consistent between the teams? Do you feel like there is more value in one direction versus another?  Nikki - The purple team concept is centered around blue teams and red teams, but this type of iterative and cooperative concept could be applied outside of red teamers and network defenders. Do you see value between using this type of cooperation between security assessment and audit teams and network defense teams?Chris: You've been someone I have watched who has been really effective at personal branding through platforms like LI. Can you discuss how you approach that and why it is valuable?Chris: For those looking to get into Purple Teaming or more broadly OffSec or even Blue Team, what are some of your primary recommendations resource wise for learning?

Nikki - You have some really awesome content on LinkedIn around Vulnerability management - one of my favorite posts you made recently was asking "Is vulnerability management dead". Can you explain a little bit about what you mean? I'm curious on your take, because there isn't a ton of modern guidance around vulnerability management  Nikki - One of the biggest challenges I think we face around vulnerability identification, and specifically prioritization, is that a lot of emphasis is put around CVSS scores and CVE ID's specifically. And while an incredibly helpful tool, plenty of vulnerabilities are not ID'ed or are not seen in traditional vulnerability scanners. What do you think the industry can do to better use other tools/techniques to identify and remediate vulnerabilities?  Nikki - Can you talk a little bit about where you think we could use more guidance or leadership around vulnerability management? I really don't hear about it when we talk cloud security or AI/ML, but it still incredibly relevantChris - We know another topic you're passionate about is software supply chain security. Can you share your thoughts on where the industry is headed with SBOM, VEX and other efforts to bring transparency and better governance to the SW supply chain?Chris - You've also written and spoken a fair bit about broader Supply Chain Risk, partners, MSP's, CSP's etc. Do you think organizations are just now waking up to the exponential risk due to the interconnected and as-a-Service orientation we've taken as an industry?Chris - As we mentioned, you do a ton of writing on LinkedIn, as well as your substack distro. How do you keep up the pace and what led you to start the substack originally? Where can people follow it and stay informed? 

- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)- You were part of an effort to create the Threat Modeling Manifesto, can you tell us a bit about that project?- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring and if you think that will impact the Threat Modeling community?- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think that is an opinion among some and is it true? - Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences for same on-prem vs cloud systems?- For organizations looking to get started with Threat Modeling, where do you recommend they start? - Moving on from getting started, have you seen large organizations with successful, or unsuccessful Threat Modeling programs, and what were some major themes either way?

Nikki - You have a varied background between being a security engineer, consultant, manager, etc. What made you decide to focus more on the compliance aspects of cybersecurity?Chris - It is often said "Compliance doesn't equal Security". Why do you think this phrase has taken hold, do you think its accurate and how do we evolve beyond it? Nikki -  Based on some of your posts about compliance - one specifically about implementing frameworks and guidance from NIST and the CMMC standards - do you think there's a need in the industry to focus more on implementation guides or do you feel like organizations are to complex to create guides? Chris - On the topic of compliance frameworks, we seem to be so reactionary, with new frameworks coming after incidents etc. and organizations struggle to keep up. Do you think we have a framework sprawl problem?Chris - On the topic of 800-171 and CMMC, there's a lot of talk on the topic of affordability and cost and the impact to the small businesses in the DIB, which has already seen massive consolidation. What are your thoughts on this, and how do we balance compliance/security with the need for a robust DIB of suppliers?Nikki -  What do you think the future of compliance looks like? CMMC and otherwise - do you foresee more legislation around compliance coming down the pike?