Resilient Cyber

- What do you think some of the primary factors are that contributed to GRC not coming along initially with the DevOps movement?- Traditionally, what factors have plagued compliance when it comes to software delivery?- How do some of those factors change in the era of DevOps and Cloud-native?- Do you think regulation has a significant impact, and how can policy and regulation be improved?- How important is it for the workforce aspect of GRC to be addressed when it comes to compliance innovation and new technologies and ways of work?- Can incentives play a part, and if so, what can we do to improve that?- Andres - What was the impetus of the book and can you tell us a bit about the writing experience?- Where can people find out more about the book?

Chris: What do you think some of the fundamental changes of IAM are from on-prem to cloud?Chris: What are some of the key tradeoffs and considerations for using IDaaS offerings?Nikki: There are a lot of solutions out there that discuss zero trust as a product or a service that can be leveraged to 'bake in' zero trust into an environment. But I'm curious on your perspective - do you think we need additional tools to configure zero trust principles, or leverage the technology at hand to implement zero trust?Nikki: There's this move towards passwordless solutions - I can see that being a big boost to zero trust architectures, but I think we're still missing the need for trusted identities, whether it's passwords, pins, or tokens. How do you feel about the passwordless movement and do you think more products will move in that direction?Chris: You've been a part of the FICAM group and efforts in the CIO Council. Can you tell us a bit about that and where it is headed?Chris: It is said Identity is the new perimeter in the age of Zero Trust, why do you think this is and how can organizations address it?Nikki: There was an interesting research publication I read, titled "Beyond zero trust: Trust is a vulnerability" by M. Campbell in the IEEE Computer journal. I like the idea of considering zero trust principles, like least privilege, or limited permissions, as potential vulnerabilities instead of security controls. Do you think the language is important when discussing vulnerabilities versus security controls?Chris: What role do you think NPE's play in the modern threat landscape?Chris: If people want to learn more about the Federal FICAM/ZT Strategies, where do you recommend they begin?

Chris: For those not familiar with CVSS, what exactly is it, and why is vulnerability scoring important?Chris: What are some of the most notable critiques of CVSS?Nikki: I read your article 'A Closer look at CVSS Scores" and have had a lot of similar thoughts. The CVSS SIG is doing great work, and there are other scoring methods out there to help determine the real threat of vulnerabilities. Do you have any advice for organizations that are struggling with the amount of High and Critical vulnerabilities they see based on this scoring method? Chris: Do you think organizations approaching Vulnerability Management using CVSS strictly from base scores is an effective approach?Nikki:  Do you think that the industry needs a shift as far as vulnerability scoring systems? Not from a mathematical or quantification space, because we have some great people working on that. But from the understanding of how those vulnerabilities actually impact their businesses? Nikki: Where do you see vulnerability scoring and vulnerability management activities heading? Do you think we need some other methods for scoring insider threat and accumulating those scores with hardware and software vulnerabilities?Chris: Pivoting a bit from vulnerability scoring, I know you're also involved with groups such as OpenSSF. Can you tell us a bit about that work?Chris: What are your thoughts on Software Supply Chain Security more broadly, in terms of SBOM's, VEX, and the uptick in Software Supply Chain Attacks. Do you think we're trending in the right direction to respond to the rise in these attacks?

Chris: So you're a proponent of a term called RegOps, can you explain what that is to us a bit and how it differs from traditional compliance?Nikki: I'm interested in your background from Solutions Architect, to CTO, to Co-founding and running companies. Do you have any advice for other architects or IT and security practitioners for building up leadership skills and transitioning to business ownership? Chris: Do you think the evolution of Cloud and API enabled platforms is positioning us to innovate in compliance and potentially keep pace with DevSecOps? Nikki: What are some of the biggest reasons that organizations fail audits - do you feel like GRC/compliance and framework adoption is too challenging? Do you think that organizations are underwater with missing controls and where can they start? Chris: We know you're a big proponent of OSCAL and your organization RegScale has contributed to some of the OSCAL working groups. For those not familiar, can you explain what OSCAL is and the potential impact it can have on compliance?Nikki: What do you see as some of the emerging trends around solving compliance issues - do you think we need a mix of tooling, processes, and orienting our practitioners/users to adapt? Or do we have too many different frameworks/guidelines that it can be difficult for us to keep up?Chris: Looking at the future of compliance in say 3-5 years, how different do you think it will be and do you think this push towards automation, API's, codified artifacts and such will change compliance forever?

Nikki - In one of your recent posts you speak about how more organizations are looking to leverage service mesh in their own environments. Can you talk a little bit about why a team may be interested in moving to a more service mesh architecture? Nikki: What do you think may impede or stop an organization from adopting updated networking practices and technologies, like service mesh, and how can they get started adopting it?Chris: What role do you think Service Mesh plays in the push for Zero Trust and maturing security in cloud-native environments?Chris: I've heard you use the team Secure Service Networking, what exactly is this, and is it different than Service Mesh? We know there are the four pillars of Service Networking: Service Discovery, Secure Network, Automate Network, Access Service. What are these exactly? Chris: In the context of micro-services and Kubernetes, how does networking change? Nikki: The field of engineering is growing more and more, we have Infrastructure Engineers, Application Engineers, versus the traditional job roles of Systems or Software Engineers. Do you see an industry trend moving to expanding the engineering field into different disciplines, like Platform Engineers? Or do you think some of these roles are similar but are getting updated titles?Chris: HashiCorp has some excellent offerings such as Terraform, Vault, Consul and so on. What resources can folks use to upskill in these technologies?Nikki: I saw you recently did a talk on securing service level networking for the DoD - do you feel like a lot of those principles apply outside of the DOD or federal space? Or do you see the private sector using more of these technologies?

 Nikki: In some ways I think "software supply chain security" has become almost a buzz word, or buzz phrase? But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISO's or security leaders should know? Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software component inventory and SBOM as part of cyber vulnerability management?Chris: You were involved in the CNCF Secure Software Factory Reference Architecture. How was that experience and do you think organizations will be able to adopt the practices and guidance laid out there? There are a lot of moving parts. Nikki: How do you feel about how pentests should be involved in a software supply chain security program? I personally am curious about possible implications and benefits of actively (and consistently) testing dependencies and potentially finding unknown vulnerabilities.Chris: So we've talked about frameworks and guidance. Another big one is SLSA, Supply Chain Levels for Software Artifacts. What are your thoughts on SLSA and it's utility in the broader software supply chain security conversation.Chris: SCRM can be like eating an elephant when you look at CSP's, MSP's, Software, and so on - what are your thoughts for organizations that don't have the resources of say a CitiBank, such as an SMB. Where do they start?Nikki: I think we're still missing the human element of what a software supply chain security program looks like - how do you feel about that? Do you think we need to take more into account how people are using software, from a developer and a user perspective?Chris: There has been a lot of focus on Containers of course in the conversation around Cloud-native ecosystems, coupled with Kubernetes, IaC and so on. Do you think these innovations make the challenge of software supply chain easier, or more difficult to manage?

Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?Chris: Kubernetes, while it has many benefits also is a very complex technology, what are some of the key things organizations should keep in mind when using Kubernetes securely?Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject and I'm curious what you think may be the importance of RBAC around KubernetesChris: Any nuances or recommendations to those rolling their own versus using managed Kubernetes offerings?Nikki: What does governance look like around Kubernetes - specifically around large, multi-cluster environmentsChris: From a compliance perspective, what are some resources organizations can use to securely provision and operate Kubernetes from a compliance perspective?Nikki: Can we also chat about Kubernetes API logs when it comes to auditing and assessments?Chris: You lead the Kubernetes Top 10 project with OWASP, can you tell us a bit about that?Nikki: Where do you think kubernetes, clusters, etc are heading? What does the future look like for security teams to not only understand these new technology areas, but to understand how to secure them properly?Chris: Do you feel like security practitioners are keeping pace with the rate of innovative technologies like Kubernetes, and if now, how can we fix that?Chris: We know you are the CTO and Co-Founder of KSOC - tell us a bit about the firm and what you all specialize in and what led you to founding it?

- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?- Any thoughts are notable incidents such as SolarWinds, do you think they brought more attention to the build environment?- What are you thoughts on emerging guidance such as SLSA NIST SSDF or 800-161. Do you think these are helping bring attention to best practices on securing pipelines?- In the context of software supply chain security, why do you think pipelines are so critical?- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX and how can pipelines help facilitate that?- Cider has produced some excellent resources such as articles and also CICD Goat - how do you all keep innovating on the knowledge and tooling front and how has it been received by the community?- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?

This podcast discusses the evolution of cybersecurity as a business risk, the risks of the SEC proposal on cybersecurity disclosure, the convergence of data breaches and cyber stock manipulations, the difference between cyber resiliency and cyber security, and the importance of basic principles in cybersecurity risk management.