The Balancing Act by Security Compass
Simone Curzi - Developer Centric Threat Modeling

Simone Curzi - Developer Centric Threat Modeling

September 12, 2022

Today we are joined by Altaz Valani from Security Compass and Simone Curzi, Principal Consultant at Microsoft, to talk about the role of developers within threat modeling. When we mention threat modeling, what often comes to mind are data flow diagrams created during a security design process. After these diagrams are created and eventually hit the developer backlog, we discover more insights that further evolve the security design. In this way, developers are crucial to an evolving threat model activity. Yet, many questions exist. We try to answer some of those developer questions related to threat modeling.

Useful links from this podcast:

Jason Keirstead - Standardizing on Security Tool Integrations

Jason Keirstead - Standardizing on Security Tool Integrations

August 31, 2022

Today we are joined by Altaz Valani from Security Compass and Jason Keirstead, Distinguished Engineer & Chief Technical Officer of Threat Management at IBM as well as Co-Chair of Open Cybersecurity Alliance. Security tool integrations are largely custom efforts today. That investment alone prevents loose coupling of our security tool architectures and timely delivery of security insights to key decision makers. Jason shares his insights on the work going on at Open Cybersecurity Alliance (OCA) to help solve this problem. The holy grail of an integrated security fabric that shares information across a toolchain can transform our ability to rapidly adapt to a changing threat landscape and allow for early detection of threat actor behavior. Jason shares his vision of how everyone can play a part in making this a reality, from customer procurement to vendor adoption of security standards.

Vaibhav Garg - Developer Centric Threat Modeling

Vaibhav Garg - Developer Centric Threat Modeling

June 30, 2022

Today we are joined by Vaibhav Garg, Executive Director, Cybersecurity & Privacy Research and Public Policy at Comcast, to talk about developer-centric threat modeling. We start by looking at ways to make threat modeling more appealing to developers. We discuss how a security team can help developers participate in threat modeling in the midst of continual change with both development and security teams. Ultimately, a threat modeling program is only as effective as the value it offers to a diverse group of stakeholders. We discuss how to measure and align the value of threat modeling across project, program, and executive levels. We conclude with Vaibhav’s thoughts about where he thinks developer-centric threat modeling is heading over the next 12 to 18 months.

Krish Raja - Bringing Developers Into Your Threat Modeling Program

Krish Raja - Bringing Developers Into Your Threat Modeling Program

May 20, 2022

Today we are joined by Altaz Valani from Security Compass and Krish Raja, Managing Director at Kroll Cyber Risk division, to talk about developer-centric threat modeling. We will start by discussing how threat modelers can help developers. We then discuss how to define the value of a threat modeling program and common pitfalls when creating such a program. We close off by discussing where threat modeling is headed in the future.

Simone Curzi - The Challenge of Integrating Threat Modeling into DevOps

Simone Curzi - The Challenge of Integrating Threat Modeling into DevOps

March 28, 2022

Today we are joined by Simone Curzi, Principal Consultant at Microsoft, to talk about some of the challenges we face today with conducting threat modeling. We will discuss how value creation in threat modeling is tied to the developer community and, ultimately, to the business. Our discussion will then look at how threat modeling must continue to evolve in light of our DevOps delivery cycles. We will conclude with a brief discussion on how organizations can operationalize a threat modeling practice.

Spencer Koch - The Importance of a Good Threat Modeling Practice

Spencer Koch - The Importance of a Good Threat Modeling Practice

March 21, 2022

Today we are joined by Spencer Koch, Offensive Security Professional at Reddit, to talk about building a threat modeling practice. We will examine when threat modeling should be done and the associated challenges. We will then turn our attention to the connection between threat modeling and secure coding in the developer space. In conclusion, we will explore some measures of success and where threat modeling is headed as the practice continues to add value and adapt to a changing software development paradigm that is more agile and cross-functional.

Kyle Lai - Managing the Change From CMMC 1.0 to CMMC 2.0

Kyle Lai - Managing the Change From CMMC 1.0 to CMMC 2.0

March 15, 2022

Today we are once again joined by Kyle Lai, Founder and CISO of KLC Consulting, to talk about CMMC. We will start by discussing the differences between CMMC 1.0 and CMMC 2.0 and discuss the timeline for CMMC 2.0 rulemaking. Our discussion will also look at CMMC 2.0 both from an assessor’s perspective and a Defense contractor’s perspective. Specifically, how an assessor should manage the change if they are already invested in CMMC 1.0 and next steps for a Defense contractor to do before CMMC 2.0 rulemaking is complete. CMMC impacts a broad ecosystem and being aware of the changes can help organizations prepare for the transition.

Kim Wuyts - Privacy Threat Modeling with LINDDUN

Kim Wuyts - Privacy Threat Modeling with LINDDUN

December 23, 2021

Today we are joined by Kim Wuyts from KU Leuven, to talk about privacy threat modeling. We will start by discussing what LINDDUN is and the difference between privacy threat modeling and security threat modeling. We will then discuss how a framework like LINDDUN can be used in DevSecOps pipelines as part of an evolving knowledge base. For those who wish to provide feedback to the LINDDUN team, Kim will share some ways that you can reach out to her team. Privacy is a critical part of our software that is often neglected. With new regulations and standards emphasizing both privacy and security, we need a consistent approach to help guide policy creation and software development activities.

 

Nick Deshpande - Data Governance

Nick Deshpande - Data Governance

December 20, 2021

Today we are joined by Nick Deshpande to talk about data governance and security. We will start by introducing the concept of data governance and the business importance of data governance. We will dig deeper and discuss who is responsible for creating and managing a data governance program. When looking at data governance as an enabler, we will turn our attention to three use cases: DevSecOps, Threat Modeling, and Zero Trust. In concluding, Nick will share his thoughts on where he sees data governance evolving over the next 12-18 months.

 

Kyle Lai - Complying With CMMC

Kyle Lai - Complying With CMMC

December 17, 2021

Today we are joined by Kyle Lai, Founder and CISO of KLC Consulting, to talk about CMMC. We will start by discussing the governance and ownership aspects of CMMC. Once a CMMC program has kicked off, teams usually have to overcome some challenges. We will discuss the top challenges with achieving CMMC compliance. In an era of DevSecOps, we will turn our attention to the importance of automation and conclude by discussing the impact of CMMC in the near future.

Podbean App

Play this podcast on Podbean App