In Episode 07 of Secrets of AppSec Champions, PenTesting with Nat Shere, Chris Lindsey hosts seasoned penetration tester Nathaniel Shere, who currently serves as the Technical Services Director at Craft Compliance. Nathaniel shares his journey into penetration testing, starting from his master's in cybersecurity and leading to over a decade of experience in the field. The duo delves into the pressing issues within the security industry, such as the high levels of stress, the pressure to remain updated, and the often exaggerated emphasis on industry certifications. They both agree that certifications, while useful for exposure, can sometimes be blown out of proportion, potentially watering down the actual requirements.

The discussion extends to technical aspects, highlighting the importance of error handling, visibility of dependencies, and the complexity of exploiting vulnerabilities like SQL injection. Nathaniel recounts memorable experiences, including the development of a Python script that uncovered critical security issues, and stresses the value of detecting and monitoring potential threats. The episode provides an in-depth look at the various penetration testing methodologies—white box, black box, and gray box—and the necessity of using accurate environments that mirror production settings. Both speakers emphasize the hacker's perspective in revealing security flaws and the role of secure coding practices and multi-factor authentication in strengthening security postures.

Chris and Nathaniel also touch on the ethical implications and collaborative benefits of penetration testing. Nathaniel highlights the importance of providing prioritized information to developers and the value of pen testing in offering true risk assessments. They agree on the need for external penetration testing for unbiased evaluations and recommend internal pen testers collaborate with external experts for broader exposure. Altogether, this episode offers listeners a balanced view of the technical and human elements crucial to successful penetration testing.

| ❇️ Key Topics with Timestamps
00:00 Career Progression in Cybersecurity Consultancy

05:03 Unexpected Access: Default Credentials and Security Breach

08:52 The Value of Penetration Testing in Development

12:19 Burp Suite: Demonstrating Data Theft Capabilities

14:59 Developers Overlooking Security Vulnerabilities: Common Mindset Mistakes

19:06 The Efficiency of Whitebox Testing in Application Assessment

21:52 Penetration Testing Reports and Web-Based Security Issues: An Internship Anecdote

26:12 The Importance of Internal and External Pen Testing

30:18 Managing Stress in Cybersecurity Career

32:50 The Value of Certifications in Security Learning

34:19 Promoting Shows: A Guide to Engaging Audiences

Additional information:
This episode has been provided by Mend.io

Chris Lindsey's LinkedIn account: https://www.linkedin.com/in/chris-lindsey-39b3915/
AppSecHive Public Community: https://www.linkedin.com/company/appsec-hive

Welcome to Episode 06 of "Secrets of AppSec Champions," titled "Working With Your CISO," featuring host Chris Lindsey and guest Yaron Levi, the Chief Information Security Officer (CISO) at Dolby Labs.

In this episode, Yaron Levi, with over 15 years of experience in various security functions, provides insights into the multifaceted role of a CISO. He discusses the relatively young profession, highlighting its diverse structures and responsibilities which include enabling businesses while managing risk and regulatory compliance.

The conversation delves into foundational aspects of security programs, such as governance, risk, compliance, and the importance of maintaining a robust defense posture. Yaron underscores the necessity for continuous learning and collaboration within the security field and emphasizes that the CISO's role is more about enabling safe business operations rather than strictly enforcing rules.

One of the key discussions revolves around the commonality of security threats, the significance of basic security measures, and how a substantial number of breaches stem from simple vulnerabilities like exposed credentials and misconfigurations. Yaron also emphasizes the importance of integrating security education for software developers and engaging software architects in mentoring roles.

The episode sheds light on the productive nature of bug bounty programs and responsible disclosure platforms for vulnerability testing. Yaron advocates for encouraging young individuals to engage in ethical hacking through structured channels.

The episode also touches on AI's impact on software development and security, reiterating a balanced approach to leveraging new technologies safely. The importance of simulations and tabletop exercises to prepare for security incidents is discussed, with example scenarios like ransomware attacks being used to test and improve response times.

Finally, Yaron stresses the importance of communication, especially in remote environments, urging employees to over-communicate any security concerns. He shares his experience of starting his role during the pandemic and highlights the significance of building trust remotely.

Chris Lindsey wraps up the episode by thanking Yaron Levi for his valuable insights and encourages listeners to subscribe, rate, and review the podcast to stay updated on future episodes.

00:00 Striving for 'Good Enough' in Business

06:01 Intentional Outreach and Security Measures: A Reminder

07:49 The Crucial Role of CISO in Cybersecurity and Software Development

12:49 Security: When, Not If

14:08 Prioritizing Cybersecurity Fundamentals: Key Threats Remain

19:50 The Minecraft Generation: Using Energy for Pen Testing

21:52 Building Bug Bounty Environment and Tabletop Exercises

25:36 Learning from a Ransomware Event Mishap

27:38 Challenges to Standardizing the CISO Role

33:15 Reframing the Role of Security: Protection Over Punishment

Additional information:
This episode has been provided by Mend.io

Chris Lindsey's LinkedIn account: https://www.linkedin.com/in/chris-lindsey-39b3915/
AppSecHive Public Community: https://www.linkedin.com/company/appsec-hive

In the episode "Reactive to Proactive" of the podcast Secrets of AppSec Champions, host Chris Lindsey engages with Shashank Balasubramanian, the Head of Application Security at Tripadvisor. Shashank has been managing the application security program at Tripadvisor for over four years, during which he has overseen the transition from a reactive to a proactive security approach. The conversation delves into the distinct characteristics of reactive vs. proactive security programs, highlighting the importance of integrating security measures early in the development process and fostering strong relationships between security teams and developers.

They discuss the significance of implementing the right security tools, such as Software Composition Analysis (SCA) tools, to address third-party vulnerabilities effectively and integrating these tools into the CI/CD pipeline. Shashank emphasizes the value of building a security-aware culture within the development teams through regular training and the establishment of a Security Champion program. These champions, who are trained in security best practices, help scale the security team's efforts by embedding themselves within various development teams, facilitating a proactive approach to security.

The episode also touches on the importance of executive engagement and effective communication regarding the security landscape. By providing detailed reports and metrics to executives, security teams can ensure there is a clear understanding of the program's ROI and reduce the likelihood of surprise incidents. This high-level visibility and proactive security posture ultimately lead to a more robust and efficient security program, enabling the organization to address vulnerabilities before they become significant issues. The conversation sheds light on practical strategies and tools that can help security professionals transition from reactive to proactive security measures, fostering a more secure and resilient organization.

Additional Links:
This podcast has been provided by: Mend.io

Chris Lindsey's LinkedIn account for daily content: https://www.linkedin.com/in/chris-lindsey-39b3915/
AppSecHive - Public community that Chris Lindsey runs: https://www.linkedin.com/company/appsec-hive