In this episode, we discuss the implications of AI technologies like OpenClaw and Moltbot, exploring the potential threats and societal changes that may arise from their integration into daily life. We talk about the nature of AI communication, the concept of agentic AI, and the philosophical questions surrounding the future of human and machine interaction. Per usual our conversation is laced with humor and skepticism about the rapid advancements in AI and their impact on society.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Are cybersecurity technologies really dead, or are reports of their demise greatly exaggerated? Today’s episode is a discussion on how AI is reshaping the classic build vs. buy debate, empowering non-engineers to create working prototypes and potentially reviving the DIY coding culture of pre-open-source days. We also talk about how developers trained on open source are now leveraging AI built from that same foundation, raising questions about innovation and originality in modern programming.

Build vs Buy is Dead - AI Just Killed It 

Traditional Code Review is Dead

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Dr. Kim Wuyts and Avi Douglen join us in today's episode. Both guests are fresh from their training sessions at Black Hat and DEF CON in Las Vegas and share a quick overview of their experiences. We discuss a newly developed privacy awareness card game called 'Context and Cringe,' which aims to educate participants about privacy issues in a fun and interactive way. We also cover an upcoming training session at Global AppSec DC in November, where attendees will learn practical privacy strategies and get hands-on experience with the card game. Join us as we explore how privacy differs from traditional security concerns in being less precise and more subjective.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We’re discussing the article, “Agentic AI Threat Modeling Framework: Maestro published back in February of this year on the Cloud Security Alliance blog. We discuss the various layers, patterns, and threats outlined in the framework, comparing it to existing methodologies like STRIDE and PASTA, and evaluate Maestro's structure, its potential complexity for developers, and its overall practicality and usefulness in the threat modeling arena. Listen along as we unravel the intricacies of the framework and share our candid thoughts on its strengths and weaknesses.

Agentic AI Threat Modeling Framework Maestro

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We’re talking about the rise of "vibe startups" - entrepreneurs hunting for problems to solve rather than building solutions from personal experience. We chat about AI security challenges, questioning whether these are truly new problems or just old security concepts repackaged for the AI era. From prompt injection and guardrails to the scary reality of AI agents acting as humans, we examine whether the industry's obsession with AI is leaving traditional security gaps exposed.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

What are the core competencies that matter most for modern application security teams? Today we discuss understanding code and systems thinking and the crucial ability to assess risk in context - plus why your AppSec team might eventually get absorbed into engineering (and why it could be a good thing). We debate the role of developer mindset in security, the importance of technical depth over tool knowledge, and how to build teams that truly enable rather than gate development. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Today we’re joined by Petra Vukmirovic. Petra, is the head of information security at Numan and co-leader of the Threat Model Library Project. Petra shares her vision for creating a massive, structured dataset of crowdsourced threat models that could revolutionize how the cybersecurity community learns and shares threat modeling knowledge. We explore the complex challenges of convincing companies to share their threat models publicly, diving into concerns about legal liability, competitive advantage, and the fundamental tension between transparency and security risk. Listen along to learn more about this exciting project and its potential impact on the cybersecurity field.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We’re discussing vibe coding again and how AI-generated code is reshaping software development. We discuss the trustworthiness and maintainability of AI-generated code, examining the challenges of reviewing and integrating automated changes at scale. The conversation spans from practical concerns about code quality to broader implications for open-source projects in an AI-augmented world. We talk about identifying telltale patterns in AI-generated code and why context and traceability are becoming essential for trusting automated systems.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

It’s security conference season and we’re discussing the importance of networking, the value of in-person connections, and sharing insightful tips for delivering effective presentations. From recapping our conference experiences, debating the significance of keynotes, to reminiscing about the impact of classic rock bands like Def Leppard. Listen now to hear about conference experiences, mentoring sessions, and the evolving industry landscape.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We’re discussing the complexities of the Model Context Protocol (MCP) and its application in AI systems. Join us for an in-depth discussion about MCP, agent-to-agent communication, and potential security vulnerabilities. We wrap up with a thought-provoking conversation on the future of AI safety and the challenges it presents. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Listen in as we debate the differences between threat intelligence and threat modeling. What distinguishes these two concepts in cybersecurity, and how do they inform each other? The conversation explores definitions, real-world examples, and the interconnected relationship between proactive threat modeling and reactive threat intelligence.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Today we delve into the evolving landscape of cybersecurity hiring, debating the merits of prioritizing skills over degrees and experience. From discussing the value of critical thinking and hands-on skills to the potential role of AI in the workforce, the conversation navigates the complexities of hiring practices. We share personal anecdotes, insights from industry articles, and our experiences as hiring managers. Tune in for a humorous and thought-provoking discussion on what really matters when building a successful cybersecurity team.

CISOs Rethink Hiring to Emphasize Skills Over Degrees and Experience article

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We’re predicting what 2026 has in store for AI and cybersecurity. We explore the wild possibilities of AI integration gone wrong, from people accidentally connecting their AI to sensitive file systems to blaming their AI agents for losing critical data. The conversation takes a thoughtful turn as they debate which jobs might fall to AI automation and if the human touch is still irreplaceable? Examining real examples like the "Y'allbot" weather monitoring system and photorealistic AI actress Tilly Norwood to illustrate how rapidly AI is transforming industries.Tune in and learn how to navigate the AI-powered future responsibly.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Vibe coding, or using AI to generate code by describing what you want. We critically examine the concerns surrounding AI-generated code, including code quality, security risks, and the potential for creating numerous low-quality applications. Our discussion explores whether AI can truly provide foolproof, production-ready code, or if it should be limited to idea generation and prototyping. Catch our candid take on the dangers of relying on AI for software development and the importance of maintaining human expertise in the coding process.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We’re discussing the complexities of saying 'yes' or 'no' in the context of security decisions in today’s episode and the enduring challenge of integrating security into software development. The conversation swerves into the intriguing idea of a trade-like progression for developers, contrasting it with current knowledge work. The episode culminates in a hit parade of pop culture references, including Star Wars, Star Trek, Firefly, and more. Tune in for a thought-provoking and fun conversation!

Article Link:  How to Say 'No' Well

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

The Cyber Trust Mark, a new FCC program aimed at assuring the security of IoT devices is the topic of discussion today. We discuss various aspects of the Cyber Trust Mark, the history of similar initiatives like UL certification, and the challenges faced by consumers in determining the security of their devices. They also debate the merits and drawbacks of regulations like the EU's Cyber Resilience Act, the importance of secure-by-default design, and the limitations of relying solely on consumers or independent labs to ensure security. Throughout, they explore whether this new mark can genuinely make a difference or if it's just a rehash of old ideas.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Hovercrafts and application security in the new year. We revisit last year's predictions on Quantum LLM, SBOMs, and whether DAST tools will make a comeback. With humor and forward-thinking, we explore what the future might hold for application security, the rise of new technologies, and even the outlandish idea of AppSec being dead. 

Episode mentioned:
AppSec Resolutions - January 9, 2024

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

What makes a conference truly valuable? Is it the unexpected connections and serendipitous meetings of minds, or the chance to break free from the "security echo chamber" by exploring diverse conference experiences? We discuss the considerations that make conferences worth attending and examine whether they are compelling enough to warrant personal investment. Whether large or intimate, each conference provides a distinct journey of learning and interaction.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We debate the necessity and efficiency of LLMs in finding code vulnerabilities in a C library compared to traditional static code analyzers and fuzzing techniques. The conversation explores broader topics in application security testing, including the evolving landscape of Dynamic Application Security Testing (DAST), fuzzing, and the potential of emerging technologies like Application Detection and Response (ADR).

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We discuss a controversial LinkedIn post claiming "Threat Modeling is Dead." While the STRIDE methodology may need updating, it remains a valuable "gateway" tool for teaching security concepts to developers without security backgrounds. We discuss how STRIDE serves as a useful categorization system, emphasize that dogmatic approaches to threat modeling are problematic, and argue that what matters most are results rather than strict adherence to any particular methodology. Our conclusion; STRIDE is still alive and relevant, but it could benefit from an update to demonstrate its continued applicability.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

A good discussion today covering two different articles, the first covers CISA's list of product security "bad practices", questioning whether it provides real value or is just content marketing. Then the discussion moves onto an article about Shift Left. The group debates whether it is truly more expensive to fix design flaws versus implementation bugs, noting the difficulty of quantifying the cost difference. They argue that the focus should be on providing proper training and incentives for developers to build secure software, rather than just adding more security tools. 

Articles discussed in the episode:

Product Security Bad Practices

Shift Left Pushback Triggers Security Soul Searching

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

This week we explore the multifaceted concept of obsolescence in technology, detailing its planned, unplanned, and forced forms. We delve into the security implications of outdated or unsupported devices and software, with a spotlight on cloud-connected vehicles and their vulnerabilities. We discuss architectural decisions, regulatory requirements, and real-world incidents like the OnStar hack, reflecting on the need for robust security protocols. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Is everything boring? Chris, Izar and Matt discuss why nothing seems interesting enough lately. Is the excitement of vulnerabilities and ransomware waning? The guys touch on Governance, Risk, and Compliance (GRC) in corporate auditing, the impact of ransomware and the contentious role of cyber insurance, the fading novelty of AI and its influence on security, and examine why essential security tasks might feel mundane yet remain vital. This is a candid conversation you won’t want to miss. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

We’re pulling back the curtain on the technology industry to reveal what life looks like when you're constantly aware of what can go wrong. From the loss of childlike wonder when encountering new tech to the ethical dilemmas posed by autonomous vehicles, we discuss the unique burden of seeing technology's darker possibilities. We’re examining how years of witnessing security breaches and system failures shape a professional outlook that balances innovation with caution.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

What constitutes an expert in the field of threat modeling? Today Matt, Chris and Izar explore cultural references, the intricacies of threat modeling practices, and the criteria that define an expert. The discussion touches on the evolution of threat modeling, the roles of facilitators, and the importance of experience and recognition in the field. The guys humorously debate the challenge of scaling practices in large organizations and share thoughts on how expertise can inspire others. Enjoy this amusing episode complete with tangents on movies, old media technologies, sports analogies, and competitive Excel.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of the Security Table with Chris Romeo, Izar Tarandach, and Matt Coles, the team dives into the evolving landscape of modern security approaches. They discuss the shift from strategy to tactics, the impact of data breaches, and why people are becoming numb to such incidents. The episode also touches on the importance of understanding the business side of security and the role of product managers as security champions. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of the Security Table, our hosts discuss the concept of the 'Shared Fate Model' in cloud security. The conversation explores how this model builds on the shared responsibility model and the implications for cloud service providers and consumers. From robust default security measures to the historical evolution of ISPs, the discussion covers technical and philosophical aspects of cloud infrastructure security. Join us for an informative and engaging session filled with the past and present of internet connectivity and cloud service security.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of The Security Table, hosts Chris Romeo, Izar Tarandach, and Matt Coles dive into the evolving concept of threat models, stepping beyond traditional boundaries. They explore 'Rethinking Threat Models for the Modern Age,' an article by author Evan Oslick. Focusing on user behavior, alert fatigue, and the role of psychological acceptability, they debate whether broader human factors should integrate into threat modeling. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of The Security Table Podcast, hosts ChriS, Izar and Matt dive into the recent statement by CISA's Jen Easterly on the cybersecurity industry's software quality problem. They discuss the implications of her statement, explore the recurring themes in security guidelines, and debate whether the core issue is with people or technology. Join the conversation as they analyze the roles of developers, QA engineers, and emerging AI tools in shaping a secure future, questioning if the industry is on the right path to real change.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of The Security Table, Chris, Izar, and Matt discuss an article that discusses threat modeling in the context of hardware. They explore the intersection of hardware and software security, the importance of understanding attack surfaces, and the challenges posed by vulnerabilities in hardware components, such as speculative execution faults and the impact of supply chain security. Join the conversation as they examine the critical points in the ongoing dialogue around hardware and software security integration.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Join us in this episode of The Security Table as we dive into the world of cybersecurity, starting with a nostalgic discussion about our favorite security-themed movies like 'Sneakers,' 'War Games,' and 'The Matrix.' We then shift gears to explore a critical topic in modern computing: the vulnerabilities and implementation issues of Secure Boot. Discover the intricate details of key management, human errors, and the challenges of maintaining trust in hardware and software systems. The conversation extends to the practicalities of password management, passkeys, and the broader implications of securing digital identities. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Join Chris, Izar, and Matt as they sit around the Security Table to dissect and discuss the different stages of dealing with security incidents. In this episode, they explore the developer's stages of grief during an incident, and discuss a recent large-scale IT incident. They share insights from their multi-decade experience in security, analyze the fragility of current systems, and discuss the role of luck and probability in security failures. 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of 'The Security Table,' we are back from our midsummer break to discuss OpenSSH regression vulnerability. We dig into the nuances of this race condition leading to remote code execution, explore the chain of security updates, and the role of QA in preventing such regressions. We debate the necessity of SSH in modern cloud-native environments and its alternatives. Plus, we answer the critical question of who should catch these vulnerabilities first — QA teams, pentesters, or automated tools? 

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode Chris, Matt, and Izar discuss the current state of security conferences and gatherings for professionals in the field. They discuss the value and viability of different types of gatherings, the importance of networking and community-building at events, innovative approaches to conference formats and the need for something more engaging and participatory that caters to both introverts and extroverts.

Personal experiences and preferences for conference attendance and speaking engagements are discussed along with hybrid approaches that combine presentations with facilitated discussions and interactive elements.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

What do roller coasters and threat modeling have in common? More than you'd think. In this episode, we explore how security professionals view risk differently than everyone else—and why that matters. From roller coaster anxiety to the ethics of identifying danger, we dive into the unique mindset that comes with being a threat modeler. Because once you learn to see threats everywhere, there's no going back.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of the Security Table, Chris, Izar, and Matt delve into the evolving landscape of cybersecurity. The episode has a humorous start involving t-shirts and Frogger as a metaphor for the cybersecurity journey, the conversation shifts to the significant topic of cybersecurity being at a crossroads as suggested by a CSO Online article.

They explore the concept of moving from a product-centric to an architectural-centric approach in cybersecurity, discussing the design and integration of inherent capabilities rather than relying on add-on products. The hosts look into the complexities of security and privacy, analyzing their intersections, the challenges of privacy threat modeling, and the importance of understanding the broader ecosystem in which data interacts. The episode concludes with a lively discussion on the evolving nature of security and privacy regulations, the impact of complexity, and the need for continuous threat modeling.

Article mentioned in this episode:
Cybersecurity at a crossroads: Time to shift to an architectural approach  

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of 'The Security Table,' hosts Chris Romeo, Izar Tarandach, and Matt Coles are joined by Brook Schoenfield, a seasoned security professional, to share insights and stories from his extensive career. 

The conversation covers Brook's experience in writing books on security, lessons learned from his 40-year career, and personal anecdotes about his life as a musician, including playing with legends like Bo Diddley and Chuck Berry. Brook highlights the importance of ensemble work in both security and music.

Books written by Brook Schoenfield:

Secrets Of A Cyber Security Architect (Auerbach, 2019) https://brookschoenfield.com/?page_id=331

Securing Systems: Applied Security Architecture https://brookschoenfield.com/?page_id=245

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

In this episode of 'The Security Table,' hosts Chris Romeo, Matt Coles, and Izar Tarandach discuss the CISA Secure by Design Pledge, a recent initiative where various companies commit to improving software security practices. The hosts critique the pledge, arguing that many of the signatory companies have long been focused on software security, making the pledge redundant for them. They dissect specific goals of the pledge, such as increasing multi-factor authentication (MFA) and reducing default passwords, and express concerns about their actual impact. 

Despite their skepticism of the pledge’s effectiveness and measurability, they do acknowledge CISA's intention behind the pledge is to move the industry forward.

Secure by Design pledge:  https://www.cisa.gov/securebydesign/pledge

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

The script delves into a multifaceted discussion encompassing critiques and praises of book-to-movie adaptations like 'Hitchhiker's Guide to the Galaxy', 'Good Omens', and 'The Chronicles of Narnia'. It then transitions to a serious examination of developers' evolving role in security, advocating for 'shift left' and DevSecOps approaches. The conversation navigates through challenges developers encounter in security practices, stressing the necessity of a DevSecOps framework, secure coding languages, and executive support for fostering a robust security culture within organizations.

Chris, Izar and Matt begin the episode with a lighthearted discussion about books turned into movies, including Hitchhiker's Guide to the Galaxy and The Chronicles of Narnia series. The main topic of conversation on today’s episode is an article titled "Why Developers Will Take Charge of Security, Tests in Production" by Lorraine Lawson, which interviews Larry Meshrom. The article suggests that developers should take on more responsibility for security, including testing in production environments, as security teams are often perceived as a blocker and don't understand the day-to-day work of developers. 

The guys question whether developers truly want to take on more security responsibilities, given the constantly evolving nature of security threats and the time it takes to stay up-to-date. They also discuss the role of product managers in driving security and privacy prioritization, and the need for executives to understand the business value of investing in security. The hosts argue that while mature organizations have governance processes in place to enforce security, smaller companies may lack such mechanisms. 

Ultimately, it is concluded that product managers are best positioned to communicate the business value of security to executives, as they are closest to understanding customer needs and revenue drivers. They propose that the industry should focus on educating and empowering product managers to prioritize security and privacy, and to make the case for investing in these areas to executives. This approach could help bridge the gap between security teams and developers, and drive a culture of security within organizations.

Link to article:  https://thenewstack.io/why-developers-will-take-charge-of-security-tests-in-prod/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Chris, Matt and Izar share their thoughts on an article published by Carnegie Mellon University’s Software Engineering Institute. The list from the article covers various threat modeling methodologies such as STRIDE, PASTA, LinDoN, and OCTAVE methodology for risk management. They emphasize the importance of critical thinking in the field, provide insights into strengths, applications, and limitations of each method, and highlight the significance of annotated threat models for application security.

Mentioned in this Episode:
Article: https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/

Podcast episode: Nobody's Going to Mess with Our STRIDE https://www.youtube.com/watch?v=TDFRe_icFmY&pp=ygUSdGhlIHNlY3VyaXR5IHRhYmxl

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Matt, Izar, and Chris delve into the complexities of open source security. They explore the topics of trust, vulnerabilities, and the potential infiltration by malicious actors. They emphasize the importance of proactive security measures, the challenges faced by maintainers, and propose solutions like improved funding models and behavior analysis for enhancing security within the open source ecosystem.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as being outdated, time-consuming, and does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good instrument, it is important to use the right tools in the right context. 

They also touch upon the common misconceptions about threat modeling, the misuse of tools like the Microsoft Threat Modeling Tool, and the benefits of collective threat modeling practices. Throughout, they defend the foundational role of STRIDE in threat modeling, promote the value of including diverse perspectives in the threat modeling process, and encourage looking beyond narrow toolsets to the broader principles of threat analysis.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Chris, Matt, and Izar discuss a recent Secure by Design Alert from CISA on eliminating SQL injection (SQLi) vulnerabilities. The trio critiques the alert's lack of actionable guidance for software manufacturers, and they discuss various strategies that could effectively mitigate such vulnerabilities, including ORMs, communicating the why, and the importance of threat modeling. They also explore potential ways to improve the dissemination and impact of such alerts through partnerships with organizations like OWASP, the various PSIRTs, and ISACs, and leveraging threat intelligence effectively within AppSec programs. Ultimately, the trio wants to help CISA maximize its effectiveness in the software security industry.

Link to CISA SQLi Alert:
Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software -- https://www.cisa.gov/sites/default/files/2024-03/SbD%20Alert%20-%20Eliminating%20SQL%20Injection%20Vulnerabilities%20in%20Software_508c.pdf

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Dive into the contentious world of AI in software development, where artificial intelligence reshapes coding and application security. We spotlight the surge of AI-generated code and the incorporation of copy-pasted snippets from popular forums, focusing on their impact on code quality, security, and maintainability. The conversation critically examines the diminishing role of traditional quality assurance measures versus the growing reliance on automated tools and AI, highlighting potential compromises between development speed and security integrity.

The discussion broadens to consider the future of software security tools in an AI-dominated era, questioning whether AI-generated code could make static application security testing (SAST) tools obsolete or introduce new challenges requiring more human oversight. The debate intensifies around the trustworthiness of AI in handling complex business logic and security policies without introducing vulnerabilities.

The dialogue concludes by reflecting on the balance between innovation and caution in software development. As AI advances, the conversation centers on ensuring it enhances rather than compromises application security, offering insights, anecdotes, and a dose of humor along the way. Stay tuned for more thought-provoking discussions on the intersection of AI and software security.

Helpful Links:
Article: "New study on coding behavior raises questions about impact of AI on software development" at GeekWire -- https://www.geekwire.com/2024/new-study-on-coding-behavior-raises-questions-about-impact-of-ai-on-software-development/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Matt, Chris, and Izar talk about ensuring security within the developer toolset and the developer experience (DevEx). Prompted by a recent LinkedIn post by Matt Johansen, they explore the concept of "secure by default" tools. The conversation highlights the importance of not solely relying on tools but also considering the developer experience, suggesting that even with secure tools, the ultimate responsibility for security lies with the developers and the organization.

The trio also discusses the role of DevEx champions in advocating for security within development processes, emphasizing the need for a balance between security and usability to prevent developers from seeking workarounds. They touch upon integrating security into the developer workflow, known as "shifting left," and the potential downsides of overburdening developers with security responsibilities.

There's a recurring theme of the complexity and challenges in achieving a "secure by default" stance, acknowledging the difficulty in defining and implementing this concept. The conversation concludes with an acknowledgment that while progress is being made in understanding and implementing security within DevEx, there's still a long way to go, and the need for further clarification and discussion on these topics is evident.

Matt Johansen's Original Post:
https://www.linkedin.com/posts/matthewjohansen_i-really-feel-like-a-lot-of-security-problems-activity-7170811256856141825-lKyx

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Is the cybersecurity industry facing a security problem or a software quality problem? In this episode, we’re tackling the controversial claim that AI advancements could make security teams obsolete—and uncover the deeper issues plaguing software development. The conversation reveals an uncomfortable truth: software companies often transfer the risk of vulnerabilities to customers, creating a system where there's little incentive to invest in security by design. Can AI bridge this gap, or do we need fundamental changes in how we approach software development and regulation?

Article: Ex-CISA head thinks AI might fix code so fast we won't need security teams

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Chris, Izar, and Matt tackle the first point of the recent White House report, "Back to the Building Blocks: a Path toward Secure and Measurable Software." They discuss the importance of memory safety in software development, particularly in the context of critical infrastructure. They also explore what memory safety means, citing examples like the dangers of using C over safer alternatives such as Java, Rust, or Go.

The debate covers the effectiveness of government recommendations on software development practices, the role of memory safety in preventing security vulnerabilities, and the potential impact on industry sectors reliant on low-level programming languages like C and C++. The dialogue highlights different perspectives on the intersection of government policy, software development, and cybersecurity, providing valuable insights into the challenges and importance of adopting memory-safe programming practices.

Helpful Links:

BACK TO THE BUILDING BLOCKS: A PATH TOWARD SECURE AND MEASURABLE SOFTWARE - https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf

Dance Your PhD 2024 winner, WELI, Kangaroo Time: https://youtu.be/RoSYO3fApEc

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword - while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs the line between vigilant security practices and unnecessary panic. Fear-based security strategies do not foster a secure environment.

The proliferation of smart devices and the internet of things (IoT) make many everyday objects potential targets for cyber-attacks. However, media sensationalism surrounds these vulnerabilities, and there is a lack of follow-through in educating consumers about realistic risks and protective measures. This gap underscores the need for reliable sources of cybersecurity info that can cut through the FUD, offering actionable insights rather than contributing to fear.

They also explore the practice of weaponizing security in competitive markets. Some companies leverage security breaches, or the lack thereof, to differentiate themselves in the marketplace. These marketing strategies highlight "superior" security features while pointing out competitors' breaches. While such tactics might draw attention to security considerations, they also risk confusing what constitutes meaningful cybersecurity practices. The industry needs to balance competitive advantage with ethical responsibility and consumer education. Who will fill the gap?

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Prompted by fan mail, Chris, Izar, and Matt engage in a role-playing scenario as a VP of engineering, a security person, and a product manager. They explore some of the challenges and competing perspectives involved in prioritizing application security. They highlight the importance of empathy, understanding business needs and language, and building relationships within an organization while dealing with security threats and solutions. They end with insights into the role of AI in AppSec, its prioritization, and its limitations.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Matt, Izar, and Chris have a lively discussion about how security experts perceive open-source software. Referencing a post that described open source as a 'hive of scum and villainy,' the team dissects the misconceptions about open source software and challenges the narrative around its security. They explore the complexities of the software supply chain, the notion of 'inheritance' when it comes to security vulnerabilities, and the impact of transitive dependencies. They also discuss reputation systems, dependency injection, and the reality of accepting responsibility for incorporated software packages and their security issues. Tune in for these and other thoughtful insights about the interplay between open source solutions and security aspects in software development.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!