
    We Hack Purple Podcast

    The We Hack Purple Podcast will help you find your career in Information Security via interviews with our host, Tanya Janca, and our guests from all different backgrounds and experiences. From CISOs and security architects, to incident responders and CEOs of security companies, we have it all. Learn how they got to where they are today! www.WeHackPurple.com
    84 Episodes


    Episodes (84)

    We Hack Purple Podcast Episode 63 with Guest Mick Douglas


    In this episode of the We Hack Purple podcast, host Tanya Janca met with her colleague from IANS Faculty: Mick Douglas, founder of InfoSec Innovations! We talked about EVERYTHING AppSec and definitely could have easily talked at least 2 more hours! He explained what honey pots/honey files/honey links are, and how to use them. We also covered creating a "tamper evident" network and system, as well as how marketing people have really messed up the term "shift left" for the rest of us. Not only that, but the episode had TONS of laughs!

    Mick's Bio:

    Mick Douglas has over 10 years of experience in information security and is currently the Managing Partner for InfoSec Innovations. He specializes in PowerShell, Unix, Data Visualization, Hardware, and Radio Hacking and teaches SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and SEC555: SIEM with Tactical

     

    Very special thanks to our sponsor: Luta Security!

    Luta Security is the global leader in transforming how governments and organizations work with friendly hackers to bolster their security. LutaSecurity can manage end-to-end vulnerability disclosure and bug bounty programs or train your existing staff to maximize your security investment. Visit LutaSecurity.com/services to get started today!

    Join us in the We Hack Purple Community:  A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    #appsec #wehackpurple #shehackspurple

    We Hack Purple Podcast Episode 62 with Guest Olivia Rose


    In this episode of the We Hack Purple Podcast we meet Olivia Rose, founder of Rose CISO Group (www.RoseCISOGroup.com).

    We talked about the fact that "consulting rules!", mentoring opportunities, and how CISOs and AppSec people have to fight to do their jobs all day, every day. Olivia dove into how to translate what you do, as a cyber security expert, to the executive board and other folks who are brilliant, but not-so-technical. She also gave us the secrets for how to make leadership care about the security work you do, the goals you have, and so much more!

    She told us all about her mentoring program, and that the deadline to apply is December 30, 2022 (for mentors)! Mentees have until January 21, 2023. So get crackin' on those applications. You can apply here to be a mentor or a mentee. Or both!

    Olivia also gave us the heads up on her newest adventure, the Rose CISO Group! Her new company offers virtual Chief Information Security Officer (CISO) services, boardroom and leadership communications, assessment services, keynote speaking, event presentations; and career and executive coaching... All led by experienced enterprise CISOs!

    Join us in the We Hack Purple Community:  A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    #appsec #wehackpurple #shehackspurple

    December 23, 2022

    We Hack Purple Streams! Securing Open Source Dependencies: It's Not Just Your Code That You Need to Secure, With Rana Khalil


    The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we’ve seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed as the “worst security flaw of the decade”. 

    This prompted studies, which determined that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that their custom code is secure, usually little to no consideration is put into evaluating the security of the open-source components they use. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. We’ll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines.

    Rana is an application security engineer consultant currently working at C3SA. She has a diverse professional background with experience in software development, quality assurance and pentesting. She holds a Bachelor and Master’s degree in Mathematics and Computer Science from the University of Ottawa. She has spoken about her research and work at several local and international conferences. In her non-existent free time, you can find her posting educational videos and holding workshops through her Academy and YouTube channel. She has received several awards and honorable mentions for her research and contributions to the cybersecurity community. 

    Speaker Links: 
    Youtube Channel: https://www.youtube.com/c/RanaKhalil101 
    Academy: https://ranakhalil.com/ 
    Twitter: https://twitter.com/rana__khalil 
    LinkedIn: https://www.linkedin.com/in/ranakhalil1/ 
    Medium Blog: https://ranakhalil101.medium.com/

    December 23, 2022

    We Hack Purple Podcast Episode 61 with Guest Gemma Moore


    In this episode of the We Hack Purple Podcast we meet Gemma Moore, co-founder and director of Cyberis. Gemma is an expert in penetration testing and red teaming. She started her career in cyber security nearly twenty years ago, working her way up from a junior penetration tester to running the penetration testing practice in a specialist consultancy by 2011. She is a founding director of the information security consultancy, Cyberis.

    Over her career, she has held CREST certifications in Infrastructure, Applications and Simulated Attack, and now focuses most of her efforts on planning, running and executing red team and purple team exercises.

    In recognition of her outstanding level of commitment to the technical information security industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship award in 2017.  

    Gemma was a contributing author to the BCS’ “Penetration Testing: A guide for business and IT managers”  

    Gemma was named “Best Ethical Hacker” in the 2018 Security Serious Unsung Heroes industry awards, and has been honoured by SC Magazine as one of its 50 Most Influential Women in Cybersecurity, and by IT Security Guru magazine as one of its Most Inspiring Women in Cyber.  

    We talked about everything to do with red teaming and pentesting, especially what the difference was between the two, risks involved, setting scope, and several funny and scary stories! We also talked about what people are trying to achieve with a red teaming exercise, and how things can go terribly wrong when we blame everything on the user. This was through and through a fantastic conversation.

    You can learn more by reading Gemma’s blog!

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter

    Find us on Apple Podcast, Overcast + Pod

    #TanyaJanca #SheHacksPurple #AppSec #CyberSecurity 

    December 12, 2022

    We Hack Purple Podcast Episode 58 with Guest Anshuman Bhartiya


    In this episode of the We Hack Purple Podcast we meet Anshuman Bhartiya, a Principal Security Engineer who also happens to be an avid AppSec blogger (https://www.anshumanbhartiya.com/) and conference speaker.

    We talked about how the SAST industry seems to be divided into two camps, as well as “the old guard” who used to say no to everything, versus newer ways of working towards better AppSec, such as using empathy and enablement, rather than a stick. Anshuman is a huge fan of automation (I mean, who isn’t?) and he covered many ways we could use it for better security, including vulnerability management. We covered how vulnerability management tends to have 3 phases (finding bugs, fixing bugs, then retesting to ensure they are fixed) and how step two appears to be the most difficult. We ended on inventory, cool new tools that are out, and how there’s still more work we can do in this area to make it even better. All in all, this is a great episode!

    Here are some links you will need to keep track of Anshuman and the great content he releases:
    https://www.anshumanbhartiya.com/
    https://www.linkedin.com/in/anshumanbhartiya/
    https://twitter.com/anshuman_bh

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter!

    Find us on Apple Podcast, Overcast + Pod

    November 21, 2022

    We Hack Purple Podcast Episode 59 with Guest Vitaly Unic


    In this episode of the We Hack Purple Podcast we meet Vitaly Unic, the head of AppSec Research at Bright. We talked about creating an application security program with realistic goals, what works and what does not work. We dove into how to roll out a tool and get the most value, and then took a deep dive into how DASTs are built. How does a DAST find vulnerabilities, how does it discover the attack surface, and what, exactly, is an endpoint? Listen to learn more!

    Join us in the We Hack Purple Community:
    A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter! https://newsletter.wehackpurple.com/

    Find us on Apple Podcast, Overcast + Pod

    #TanyaJanca #SheHacksPurple #AppSec #CyberSecurity

    November 10, 2022

    We Hack Purple Podcast Episode 57 with Guest Sherif Koussa


    In this episode of the We Hack Purple Podcast we meet one of host Tanya Janca’s professional mentors: Sherif Koussa of Software Secured and Reshift Security.

    In this episode we talked about how we could prevent the next Log4J. We covered government regulations, industry compliance, tooling, SBOMs, inventory, incident response, and more! Check it OUT! 

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter

    Find us on Apple Podcast, Overcast + Pod 

    August 29, 2022

    We Hack Purple Podcast Episode 56 with Guest Yael Nagler


    In this episode of the We Hack Purple Podcast we meet another of host Tanya Janca’s friends: Yael Nagler, founder of Yass Partners!

    Yael has built a career advising large businesses about processes and risk. In this episode she covered:
    - How to use Situational Awareness
    - Ten Steps to win at corporate!
    - How to talk so CISOs will listen. How to listen so CISOs will talk.
    - What are CISOs being asked.
    - Why helping others is the best feeling in the entire world.

    Join us in the We Hack Purple Community:
    https://community.wehackpurple.com/ 
    A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter! https://newsletter.wehackpurple.com/

    July 21, 2022

    WeHackPurple Podcast Episode 55 with Guest James Tabron


    In this episode of the We Hack Purple Podcast we meet James Tabron, the director of Engineering at Twilio!

    James switched from security to engineering recently, and wanted to share how startups and large companies can both start their SOC 2 compliance programs. He shed a lot of light on where to start, common challenges, how much value can be gained from SOC 2, and even how to automate the process. He also confirmed our ongoing assumptions that good soft skills, and specifically empathy, were the most important things to look for when hiring someone to run an effective compliance program. Tune in to learn more!

    Join us in the We Hack Purple Community!
    A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter!

    June 23, 2022

    We Hack Purple Podcast Episode 54 with Caroline Wong


    In this episode of the We Hack Purple Podcast we meet another of host Tanya Janca’s friends: Caroline Wong of Cobalt Security!

    Caroline has worked in security, and specialized in AppSec, for a very long time. She explained what Pentesting-as-a-Service actually is, how to hire a good pentester, and when this service might be your best choice. Tanya quizzed her quite a bit, but Caroline really is the expert; she even wrote a book on the topic! This episode also covers defending against ransomware, why Pentesting-as-a-Service is not the same as a bug bounty, and how the OWASP Top Ten really hasn’t changed that much over the years.

    Tune in to learn more!

    Join us in the We Hack Purple Community:  A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter

    May 31, 2022

    We Hack Purple Podcast Episode 53 with Guest Nicole Dove


    In this episode of the We Hack Purple Podcast we meet another of host Tanya Janca’s friends: Nicole Dove of Riot Games!

    Nicole is a BISO (Business Information Security Officer) and told us everything we need to know about this role, including how to get this job, how to be great at it, and the huge value that it provides to companies. We also talked about software supply chain security, SBOMs, the LinkedIn Learning Course she just made, and how she’s going to be speaking at RSA Conference.

    PS Nicole has her OWN podcast, “Urban Girl, Corporate World”. Check it out!

    Join us in the We Hack Purple Community:
    A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter!

    May 13, 2022

    We Hack Purple Podcast Episode 52 with Sherif Mansour


    In this episode of the We Hack Purple Podcast we meet Sherif Mansour, ex-chair of the OWASP Board of Directors.

    Having recently finished his 4-year term of volunteering for the largest application security community on the planet, he had a tiny bit of spare time for our host, Tanya Janca.

    Sherif talked about some of his favourite accomplishments within OWASP, his career and a special project with the OpenSSF: The Alpha-Omega Project to Improve Software Supply Chain Security for 10,000 OSS Projects!

    Watch or listen to hear more!

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter!

    May 09, 2022

    We Hack Purple Podcast Episode 51 with Ashley Burke


    Welcome back to season 2 of the We Hack Purple Podcast!

    In this episode, We Hack Purple Community member Ashley Burke takes us on a non-technical journey into #InfoSec.

    Learn about navigating the job market, figuring out your special skills, how to handle imposter syndrome and much more. 

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. 

    Subscribe to our newsletter!

    March 16, 2022

    We Hack Purple Podcast Episode 50 with Adam Shostack


    Welcome back to season 2 of the We Hack Purple Podcast! In this episode, host Tanya Janca learns about Threat Modelling with guest Adam Shostack. He covers his new white paper (Fast, Cheap and Good: An Unusual Tradeoff Available in Threat Modeling) about how to do threat modeling that is cheap, fast AND good!

    Adam's WhitePapers: https://shostack.org/resources/whitepapers 
    Adam's "New Thing" newsletter: https://shostack.org/contact

    Join the We Hack Purple Cyber Security Community: https://community.wehackpurple.com/
    A fun and safe place to learn and share your knowledge with other professionals in the field. 

    Subscribe to our newsletter

    January 18, 2022

    AppSec Tools - Contrast Security Serverless Scanner


     Jeff Williams from Contrast Security takes our questions about their new Serverless Scanning Tool and gives a demo to show just how easy it is.  Video demo can be found here: https://youtu.be/R4NkfbNw5Ys

    Learn more here: https://www.contrastsecurity.com/contrast-serverless-application-security 

    Join our online community here: community.wehackpurple.com 
    Our online courses in #AppSec and Secure Coding: academy.wehackpurple.com 

    We Hack Purple Podcast Episode 49 with guest Adrian Sanabria


    Host Tanya Janca learns what it’s like to do Cybersecurity Product testing and reviews at Security Weekly Labs with guest Adrian Sanabria!

    Thank you to our sponsor Checkmarx! https://www.checkmarx.com/

    Buy Tanya's new book on Application Security: Alice and Bob learn Application Security

    Don’t forget to check out We Hack Purple Academy’s NEW courses,

    Join our Cyber Security community: https://community.wehackpurple.com/ A safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter here: https://newsletter.wehackpurple.com/

    Find us on Apple Podcast, Overcast + Pod 

    We Hack Purple Podcast Episode 48 with Pierre DeBois


     Host Tanya Janca  learns what it’s like to found and run a small business (Zimana Analytics) focused on data analytics, with guest Pierre DeBois!

    Thank you to our sponsor Checkmarx! https://www.checkmarx.com/

    Buy Tanya's new book on Application Security: Alice and Bob learn Application Security

    Don’t forget to check out We Hack Purple Academy’s NEW courses,

    Join our Cyber Security community: https://community.wehackpurple.com/ A safe place to learn and share your knowledge with other professionals in the field.

    Subscribe to our newsletter here: https://newsletter.wehackpurple.com/

    Find us on Apple Podcast, Overcast + Pod 

    We Hack Purple Podcast Episode 47 with Deviant Ollam


     Host Tanya Janca  learns what it’s like to be a physical penetration tester, with guest Deviant Ollam. Famous for hacking banks, elevators and basically any physical security device, he will share how he got to where he is today! Check out his Twitter while you’re at it!

    Thank you to our sponsor 10Security

    NEW Secure coding Course here!

    Buy Tanya's new book on Application Security: Alice and Bob learn Application Security.

    Don’t forget to check out  We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

    Join our Cyber Security community: https://community.wehackpurple.com/
    A fun and safe place to learn and share your knowledge with other professionals in the field. 

    Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com

    Find us on Apple Podcast, Overcast + Pod 

    We Hack Purple Podcast Episode 46 with Sunny Wear


    Host Tanya Janca learns from Sunny Wear about penetration testing with a live demonstration! Sunny shows off her custom app, Burp Tool Buddy, which shows you how to use and configure Burp Suite Pro. And it's a STEAL at $4.99!! https://twitter.com/SunnyWear

    Thank you to our sponsor 10Security

    NEW Secure coding Course here!

    Buy Tanya's new book on Application Security: Alice and Bob learn Application Security.

    Don’t forget to check out  We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

    Join our Cyber Security community: https://community.wehackpurple.com/
    A fun and safe place to learn and share your knowledge with other professionals in the field. 

    Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com

    Find us on Apple Podcast, Overcast + Pod 


    © 2024 Podcastworld. All rights reserved
