    devsec ops

    Explore "devsec ops" with insightful episodes like "We Hack Purple Podcast Episode 72 with Scott Helme AGAIN", "We Hack Purple Podcast Episode 74 with Ray Espinoza" and "We Hack Purple Podcast Episode 64 with guest Anant Shrivastava" from the "We Hack Purple Podcast" and more!

    Episodes (3)

    We Hack Purple Podcast Episode 72 with Scott Helme AGAIN

    In episode 72 of the We Hack Purple Podcast, host Tanya Janca brings Scott Helme back on because she just cannot get enough when it comes to security headers! You can watch and listen to his first episode here (https://wehackpurple.com/podcast/episode-69-with-scott-helme/). In this episode we focus on the “new” security headers from Scott’s great blog article where he first introduced the public to them (https://scotthelme.co.uk/coop-and-coep/). The new security headers focus on protecting us from side-channel attacks like Spectre and Meltdown, and we really honed in on how to configure each one and why we would need or want them. The features are powerful, and we discussed building up to using them for best results.

     

    Part of the reason that Scott built SecurityHeaders.com was to contribute to solving the problem of ‘how do we get the message out there’. SecurityHeaders.com is an educational tool rather than any kind of definitive or perfect security assessment tool, but it’s still incredibly useful. He’s working hard to raise awareness, and podcast episodes like this can help. 

     

    One of the most striking things Scott hears when teaching his and Troy Hunt’s ‘Hack Yourself First’ course, when they talk about headers like CSP and HSTS, is: “Wow, I didn’t know this existed!” There is a huge gap that we need to bridge in security between these things existing and people knowing they exist and then actually using them. This is a big hurdle for folks like us.

    We also talked a bit about how all of these security headers are able to create reports and tell you what’s up with your app. Lucky for us, Scott built Report-URI so we can receive those reports with ease! 

    Scott also created another free tool, https://crawler.ninja/, where he scans the top 1 million sites every day and looks at various things, including their use of security headers. As an example, you can see this list of sites using a CSP from today: https://crawler.ninja/files/csp-sites.txt

    Scott also creates reports from his crawler data that show trends over time and changes in the usage of security features like various security headers: https://scotthelme.co.uk/tag/crawler-report/


    Very special thanks to our sponsor: Women’s Society of Cyberjutsu

    Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023

    Join We Hack Purple!

    Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    We Hack Purple Podcast Episode 74 with Ray Espinoza

    In episode 74 of the We Hack Purple Podcast, host Tanya Janca talks to guest Ray Espinoza from Inspectiv! During the podcast we honed in on how to build a positive security culture, which has several important ingredients: Security Champions, empathy, explaining ‘the why’, sharing information in both technical and non-technical formats, and storytelling! We talked about training, we talked about metrics, and we talked about how to get your point across in an effective way without scaring people’s pants off. If you want to hear about creating a successful security champions program, how to ‘win’ more often, and what pitfalls to avoid, this episode is especially helpful!

    We ended the conversation with several calls to action for audience members about including more people in cyber. Young people, old people, new-to-cyber people, every race of people, every gender; we really mean EVERYONE. Ray also (very generously) invited listeners to connect with him online so he could help them find mentors and meet people. This episode was great!

    A bit more about Ray:
    Ray Espinoza is Vice President and Chief Information Security Officer at Inspectiv, Inc. With over 15 years of both tactical and security leadership experience, Ray has a proven track record of successfully building effective security programs for top companies that include eBay, Cisco, Amazon and Cobalt.io.


    Prior to joining Inspectiv, Ray served as VP of Cloud Security at Medallia where he was responsible for developing and executing Medallia’s multi-cloud security strategy. Outside of work, Ray is the head strength and conditioning coach and an assistant football coach at Camas High School. 

    Where to find Ray!
    LinkedIn - https://www.linkedin.com/in/ray-espinoza-b399821/
    Twitter - https://twitter.com/RayEspinozaSec

    Causes and groups Ray (and Tanya) support:
    Raíces Cyber
    Black Girls Hack
    Black Girls in Cyber

    Very special thanks to our sponsor: Day of Shecurity!  This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it’s very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE!
    View the agenda here: https://guides.dayofshecurity.com/view/314270378/
    If you’re not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.


    We Hack Purple Podcast Episode 64 with guest Anant Shrivastava


    In this episode of the We Hack Purple podcast, host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that he’s more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as:
    CodeVigilant: https://codevigilant.com/
    Tamer Platform: https://tamerplatform.com/
    Hacking Archives of India: https://hackingarchivesofindia.com/

     Anant’s Bio:
    Anant Shrivastava is an experienced information security professional with over 15 years of corporate experience. He has expertise in Network, Mobile, Application and Linux Security. He is the founder of Cyfinoid Research, a cyber security research firm, and has previously served as Technical Director at NotSoSecure Global Services, a boutique cyber security consultancy. He is a frequent speaker and trainer at international conferences such as BlackHat, Nullcon, and c0c0n. Additionally, Anant leads the open source projects Tamer Platform and CodeVigilant and maintains the Hacking Archives of India. He also participates in open communities targeted towards spreading information security knowledge, such as null (null.community). His work can be found at anantshri.info and his blog is at https://blog.anantshri.info/

    Very special thanks to our sponsor: The Diana Initiative!

    The Diana Initiative is seeking sponsors for their annual event happening Monday August 7, 2023 in Las Vegas. See https://www.dianainitiative.org/sponsor/ for more information.

    The Diana Initiative Call For Presentations opens on March 1, if you have a topic you want to share submit at tdi.

    The Diana Initiative is a diversity-driven conference committed to helping all underrepresented people in Information Security. This year the theme is “Lead the Change.” You can submit to be a speaker at tdi.mobi/CFP, or if your company would like to support the event by sponsoring, check out https://www.dianainitiative.org/sponsor/



    © 2024 Podcastworld. All rights reserved
