
    secure code

    Explore "secure code" with insightful episodes like "Ron Woerner - Security Mentorship", "We Hack Purple Podcast Episode 72 with Scott Helme AGAIN" and "Building a 100% Open DevSecOps Stack | Abhisek Datta" from podcasts like "The Security Champions Podcast", "We Hack Purple Podcast" and "br3akp0int Security Podcast" and more!

    Episodes (3)

    Ron Woerner - Security Mentorship


    Ron Woerner, CISSP, CISM, is the President and Chief Security Officer at Cyber-AAA, plus a Senior Security and Risk Consultant for Forrester Research. With over 20 years of experience in IT and security, Ron works with leaders worldwide to advise on security, compliance, and privacy.

    Ron joins to discuss how organizations should adapt tools and methodologies for their business' maturity, how to have impactful security champion mentors, and how security teams can successfully work with other teams.

    • Welcome to The Security Champions Podcast [0:10]
    • Ron Woerner’s Security Journey [1:20]
    • Zero Trust Architecture [4:50]
    • Using Tools Based On Business Maturity [10:30]
    • Successful Security Mentorship [15:30]

    Episode Resources: 

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Podcast sponsored by Security Journey, Secure Coding Training for Developers and Everyone in the SDLC. Learn more at securityjourney.com.

    FOLLOW US to stay up-to-date with new content!


    We Hack Purple Podcast Episode 72 with Scott Helme AGAIN


    In episode 72 of the We Hack Purple Podcast host Tanya Janca brings Scott Helme back on because she just cannot get enough when it comes to security headers! You can watch and listen to his first episode here (https://wehackpurple.com/podcast/episode-69-with-scott-helme/). In this episode we focus on the “new” security headers from Scott’s great blog article where he first introduced the public to them (https://scotthelme.co.uk/coop-and-coep/). The new security headers focus on protecting us from side-channel attacks like Spectre and Meltdown, and we really homed in on how to configure each one, and why we would need or want them. The features are powerful, and we discussed building up to using them, for best results.


    Part of the reason that Scott built SecurityHeaders.com was to contribute to solving the problem of ‘how do we get the message out there’. SecurityHeaders.com is an educational tool rather than any kind of definitive or perfect security assessment tool, but it’s still incredibly useful. He’s working hard to raise awareness, and podcast episodes like this can help. 


    One of the most striking things Scott hears when teaching his and Troy Hunt’s ‘Hack Yourself First’ course, when they talk about headers like CSP and HSTS, is: “Wow, I didn’t know this existed!” There is a huge gap that we need to bridge in security between these things existing, and people knowing they exist and then actually using them. This is a big hurdle for folks like us.

    We also talked a bit about how all of these security headers are able to create reports and tell you what’s up with your app. Lucky for us, Scott built Report-URI so we can receive those reports with ease! 

    Scott also has another free tool he created, https://crawler.ninja/, where he scans the top 1 million sites every day and looks at various things, including their use of security headers. As an example, you can see this list of sites using a CSP from today: https://crawler.ninja/files/csp-sites.txt

    Scott also creates reports from his crawler data that show trends over time and changes in the usage of security features like the various security headers: https://scotthelme.co.uk/tag/crawler-report/
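    As an added worked example (this is not code from the episode, from Scott Helme, or from securityheaders.com), the script below does in miniature what the conversation is about: it parses a raw HTTP response header block and checks the headers discussed, HSTS, CSP with reporting, and the cross-origin isolation pair COOP/COEP (plus CORP), including the Report-Only variants that let you build up to enforcement without breaking the site. The three sample responses and the reporting endpoint https://reports.example/csp are constructed placeholders, and the one-year HSTS threshold is this example's own choice, not a rule from any scanner.

```python
"""Offline audit of the security headers discussed in the episode.

Added example, not Scott Helme's tooling. Parses a raw response header block
and evaluates HSTS, CSP (with reporting) and cross-origin isolation
(COOP/COEP), treating the *-Report-Only headers as a staged rollout.
All sample responses below are constructed, not captured from a real site.
"""
from __future__ import annotations

import re
from typing import Dict, List

HeaderMap = Dict[str, str]

# Threshold is this example's choice, not a securityheaders.com rule.
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds

# Constructed weak response: short HSTS, permissive CSP, no isolation headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "\r\n"
)

# Constructed staged rollout: COEP is Report-Only, so nothing breaks yet but
# violations are reported to the (placeholder) endpoint.
STAGED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; report-to csp\r\n"
    "Reporting-Endpoints: csp=\"https://reports.example/csp\"\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy-Report-Only: require-corp\r\n"
    "\r\n"
)

# Constructed hardened response: everything enforced, reporting wired up.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
    "object-src 'none'; report-to csp\r\n"
    "Reporting-Endpoints: csp=\"https://reports.example/csp\"\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> HeaderMap:
    """Parse a raw header block into a map with lower-cased names.

    Repeated headers are joined with ', ' as HTTP allows; the status line and
    the blank terminator are skipped.
    """
    headers: HeaderMap = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.

    Only the first policy is parsed if several were comma-joined; a full
    checker would evaluate each, since a browser enforces all of them.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(",")[0].split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(headers: HeaderMap) -> int:
    """HSTS max-age in seconds, or 0 when absent or unparseable."""
    value = headers.get("strict-transport-security", "")
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


def is_cross_origin_isolated(headers: HeaderMap) -> bool:
    """True when the enforced COOP/COEP values make a browser report
    self.crossOriginIsolated === true (Report-Only headers do not count)."""
    coop = headers.get("cross-origin-opener-policy", "").split(";")[0].strip().lower()
    coep = headers.get("cross-origin-embedder-policy", "").split(";")[0].strip().lower()
    return coop == "same-origin" and coep in ("require-corp", "credentialless")


def audit(raw: str) -> List[str]:
    """Return finding codes for one raw response; an empty list means clean."""
    headers = parse_headers(raw)
    findings: List[str] = []

    if "strict-transport-security" not in headers:
        findings.append("hsts-missing")
    elif hsts_max_age(headers) < MIN_HSTS_MAX_AGE:
        findings.append("hsts-short-max-age")

    if "content-security-policy" not in headers:
        findings.append("csp-missing")
    else:
        csp = parse_csp(headers["content-security-policy"])
        # script-src falls back to default-src when it is not declared.
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("csp-unsafe-inline-scripts")
        if "*" in scripts:
            findings.append("csp-wildcard-scripts")
        if "report-to" not in csp and "report-uri" not in csp:
            findings.append("csp-no-reporting")

    if not is_cross_origin_isolated(headers):
        staged = any(h.startswith("cross-origin-") and h.endswith("-report-only")
                     for h in headers)
        findings.append("coi-report-only" if staged else "coi-not-isolated")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("staged", STAGED_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        isolated = is_cross_origin_isolated(parse_headers(raw))
        print(f"{label:9} isolated={isolated} findings={audit(raw)}")
```

    The "coi-report-only" finding is the interesting middle state: COOP is already enforced, COEP is still observing, and the reports tell you which cross-origin resources lack CORP or CORS headers before you flip require-corp to enforce. Swap the placeholder endpoint for your own collector (Report-URI is the one mentioned above) when you run this against a real site.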


    Very special thanks to our sponsor: Women’s Society of Cyberjutsu

    Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023

    Join We Hack Purple!

    Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    Building a 100% Open DevSecOps Stack | Abhisek Datta


    TOPIC: Building a 100% Open Source DevSecOps Stack for Product Teams

    GUEST: Abhisek Datta
    He has been a Security researcher in the past. Currently he is dabbling more on the development & product side of things. He is an OSS contributor and Platform & Security engineer. Can still read/write C & x86 ASM.

    Episode Summary:
    In this episode we dive deep into the challenges and opportunities of creating and maintaining a 100% open source DevSecOps stack. Tune in to find a storehouse of information for product teams on how to approach security automation for their products using only open source security tools & products.

    Recommended reading/viewing (papers on this topic) for practitioners:

    https://medium.com/chargebee-engineering/building-appsec-pipeline-for-continuous-visibility-d430beb0a78f

    https://medium.com/chargebee-engineering/building-policy-gate-for-devsecops-using-open-policy-agent-999dd734744a


    I would love to hear your suggestions and feedback, please DM me. If you liked this episode, please share it with others in the community. It always means a lot!

    If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below:

    • Twitter: @NeeluTripathy
    • LinkedIn: neelutripathy

    © 2024 Podcastworld. All rights reserved


    For any inquiries, please email us at hello@podcastworld.io