Do These Jeans Make My Vulnerabilities Look Too Big?
We're celebrating one year of the CISO/Security Vendor Relationship Podcast. Thank you to my co-host, Mike Johnson, all our guests, and all the fans for listening, sharing, commenting, and contributing to the series. It honestly does not get done without you. Thank you.
This week's episode of CISO/Security Vendor Relationship Podcast
Do These Jeans Make My Vulnerabilities Look Too Big?
Mike Johnson and our guest Fredrick Lee (AKA "Flee"), CSO of Gusto, discuss:
Lean on OWASP tools and the community for any appsec effort.
We played out a "how do you do appsec with zero budget" exercise, and everyone lauded the efforts of OWASP. It is entirely possible to build your appsec program on the OWASP Top 10 recommendations and their free, open source tools.
CISOs are attracted to builders, not finders.
A pen tester has been responsibly disclosing vulnerabilities to companies in order to get noticed by CISOs. While the effort is commendable, the severity of the vulnerabilities is more at issue. If you truly want to attract CISOs, show what you can actually build. That will get their attention.
Being good in security is not just about your skill, but also your ethics.
Unless you're a hired pen tester, proving you can hack into a system and cause havoc may show your hacking skills, but it doesn't show your security demeanor. CISOs don't find that attractive or desirable.
Please stop with the random capitalization (editor note).
As I've mentioned on the show before, there are rules to sentence structure, punctuation, and capitalization. The one that is probably abused the most is capitalization of product features. Product names, not features, are to be capitalized.
Special thanks to this week's CISO/Security Vendor Relationship Podcast sponsor, Tenable.
Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more:
David Spark and Allan Alford, co-hosts of Defense in Depth.
This THURSDAY, Allan and Dave in Grand Rapids
June 6th, Grand Rapids, MI - 2019 West Michigan IT Summit
Your last reminder that Allan Alford and I will be recording a live version of the CISO/Security Vendor Relationship Podcast as the closing keynote for the all-day conference on IT and security. Our guest will be Dan Lohrmann, former CISO/CSO/CTO of the state of Michigan. The event is free, but you do need to REGISTER.
Next FRIDAY, Allan and Dave in Dallas
June 14th, Dallas, TX - From Hiring to Buying: What Do CISOs Want?
Come join this open discussion I'll be leading with Allan about hiring and selling in cybersecurity. Please REGISTER.
Video extra from CISO/Security Vendor Relationship Podcast
Hey Security, Developers Want to Write Secure Code
Here's a post-show interview Mike Johnson conducted with Fredrick Lee (AKA "Flee"), CSO of Gusto, for this week's episode of the CISO/Security Vendor Relationship Podcast.
Flee and Mike talk about how to get developers more interested, trained, and excited about writing secure code.
The idea behind an Advanced Persistent Threat is both intriguing and a little distracting. It sounds like the title of a Tom Clancy novel, maybe a sequel to Clear and Present Danger. Designed to penetrate a network, operate while hidden for a long time, all the while receiving commands from an outside agent, an APT is more sophisticated than everyday malware and tends to be deployed against large targets. More on CISO Series.
SUBSCRIBE TO BOTH PODCASTS
Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.
If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.