We Take Software Security Seriously, As Long As It Ships on Time
CISO Series Podcast
Since software has eaten the world, should software engineers have already inherited cybersecurity? It's easy to see this as an ideal transition. But given the pressures to ship, can we expect these engineers to prioritize security from day one, even if it risks delaying a product?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest Jeremy Epling, chief product officer, Vanta.
What is the future of cybersecurity?
Software ate the world. Is it also about to eat cybersecurity? On his blog, Venture in Security, Ross Haleliuk argued that cybersecurity should be treated as an inherent aspect of software quality, which makes engineers vital to shaping secure software. This makes sense when you see security vulnerabilities as bugs: it is better to address them earlier in the development cycle than to trade security for speed later. That workflow becomes essential as security integrates into the design process. As an industry, we must keep shifting left, embracing proactive vulnerability detection so that security can be balanced against business pressures like product-market fit and delivery timelines.
Designing the outcomes we want
Over the last few years, we’ve seen CISA driving best practices in the industry. Their most recent push concerns Secure by Design principles targeting cross-site scripting (XSS) vulnerabilities. While such efforts are seen as a step forward in promoting basic security hygiene, organizations must prioritize risks relevant to their context rather than following blanket recommendations. While companies with mature security practices may already manage XSS effectively, CISA’s call to action is a crucial reminder for smaller or less security-conscious organizations. The agency’s guidance is data-driven, focusing on vulnerabilities still widely exploited, and aims to raise awareness where it's most needed.
The promise and peril of AI
AI is rapidly finding its way across all industries, and security is no exception. The technology is seen as both a tool for unprecedented threat prediction and a potential weapon for attackers. Those risks must be accounted for, but fear-driven narratives around AI don’t help anyone. Instead, embrace its potential to accelerate security outcomes. That requires proof of quality in AI-driven solutions rather than vague promises, and solutions built on ethical AI practices.
Is open-source open to more threats?
The industry is becoming more aware of the risks in open-source software, sparked by a recent incident in which a malicious maintainer introduced a backdoor into the xz-utils compression utility, as covered by Aeva Black at Cyberscoop. Open-source trust lies in the hands of the maintainer and those reviewing the code, so proper oversight is necessary. Small projects, where we rely on the code author to also review their own code, are a recipe for disaster; a second set of eyes is critical. Maintainers also face systemic challenges, such as a lack of compensation and support, despite their crucial role in global software infrastructure. Addressing these issues through better oversight, tooling, and recognition for maintainers is what a secure and reliable open-source ecosystem requires.
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Erik Bloch at Arbiter for providing our “What’s Worse” scenario.
Thanks to our podcast sponsor, Vanta
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice I ever got in security…
"Security is a team sport. I think so often everyone thinks the security team's responsible for doing all the security work at a company, but you really need product, design, engineering, HR, legal, sales, everyone to achieve the customer outcomes you want." - Jeremy Epling, chief product officer, Vanta
Listen to the full episode of "We Take Software Security Seriously, As Long As It Ships on Time."
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Edward Frye, head of security, Luminary Cloud.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
Securing AI Workflows
You can't fully embrace AI if you don't know what it takes to secure it.
I recently spoke with Niv Braun, co-founder and CEO of Noma Security, about the AI supply chain. We delved into the unique workflows of data and AI teams, their tools, and the emerging security challenges in this rapidly evolving field. To tackle these challenges effectively, CISOs must bridge the language gap between security and AI teams. Tune in to learn about the common breaches, collaboration strategies, and the principles of securing AI implementations.
We're going to be discussing the topic of "Hacking the AI Supply Chain: An hour of critical thinking about what's new and familiar about securing the foundations of your AI applications." It's all happening this Friday, December 6th, 2024 on our show Super Cyber Friday. Joining us in the conversation will be Caleb Sima, builder, WhiteRabbit.
It’s all going down at 1 PM ET/10 AM PT.
REGISTER HERE for December 6th, 2024, Super Cyber Friday
Thanks to our Super Cyber Friday sponsor, Noma Security
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.