-
CSCP S4EP17 - Adam Shostack - Threat modelling in past and future with Adam Shostack from vulnerability to ASPM and modern application security
- 2024/06/16
- 再生時間: 33 分
- ポッドキャスト
-
サマリー
あらすじ・解説
Join us in this insightful episode of the Cybersecurity and Cloud Podcast, where host Francesco Cipollone sits down with the pioneer of threat modeling, Adam Shostack. Dive into the intricacies of Application Security Posture Management (ASPM), effective threat modeling practices, and the innovative solutions offered by Phoenix Security. Gain valuable knowledge on how to improve your organization's security posture and stay ahead of evolving threats. Sponsored by Phoenix Security: This episode is brought to you by Phoenix Security, leaders in vulnerability management from code to cloud. Take control of your security with Phoenix and see firsthand how to prioritize and act on critical vulnerabilities with a free 14-day license available at Phoenix Security - Request a Demo. We delve into threat modeling and software security, touching on the profound implications of the White House's recent report on memory-safe programming languages. We also dissect the systemic challenges of self-regulation in the cybersecurity market, especially in the aftermath of significant incidents like the SolarWinds attack. Adam shares his valuable insights on CISA's latest strategies to tackle vulnerabilities at their origin, emphasizing the critical need for proactive and systemic solutions in bolstering cybersecurity practices. In another segment, we examine the complexities surrounding software security regulation and self-regulation in both the US and Europe. Drawing parallels to the automotive industry, we discuss how software companies are held accountable for the components they use, similar to how car manufacturers are responsible for their parts. The conversation highlights the Biden administration's executive order requiring vendors to self-attest to software security when selling to the US government and compares this to established regulatory frameworks like SEC regulations. We also address the balance between proactive and reactive regulatory measures, referencing historical efforts such as Microsoft's Trustworthy Computing initiative and discussing the unique challenges faced by sectors like medical devices, where security and functionality must be meticulously balanced. Key Discussion Points: Threat Modeling and Application Security: An in-depth look at threat modeling and its crucial role in enhancing application security.White House Report on Memory-Safe Programming Languages: Exploring the implications of the recent White House report and its impact on software security practices.Self-Regulation vs. Government Regulation: Analysis of the challenges and benefits of self-regulation in the cybersecurity market, particularly post-SolarWinds.CISA’s Strategies on Vulnerability Management: Insights into CISA's proactive approaches to tackling vulnerabilities at their origin.US and European Software Security Regulations: Comparing US and European approaches to software security regulation and the accountability of software companies.Biden Administration’s Executive Order: The requirement for vendors to self-attest to software security and its broader implications.Historical Context: Reflecting on past efforts like Microsoft's Trustworthy Computing initiative and their relevance today.Balancing Security and Functionality: The unique challenges faced by sectors like medical devices in maintaining both security and functionality. What's Inside This Episode: 00:01 - Introduction: Francesco Cipollone introduces the podcast and guest, Adam Shostack, a leader in threat modeling and application security.00:22 - Role in Threat Modeling: Adam discusses his contributions to the field of threat modeling and the importance of simplifying and organizing the process.02:00 - Background and Career: Adam shares his extensive experience in application security, including his work at Microsoft and current role at Shostack and Associates.03:00 - State of Application Security and Threat Modeling: Discussion on the current state of application security and the significance of the White House report on memory-safe programming languages.04:00 - Regulatory Influences and Vulnerability Management: Insights into how government regulations are influencing application security and the challenges in managing vulnerabilities.06:00 - Historical Context of Software Security: Reflection on historical security practices and the evolution of software security.08:00 - SolarWinds SEC Lawsuit: Detailed discussion on the SEC lawsuit against SolarWinds and the importance of accurate security statements.10:00 - Challenges in Implementing Security Measures: The difficulties organizations face in implementing effective security measures and the necessity of having a comprehensive asset inventory.12:00 - Government Regulations and Market Self-Regulation: Debate on the effectiveness of market self-regulation versus government mandates in shaping the future of application security.14:00 - Balancing Profit and Security: The conflict between maintaining ...