-
CSCP S4EP18 - James Berthoty - What The heck is ASPM and the evolution of Product security
- 2024/07/28
- 再生時間: 46 分
- ポッドキャスト
-
サマリー
あらすじ・解説
Join us for an engaging episode as we welcome James Berthoty, a seasoned cybersecurity professional with a diverse background spanning sysadmin, DevOps, and security engineering roles. James takes us through his journey across different organizations, including his current role at PagerDuty, where he tackles the intricate challenges of FedRAMP compliance. Listen in as James shares insights on the rapid evolution of the Application Security (AppSec) industry, driven by the need for infrastructure professionals to interact with application code in today’s API-driven cloud environment. We also explore the disparity in innovation recognition among security solution providers and the difficulties of staying current in this fast-paced industry. Sponsored by Phoenix Security: This episode is brought to you by Phoenix Security, leaders in vulnerability management from code to cloud. Take control of your security with Phoenix and see firsthand how to prioritize and act on critical vulnerabilities with a free 14-day license available at Phoenix Security - Request a Demo. We also discuss the complex challenges of managing visibility and actionability within cybersecurity, particularly in handling software vulnerabilities. Learn about the evolution of patch management and the inefficiencies of the Common Vulnerabilities and Exposures (CVE) system, which often leads to false positives. This conversation sheds light on the market's tendency to prioritize quantity over quality in vulnerability detection tools and the potential shift towards more precise, less noisy solutions. Effective testing and benchmarking tools, like insecure testing repositories and OWASP projects, are also highlighted as a means to enhance the reliability of security tools. Finally, we explore the broader landscape of security tools and frameworks, including the stringent requirements of FedRAMP and the balance between flexible and opinionated tools. Through case studies and real-world examples, we discuss the significance of asset management, the evolving landscape of security tools, and the importance of transparency in marketing. The episode wraps up with a look at managing open-source supply chain risks and the crucial role of entities like Tidelift in providing paid maintenance services, reflecting the industry's shift towards better security practices. Don't miss this comprehensive exploration of the current state and future trends in the cybersecurity and software security industry. Episode Highlights: •Application Security and ASPM: We delve into the complex challenges of Application Security Posture Management (ASPM), focusing on managing visibility and actionability within cybersecurity, particularly in handling software vulnerabilities. •Vulnerability Management: Learn about the evolution of patch management and the inefficiencies of the Common Vulnerabilities and Exposures (CVE) system, which often leads to false positives. •Effective Testing Tools: This conversation sheds light on effective testing and benchmarking tools, like insecure testing repositories and OWASP projects, to enhance the reliability of security tools. •FedRAMP and Security Tools: Explore the stringent requirements of FedRAMP and the balance between flexible and opinionated tools in the broader landscape of security frameworks. •Asset Management: Through case studies and real-world examples, we discuss the significance of asset management in vulnerability management and the evolving landscape of security tools. •Open Source Supply Chain Risks: The episode wraps up with a look at managing open-source supply chain risks and the crucial role of entities like Tidelift in providing paid maintenance services, reflecting the industry’s shift towards better security practices. What's Inside This Episode: 00:54 - Host Introduction: Francesco Cipollone introduces the episode and guest James Berthoty.01:27 - Guest Introduction: James Berthoty shares his background and journey in cybersecurity.02:07 - Managed Detection Response Insights: James discusses his experience and insights from working in managed detection response.05:16 - AppSec Industry Evolution: Discussion on the rapid changes in AppSec and the impact of new technologies.09:28 - The Challenge of Vulnerability Management: Francesco and James delve into the complexities of modern vulnerability management.12:32 - Tool Integration and Market Trends: The conversation shifts to the integration of various security tools and market trends.20:21 - Security Operations Challenges: The struggle of handling CSPM alerts and the role of security operations.27:01 - Asset Management Importance: The critical role of asset management in vulnerability management and its implications.31:48 - Market Evolution and Tool Adaptation: Discussion on how security tools need to adapt to evolving market demands.35:50 - Reachability Analysis and SBOM: The importance of reachability analysis and the challenges of ...