Language: English

Abstract

DevSecOps, the integration of security practices into the DevOps methodology, has become a prominent topic in the field of information security in recent years. This approach emphasizes the collaboration between development, operations, and security teams throughout the software development lifecycle.

In this episode, we had the opportunity to speak with Sam Sehgal, co-chair for the DevSecOps Working Group (WG) at the Cloud Security Alliance (CSA). Sam shed light on the six pillars that form the foundation of the DevSecOps methodology and highlighted the vital role played by the WG in driving the integration of security practices within the realms of DevOps and cloud computing.

Language: English

Abstract

The Quantum-safe security working group is a Cloud Security Alliance research wg that was created to promote awareness and education on the challenges of Quantum computing. In this episode we spoke to the working group leaders in order to better understand Quantum security challenges and how the security  community can overcome these challenges. 

This is the first episode in a series of episodes that will be dedicated to CSA research efforts and the working groups that produce the next generation best practices and researches.

Guest Title:  CISO at DarioHealth

Language: English

Abstract

Many of the CISOs are often approached by early stage startups asking to be given a chance. Is it worth it? isn't it too risky? 

Working with security start-ups can assist the CISO’s to accomplish their goals with many benefits, as long as risks are mitigated.

In this episode we spoke with Shahar Gaiger Maor, CISO at DarioHealth to summarize how security startups can be your weapon of choice as a CISO.

Link: https://www.linkedin.com/pulse/security-start-ups-design-shahar-geiger-maor

Topic: Researching Cloud giants security mechanisms 

Language: English

Abstract

The leading cloud providers these days are storing growing parts of human knowledge and businesses , and therefore their services require to be top notch in security and most of the time, they actually provide very resilient security services. But every now and then, a talented security researcher finds vulnerabilities even on the most mature services - In this episode we spoke with Vladi Sandler & Gafnit Amiga from Lightspin regarding the AWS RDS vulnerability they recently discovered and what is the process of researching cloud provider vulnerabilities and how to do responsible disclosure.  As a bonus, we also discussed the open-source tools released by Lightspin and the way they can help organizations protect their cloud resources.

https://blog.lightspin.io/aws-rds-critical-security-vulnerability

https://recon.cloud  -  Free CNAPP tool

https://github.com/lightspin-tech/red-detector - EC2 vulnerability scanner 

https://github.com/lightspin-tech/red-kube - K8S Adversary Emulation

Guest Title: CEO & Co-Founder at Canonic

Topic: Analyzing SaaS Applications Threats

Language: English

Abstract

The 2022 history of security incidents proved that SaaS services present major security challenges for organizations. As SaaS adoption grows - more attack vectors are being discovered.

In this episode we spoke with Boris Gorin, Co-founder and CEO at Canonic about the attack vector of malicious apps inside SaaS services and the Canonic AppTotal portal for analyzing 3rd party applications.

Guest Title: CEO & Co-Founder at Cider Security

Topic: Threats on CI/CD pipeline 

Language: English

Abstract

The main attraction point in cloud for most organizations is the ability to produce scalable and resilient applications - faster. One of the main foundations for that is the ability to create CI/CD pipelines that will automate the integration of new code to old code and the deployment of the code to the various testing and production environments. But as organizations continue to adopt CI/CD - there is an increasing number of attacks on the pipelines.

In this episode we spoke with Guy Flechter, Co-founder and CEO at Cider Security - on CI/CD relevant threats and risks and incidents that happened in the past and things we can learn from them.

Guest Title: CEO & Co-Founder at RackN

Topic: Automating Infrastructure Pipelines

Language: English

Abstract

In modern applications, Infrastructure automation is an important piece in the puzzle. Manual infrastructure management and security tasks in the volume required for modern application will probably lead to mistakes, misconfigurations and non compliance platforms. 

In this episode we spoke with Rob Hirschfeld, CEO and Co-Founder at RackN, about Infrastructure as code and how organizations should automate their infrastructure pipeline.

Guest title: CTO, Armosec

Topic: Securing K8’s Deployments

Language: English

Abstract

As K8’s adoption grows and matures, we sat down with Leonid Sandler, CTO and Co-Founder of ARMO, to talk about K8’s security - starting from the shared responsibility model, going through the initial configuration and deployment, and all the way to building a runtime protection solution. 

ARMO github page - https://github.com/armosec/kubescape

Guest title: Customer Cyber Security Director, Ericsson North America; Fellow & Lecturer, Yuval Ne'eman Workshop for Science, Technology and Security, Tel-Aviv University 

Language: English

Abstract

The 5th generation of cellular networks is not just an upgrade of previous generations such as LTE. 5G is changing the cellular networks infrastructure, deployment, orchestration, operations and security. 5G infrastructure, and Private Networks, blur the traditional distinction between IT, 3GPP, Wi-Fi and Cellular, providing incredible functionality, while creating new challenges.

In this episode we spoke with Niv David, Customer Cyber security director at Ericsson North America, about the innovation of 5G networks and how it is changing the networking infrastructure and cloud usage.

Guest title: Co-Founder, Seemplicity

Language: English

Abstract

As organizations develop more software, and in faster cycles, greater responsibility is laid on security teams who have a full-stack responsibility for infrastructure, applications, IT services and many other aspects in the business.

In this episode we spoke with Ravid Circus co-founder and CPO at Seemplicity to understand how security teams can efficiently scale their risk reduction efforts and interact with their counterparts productively by using digital workflows  for security operations.

Guest title:  CISO, Riseup

Language: English

Abstract

The growing number of fintech companies represent a shift in the market from traditional banking &  financing to new models and tools that are empowered by technology. But fintech companies face security challenges - they need to provide customers and financial partners with assurance & security at a level of giant institutes - while being young and small companies.

In this episode we spoke with Alex Gestin, CISO for Riseup - about the challenges of Fintech companies and how Riseup builds environments that provide assurance and trust with regulators, consumers and other banks.

Guest title:  Co-Founder and CTO at Anjuna

Language: English

Abstract

Confidential computing is one of the more interesting technologies that is developed today.

The combination of using secure hardware features, advanced cryptography with tight virtualization integration enables us to protect data at untrusted environments and protect from very illusive threats such as government access and malicious insiders.

In this episode we spoke with Yan Michalevsky, Co-Founder and CTO at Anjuna, regarding confidential computing and why we should pay attention to it.

Guest title: Senior Product Line Manager, VMware

Language: English

Abstract

As k8’s adoption grows and flourish, organizations are starting to ask themselves how they should manage the complex network settings inside K8’s.

Services mesh is a technology that adds a layer of networking & security capabilities on top of traditional K8’s environment.

In this episode we discuss service mesh technology, its past and its future with Oren Penso, Senior product line manager in VMware and he provided us with interesting insights on the future on networking & microservices architecture.

Guest title: Co-founder and CVO at Cynergy

Language: English

Abstract

Small and medium businesses are currently the most vulnerable sector in the market. They don’t have the knowledge and awareness to secure their own operations, and security vendors and IT services companies often neglect this sector.

In this episode we spoke with Alex Peleg, CVO at Cynergy, on the challenges of securing SMB and how regulators, Security vendors and the security community should bridge the gap of knowledge and awareness in the SMB market.

Guest title: Co-Founder and CEO at Profero

Language: English

Abstract

Incident response and forensics of cloud breaches is one of the most challenging topics in Information security. In this episode, (recording date Aug 2021) Omri Segev Moyal, co-founder & CEO at Profero, shares fascinating stories regarding recent incidents his team was involved in and provides insights, recommendations and best practices that are really eye opening for any organization out there. 

Guest Title: Host of DIY Cyber Guy Podcast

Abstract: 

Many IT & security professionals are asking what Is the best way to enter the world of cloud computing. In this episode we continue our conversation with David W. Schropfer from DIY cyber guy  about the cloud computing career paths

Guest Title: Host of DIY Cyber Guy Podcast

Abstract: 

Many IT & security professionals are asking what Is the best way to enter the world of cloud computing. In this episode we had the privilege of cooperating with David W. Schropfer from the successful podcast DIY cyber guy to discuss the career paths that are relevant for beginners or experienced professionals who wish to explore how cloud computing can promote their career.

Guest Title: Co-Founder & CEO at VATA

Abstract: 

Various organizations around the world are struggling to build & mature their devsecops operations. DSOM (Devsecops Maturity Model) is an OWASP project designed to help organizations plan and prioritize their devsecops strategies. In this episode, Hemi Gur-Ary, co-founder at VATA and senior devsecops consultant, shares his insights about DSOM and how organizations can use it for reshaping their devsecops practices.

Guest Title:  Founders at Apolicy (a sysdig company)

Abstract: Infrastructure and policy as code is one of the hottest topics in security today. In this episode we spoke with Eran & Maor, founders at aPolicy (acquired by Sysdig shortly after the recording) ,  about cloud native security and how organizations should use automated policy templates for security CI/CD pipelines.

Guest Title: Co-Founder and CEO, DoControl.io

Topic: Protecting SaaS services using automation & continuous monitoring

Abstract: SaaS services are blooming and organizations are adopting more and more of them. In this episode, we hosted Adam Gavish, co-founder, and CEO at DoControl - an innovative startup that is reshaping the way we govern and monitor SaaS applications -  about the business case of SaaS services, the market gaps, and how organizations should catalog, protect and monitor their SaaS portfolio.

Guest: Oz Avenstein

Guest Title: Founder & CEO @ Avensec - Cloud & Application Security

Topic: Securing API Services

Abstract

The applicative infrastructure is becoming more and more complex due to different requirements, design patterns, and technologies. In many of these cases, one of those requirements is to connect other parties to systems, and in other cases, to connect systems to other parties. Nowadays, the most common connection method is to use Application Programming Interfaces (APIs). In this episode we spoke with Oz Avenstein, co-author of the CSA Security Guidelines for Providing and Consuming APIs about the guidelines creation process and how organizations should secure access to API resources.

Guest: Gadi Naor 

Guest Title: VP Software Engineering, Cloud Security @ Rapid7

Topic: Cloud Native Security Foundations

Abstract

Lately, The CNCF (Cloud Native Computing Foundation) released the cloud native security whitepaper: the first release of security guidelines for organizations who adopt cloud native approaches. In order to better understand the guidelines, we hosted Gadi Naor, VP Software Engineering, Cloud Security @ Rapid7, and co-author of the guidelines, for a conversation about what is cloud native security and why & how organizations should adopt this approach.

Guest: Tzachi Zornstain

Guest Title: Co-Founder & CEO, Dustico

Topic: Software Package Dependencies Attacks

Abstract

Supply chain and software dependencies attacks are becoming more popular, and organizations are having a hard time coping with those types of vectors. In this episode, we spoke with Tzach Zornstain, Co-Founder at Dustico, about the difference between malicious software and vulnerable software, and how organizations should use 3rd party software for the development of their own applications securely.

Guest: Yinon Costica

Guest title: VP Product 

Abstract

Wiz is the new star in the cloud security market, founded by veterans with a proven record and raised over $100M in less than a year of operations. In this episode, we talked with Yinon Costica, Co-Founder and VP Product at Wiz, about cloud security challenges, how is Wiz different from others, and how are they going to disrupt the market. 

‍‍

Attendees

Guest: Malgorzata (Gosia) Steinder
Guest title: CTO of Hybrid Cloud Research. IBM research
Topic: Compliance automation and zero trust containers

Abstract

Continuous monitoring, containers, zero trust, confidential computing - those are all examples of technologies that will be the main focus in the upcoming years. In this episode, we hosted Malgorzata (Gosia) Steinder, CTO of Hybrid Cloud Research at IBM, who provided her vision on how all those technologies mentioned above, should be integrated into highly secure applications deployments.

Links: 

• NIST OSCAL standard: https://pages.nist.gov/OSCAL/
• Automated compliance Open Source tool  by IBM  https://github.com/IBM/compliance-trestle
• Security monitoring open source tool by IBM:  https://www.ibm.com/blogs/research/2020/01/sysflow/
• workload identity: https://developer.ibm.com/solutions/security/articles/protecting-data-using-secret-management-trusted-service-identity/

Guest: Assaf Keren

Guest Title: VP, Enterprise Cyber Security

Company: PayPal

Abstract

PayPal is one of the most interesting organizations in the world in terms of security. The combination of online presence with the unique line of business is making PayPal one of the most secure hi-tech companies and one of the most innovative financial institutions. 

In this episode, we hosted Assaf Keren, VP of enterprise cyber security, for a discussion about PayPal’s cloud journey from traditional on-premise to the multi-cloud / multi-locations giant they are now, and how COVID-19 is changing Paypal’s digital journey with their customers & employees.

Guest: Asaf Hecht 

Guest Title: Security research team leader

Company: CyberArk 

Abstract

With the growth of cloud services, more knowledge is gathered on vulnerabilities and misconfigurations in cloud infrastructure. A great deal of this knowledge is coming from cloud security researchers. In this episode, we host Asaf Hecht, Security research team leader At Cyberark, for a conversation about cloud security research and the vulnerabilities they disclose are various cloud vendors. 

Guest: Ohad Maislish 

Guest Title: Co-Founder & CEO 

Company: env0

Abstract

Infrastructure as code is one of the most interesting technologies in the market. It enables organizations to deploy heavy workloads within seconds and avoid risky configuration mistakes. In this episode, we talked with Ohad Maislish, Co-Founder and CEO at env0, about infrastructure as code technology, how and where it is being used, and how env0 helps organizations to better utilize this technology.

Timing

0:00 introducing our guest

2:26 What is infrastructure as a code

10:16 Examples for practical deployment of IaaC

13:55 How IaaC is helping governance 

19:20 IaaC behind the scenes

25:18 IaaC in a multi-cloud environment

28:40 Summary and last words

Guest: Benjy Portnoy

Guest Title: Sr. Director, Solution Architects

Company: Aqua Security

Abstract

A cloud-native security strategy entails protecting the infrastructure, build, and running workloads. In this episode, we spoke with Benjy Portnoy, Sr Director of Solution Architects at Aqua Security regarding cloud-native security fundamentals. We also delve into various attacks identified in the recently published Cloud Native Threat Report by Aqua's security research team, Nautilus.

Timing

0:00 introducing our guest

2:50 what is cloud native security

5:11 Sorting out between CWPP, CSPM & DevSecOps

8:01 Protecting the build, the platform and workload

10:30 Understanding what is CASB 

12:45 diving into the kinsing attack

29.11 Summary and last words

Guest: Eitan Satmary

Guest Title: CISO 

Company: Tufin

Abstract

Being a CISO is challenging, being a CISO at a security vendor is even more challenging. In this episode we host Eitan Satmary, CISO for Tufin, to talk about the good and bad of being a CISO in a cyber security vendor. We will talk about CISO's ability to influence innovation and product roadmap in the company and how the transition from on-prem offering to SaaS offering changed the company's security posture.

Timing:

0:00 introducing our guest

4:20 CISO in a security company:  influence the innovation team

10:30 the relationship between CISO and the sales department

12:30 the company journey of adding cloud capabilities

15:00 CISO’s first steps

20:11 Risk management considerations for SaaS companies

25:00  Summary and final thoughts

Attendees

Guest: Arick Goomanovsky

Guest title: Co-Founder & Chief Business Officer

Company: Ermetic

Abstract

In cloud platforms, identity and permissions are the most important control that customers get to implement. Network segmentation and other traditional controls are often ineffective and access to resources is determined by a mixture of roles & policies. This mixture can become very complex and difficult to lock down. In this episode, we are hosting Arick Goomanovsky, Chief Business Officer at Ermetic, to discuss Cloud identity and access challenges, and to review real life examples of what can happen when neglecting identity and access entitlements in cloud infrastructure.

Mail to: info@ermetic.com

Timing:

0:00  Introducing our guest and Ermetic

2:21  Understanding Identity Governance

4:40  Cloud identity challenges

10:55 Dealing with identity challenges by adding visualization and analysis of permissions

16:30 Who are the organizational stakeholders relevant?

22:01 Examples for IAM challenges and outbreaks

22:25 Example 1: Protecting sensitive resources

26:25 Example 2: Third party access

29:49 Example 3: The visibility challenge when using SSO

31:30 Summary and final words

Guest: Ofer Maor

Guest title: Co-Founder & CTO 

Company: Mitiga

Abstract

The recent increase of cloud based attacks gives us an opportunity to examine new attack vectors and how attackers exploit new services. In this episode we talked with Ofer Maor, Co-Founder at Mitiga, about new attack vectors in cloud computing and how attackers exploit new services such as marketplaces, community repos and other examples.

Timing:

0:00 Introducing our guest and Mitiga

3:32 Preparing for cloud incident response 

7:15 Cloud attack vector - malicious AMI

11:00 More attack vectors on marketplaces

13:18 Github attack vectors

18:15 attack vector - Business email compromise on 365

25:44 how to mitigate cloud incidents

27:58 Summary and last words

Guest: Dalit Ben Israel

Guest title: Partner, head of IT & Data protection practice

Company: Naschitz Brandes Amir

 In the cloud era, the information security officer's new best friends are the lawyers in the legal department.   Legal matters such as cross border data transfers, contractual controls and privacy laws becoming critical in cloud migrations. In this episode we talk with Dalit Ben Israel, Partner at NBlaw, about the legal challenges of cloud computing: cross border transfers, the rise of privacy laws and proper contract management and monitoring. 

Timing:

0:00 - Opening

2:03 - Introduction of our guest

4:95 - Considerations of data center location and the effect of the Schrems2 judgement invalidating the Privacy shield

12:50 - The roles and responsibilities of cloud providers and customers 

15:27 - Choosing cloud providers - why do we need lawyers in the process and the obligation to enter into DPAs

20:00 - Specific challenges with SaaS and agreements with subprocessors

22:12 – Negotiating cloud contracts - what are the challenges? minimizing risks.

30:32 - Dispute resolution and venue of jurisdiction

33:24 - Ongoing contract monitoring

36:10 - Summary

 Connect with Dalit here:

Email: marketing@nblaw.com

Website: www.nblaw.com

Agenda

Opening words  - 5 min 

1. introducing the podcast  - Moshe / Ariel 
2. Introducing our guest - Ariel
3. Introducing myself - Moshe
4. Introducing the topic and context of the podcast - Moshe 

Security challenges  

People

• • Shortage in manpower:  There are missing jobs for cyber professional and especially application security
  • Shortage in knowledge: security professional lag behind learning new technologies

Process

• • Malicious insider - one of the biggest challenges for cloud providers
  • Shared responsibility model collapsing
  • Privacy laws are creating islands of data - Privacy laws are limiting the transfer of data
  • Jurisdiction, Court orders and government access to data - as cloud provider host more data - they are a target for more & more government interest

Technology

• • API security best practices - there will be more & more API’s, we did not master how to protect them
  • Encryption and key management - the holy grail for holding your own encryption keys is fading
  • Multi tenancy - we don't have clear practices on building multi tenant applications
  • Identity based access controls - network access controls are useless in cloud computing, but our ability to create granular access controls based on identity is not mature yet 
  • Multi tenancy 
  • Continuous monitoring
  • Automation and devops - Security automation is still maturing. We still don't know how to integrate developers and operation without breaking best practices
  • Using the wrong tools 

Closure (5 min)

1. Moshe - Summersing 
2. Ariel - closing 

Guest: Shira Shamban

Guest title: CEO & Co-Founder

Company: Solvo

Abstract

In modern cloud environments, Identity and Access Management controls are crucial controls. Many of the access decisions are now made not based on networking structure but rather on roles and permissions. In this episode we talk (again) with Shira Shamban, founder at Solvo about cloud IAM challenges - why is it so hard to get IAM right and how Solvo is planning to revolutionize the IAM management process. 

Timing:

0:00 Introducing our guest

3:00 Introducing cloud identity challenges 

6:20 Why role management is not enough

11:40 Why we fail to create least-privilege-roles  

15:10 How to manage IAM securly - the people angle

18:13 How to manage IAM securly - the process angle

21:08 How to manage IAM securly - the technology angle

31:08 Summary and last words

Guest: Dima Revelis

Guest title: Senior Devops engineer

Company: MoonActive

Abstract

DevsecOps is accelerating fast as the new buzzword for modern information security practices. In this episode we use the expertise of Dima Revelis in order to dive deep into understanding DevOps practices, what is CI/ CD pipeline and which security tools are relevant for all of those new practices.

Timing:

0:00 - Introducing our guest

2:50 - What is devops

7:50 - What is deployment pipeline

14:20 - What is CI and which security testing can be implemented

17:20 - What is CD and which security consideration 

18:40 - Dive deeper into security testing - QA, code review, static & dynamic   analysis

20:45 - So much automation, do we still need manual testing? 

22:30 - Additional security aspects: using Jenkins, authentication and authorization, secret management

26:40 - Availability considerations and disaster recovery

33:30 - Summary and final words

Guest: Yoad Dvir

Guest title: Security Lead, Central and Eastern Europe

Company: Microsoft

Abstract

Microsoft security portfolio has been growing and diversifying in the last couple of years, adding more capabilities at various areas of information security. In order to better understand Microsoft strategy and offering, we talked with Yoad Dvir, Cyber Security Lead at Microsoft, about the Microsoft new security pillars:  Monitoring, Threat Protection and Information Protection.

Timing:

 0:00 - Introducing our guest

5:45  - Introducing Microsoft security strategy

12:50 - Security monitoring pillars - Azure monitor, Sentinel, Azure analytics and more

21:10 - Microsoft Threat Protection family - Cloudapp, O365 ATP, Defender ATP, Azure ATP

30:50 - diving deeper into Cloudapp

35:30 - Microsoft Information Protection 

44:00 - summary and last words

Guest: Liran Tal

Guest title: Developer Advocate

Company:  Synk

Abstract

Open source software takes a big part in our daily lives, and also in our development environments. Many applications developers rely on open source libraries &  tools and integrating it into their code. This is a great improvement for developers allowing them to innovate quickly and efficiently. But all this good comes with a big responsibility - open source software should be carefully examined in order to make sure its reliability. In this episode we talk with Liran Tal from Synk about the growing importance of adding security evaluation of open source software in the development cycle.

Timing:

 0:00 introducing our guest

5:50 what is the challenge of open-source security

10:05 - open source security - the people angel

16:00 - open source security - the process angel

24:55 - open source security - the technology angel

29:42 summary and last words

Guest: Eran Feigenbaum

Guest title:  CSO, Oracle Cloud

Abstract

The first generation of cloud services began about 15 years ago and stretched until now, but it came with many built-in challenges due to lack of maturity and the fact that security was added on top and not present from the start. In this episode we talk with Eran Feigenbaum, CISO of Oracle cloud about the next generation of cloud services - how can we build cloud that is more secure,, immuned to miss-configuration and other pitfalls that are relevant to today's cloud services.

Timing:

0:00 introducing our guest

5:40 Generation one of cloud infrastructure

8:40 so what is second generation of cloud infrastructure

10:30 how Oracle is planning to change the cloud market

11:40 how second generation cloud services can help with common mistakes such as misconfiguration

13:35 what cloud provider should do in order to increase security

16:05 how cloud providers can  be proactive with their customers

19:00 handling miss-configuration such as open buckets and lost API’s keys

23:40 summary and last words

Guest: Menny Barzilay

Guest title: Partner @ Herzog Strategic, CTO, ICRC, Tel Aviv University

Abstract

For our 20’ish episode we spoke with a very special guest, the one and only - Menny Barzilay.  Menny is one of the most interesting speakers in the cyber landscape, he is an expert in simplifying complex concepts, integrating interesting stories and great examples into stimulating review of technology challenges we are facing as a community.

In this episode we talk with Menny about Privacy - why it is so hard to define what exactly is privacy in the modern age, what people miss about the concepts of privacy and how this affects our everyday lives. This talk will make you laugh, will make you sad and definitely will make you think. We hope you will enjoy listening to it as much as we enjoyed recording it. 

Comment: since this is more of a lecture and not a regular podcast, we didn't add our regular podcast timing. Enjoy!

Timing:

0:00 introducing our guest

5:25 Privacy 

Guest: Or Kamara

Guest Title:  Senior team lead 

Company:  Synk

Abstract

Cloud computing can bring interesting and new attack vectors. In this episode, we talk with Or Kamara, Senior team lead at Synk, about the Capital-one hacking and what can be learned from the event in order to better protect our networks. We will analyze the attack step by step and add mitigating controls that can help in preventing the next attack.

Timing:

0:35 Introducing our guest

4:10 introducing the story the capital one hack 

5:45 The phases of the Capital One hack

7:50 The first misconfiguration - servers exposed to the internet unintentionally

11:05 the SSRF vulnerability and understanding meta-data service

19:38 Using API keys for browsing S3 and how to mitigate it

26:00 things that Capital One did right and additional insights

28:00 how should developers and IT 

30:50 shifting from traditional security to new cloud security mindset

36:00 summary and final words

Guest: Bar Hofesh

Guest Title:  Co-Founder

Company:  Neurolegion

Abstract

Application security is among the hardest things to get right. In this episode we are talking with Bar Hofesh from Neurolegion about the world of automated security testing - what are the challenges, what are the different stages of integration and delivery and how to perform each stage correctly.

Timing:

0:50 - introducing our guest

2:58 - the need to automate security testing - the challenge of developing faster

7:15 - so what is testing automation - describing the process - the code  integration stage

13:50  - security testing the packing and delivery stage

18:50 - testing live application stage

20:20 - appsec finding strategy - what do when found an alert

22:20 - Static analysis vs. dynamic analysis

24:58 - emerging technologies - RASP, IAST

30:50 - Is there still room for manual penetration testing?

34:05 - summary and last words

Guest: Oz Avenstein

Guest Title:  Founder

Company:  Avensec

Abstract

Penetration tests are one of the strongest controls that we use. It is testing the overall resilience of our application and allows us to be more confident in our workloads. But in the cloud era, cloud applications pen testing needs to be coordinated with the providers. In this episode we talk with Oz Avenstein, an application security expert, about the challenges of cloud penetration testing and how to do it correctly.

Timing:

0.50 introducing our guest

3.40 How is cloud penetration tests different from regular pen tests?

5.01 elaborating about IaaS/PaaS particular pen test policies 

8.45 pen testing SaaS applications 

11.05 relaying on 3rd party pen testing

12.02 cloud pen test considerations and phases

17.35 the actual pen testing 

21.20 the reporting phase

23.40 incorporating pen test into applications development cycle 

34:00 Summary and last words

Guest: Ori Troyna

Guest title: Global head of product security at Payu

Company: Payu

Abstract

Payu, a global fintech gaint acquired Zooz , a small payment startup.  In this episode we talk with Ori Troyna, Global head of product security at Payu about the challenges that such a merger between two very different companies with different engineering methodologies and how they cope with those challenges.

Timing:

1.14 Ori introduce himself

11.40 challenges of merging small companies into financial giants. Integrating different technologies stacks into one. 

 18.33 how to build the organizational structure the consolidate the different companies and technology stacks

 21.30 understanding the acquisition considerations of PayU and its effect on security considerations 

 27.0 solving the consolidation challenges - the people angel. Moving to tribes and clans and providing security goals

 34.30 the difference between product security and IT security 

 36.0 solving the consolidation challenges - the process angel. How to integrate different tribes and clans to create one joint development backlog and mature devops 

 46.40 solving the consolidation challenges - the technology angel. Building global infrastructure that support multiple projects 

53.22 summary and last words

Guest: Tal Arad

Guest title: Former CISO

Company: CEVA logistics

Abstract

Consuming SaaS from various vendors can be a challenging task, the first challenge is to distinguish who are the mature providers that you can trust your data with, and the second challenge is auditing them and their services. In this episode we talk with Tal Arad, former CISO of CEVA logistics about the challenges of selecting SaaS providers and how to auditing them wisely.

Timing:

0:35 introducing our guest

02:30 Introducing Ceva Logistics and the CISO challenges

5:55 How to get started in as a new CISO 

9:20 Challenges with SaaS providers - distinguishing between mature and immature

Providers

16:15 tips for selecting SaaS providers

22:30 what happens when something happens and choosing providers carefully

24:50 Tips for managing ongoing relationships with SaaS providers

34:27 Summary and final words

Guest: Oded Hareven

Guest title:  Founder & CEO

Company:  A-Key-Less

Abstract

Application Secret management is becoming one of the biggest challenges for application security. With cloud, CI/CD and micro services architecture we discover that we are using a growing number of encryption keys, API keys, SSH keys tokens and connection strings. In this episode we talk with Oded HarEven, Founder at A-Key-Less about the challenges of secret management and the way to build secure secret management solution.

Timing

Guest: Vladi Sandler

Guest title: Cloud Security team leader

Company: cymotive.com

Abstract

Gaining trust and developing awareness with customers is one of the hardest challenges for providers. It is almost an art. In this episode we talk with Vladi Sandler from Cymotive about creating healthy relationships with customers and how a mixture of personal awareness and technical proficiency are crucial in the customer-provider relationships.

Timing:

0:25 introducing our guest

03:30 Introducing Cymotive  

5:55 Cymotive challenges with their market targets

10:10 relevant Security teams for protecting automotive 

11:50 The concepts of car security

13:55 Challenges when creating trust - The people angle

17:48 Challenges when creating trust - The process angle

22:00 Challenges when creating trust - The technology angle

27:50 Summary and final words

Guest: Tsachi Lutaty

Guest title: R&D manager

Company: PlainID

Abstract

In the past years we have reached important progress in authentication. Multi factor authentication and Identity  Federation solved many of the identity authentication challenges. So it is now time to focus on the second aspect of Identity & Access Management - the aspect of Identity Authorization.  In this podcast we are talking with Tsachi Lutaty, R&D manager for PlainID, about the move from Role based access controls to Policy based access controls and how organizations can better engineer their authorization scheme and policies.

Timing:

0:41 introducing our guest

1:25 Introducing PlainID 

2:45 Authorization challenges - what are modern authorization challenges

8:00 Role based access control vs. Attribute / Policy  based access control 

15:30 Existing authorization standards  

18:58 How can we better engineer authorization system - The technology angle

26:15 How can we better engineer authorization system - The process angle

29:30 How can we better engineer authorization system - The people angle

32:50 Summary and final words

Guest: Eliav Gnessin

Guest title: CTO

Company: DeviceTone

Abstract

 IOT present one of the hottest topics in the industry today. In this episode we talk with Eliav Gnessin, CTO for DeviceTone, about securely engineering IOT solution end to end. During the episode Eliav guides us through IOT journey starting from the chipset of the device itself and all the way up to the IOT cloud based management. Eliav will explain about different implementations consideration, latest developments in the market and the efforts made by chipmakers & cloud provider to create more secure IOT.

Timing

Guest: Nir Valtman

Guest title:  Product security lead

Company:  Finastra

Abstract

Fintech companies drive cloud security forward by setting the highest bar of requirements on cloud providers. In this episode we talk with Nir Valtman, Product security leader at Finastra about the challenges of Fintech companies and dive into API Authentication and Authorization best practices and building eco-system that can support trust between banks and young fintech companies.

Timing

Guest: Shira Shamban

Guest title:  Cloud Security

Company:  Check Point (Dome9)

Cloud providers has invested heavily in adding visibility, monitoring and logging capabilities of networking and administrative activities. In this session with talk with Shira Shamban, a cloud security expert from Check Point about the challenges of collecting the different logs exist in cloud platforms and the challenges of gaining insights from them.

Abstract

Cloud providers has invested heavily in adding visibility, monitoring and logging capabilities of networking  and administrative activities. In this session with talk with Shira Shamban, a cloud security expert from Check Point about the challenges of collecting the different logs exist in cloud platforms  and the challenges of gaining insights from them.

Guest: Beau Woods

Guest title:  Member

Company:  We-Are-The-Cavalry, Atlantic Council

Abstract

IOT devices such as Medical embedded devices, autonomous vehicle and smart homes are currently the Achilles heel of information security. The technology is advancing fast, but the security frameworks are not advancing at the same pace. In this episode we talk with Beau woods, founder for I-am-the-cavalry, about the steps governments, regulators and vendors should take in order to produce safer IOT devices.

Timing

Guest: Damir Savanović

Guest title: Senior researcher

Company: Cloud Security Alliance

Abstract

Creating trust is one of the major challenges for cloud providers and consumers, without trust customers will not be able to move workloads into cloud environments, but trust is a very elusive term that is hard to achieve. In  this episode we talk with Damir Savanović from the Cloud Security Alliance on how cloud providers and consumers can use certifications for increasing trust and how is CSA preparing to the new requirements of continuous monitoring that are arriving with the new EU cyber laws.

Timing

Guest: Olaf Streutker

Guest title: CISO Advisor

Company: ABN Amro

Abstract

The Cloud Octagon Model is a new framework for cloud adoption (mostly SaaS adoption). The model was designed in cooperation between ABN-Amro and the Cloud Security Alliance and assists organizations to identify, represent, and assess risks in the context of their cloud implementation across multiple factors by introducing a logical approach to holistically dealing with security aspects involved in moving to the cloud.

Link to CSA Cloud Octagon Model:

https://cloudsecurityalliance.org/artifacts/cloud-octagon-model/

Timing

Guest: Guy Flechter

Guest title: CISO

Company: AppFlayer

Abstract

One of the biggest challenges facing software companies is how to make sure security policies are enforced across the development cycle without holding R&D ability to innovate. In this episode, Guy Flechter, CISO for Appsflyer, will elaborate on the way he  is providing R&D guidelines and support while keeping them motivated and committed to security.

Timing

Guest: Demi Ben Ari

Guest title: CTO

Company: Panorays

Abstract

K8 is rapidly becoming the leading orchestration tool and infrastructure for many companies applications. K8 bring tremendous advantages, provide operations with flexibility and enabling multi cloud deployments. But with all that good there are also challenges. In this podcast we talk with Demi Ben Ari, Founder and R&D at Panorays, A saas company that deployed K8 as infrastructure for fleet of scanners and crawlers. Demi will share his experience with the platform and steps he took in order to utilize most benefits from K8.

Guest: Evgeny Zislis

Guest title:  CTO

Company:  ProdOPS

Abstract

Over 90% of IaaS/PaaS security incidents happens on consumer fault. Cloud platforms are complicated, with steep learning curve and it is easy to make mistakes. In this podcast, we talk with Evgeny Zislis, CTO for ProdOPS about the common IaaS/PaaS security mistakes and misconfigurations, categorize them and talk about measures to reduce those mistakes and identify them on time. 

Timing:

0:00 – 2:10 - intro and introducing our guest

2:10 -   31:05 - What are the common cloud misconfiguration and mistakes 

• Improper security group configuration
• Object storage negligence - open buckets on s3
• Insecure storing of API/Access Keys - config file in open Github repo is not the best place to store access keys
• Vulnerable servers exposed (exposing your 5 years old, not updated linux server is not recommended)
• Fail to segregate different services into different accounts / vpc / subnets
• Everyday use of root account and relying on one account only

31:05 -  34:20  Avoiding cloud misconfigurations:  the process angle

34:20 -  38:33 Avoiding cloud misconfigurations:  the people angle

38:33 -  49:00 Avoiding cloud misconfigurations:  the technology angle   

49.00 – 52:00 Summary and conclusions

Guest: Yuval Reut, 

Guest title:  CIO & CISO 

Company:  Riskified 

Micro-services can bring enormous benefits into the organizations – giving flexibility and driving innovation. But Micro-services are also challenging from a security point of view. In this podcast, Yuval Reut, CIO & CISO for Riskified, will share his experience of moving an entire monolith application to a group of integrated micro services.

Timing:

0:00 – 3:39 - intro and learning about Riskified

3:39 - 9:55 - CISO & CIO positions at SaaS startups

9:55 - 12:20 - moving from Monolith to Microservices – reasons for the move.

12:20 - 19:30 - technology challenges when moving to Micro services

19:30 - 25:00 - People challenges when moving to Micro services

25:00 – 29:35 - Process challenges when moving to Micro services       

29.40 – 33:00 - Summary and conclusions

Guest: Ory Segal, Puresec

Guest title:  CTO & Co-Founder at PureSec

Company:  Puresec is the global leader in serverless architectures security.

Serverless functions are one the most interesting things that is happening in architecture of application development. With Serverless, application developers can stop worry about the underlying infrastructure and scalability of the application, but they must address other risks at application level. In this podcast we are interviewing Puresec CTO, Ory Segal , co-author of the top 12 risks to serverless applications

Timing

0:00 – 2:35 – intro

2:35 – 8:05 - what are Serverless functions

8:05- 12:20 - how Serverless is different (security wise)

12:20 -  19:40 - Serverless risks & threats

19:40 -  24:00 - common mistakes and misconfiguration with Serverless

24:00 – 29:30 - Serverless effect on people, process and technology

29:30 – 37:00 – Summary and conclusions