Cyber Security & Cloud Podcast artwork

CSCP S03EP23 - Chris Hughes - Demystifying Application Security Programs

Cyber Security & Cloud Podcast

English - February 19, 2023 22:26 - 31 minutes - 58 MB
Technology News Tech News Homepage Download Google Podcasts Overcast Castro Pocket Casts RSS feed
Previous Episode: CSCP S03EP22 - Anshuman Bhartiya - Demystifying Application Security Programs
Next Episode: CSCP S03EP24 - Ollie Whitehouse - Vulnerabilities - SBOM and the evolution of the Cyber ned


 


Chris Hughes is a Proven Cloud/Cybersecurity leader with nearly 20 years of experience in the Federal and commercial industries. Chris is an active blogger, passionate about all things cyber and a published author of books like Software Transparency. 


 


The episode is brought to you by Phoenix Security; get in control of your vulnerabilities from code to cloud with the power of Phoenix. ACT Now on the vulnerabilities that matter most and reduce your exposure to modern attacks. See it for yourself. Go to https://www.phoenix.security for a free 14-day licence.


 


1:12 Introductions


4:45 regulation and federal space


6:40 Software supply chain attacks


8:40 SSDF and SBOM


11:06 Software is complex


15:00 Vulnerability to attacks, attacker mindset 


17:00 Common supply chain attacks


20:00 Cloud critiques, is cloud secure?


23:00 Business Risk, Quantifications, How to measure everything, 


24:00 FAIR and Quantification at scale


25:00 Method to evaluate vulnerability, CISA KEV, EPSS, How to triage


28:00 Why does the software supply chain get attention


30:00 Get connected


 


Chris Huges


 


https://www.linkedin.com/in/resilientcyber/ 


https://podcasts.apple.com/us/podcast/resilient-cyber/id1555928024 


https://resilientcyber.substack.com/ 


FAIR: https://www.opengroup.org/certifications/openfair 


Hot to measure anything in cyber risk: https://amzn.eu/d/hBWxJGO 


 


Cyber Security and Cloud Podcast hosted by Francesco Cipollone


Twitter @FrankSEC42


Linkedin: linkedin.com/in/fracipo 


#CSCP #cybermentoringmonday cybercloudpodcast.com 


 


Social Media Links 
Follow us on social media to get the latest episodes:
Website: http://www.cybercloudpodcast.com/
You can listen to this podcast on your favourite player:
Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463  
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ 
Linkedin: https://www.linkedin.com/company/35703565/admin/  



Twitter: https://twitter.com/podcast_cyber   



Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/ 


 


Summary Transcript (auto-generated might have some typos) 


Hello everyone and welcome back to the cybersecurity and cloud podcast, this is your host


Francesco and this is probably the last last episode that we do in 2022 is 29 of December 2022


we're almost on the end of the years but we managed to squeeze in a last episode with chris


Hughes and it's an absolute pleasure because we chris we've been interacting a lot of linking


teasing each other over a number of topics and we said you know it's the time to come on the


show and do a proper episode. So chris, thank you very much for coming on the show. Chris is


uh is a consultant to direct robot via and it's been in Air force previously, so it's very heavily


involved with a lot of us regulation around storm and around cybersecurity and the U. S. Has


faced a lot of change in late and today in the episode we're gonna dig in and explore this. But


before digging into the exciting topic of storm and software supply chain chris tell us a little bit


more about you, how did you start? How did you get us to the point where you are today? Yeah


definitely. I'm happy to give you some background. I start off active duty Air Force you know


prior to that I always had an interest in computers and technology but got joined the Air Force


and got put in cybersecurity and at the time I didn't really realize the opportunity. You


know you're just a young kid you know. Uh And and then like I started really taking an interest in


it because it was a fascinating career field and like I've never stopped you know I did four years in


the Air Force and then I've been a federal employee with the U. S. Government twice once with


the Navy doing cloud and deficit cops. And you know cyber security for them. And then also with


an organization known as G. S. A. The General Services Administration which probably isn't too


familiar for many. But like if you've heard of Fed ramp, I was part of the Fed ramp team


reviewing cloud services coming to the you know us federal market there as a security to me.


Um, and as you mentioned, I think we're definitely seeing like an evolution of the regulation in


this space, you know, in our, in our environment, in the public sector. You know, we've always


had things like Nist and uh, you know, risk management framework, Nist 853 and and you know,


think of Nist 871 for defense, industrial base and then see mm see that people are talking about


a lot now, thinking about, you know, not just software supply chain but supply chain risk


management in general, you're under your suppliers. That was a topic that's gotten a lot of


attention as of late and then, you know, obviously software supply chain, you know, it's not


necessarily a new topic. You know, you can date new google. Had a white paper recently,


they started like an incident from 1980 you know, for something where the United States did


something that Russia with software and it's like, wow, this issue has been around for a long


time, but it's gotten more and more attention, I think is, you know, we've seen open source


adoption kind of accelerate and go, you know, go crazy, everyone's using open source software.


Most modern applications are made of open source software and I think people are realizing like,


you know, I think prototype for example, had a study showing that in the last three years it's like


a 742% increase in software supply chain attacks. So malicious actors are paying


attention. And now I think that's making organizations regulators, you know, the industry pay


attention and try to respond to this brilliant. And then of course he moved over to cisa and kind


of has kept up that, you know, that momentum since then. So I think, you know, definitely solar


winds was kind of the watershed moment, I think from an attention perspective and then the


cyber street executive order and all the, all the activity has come after that. And as you


mentioned, like, you know, I think regulation is going to has and will continue to play a big part in


this. Like, you know, without regulation forcing the issue, suppliers are not necessarily


incentivized to provide this information that transparency and many, you know, I've been really


focused or interested in the economic factors of cyber. Many consider cyber to be a market


failure. They said, you know, regulation is required for the, for things to change. Um, and I think


it's, you know, it's hard to argue with that because if we just leave it up to the industry, they're


not going to necessarily provide this information. Why why would they, you know, just put some


additional risk or scrutiny? So, yeah, I think, I think we're definitely seeing a lot of changes And


security resolve doesn't seem like a massive cost. So if there isn't a regulation behind it, there


isn't a business justification to a ship with a bomb. I think the attack of one of the big


topic in cyber that is asset management in general. That is a huge debated and often


avoided topic in, cyber or in generally 90 is not even a cyber problem. And I think this one


kind of industry has now brought to the topic a problem that is like, what do we do with, what do


 

Twitter Mentions