O'Reilly Security Podcast - O'Reilly Media Podcast

43 episodes - English - Latest episode: over 6 years ago - ★★★ - 2 ratings

Security insight and analysis.

Business Technology

Episodes

Rich Smith on redefining success for security teams and managing security culture

December 06, 2017 11:50 - 50 minutes - 48.6 MB

The O’Reilly Security Podcast: The objectives of agile application security and the vital need for organizations to build functional security culture. In this episode of the Security Podcast, I talk with Rich Smith, director of labs at Duo Labs, the research arm of Duo Security. We discuss the goals of agile application security, how to reframe success for security teams, and the short- and long-term implications of your security culture. Here are some highlights: Less-disruptive security...

Christie Terrill on building a high-caliber security program in 90 days

November 22, 2017 13:15 - 27 minutes - 26.2 MB

The O’Reilly Security Podcast: Aligning security objectives with business objectives, and how to approach evaluation and development of a security program. In this episode of the Security Podcast, I talk with Christie Terrill, partner at Bishop Fox. We discuss the importance of educating businesses on the complexities of “being secure,” how to approach building a strong security program, and aligning security goals with the larger processes and goals of the business. Here are some highligh...

Susan Sons on building security from first principles

November 08, 2017 11:55 - 17 minutes - 16.9 MB

The O’Reilly Security Podcast: Recruiting and building future open source maintainers, how speed and security aren’t mutually exclusive, and identifying and defining first principles for security. In this episode of the Security Podcast, O’Reilly’s Mac Slocum talks with Susan Sons, senior systems analyst for the Center for Applied Cybersecurity Research (CACR) at Indiana University. They discuss how she initially got involved with fixing the open source Network Time Protocol (NTP) project, ...

Charles Givre on the impetus for training all security teams in basic data science

October 25, 2017 13:30 - 27 minutes - 26.3 MB

The O’Reilly Security Podcast: The growing role of data science in security, data literacy outside the technical realm, and practical applications of machine learning. In this episode of the Security Podcast, I talk with Charles Givre, senior lead data scientist at Orbital Insight. We discuss how data science skills are increasingly important for security professionals, the critical role of data scientists in making the results of their work accessible to even nontechnical stakeholders, and...

Andrea Limbago on the effects of security’s branding problem

October 12, 2017 14:24 - 26 minutes - 25.3 MB

The O’Reilly Security Podcast: The multidisciplinary nature of defense, making security accessible, and how the current perception of security professionals hinders innovation and hiring. In this episode of the Security Podcast, I talk with Andrea Limbago, chief social scientist at Endgame. We discuss how the misperception of security as a computer science skillset ultimately restricts innovation, the need to make security easier and accessible for everyone, and how current branding of sec...

Window Snyder on the indispensable human element in securing your environment

September 28, 2017 15:14 - 16 minutes - 16.1 MB

The O’Reilly Security Podcast: Why tools aren’t always the answer to security problems and the oft-overlooked impact of user frustration and fatigue. In this episode of the Security Podcast, I talk with Window Snyder, chief security officer at Fastly. We discuss the fact that many core security best practices aren’t easy to achieve with tools, the importance of not discounting user fatigue and frustration, and the need to personalize security tools and processes to your individual environme...

Chris Wysopal on a shared responsibility model for developers and defenders

September 13, 2017 17:00 - 36 minutes - 34.7 MB

The O’Reilly Security Podcast: Shifting secure code responsibility to developers, building secure software quickly, and the importance of changing processes. In this episode of the Security Podcast, I talk with Chris Wysopal, co-founder and CTO of Veracode. We discuss the increasing role of developers in building secure software, maintaining development speed while injecting security testing, and helping developers identify when they need to contact the security team for help. Here are som...

Scott Roberts on intelligence-driven incident response

August 30, 2017 11:00 - 27 minutes - 26.8 MB

The O’Reilly Security Podcast: The open-ended nature of incident response, and how threat intelligence and incident response are two pieces of one process. In this episode of the Security Podcast, I talk with Scott Roberts, security operations manager at GitHub. We discuss threat intelligence, incident response, and how they interrelate. Here are some highlights: Threat intelligence should affect how you identify and respond to incidents Threat intelligence doesn't exist on its own. It r...

Jack Daniel on building community and historical context in InfoSec

August 17, 2017 11:55 - 42 minutes - 41.2 MB

The O'Reilly Security Podcast: The role of community, the proliferation of BSides and other InfoSec community events, and celebrating our heroes and heroines. In this episode of the Security Podcast, I talk with Jack Daniel, co-founder of Security BSides. We discuss how each of us (and the industry as a whole) benefits from community building, the importance of historical context, and the inimitable Becky Bace. Here are some highlights: The indispensable role and benefit of community buil...

Jay Jacobs on data analytics and security

August 02, 2017 11:05 - 28 minutes - 27.4 MB

The O’Reilly Security Podcast: The prevalence of convenient data, first steps toward a security data analytics program, and effective data visualization. In this episode of the Security Podcast, Courtney Nash, former chair of O’Reilly Security conference, talks with Jay Jacobs, senior data scientist at BitSight. We discuss the constraints of convenient data, the simple first steps toward building a basic security data analytics program, and effective data visualizations. Here are some high...

Katie Moussouris on how organizations should and shouldn’t respond to reported vulnerabilities

July 19, 2017 13:45 - 32 minutes - 30.8 MB

The O’Reilly Security Podcast: Why legal responses to bug reports are an unhealthy reflex, thinking through first steps for a vulnerability disclosure policy, and the value of learning by doing. In this episode, O’Reilly’s Courtney Nash talks with Katie Moussouris, founder and CEO of Luta Security. They discuss why many organizations have a knee-jerk legal response to a bug report (and why your organization shouldn’t), the first steps organizations should take in formulating a vulnerability...

Alex Pinto on the intersection of threat hunting and automation

July 05, 2017 14:40 - 44 minutes - 42.3 MB

The O’Reilly Security Podcast: Threat hunting’s role in improving security posture, measuring threat hunting success, and the potential for automating threat hunting for the sake of efficiency and consistency. In this episode, I talk with Alex Pinto, chief data scientist at Niddel. We discuss the role of threat hunting in security, the necessity for well-defined process and documentation in threat hunting and other activities, and the potential for automating threat hunting using supervised...

Amanda Berlin on defensive security fundamentals

June 21, 2017 14:10 - 33 minutes - 32.1 MB

The O’Reilly Security Podcast: How to approach asset management, improve user education, and strengthen your organization’s defensive security with limited time and resources. In this episode, I talk with Amanda Berlin, security architect at Hurricane Labs. We discuss how to assess and develop defensive security policies when you’re new to the task, how to approach core security fundamentals like asset management, and generally how you can successfully improve your organization’s defensive ...

Kimber Dowsett on developing and maturing a vulnerability disclosure program

June 07, 2017 10:35 - 32 minutes - 31.6 MB

The O’Reilly Security Podcast: Key preparation before implementing a vulnerability disclosure policy, the crucial role of setting scope, and the benefits of collaborative relationships. In this episode, I talk with Kimber Dowsett, security architect at 18F. We discuss how to prepare your organization for a vulnerability disclosure policy, the benefits of starting small, and how to apply lessons learned to build better defenses. Here are some highlights: Gauging readiness for a vulnerabil...

Kelly Shortridge on overcoming common missteps affecting security decision-making

May 24, 2017 10:35 - 29 minutes - 28.4 MB

The O’Reilly Security Podcast: How adversarial posture affects decision-making, how decision trees can build more dynamic defenses, and the imperative role of UX in security. In this episode, I talk with Kelly Shortridge, detection product manager at BAE Systems Applied Intelligence. We talk about how common cognitive biases apply to security roles, how decision trees can help security practitioners overcome assumptions and build more dynamic defenses, and how combining security and UX coul...

Dave Lewis on the tenacity of solvable security problems

May 10, 2017 12:00 - 13 minutes - 12.9 MB

The O’Reilly Security Podcast: Compounding security technical debt, the importance of security hygiene, and how the speed of innovation reintroduces vulnerabilities. In this episode, I talk with Dave Lewis, global security advocate at Akamai. We talk about how technical sprawl and employee churn compounds security debt, the tenacity of solvable security problems, and how the speed of innovation reintroduces vulnerabilities. Here are some highlights: How technical sprawl and employee churn...

Parvez Ahammad on applying machine learning to security

April 26, 2017 11:55 - 44 minutes - 42.7 MB

The O’Reilly Security Podcast: Scaling machine learning for security, the evolving nature of security data, and how adversaries can use machine learning against us. In this special episode of the Security Podcast, O’Reilly’s Ben Lorica talks with Parvez Ahammad, who leads the data science and machine learning efforts at Instart Logic. He has applied machine learning in a variety of domains, most recently to computational neuroscience and security. Lorica and Ahammad discuss the challenges o...

Katie Moussouris on procuring and processing bug reports

April 12, 2017 17:45 - 31 minutes - 30.7 MB

The O’Reilly Security Podcast: The five stages of vulnerability disclosure grief, hacking the government, and the pros and cons of bug bounty programs. In this episode, I talk with Katie Moussouris, founder and CEO of Luta Security. We discuss the five stages of vulnerability disclosure grief, hacking the government, and the pros and cons of bug bounty programs. Here are some highlights: The five stages of vulnerability disclosure grief There are two kinds of reactions we see from organi...

Allison Miller on making security better and easier for everyone

March 29, 2017 12:15 - 32 minutes - 31.6 MB

The O’Reilly Security Podcast: Focusing on defense, making security better for everyone, and how it takes a village. In this episode, I talk with Allison Miller, product manager for secure browsing at Google and my co-host of the O’Reilly Security conference, which is returning to New York City this fall. We discuss the importance of having an event focused solely on defense, what we’re looking forward to this year, and some notable ideas and topics from the call for proposals. Here are so...

Scout Brody on crafting usable and secure technologies

March 15, 2017 11:19 - 13 minutes - 13.2 MB

The O’Reilly Security Podcast: Building systems that help humans, designing better tools through user studies, and balancing the demands of shipping software with security. In this episode, O’Reilly Media’s Mac Slocum talks with Scout Brody, executive director of Simply Secure. They discuss building systems that help humans, designing better tools through user studies, and balancing the demands of shipping software with security. Here are some highlights: Building systems that help humans...

Jessy Irwin on making security understandable for everyone

March 01, 2017 14:50 - 36 minutes - 35.2 MB

The O’Reilly Security Podcast: Speaking other people’s language, security for small businesses, and how shame is a terrible motivator. In this episode, I talk with Jessy Irwin, VP of security and privacy at Mercury Public Affairs. We discuss how to communicate security to non-technical people, what security might look like for small businesses, and moving beyond shame. We also meet her neighborhood gang of grannies who’ve learned how to hack back. Here are some highlights: Speaking other ...

Doug Barth and Evan Gilman on Zero Trust networks

February 15, 2017 11:00 - 35 minutes - 34 MB

The O’Reilly Security Podcast: The problem with perimeter security, rethinking trust in a networked world, and automation as an enabler. In this episode, I talk with Doug Barth, site reliability engineer at Stripe, and Evan Gilman, Doug’s former colleague from PagerDuty who is now working independently on Zero Trust networking. They are also co-authoring a book for O’Reilly on Zero Trust networks. They discuss the problems with traditional perimeter security models, rethinking trust in a ne...

Susan Sons on maintaining and securing the internet’s infrastructure

February 01, 2017 12:15 - 17 minutes - 16.9 MB

The O’Reilly Security Podcast: Saving the Network Time Protocol, recruiting and building future open source maintainers, and how speed and security aren’t at odds with each other. In this episode, O’Reilly’s Mac Slocum talks with Susan Sons, senior systems analyst for the Center for Applied Cybersecurity Research (CACR) at Indiana University. They discuss how she initially got involved with fixing the open source Network Time Protocol (NTP) project, recruiting and training new people to hel...

Steven Shorrock on the myth of human error

January 18, 2017 12:20 - 33 minutes - 32.1 MB

The O’Reilly Security Podcast: Human error is not a root cause, studying success along with failure, and how humans make systems more resilient. In this episode, I talk with Steven Shorrock, a human factors and safety science specialist. We discuss the dangers of blaming human error, studying success along with failure, and how humans are critical to making our systems resilient. Here are some highlights: Humans are part of complex sociotechnical systems For several decades now, human er...

Fang Yu on machine learning and the evolving nature of fraud

January 04, 2017 11:00 - 27 minutes - 26.4 MB

The O’Reilly Security Podcast: Sniffing out fraudulent sleeper cells, incubation in money transfer fraud, and adopting a more proactive stance. In this episode, O’Reilly’s Jenn Webb talks with Fang Yu, cofounder and CTO of DataVisor. They discuss sniffing out fraudulent sleeper cells, incubation in money transfer fraud, and adopting a more proactive stance against fraud. Here are some highlights: Catching fraudsters while they sleep Today's attackers are not using single accounts to cond...

Cory Doctorow on the real-life dangers of DRM

December 21, 2016 16:50 - 47 minutes - 45.3 MB

The O’Reilly Security Podcast: DRM in unexpected places, artistic and research hindrances, and ill-anticipated consequences. In this best of 2016 episode, I revisit a conversation from earlier this year with Cory Doctorow, a journalist, activist, and science fiction writer. We discuss the unexpected places where digital rights management (DRM) pops up, how it hinders artistic expression and legitimate security research, and the ill-anticipated (and often dangerous) consequences of copyright...

Ame Elliot on designing for usable security and privacy

December 07, 2016 12:20 - 19 minutes - 18.4 MB

The O’Reilly Security Podcast: Designing for security and privacy, noteworthy tools, and the real-world consequences of design. In this episode, O’Reilly’s Mary Treseler talks with Ame Elliot, design director at Simply Secure. They discuss designing for security and privacy, noteworthy tools, and the real-world consequences of design. Here are some highlights: Designing for usable security and privacy Privacy and security are tightly interrelated. Privacy, or confidentiality, is one tech...

Richard Moulds on harnessing entropy for a more secure world

November 23, 2016 12:45 - 29 minutes - 28.4 MB

The O’Reilly Security Podcast: Randomness, our dependence on entropy for security and privacy, and rating entropy sources for more effective encryption. In this episode, I talk with Richard Moulds, vice president of strategy and business development at Whitewood Encryption. We discuss whether random number generation is as random as some might think and the implications that has on securing systems with encryption, how to harness entropy for better randomness, and emerging standards for eva...

Gilad Rosner on privacy in the age of the Internet of Things

November 23, 2016 12:20 - 35 minutes - 34.3 MB

The O’Reilly Hardware Podcast: Safeguarding against new privacy risks. In this episode of the O’Reilly Hardware Podcast, Jeff Bleiel and I speak with Gilad Rosner, a privacy and information policy researcher, and the founder of the Internet of Things Privacy Forum. Rosner is also the author of the recently-published free O’Reilly ebook, “Privacy and the Internet of Things.” Discussion points: Current concerns about how widely information collected by IoT devices will be shared Current a...

Efrain Ortiz on digital disease control

November 09, 2016 11:00 - 34 minutes - 32.7 MB

The O’Reilly Security Podcast: Thinking like an epidemiologist, using data and patterns, and escaping reactive tendencies. In this episode, I talk with security architect Efrain Ortiz. We discuss how epidemiology can be applied to infosec, the parallels between using data and patterns to diagnose disease and find endpoint problems, and how to think like an epidemiologist in order to get out of reactive approaches to security at your own organization. Here are some highlights: Epidemiologi...

Brendan O’Connor on security as a monoculture

October 26, 2016 15:50 - 40 minutes - 39.1 MB

The O’Reilly Security Podcast: Building cathedrals, empowering the watchers, and breaking out of the security monoculture. In this episode, I talk with Brendan O’Connor, a security researcher, lawyer (but not your lawyer) and owner of security consulting firm Malice Afterthought. We discuss creating a culture that celebrates collaborative teamwork over harried heroes, how monitoring and checklists really can save lives, and breaking out of the security monoculture. Here are some highlights...

Dan Kaminsky on creating an NIH for the security industry

October 12, 2016 11:35 - 28 minutes - 27.5 MB

The O’Reilly Security Podcast: Coarse-grained security, embracing the ephemeral, and empathy for everyone. In this episode, I talk with Dan Kaminsky, founder and chief scientist at White Ops. We discuss what a National Institutes of Health (NIH) for security would look like, the pros and cons of Docker and ephemeral solutions, and how the mere act of listening to people better can improve security for everyone. Here are some highlights: Creating an NIH for security research The hard trut...

Josh Corman on the challenges of securing safety-critical health care systems

September 28, 2016 13:15 - 49 minutes - 47.1 MB

The O’Reilly Security Podcast: Where bits and bytes meet flesh, misaligned incentives, and hacking the security industry itself. In this episode, I talk with Josh Corman, co-founder of I Am the Cavalry and director of the Cyber Statecraft Initiative for the non-profit organization Atlantic Council. We discuss his recent work advising the White House and Congress on the many issues lurking in safety-critical systems in the health care industry, the misaligned incentives across health care, r...

Kyle Rankin on modern server hardening for the cloud

September 14, 2016 11:50 - 33 minutes - 32 MB

The O’Reilly Security Podcast: Modern server hardening, institutional inertia, and new approaches to desktop security. In this episode, I talk with Kyle Rankin, vice president of engineering operations at Final, a credit card startup. We discuss old versus new approaches to server hardening in light of the cloud, how institutional inertia thwarts change, and the new security-minded desktop OS Qubes. Here are some highlights: Organizational inertia and security To me, a pretty big problem...

Meredith Patterson on using language to build trustworthy systems

August 31, 2016 11:00 - 33 minutes - 31.7 MB

The O’Reilly Security Podcast: The origins of LangSec, rigidity vs. robustness, and using game theory to make security better for everyone. In this episode, I talk with Meredith Patterson, a software engineer and leader of the Langsec Conspiracy. We discuss the origins of LangSec, rigidity versus robustness, and game theory as it applies to organizational approaches to security. Here are some highlights: The origins of LangSec One evening I was having dinner with another fellow grad stud...

Cory Doctorow on legally disabling DRM (for good)

August 17, 2016 14:20 - 47 minutes - 45.4 MB

The O’Reilly Security Podcast: The chilling effects of DRM, nascent pro-security industries, and the narrative power of machines. In this episode, I talk with Cory Doctorow, a journalist, activist, and science fiction writer. We discuss the EFF lawsuit against the U.S. government, the prospect for a whole new industry of pro-security businesses, and the new W3C DRM specification. Here are some highlights from our discussion around DRM: How to sue the government: Taking on the DMCA We [E...

Chris Eng on the challenges of improved application security

August 03, 2016 11:30 - 29 minutes - 28.2 MB

The O’Reilly Security Podcast: Vulnerabilities in assembled software and the need for immediate developer feedback. In this episode, I talk with Chris Eng, vice president of research at Veracode, a software security-as-a-service business. We discuss Veracode’s research on application security across a broad spectrum of industries, the challenges of securing modern “assembled” software, and making it easier for developers to bake in security from the get-go. Here are some highlights: Soft...

Guy Podjarny on making open source more secure

July 20, 2016 11:00 - 30 minutes - 29.1 MB

The O’Reilly Security Podcast: DevOps, risk reduction, and vulnerabilities in open source. In this episode, I talk with Guy Podjarny, founder of Snyk, a developer tooling company focused on securing open source alongside building a business. We discuss the parallel paths between the transformation from Ops teams to DevOps and where security teams are right now, building security tools focused on the people who will be using them, and who owns the problem of vulnerabilities in open source. ...

Eleanor Saitta on security as a product of shared human outcomes

July 06, 2016 11:15 - 26 minutes - 25.7 MB

The O’Reilly Security Podcast: Systems, design, and emergent social structures. In this episode, I talk with Eleanor Saitta, a security architect at Etsy. We talk about how security isn’t really about what happens to computers—it’s about what happens to the people using those systems; the relationship between design and security; and shifting the industry’s focus to think about security as a product of shared human outcomes. Here are some highlights: Security is about what happens to peop...

Jay Jacobs on the importance of statistical literacy in security

June 22, 2016 15:00 - 28 minutes - 54.5 MB

The O’Reilly Security Podcast: Statistical literacy, machine learning, and data visualization. In this episode of the Security Podcast, I talk with Jay Jacobs, senior data scientist at BitSight. We discuss the disparity between intuition and analytics in data science, the limitations of unsupervised machine learning, and the challenges of creating effective data visualizations. Here are some highlights: Intuition vs. analytics It comes down to this battle between intuition versus data an...

Jack Whitsitt on the need to band together to make security better for everyone

June 08, 2016 11:00 - 24 minutes - 46.5 MB

The O’Reilly Security Podcast: Language as a uniter (or divider), the illusion of control, and how security is made of people. In this episode, I talk with Jack Whitsitt, senior strategist at EnergySec. We discuss the ways in which language can either divide or unite people and organizations, the illusion of control when it comes to security, and how any model or framework for security must include people in order to have any chance of success. Here are some highlights: Language can unit...

Allison Miller on the need for defenders to step out of the shadows and share their stories

May 26, 2016 11:50 - 37 minutes - 72.1 MB

The O’Reilly Security Podcast: Risk as an emergent property of complex systems, the downsides of security by obscurity, and the new O’Reilly Security Conference. In this inaugural episode of the O’Reilly Security Podcast, I talk with Allison Miller, a product manager at Google and my co-chair for the new O’Reilly Security Conference. We discuss her evolving understanding of the nature of risk and fraud in complex systems; the role of humans in technical systems; the cultural downsides of se...

Ari Gesher and Kipp Bradford on security and the Internet of Things

December 03, 2015 00:00 - 44 minutes - 81.3 MB

The O’Reilly Hardware Podcast: Evolving expectations for privacy. In this episode of our newly renamed Hardware Podcast, I talk with Ari Gesher, engineering ambassador at Palantir Technologies, and Kipp Bradford, research scientist at the MIT Media Lab. Gesher is the co-author of The Architecture of Privacy: On Engineering Technologies that Can Deliver Trustworthy Safeguards. Bradford is co-author of Distributed Network Data: From Hardware to Data to Visualization, and he's spoken twice at...

Guests

Cory Doctorow 2 Episodes
Kyle Rankin 1 Episode

Twitter Mentions

@k8em0 2 Episodes
@hedgemage 2 Episodes
@macslocum 2 Episodes
@jayjacobs 2 Episodes
@richardmoulds 1 Episode
@ortizonline 1 Episode
@dakami 1 Episode
@scouttle 1 Episode
@dymaxion 1 Episode
@kylerankin 1 Episode
@joshcorman 1 Episode
@evan2645 1 Episode
@giladrosner 1 Episode
@jessysaurusrex 1 Episode
@bigdata 1 Episode
@gattaca 1 Episode
@window 1 Episode
@kippworks 1 Episode
@alephbass 1 Episode
@limbagoa 1 Episode