Security Conversations
118 episodes - English - Latest episode: 16 days ago - ★★★★★ - 39 ratingsSecurity Conversations covers the business of cybersecurity, from the lens of veteran journalist and storyteller Ryan Naraine. Thoughtful conversations with security practitioners on threat intelligence, zero trust, securing cloud deployments, penetration testing, bug bounties, advancements in offensive research and targeted malware espionage activity.
Connect with Ryan on Twitter (Open DMs).
Homepage Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Episodes
Cris Neckar on the early days of securing Chrome, chasing browser exploits
April 11, 2024 17:00 - 54 minutes - 50.2 MBEpisode sponsors: Binarly, the supply chain security experts (https://binarly.io) XZ.fail backdoor detector (https://xz.fail) Cris Neckar is a veteran security researcher now working as a partner at Two Bear Capital. In this episode, he reminisces on the early days of hacking at Neohapsis, his time on the Google Chrome security team, shenanigans at Pwn2Own/Pwnium, and the cat-and-mouse battle for browser exploit chains. We also discuss the zero-day exploit marketplace, the hype and promise ...
Costin Raiu joins the XZ Utils backdoor investigation
April 05, 2024 19:00 - 51 minutes - 45.3 MBEpisode sponsors: Binarly, the supply chain security experts (https://binarly.io) XZ.fail backdoor detector (https://xz.fail) Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Tia Jan' is the handiwork of a cunning nation-state. Based on all the clues available, Costin pinpoints three main suspects -...
Katie Moussouris on building a different cybersecurity businesses
January 19, 2024 17:00 - 29 minutes - 24 MBEpisode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB). In this episode, Moussouris discusses Luta Securi...
Costin Raiu: The GReAT exit interview
January 15, 2024 18:00 - 1 hour - 85.9 MBEpisode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus. In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware ...
Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers
January 05, 2024 16:00 - 34 minutes - 33.1 MBEpisode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously ...
Allison Miller talks about CISO life, protecting identities at scale
December 21, 2023 18:00 - 38 minutes - 28.9 MBEpisode sponsors: Binarly, the supply chain security experts (https://binarly.io) FwHunt (https://fwhunt.run) Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International. In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implement...
Rob Ragan on the excitement of AI solving security problems
December 07, 2023 14:30 - 51 minutes - 39.5 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores...
Seth Spergel on venture capital bets in cybersecurity
November 21, 2023 17:30 - 28 minutes - 16.4 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.
Dan Lorenc on fixing the 'crappy' CVE ecosystem
November 14, 2023 13:00 - 41 minutes - 38.8 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are fra...
Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers
November 07, 2023 21:00 - 31 minutes - 29 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors)...
Allison Nixon on disturbing elements in cybercriminal ecosystem
November 01, 2023 18:00 - 48 minutes - 40.3 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they'r...
Dakota Cary on China's weaponization of software vulnerabilities
September 15, 2023 20:45 - 55 minutes - 49.6 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline. In this episode, Cary expands on a ne...
Abhishek Arya on Google's AI cybersecurity experiments
September 12, 2023 23:00 - 33 minutes - 29.9 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB. In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply ...
Dr Sergey Bratus on the 'citizen science' of hacking
August 31, 2023 13:00 - 40 minutes - 33 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things.
DARPA's Perri Adams on CTF hacking, new $20M AI Cyber Challenge
August 20, 2023 14:00 - 26 minutes - 24.3 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code.
Ryan Hurst on tech innovation and unsolved problems in security
August 16, 2023 14:00 - 42 minutes - 33.6 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups.
Jason Chan on Microsoft's security problems, layoffs and startups
August 07, 2023 14:00 - 27 minutes - 18.4 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Bessemer Venture Partner's Jason Chan returns to the show for a frank discussion on the state of cyber, including thoughts on Microsoft's prominent security failures, the meaning of layoffs hitting security teams, the excitement around AI, and the long road ahead. The former Netflix security chief also talks about merging of the IT and security functions and the importance of cybersecurity proving its value to the bus...
GitHub security chief Mike Hanley on secure coding, AI and SBOMs
August 02, 2023 14:00 - 40 minutes - 41.8 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) GitHub security chief Mike Hanley joins the show to discuss merging the CSO and SVP/Engineering roles, securing data and code in an organization under constant attack, the thrilling promise of AI to the future of secure code, the dangers of equating SBOMs to supply chain security, and new SEC reporting rules for CISOs.
Jason Shockey, Chief Information Security Officer, Cenlar FSB
July 26, 2023 15:00 - 33 minutes - 28.4 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Cenlar FSB security chief Jason Shockey joins the show to discuss the task of securing a financial institution, pivoting from a career in the military to the private sector, the current state of the job market, managing risk from APTs, and the mission of his My Cyberpath project.
Federico Kirschbaum on a life in the Argentina hacking scene
July 19, 2023 13:00 - 42 minutes - 31 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Faraday chief executive Federico 'Fede' Kirschbaum joins the show to talk about building a startup in the vulnerability management space, the intricacies of the Argentinian hacking culture, stories of exploit writers and mercenary hackers, and the overwhelming U.S.-centric view of the cybersecurity industry.
Kymberlee Price reflects on life at the MSRC, hacker/vendor engagement, bug bounties
July 12, 2023 16:15 - 48 minutes - 43.4 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Product security executive Kymberlee Price joins the show to gab about life in the trenches at the Microsoft Security Response Center (MSRC), the challenges of maintaining healthy hacker/vendor relationships, the harsh realities of bug-bounty programs, and thoughts on the cybersecurity job market.
OpenSSF GM Omkhar Arasaratnam on open-source software security
July 05, 2023 13:30 - 36 minutes - 27.6 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) New General Manager of the Open Source Security Foundation (OpenSSF) Omkhar Arasaratnam joins Ryan for a candid conversation on the challenges surrounding open-source software security, lessons from the Log4j crisis, the value of SBOMs, and the U.S. government efforts at securing America's software supply chains.
Serial entrepreneur Rishi Bhargava on building another cybersecurity company
April 10, 2023 22:00 - 32 minutes - 26 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Rishi Bhargava and the team of entrepreneurs behind Demisto’s $560 million exit are back at it with a new startup building technology in the customer identity market. The new company, called Descope, raised an abnormally large $53 million seed-stage funding round with ambitious plans to take on rivals big and small in the customer identity and authentication space. On this episode of the podcast, Bhargava joins Ryan ...
Claude Mandy on CISO priorities, data security principles
March 06, 2023 14:30 - 35 minutes - 25.7 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Symmetry Systems executive Claude Mandy joins the show to discuss a career in the security trenches, life as a CISO during the WannaCry crisis, and first principles around data security. We dig into the emerging Data Security Posture Management (DSPM) category and how it extends the Zero Trust philosophy to hybrid cloud data stores.
Sidra Ahmed Lefort dishes on VC investments and cyber uncertainties
February 15, 2023 15:30 - 31 minutes - 26.5 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Munich Re Ventures investment principal Sidra Ahmed Lefort joins Ryan Naraine for a frank discussion on the state of VC funding in cybersecurity, the rise (and coming correction) in the land of security 'unicorns', the massive early-stage funding rounds and what they mean, layoffs and contractions, and the places in security still ripe for innovation.
Paul Roberts on wins and losses in the 'right to repair' battle
January 19, 2023 14:00 - 47 minutes - 65.4 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) SecuRepairs.org co-founder Paul Roberts joins the show to discuss his passion for the right to repair consumer electronic devices, the big-ticket lobbyists working to undermine the movement, and how changing consumer spending patterns are helping to rack up regulatory wins.
Katie Moussouris on where bug bounties went wrong
December 08, 2022 22:00 - 33 minutes - 27.5 MBEpisode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) Luta Security founder and chief executive Katie Moussouris joins the show to dish on the bug-bounty ecosystem, the abuse of hacker labor, and the common mistakes made by even the most mature security programs. A security industry pioneer, Moussouris argues for better use of bug bounty metrics to drive decisions and a heavy focus on reducing duplicate vulnerability submissions.
Robinhood CSO Caleb Sima on a career in the security trenches
November 08, 2022 15:00 - 30 minutes - 22 MBEpisode sponsors: - Binarly (https://binarly.io) - FwHunt (https://fwhunt.run) Caleb Sima is a cybersecurity lifer now responsible for security at Robinhood, a mobile stock trading platform. Caleb joins Ryan on the show to discuss the early hacking scene in Atlanta, building SPI Dynamics in a webapp security powerhouse, the evolution of attack surfaces, the CISO's changing priorities, and more...
Charlie Miller on hacking iPhones, Macbooks, Jeep and Self-Driving Cars
October 18, 2022 17:00 - 59 minutes - 50.2 MBEpisode sponsors: - Binarly (https://binarly.io) - FwHunt (https://fwhunt.run) Famed hacker Charlie Miller joins Ryan on the podcast to discuss a career in vulnerability research and software exploitation. Charlie talks about hacking iPhones and Macbooks at Pwn2Own, the 'No More Free Bugs' campaign, the Jeep hack that led to a recall and his current work securing Cruise's self-driving fleet. Plus, an interesting take on iOS Lockdown Mode.
JAG-S on big-game malware hunting and a very mysterious APT
October 17, 2022 21:00 - 52 minutes - 39.1 MBEpisode sponsors: Binarly (https://binarly.io/) and FwHunt (https://fwhunt.run/) - Protecting devices from emerging firmware and hardware threats using modern artificial intelligence. SentinelLabs malware hunter Juan Andres Guerrero-Saade (JAG-S) returns to the show to discuss how big-game attribution has changed over the years, the nation-state APT landscape, Mudge and the nightmares facing CISOs, and a mysterious actor named Metador.
Chainguard's Dan Lorenc gets real on software supply chain problems
October 13, 2022 15:00 - 47 minutes - 34.8 MBEpisode sponsors: Binarly (https://binarly.io/) and FwHunt (https://fwhunt.run/) - Protecting devices from emerging firmware and hardware threats using modern artificial intelligence. Dan Lorenc and a team or ex-Googlers raised $55 million in early-stage funding to build technology to secure software supply chains. On this episode of the show, Dan joins Ryan to talk about the different faces of the supply chain problem, the security gaps that will never go away, the decision to raise an unusu...
Vinnie Liu discusses a life in the offensive security trenches
August 07, 2022 17:00 - 1 hour - 155 MBA conversation with Bishop Fox chief executive Vinnie Liu on the origins and evolution of the pentest services business, the emerging continuous attack surface management space, raising $75m as a 'growth mode' investment, cybersecurity's people problem, and much more...
Down memory lane with Snort and Sourcefire creator Marty Roesch
July 25, 2022 15:00 - 1 hour - 53.1 MBNetwork security pioneer Marty Roesch takes listeners on a trip down memory lane, sharing stories from the creation of Snort back in the 1990s, the startup journey of building Sourcefire into an IDS/IPS powerhouse and selling the company for $2 billion, the U.S. government killing a Check Point acquisition, and his newest adventure as chief executive at Netography.
Subbu Rama, co-founder and CEO, BalkanID
June 01, 2022 17:00 - 34 minutes - 18.2 MBSerial entrepreneur Subbu Rama joins the show to talk about building a cybersecurity business, addressing the problem of entitlement sprawl and raising seed funding for intelligent access governance technology.
Project Zero's Maddie Stone on the surge in zero-day discoveries
May 10, 2022 19:15 - 42 minutes - 28.9 MBMaddie Stone is a security researcher in Google's Project Zero team. Over the last few years, she has publicly tracked the discovery and disclosure of zero-day malware attacks seen in the wild. On this episode, Maddie joins Ryan to chat about three years of zero-day exploitation data, the nuances around 0day disclosures, the never-ending struggle to mitigate memory corruption attacks and the need for transparency among affected vendors.
Prof. Mohit Tiwari on the future of securing data at scale
May 06, 2022 07:00 - 46 minutes - 33 MBSymmetry Systems co-founder Mohit Tiwari has been studying data security and control flow access for more than a decade. On this episode of the podcast, he discusses his transition from academia to data security entrepreneurship, first principles around the data security and privacy, the exploding DSPM (data security posture management) space, and the mission to solve one of cybersecurity's biggest problems.
Google's Shane Huntley on zero-days and the nation-state threat landscape
April 04, 2022 13:00 - 40 minutes - 75.5 MBDirector at Google's Threat Analysis Group (TAG) Shane Huntley joins the show and talks about lessons from the 2009 Aurora attacks, the surge in zero-day discoveries, the usefulness of IOCs, North Korean APT operations, private sector mercenary hackers, the expanding nation-state threat actor map, and much more...
Lamont Orange, CISO, Netskope
March 21, 2022 17:00 - 26 minutes - 21.7 MBNetskope security chief Lamont Orange joins the show to chat about the changing role of the Chief Information Security Officer (CISO), managing security as a business enabler, the cybersecurity skills shortage, and his own unique approach to security leadership.
Haroon Meer on the business of cybersecurity
March 19, 2022 17:00 - 1 hour - 56.2 MBThinkst founder and CEO Haroon Meer joins Ryan Naraine on the show to talk about building a successful cybersecurity company without venture capital investment, fast-moving attack surfaces and the never-ending battle to mitigate memory corruption issues.
Tony Pepper, co-founder and CEO, Egress
February 22, 2022 19:00 - 19 minutes - 21.8 MBChief executive officer at Egress Tony Pepper joins the show to talk about entrepreneurship in the fast-paced age of modern computing, the state of e-mail security, and his company's bet on securing the future of messaging in the enterprise.
Microsoft's Justin Campbell on offensive security research
January 08, 2022 19:00 - 27 minutes - 22.8 MBJustin Campbell leads Microsoft’s Offensive Research and Security Engineering (MORSE) team. He joins the show to talk about his team's discovery of a SolarWinds in-the-wild zero-day, the never-ending stream of memory safety vulnerabilities, the evolving 'shift-left' mindset and Redmond's ongoing work to reduce attack surfaces.
Costin Raiu on the .gov mobile exploitation business
December 23, 2021 19:00 - 41 minutes - 37.9 MBGlobal director of Kaspersky's GReAT research team Costin Raiu returns to the show for an indepth discussion on the mobile surveillance business, the technically impressive FORCEDENTRY iOS exploit, the ethical questions facing exploit developers and the role of venture capitalists in the mobile malware ecosystem.
Amanda Gorton, co-founder and CEO, Corellium
December 20, 2021 23:00 - 46 minutes - 42.1 MBCorellium co-founder and chief executive Amanda Gorton joins the show to talk about raising $25 million in Series A funding, the market fit for device modeling and software virtualization products, the trials and tribulations of startup life, and the nuances of operating in the world of offensive security research.
Intel's Venky Venkateswaran on hardware-enabled security
September 09, 2021 20:00 - 35 minutes - 29.6 MBVenky Venkateswaran works on client security and roadmap planning at Intel Corp. On this episode of the podcast, Venky joins Ryan to talk about a reported surge in firmware attacks, Intel's ongoing investments in cybersecurity, the importance of transparency and open documentation, and the company's push to fight ransomware with its flagship TDT (Threat Detection Technology).
Sounil Yu on SBOMs, software supply chain security
July 13, 2021 15:00 - 48 minutes - 55.7 MBEpisode sponsored by SecurityWeek.com JupiterOne CISO Sounil Yu joins the show to sift through the noise and explain the value of SBOMs (software bill of materials), the U.S. government's response to software supply chain security gaps, and what every buyer and seller should be doing to prepare for major changes in the ecosystem.
Algirde Pipikaite, Centre for Cybersecurity, World Economic Forum
July 06, 2021 17:00 - 40 minutes - 25.6 MBEpisode sponsored by MongoDB.com. Algirde Pipikaite, the project lead of the Governance and Policy team at the Center for Cybersecurity at the World Economic Forum, joins the podcast to discuss her work to bridge the gap between cybersecurity experts and decision makers. We chat about communicating risk to different audiences, cybersecurity as a business enabler, and the need for more global private-public collaboration.
Josh Schwartz on red-teaming and proactive security engineering
June 18, 2021 17:00 - 37 minutes - 29.1 MBJosh Schwartz, aka FuzzyNop, oversees offensive security, product engineering, and security engagement functions at Verizon Media (soon to be Yahoo). He shares insights on red-teaming, overcoming the adversarial relationship between red/blue teams. chasing the "feeling" of being secure, and why there's a need for more empathy in cybersecurity. (Episode sponsored by Eclypsium (https://eclypsium.com))
Michael Laventure, threat detection and response, Netflix
June 10, 2021 15:45 - 30 minutes - 22.5 MBNetflix threat detection and response practitioner Michael Laventure joins the show to talk about a simple goal to "do security better." We discuss a transition from .gov security work to the fast pace of Silicon Valley, the culture clashes that can make life difficult, the value of threat-intelligence to a modern security program, and why we should all be optimistic about the future of cybersecurity.
Google's Heather Adkins on defenders playing the long game
May 26, 2021 23:00 - 38 minutes - 31 MBFounding-member of the Google security team Heather Adkins joins the conversation to stress the importance of defenders playing the "long-game," the need for meaningful culture-change among security leaders, the expansion of zero-trust beyond identities and devices, and some thoughts on the future of electronic voting. Sponsored by Eclypsium: Eclypsium ships an enterprise device platform that provides visibility and mitigation for malicious activity all the way down to the firmware and hardwa...
Collin Greene, head of product security, Facebook
May 25, 2021 20:00 - 1 hour - 53.3 MBFacebook product security leader Collin Greene joins the show to discuss philosophies around securing code at scale, the pros and cons of relying on bug-bounty programs, the humbling lessons from being on the wrong side of a malicious hack, and why "shift-left" should be the priority for every defender.