Empowering Developers: Fostering a Culture of Security in AppSec - Danielle Ruderman - CSP #213

In this episode, we explore the crucial role of cultivating a strong security culture to drive change in AppSec, where training and collaboration are key. Our distinguished guest, Danielle Ruderman, discusses the importance of executive support in ensuring that application development isn't just about churning out apps on time, but also about adopting a secure-by-design approach. We also dive into how to empower developers, foster psychological safety, and make security everyone's responsibility. Tune in for actionable insights on transforming your security culture within your applications team and beyond. Segment Resources: • AWS Security Blog How the unique culture of security at AWS makes a difference: https://aws.amazon.com/blogs/security/how-the-unique-culture-of-security-at-aws-makes-a-difference/ • AWS Security Blog How AWS built the Security Guardians program, a mechanism to distribute security ownership: https://aws.amazon.com/blogs/security/how-aws-built-the-security-guardians-program-a-mechanism-to-distribute-security-ownership/ • AWS Security Blog How to build a Security Guardians program to distribute security ownership (part 2): https://aws.amazon.com/blogs/security/how-to-build-your-own-security-guardians-program/ • Application Security in the AWS Well Architected Framework: https://aws.amazon.com/blogs/security/how-to-build-your-own-security-guardians-program/ • AWS Security Blog How to approach threat modeling: https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/ • GitHub: Threat Composer is a simple threat modeling tool to help humans to reduce time-to-value when threat modeling: https://github.com/awslabs/threat-composer • Workshop: Threat Modeling the right way for builders: https://catalog.workshops.aws/threatmodel/en-US Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-213

In this episode, Erika Dean dives into the evolution of attack surface management (ASM) in financial tech. From foundational strategies to future-focused threats, she explores how shifts in the fintech landscape demand deeper organizational awareness, ongoing tabletop exercises, and proactive preparation. This segment is sponsored by Axonius. Visit https://cisostoriespodcast.com/axonius to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-212

Mandy Andress joins our show to discuss leveraging cyber liability insurance for risk reduction. They explore the importance of strong broker relationships and key steps for selecting or renewing a policy—starting with assessing organizational needs. Learn strategies to lower premiums while increasing coverage. Segment Resources: https://www.elastic.co/ This segment is sponsored by Sophos. Visit https://cisostoriespodcast.com/sophos to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-211

In this episode of the CISO Stories Podcast, we’re joined by Mike Miller, a seasoned penetration tester and audit and compliance SME, to explore the real-world impact of incident response controls. From technical to managerial and physical safeguards, Mike shares eye-opening stories from the field—including how he once penetrated a network with nothing more than a dozen doughnuts. We dive into the importance of layered security approaches and practical tips for strengthening incident response frameworks. Don’t miss this blend of humor, insight, and actionable advice for cybersecurity leaders. Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-210

In this episode, we sit down with author and AI expert Rock Lambros to explore the evolving landscape of AI governance. We discuss the risks of AI chatbots, comparing OpenAI and DeepSeek, and examine current and emerging governance frameworks. As AI adoption accelerates, organizations must determine the right guardrails and critical questions to ask. This conversation provides insights into how companies are shaping their AI strategies for a more secure and responsible future. Segment Resources: https://www.youtube.com/@RockOnCyber https://genai.owasp.org https://owaspai.org Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-209

In this episode, we sit down with experienced CISO Gavin Reid to explore the escalating online threats to privacy, focusing on adversaries and companies illicitly scraping website data for profit. We dive into the implications of such unauthorized data collection and its impact on individual and organizational privacy. Reid also shares insights from his team’s involvement in dismantling BadBox, a coordinated global attack exploiting connected TV (CTV) devices, highlighting the intersection of cybersecurity and privacy concerns. HUMAN's Satori threat intelligence team has published the following resources on BadBox: https://www.humansecurity.com/company/satori-threat-intelligence/badbox https://www.humansecurity.com/learn/blog/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box https://www.humansecurity.com/newsroom/human-disrupts-digital-supply-chain-threat-actor-scheme-originating-from-china Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-208

In this episode of CISO Stories, Jess Hoffman and Sheena Thomas explore the challenges of cloud security in higher education. They discuss trust issues with cloud providers, the importance of understanding data sensitivity, and navigating regulatory compliance. Sheena highlights the vulnerabilities educational institutions face, the value of incident response playbooks, and the balance between trust and risk in cloud services. The conversation underscores the need for due diligence, awareness, and collaboration to secure higher education in the cloud era. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-207

Jessica Hoffman and Melina Scotto discuss the evolution of cybersecurity, focusing on cloud security, business responsibilities, and the importance of basic cyber hygiene. They highlight the role of communication, consulting, and integrating security into business operations, concluding with advice for future cybersecurity professionals. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-206

Jess and Adam discuss cloud security challenges for SMBs, emphasizing strategic planning, compliance with regulations like CMMC, and vendor due diligence. They highlight common pitfalls like the illusion of security and inadequate staffing while offering cost-effective solutions like virtual CISOs. Practical tips help SMBs secure their data, navigate legal concerns, and maximize available resources. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-205

In this episode, we dive into the critical role of proper configurations in cloud environments and why misconfigurations remain the leading cause of security breaches. From overly permissive access controls to unencrypted data stores and default credentials left unchanged, we explore real-world examples that adversaries exploit. Learn how organizations can mitigate these risks through proactive monitoring, automated tools, and a culture of security-first thinking. Tune in to uncover actionable insights to keep your cloud infrastructure secure. This segment is sponsored by Fortinet Cloud Security. Visit https://cisostoriespodcast.com/fortinet to learn more about them! Segment Resources: CoGuard CLI (Select cloud resources can be scanned with a free account): https://portal.coguard.io/auth/realms/coguard/protocol/openid-connect/auth?clientid=client-react-frontend&redirecturi=https%3A%2F%2Fportal.coguard.io%2F&state=7cd7e2ac-aa64-497d-8957-f0b8be3e2f8d&responsemode=fragment&responsetype=code&scope=openid&nonce=86649c48-03f3-44c1-9612-560d42e049d9 More info on the CoGuard CLI on Github: https://github.com/coguardio/ Open AI grant: https://openai.com/index/empowering-defenders-through-our-cybersecurity-grant-program/ Open AI research results on Github: https://github.com/coguardio/coguardopenairuleautogeneration_research Securing Multi Cloud Environments - Tips from Nadia's co-founder/CTO - blog: https://www.coguard.io/post/securing-multi-cloud-environments Visit https://cisostoriespodcast.com for all the latest episodes! Show Notes: https://cisostoriespodcast.com/csp-204