How to Embrace Penetration Testing: Insights from a Cybersecurity Expert with Gabrielle B (Desjardins)

In this episode of "Build Amazing Things Securely," host Laura Bell Main sits down with Andrew from Teko. Andrew shares his journey from software development to application security, highlighting his burnout experience and subsequent career pivot. He discusses the importance of understanding and integrating into teams' existing processes, using techniques like Rosebud Thorn for cultural and security growth. Andrew emphasizes learning from mistakes, the value of different perspectives in AppSec, and the future direction of the field.Key Points:Andrew's Background: Transition from software development to a focus on data analytics and application security.Burnout and Recovery: Andrew's experience with burnout and how it reshaped his career focus towards people and helping others.Integrating Security into Development: Strategies for seamlessly integrating security measures into existing software development processes.Rose Bud Thorn Technique: Utilizing this method for understanding team dynamics and improving security culture.Future of AppSec: Andrew's insights into the evolving role of application security as a facilitator and enabler within development teams.Homework (Recommended Actions):Reflect on Team Processes: Use the Rosebud Thorn technique to identify areas of strength, growth, and challenges within your team.Learn from Mistakes: Encourage a culture where making and learning from mistakes is valued.Adopt User-Centric Security: Consider how security measures impact the end user and integrate them thoughtfully into your development process.Stay Informed: Keep up with the evolving trends in application security to remain effective and relevant in your field.Relevant Links:https://easyretro.io/templates/rose-bud-thorn/https://tayko.io/https://www.linkedin.com/in/andrew-wheatley-55247225/DYjSn56zeT31N17Upavk

Episode Summary: "Unveiling the Layers of Database Security"In this episode of "Build Amazing Things Securely," host Laura Bell Main engages in a fascinating conversation with Dejan from RavenDB. Broadcasting from Serbia, Dejan provides insightful perspectives on database security, the importance of encryption, and the nuances of building stable, secure database systems. The episode traverses various aspects of database management, emphasizing how ease of use and built-in security can revolutionize database interaction for developers.Key Points1. **The Evolution of RavenDB**: RavenDB's creation was driven by a desire to solve recurring issues in relational databases, aiming for a "boring" yet reliable database experience.2. **Security by Design**: Emphasizes the concept of 'Secure by Default,' ensuring the database is secure upon setup and requires conscious effort to make it less secure.3. **Encryption Challenges**: Discusses the complexities and considerations in database encryption, including performance impacts and the necessity of securing backups.4. **Pragmatic Database Choices**: Advises on choosing database technologies suited to specific needs, urging a balance between innovation and practical application.5. **Transparency and Usability in Security**: Stresses making security features user-friendly to encourage their widespread adoption.Links and Resources- RavenDB Website: Explore more about RavenDB at [RavenDB.net](https://ravendb.net)- GitHub Discussions: Engage with the RavenDB community and find Dan on GitHub discussions for RavenDB.Homework- **Identify Your HIPPO**: Reflect on your own decision-making processes in software development. Recognize personal biases and opinions that might influence your choices.- **Explore RavenDB**: Visit RavenDB's website and GitHub discussions to understand more about their database solutions and community insights.- **Engage with the Podcast**: Subscribe to the podcast, share comments, and suggest potential guests or technologies that you’d like to see featured in future episodes.- **Security Consciousness**: In your projects, assess how security is integrated. Aim for solutions that are secure by design and default, and consider the impact of every step in your operational procedures.

Episode SummaryIn this episode of "Build Amazing Things Securely," host Laura Bell Main interviews Anthony Maley from vouch.io. They delve into Anthony's background, his journey from the UK to Belgium, and eventually to the US, as well as the innovative and secure solutions offered by vouch.io. Anthony discusses the challenges and advancements in creating offline-first, shareable security frameworks, emphasizing the need for human presence in increasingly autonomous technological landscapes.Key Points1. **Anthony Maley's Background**: Co-founder and CEO of vouch.io, Anthony shares his journey from the UK to Belgium and the US, his musical hobbies, and his professional experience in leading tech roles.2. **vouch.io's Mission**: They focus on establishing human presence in autonomous technology, ensuring secure and offline verifiable transactions.3. **Technology Overview**: vouch.io's product endorses existing identities using biometrics and blockchain, enabling offline, secure transactions and ownership assertions in various industries, including automotive and financial services.4. **Security and Privacy**: The discussion covers the importance of data privacy, the avoidance of data centralization, and the ways vouch.io ensures user security.5. **Potential and Challenges**: They explore the vast potential of vouch.io's technology in multiple sectors and the balance between innovation and privacy concerns.Links and Resources- vouch.io website: https://www.vouch.io- Strange Loop Conference, St. Louis: https://www.thestrangeloop.comHomework- Visit vouch.io for more information on the technology and its applications.- Engage with the podcast through likes, subscribes, and comments.- Suggest potential guests or technologies that are making significant impacts across various fields.Additional NotesListeners are encouraged to explore how the intersection of technology and security is evolving and to consider the implications of these advancements in their professional and personal lives.

Episode SummaryIn this episode of "Build Amazing Things Securely," host Laura Bell Main interviews Tanya Janca, a prominent figure in the DevSecOps community. Tanya shares insights from her journey in software development to security, emphasizing the importance of secure software. She discusses common pitfalls in DevSecOps and shares lessons from her extensive experience consulting with over 400 companies.Key PointsTanya Janca's Background: Transition from a software developer to a security professional, now working at Semgrep and focusing on community engagement and training.Common DevSecOps Mistakes: Breaking builds on false positives, neglecting security in the SDLC, and the lack of sharing mistakes within the industry.Approach to Security: Emphasizing practical and incremental approaches to implementing security tools and processes in the development lifecycle.Importance of Sharing Mistakes: Advocating for openness about security failures to learn and improve collectively in the industry.Recommendations for Teams: Start with security training relevant to job roles and gradually integrate security practices throughout the development lifecycle.Links and ResourcesTanya Janca's Blog and Newsletter: SheHacksPurpleSemgrep: WebsiteAyaan's Research: Phone-a-Friend Security ConsultingOne Hour AppSec Program: onehourappsec.comHomeworkEvaluate Security Tools: Assess if they are configured correctly and not just breaking builds on false positives.Improve SDLC Security: Incorporate security practices throughout the development lifecycle, not just in the coding phase.Foster Openness About Mistakes: Share lessons learned from security failures within your organization to foster collective learning.

Episode SummaryIn this episode of "Build Amazing Things Securely," host Laura Bell Main speaks with Joey Stanford, Vice President of Data Privacy and Compliance at Platform.sh. Joey shares his journey from starting as the only person in his role to leading a substantial team focused on privacy and compliance. He emphasizes the importance of building trust with customers and how this aligns with the company's values, including their commitment to environmental sustainability and being good custodians of customer data.Key PointsJoey Stanford's Background: From starting as a solo practitioner in privacy and security to leading a large team.Platform.sh: A cloud-hosting platform offering a fully automated DevOps environment, with a focus on efficiency, performance, and reducing carbon footprint.Approach to Privacy and Compliance: Adopting a GDPR-everywhere model, applying GDPR standards globally, and undergoing third-party certifications to build customer trust.Sustainability in Tech: Linking security and privacy with sustainability, and the company's initiatives towards environmental friendliness.Building Trust with Customers: Emphasizing the importance of being trustworthy and transparent and how this impacts customer relationships and business success.Links and ResourcesPlatform.sh: WebsiteGDPR (General Data Protection Regulation): InformationEcovadis: Sustainability RatingGreenly: Environmental CertificationForrester TEI Report: ResourceHomeworkAdopt a Comprehensive Privacy Framework: Like GDPR, and apply it across all operations, regardless of the region.Focus on Building Trust: Prioritize customer trust in your product and company through transparency and compliance.Consider Environmental Impact: Align security and privacy practices with environmental sustainability.

Episode SummaryIn this episode of "Build Amazing Things Securely," host Laura Bell Main talks with Ben Goodman, founder and CEO of DragonDrop Cloud and the maintainer of Cloud Concierge. Ben discusses his journey from an economics and computer science background to becoming a tech entrepreneur. He shares insights into the importance of automating developer best practices using infrastructure as code tools like Terraform, highlighting the benefits for security, cost, and operational efficiency.Key PointsBen's Background: Transition from economics and data science to technology and entrepreneurship.Automation of Infrastructure as Code: Focusing on solving manual tasks in cloud infrastructure using Terraform.DragonDrop Cloud: Developing a solution to identify and manage changes in cloud infrastructure outside of the infrastructure as code workflow.Challenges in Cloud Security: Discussing the risks of manual changes in cloud environments and the importance of consistent infrastructure management.The Future of Infrastructure as Code: Looking at proactive scanning and CI/CD pipeline integration for cloud deployment.Links and ResourcesDragonDrop Cloud: Visit the WebsiteCloud Concierge: GitHub RepositoryDevOps Days Buffalo: Conference InformationHomeworkEmbrace Infrastructure as Code: Start using tools like Terraform to manage your cloud infrastructure for better security and efficiency.Monitor Cloud Changes: Be vigilant about unauthorized or manual changes in your cloud environment to maintain security and cost control.Contribute to Open Source: Engage with projects like Cloud Concierge to understand and improve cloud infrastructure management practices.

Episode SummaryIn this episode of "Build Amazing Things Securely," host Laura Bell Main interviews Rohit, a product security expert in the gaming industry. Rohit shares his journey from an electronics background into cybersecurity, emphasizing the broad scope and diverse challenges in the field. The conversation delves into the specifics of securing gaming applications, like Zynga's Farmville, highlighting the importance of data integrity and the impact of security breaches on business models.Key PointsRohit's Background: Transition from electronics to cybersecurity, driven by the diverse challenges in security.Security in Gaming: Focuses on infrastructure, application, and data security. Discusses unique challenges in gaming security, like data manipulation and integrity.Collaboration in Security: Emphasizes the partnership between security teams and developers, and the need for security to adapt to different technologies.Security Strategy: Importance of creating guardrails, not gatekeeping, in security practices.Security Awareness: Highlights the growing security consciousness in product companies.Links and ResourcesZynga Games: Zynga's Official WebsiteNot So Secure: Not So Secure's WebsiteHomeworkDevelop Security Checklists: Start with simple security checklists for your projects and evolve them into more automated systems.Embrace Diverse Technologies: Don’t restrict technologies in your projects. Instead, learn to secure a variety of languages and platforms.Collaborate with Security Teams: Engage with security experts early in the development process to incorporate their insights and build secure products.

Episode SummaryIn this episode of "Build Amazing Things Securely," host Laura Bell Main interviews Gabrielle, an offensive security advisor at Desjardins, Canada. Gabrielle shares her unique journey from acting to cybersecurity, detailing the skills and experiences that led her to become a penetration tester. The discussion dives into the nuances of penetration testing, including different methodologies, the importance of communication with development teams, and the value of a penetration tester's external perspective.Key PointsGabrielle's Background: From acting to software development, culminating in a passion for cybersecurity.Penetration Testing Explained: Understanding the process, methodologies (black box, gray box, white box), and the importance of defining scope.Transition to Penetration Testing: Self-training through online resources, competitions, and creating a structured learning program.Collaboration in Pen Testing: Emphasizes teamwork between pen testers and developers for better security outcomes.Advice for Software Teams: Preparing for penetration tests, embracing curiosity, and the benefits of external testing perspectives.Links and ResourcesGabrielle's LinkedIn: Follow Gabrielle on LinkedInGabrielle's Blog: CSS by GBOne Hour AppSec Program: Join the programHomeworkEngage with Pen Testing: If your software is due for a penetration test, engage actively with the process. Provide clear information about your application and be open to feedback.Explore Learning Resources: Check out Gabrielle's blog for practical pen testing tips and her journey into cybersecurity.Participate in the One Hour AppSec Program: Enhance your application security knowledge and skills by joining this program designed for software developers.

Rachael Greaves is the CEO and founder of Castlepoint Systems, a regulatory technology company at the heart of a global push for accountability, privacy, and security in data storage and processing.In this episode, Rachael and Laura dig into the scale of data in our systems, why handling it poorly has real-world consequences, and how explainable AI is an essential part of managing this risk.

Evan Johnson has been through a massive shift. Formerly the Senior Director of Security Engineering at Cloudflare, he is now a co-founder at RunReveal.In this episode, Laura and Evan chat about how you build security in early for a global scale and the lessons Evan has learned from his transition from large to small.