Josh and Kurt talk about the Gentoo security incident. Gentoo did a really good job being open and dealing with the incident quickly. The basic takeaway from all this is make sure your organization is forcing users to use 2 factor authentication. The long term solution is going to be all identity providers forcing everyone to use 2FA. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_104_the_gentoo_security_incident.mp3 Show Notes Gentoo incident timeline Have I Been Pwned Cloudflare Join our Facebook Group ...

Josh and Kurt talk about a Microsoft Research paper titled “The Seven Properties of Highly Secure Devices”. We take a real world view into how to secure our devices. What works, what doesn’t work, and why this list is actually really good. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_103_the_seven_properties_of_highly_secure_devices.mp3 Show Notes 7 Properties of Highly Secure Devices Pwn2Own Kurt’s dryer vent tweet Mars rover filesystem bug The Update Framework (TUF) Join our Facebook Group Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk to Michael Feiertag, the CEO of tCell. We talk about what a Web Application Firewall is, what it does and doesn’t do, and what the future of this technology looks like. We touch on how this affects a DevOps environment. Security has to fit into the existing model, not try to change it. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_102_michael_feiertag_from_tcell.mp3 Show Notes Michael’s LinkedIn Michael’s Twitter tCell Web Application Firewall (WAF) Runtime Application Self Protection (RASP) Join our Facebook Group ...

Josh and Kurt talk about Bird scooters. The implications of the scooters on the city, segways, bicycles. The topic of how these vehicles interact with pedestrians on the road and trails. It’s an example of humans not wanting to follow the rules and generally making the situation annoying for everyone. It’s the old security story of new technology without clear rules. The show ends with some horrifying numbers behind how bad things get before people really care. ...

Josh and Kurt talk about how to be a smart security buyer. We have guest Steve Mayzak walk us through how a the buying process works as well as giving out a ton of great advice. Even if you’re experienced with how to buy security technology you should give this a listen. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_100_your_bad_at_buying_solutions_we_can_help.mp3 Show Notes Buyer training Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

As of late I’ve been seeing a lot of grumbling that security return on investment (ROI) is impossible. This is of course nonsense. Understanding your ROI is one of the most important things you can do as a business leader. You have to understand if what you’re doing makes sense. By the very nature of business, some of the things we do have more value than other things. Some things even have negative value. If we don’t know which things are the most important, we’re just doing voodoo security. ...

Josh and Kurt talk about a number of consumer security issues. The FBI told everyone to reboot their routers which they won’t do. The .app top level domain is a cesspool of malware. Everyone has a cell phone and won’t update them properly. None of this probably matters though. Unless there are real measurable tragedies caused by this tech, people tend not to really care. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_99_consumer_security_is_too_broken_to_fix_and_it_doesnt_matter.mp3 Show Notes FBI says reboot your routers .app cesspool Join our Facebook Group ...

Josh and Kurt talk about the NTSB report from the fatal Uber crash and what happened with Amazon’s Alexa recording then emailing a private conversation. IT decisions now have real world consequences like never before. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_98_when_it_decisions_kill_people.mp3 Show Notes Uber NTSB report Powerpoint and the space shuttle Alexa secret recording Siri unlocks the door 911 operator hangs up Join our Facebook Group Comment on Twitter with the #osspodcast hashtag ...

Josh and Kurt talk about the security of automation as well as automating security. The only way automation will really work long term is full automation. Humans can’t be trusted enough to rely on them to do things right. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_97_automation_humans_are_slow_and_dumb.mp3 Show Notes Tesla hits a firetruck British Tesla passenger Join our Facebook Group Comment on Twitter with the #osspodcast hashtag

After my last post about security spending, I was thinking about how most security teams integrate into the overall business (hint: they don’t). As part of this thought experiment I decided to compare traditional security to something that in modern times has come to be called helicopter parenting. A helicopter parent is someone who won’t let their kids do anything on their own. These are the people you hear about who follow their child to college, to sports practice. They yell at teachers and coaches for not respecting how special the child is. The kids are never allowed to take any risks because risk is dangerous and bad. If they climb the tree, while it could be a life altering experience, they could also fall and get hurt. Skateboarding is possibly the most dangerous thing anyone could ever do! We better make sure nothing bad can ever happen. ...