We Hack Purple Podcast We Hack Purple!

In episode 81 of the We Hack Purple Podcast host Tanya Janca spoke to Diana Kelley, Chief Information Security Officer (CISO) at Protect AI. Diana and Tanya worked together at Microsoft, and to say that Diana is a pillar of the information security industry is somewhat of an understatement. Together they discussed problems with Large Language Models (LLMs) ingesting crappy code, and bad licenses, the OSSF (and it's goodness), and that sometimes people don't even realize they are breaking software licences when they use what an LLM has produced.
We discussed the fact that if a CVE comes out for a library an LLM gave you, but it didn't identify it with the correct name of the library, you wouldn't receive notifications about it. She clarified how ML pipelines are set up, how data scientists work, with insecure juniper laptops all over the place (perhaps a generalization on my part). We discussed how data science seems to be a topic a lot of CISOs are pretending aren't in their domain to protect, but both of us agreed that is not so. They have some of the most valuable data your organization can possess.
We also covered best practices for securing MLSec, the OWASP Top Ten for LLMs, and the new free community her company has started MLSECOPS. She also released an update version of her book, Practical Cyber Security Architecture!
.
Diana Links:
Diana on LinkedInhttps://www.wicys.org/. (of course!)https://mlsecops.com/OSS Jupyter Notebook scanner here: https://nbdefense.ai/https://protectai.com/ Her book https://www.packtpub.com/product/practical-cybersecurity-architecture-second-edition/9781837637164.
Bio: Diana Kelley is the Chief Information Security Officer (CISO) for Protect AI. She also serves on the boards of Cyber Future Foundation, WiCyS, and The Executive Women’s Forum (EWF). Diana was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.
.
Very special thanks to our sponsor!
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.
Get Your Free Trial Here! 
Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Check out Semgrep Code HERE

In episode 80 of the We Hack Purple Podcast host Tanya Janca brings on her long-time friend Ray Leblanc of 'Hella Secure' blog. You may remember him from several Alice and Bob Learn streams, or from his cutting sarcasm on social media.

Ray and Tanya discussed what they always discuss: AppSec. They compared AppSec responsibility versus business responsibility, how to "put it down" at the end of the day in order to avoid burn out, and that 'perhaps Tanya should learn to stay in her lane?' We covered when bug fixes don't get merged and released, the first year of the brand new conference which focuses only on Threat Modelling (ThreatModCon) and that Tanya will be Adam Shostack's teaching assistant for his course that is part of OWASP Global AppSec the first week of November (get tickets here).  Although Ray professes to be bad at threat modelling on the podcast, if you follow any of his work you know that's absolutely untrue, and Tanya teases him accordingly about it.
Ray's Links:
https://www.hella-secure.com/
https://twitter.com/Raybeorn
https://www.linkedin.com/in/raymondlleblanc/
Very special thanks to our sponsor, Semgrep!
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.
Get Your Free Trial Here! 
Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! 

Join We Hack Purple! 
Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community:  A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more! 

In episode 79 of the We Hack Purple Podcast host Tanya Janca spoke to Isabelle Mauny , Field CTO and founder of 42Crunch! Isabelle and Tanya met way back in 2018, at an API Security workshop in Britain, having no idea they would be friends for years to come! Isabelle is extremely passionate about securing APIs, and has volunteered for several different groups and projects in order to try to steer our industry in a more secure direction, including being president of the OpenAPI group and lending her skills to the OWASP DevSlop project to fix up our Pixi app.
Together they discussed several of the challenges when creating secure APIs, including: BOLA (Broken Object Level Authorization), bots, all sorts of other broken authentication (not just object-level), verbose error messages, the fact that APIs are *not* invisible to hackers, and so much more. Isabelle covered how to have a positive security culture, and build out a DevSecOps program that includes API security, what the OpenAPI protocol is, and several inspiring customer success stories. We also talked about her free IDE Plugin that gives you a score out of 100 for security, and how Tanya’s first try at it she only got a score somewhere in the 20’s to start! Of course, we also talked about the OWASP API Security Top Ten, and how that helped bring the important of securing APIs into the mainstream, rather than an obscure thing only AppSec people like Isabelle and Tanya obsess over.
Isabelle also spoke about a webinar she will be on July 13, Mastering Secure API Development with GitHub and 42Crunch, you can sign up here: https://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/
Get to know Isabelle:
Isabelle Mauny, co-founder and Field CTO of 42Crunch, is a technologist at heart. She worked at IBM, WSO2 and Vordel across a variety of roles, helping large enterprises design and implement integration solutions. At 42Crunch, Isabelle manages customer POCs , partners integrations and product training. She is a frequent speaker at conferences and a published author. Isabelle is passionate about APIs and enjoys sharing her experience in podcasts such as this one :)
Isabelle Links!
https://tools.openapis.org
https://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/
https://apisecurity.io
https://github.com/isamauny/codemotion2023/blob/main/RuggedAPIs-Codemotion-2023.pdf
https://42crunch.com/blog/
Very special thanks to our sponsor, Semgrep!
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.
Get Your Free Trial Here! 
Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset!

In episode 78 of the We Hack Purple Podcast host Tanya Janca brings Jason Haddix on to talk about artificial intelligence, and (of course) how to hack it! Jason discussed how to use AI for both defense and offence, using plain language (conversational), rather than code, and what a red teaming exercise looks for such a system. We talked about what a large language model looks like, cleaning up data, and how easy it is to get them to do bad things. Jason invited everyone to the AI Village at Def Con this year, and so much more! There was also much love for Daniel Miessler, his articles on AI, and his newsletter Unsupervised Learning (https://danielmiessler.com/newsletter/). Listen to hear the whole thing!
Jason Haddix AKA jhaddix is the CISO and “Hacker in Charge” at BuddoBot, a world-class adversary emulation and red teaming  consultancy. He’s had a distinguished 18-year career in cybersecurity previously serving as the CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason is a hacker, bug hunter and currently ranked 51st all-time on Bugcrowd’s bug bounty leaderboards. Currently, he specializes in recon, web application analysis, and emerging technologies. 


Jason Links!
 https://buddobot.com/
https://twitter.com/BuddoBot
https://www.linkedin.com/company/buddobot/mycompany/
https://twitter.com/Jhaddix
https://www.jhaddix.com/
https://www.linkedin.com/in/jhaddix/
 Jason’s Newsletter: https://executiveoffense.beehiiv.com/
 Jason’s training happening in July: https://tbhmlive.com/
 
Very special thanks to our sponsor!
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable. 


Get Your Free Trial Here! 
Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Check out Semgrep Code HERE 


  Join We Hack Purple!
Check out our brand new courses in We Hack Purple Academy (https://academy.wehackpurple.com/). Join us in the We Hack Purple Community (https://community.wehackpurple.com/):  A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to 

In episode 77 of the We Hack Purple Podcast host Tanya Janca chats with Brendan Sheairs about her latest obsession; security champions! Brendan has significantly more experience in this area than anyone Tanya has met, so they dug in deep on this topic. We covered a lot in this episode, including;
  •       What the heck are security champions? Why would someone want them?
•    You need building blocks
◦                    Must haves: goals! Who will run it! What problem are they solving?
•    What is the business goal? Or objective? You need a justification to do this!
•    Getting buy in to be allowed to build a program
•    Having fewer bugs in production
•    Moral? Are they happier? Are they missing less work?
•    Biggest challenge, time commitment for champions, and then no one is allowed to work on it
•    You need top down buy in, but then the work happens bottom up
•    10% for champions, what does this mean? What can it look like?
•    Conflicts of interest or alignment with other important things like deadline and bonuses
•    Motivations: Career advancement and financial
•    Things we can do to motivate champions
•    What does a good program look like?
•    If someone leading the program? Someone needs to be responsible for the program, or it will, for sure, fall apart
 
Want More Brendan? Here you go!
•    https://www.linkedin.com/posts/brendan-sheairs_securitychampions-securitychampions-cybersecurity-activity-7064622406937538560-bR59/
•    https://www.synopsys.com/blogs.html
•    https://www.linkedin.com/feed/update/urn:li:activity:7067122079698931714/
•    https://www.linkedin.com/posts/brendan-sheairs_securitychampions-securitychampions-cybersecurity-activity-7051901776257503232--Az7?utm_source=share&utm_medium=member_desktop
 
Very special thanks to our sponsor!
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable. 
Get Your Free Trial Here! 
https://semgrep.dev/products/semgrep-supply-chain
Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Check out Semgrep Code HERE (https://semgrep.dev/products/semgrep-code/). 


Join We Hack Purple!

In episode 72 of the We Hack Purple Podcast host Tanya Janca brings Scott Helme back on because she just cannot get enough when it comes to security headers! You can watch and listen to his first episode here (https://wehackpurple.com/podcast/episode-69-with-scott-helme/). In this episode we focus on the “new” security headers from Scott’s great blog article where he first introduced the public to them (https://scotthelme.co.uk/coop-and-coep/). The new security header’s focus on protecting us from side-channel attacks like Spectre and Meltdown, and we really honed in on how to configure each one, and why we would need or want them. The features are powerful, and we discussed building up to using them, for best results.
 
Part of the reason that Scott built SecurityHeaders.com was to contribute to solving the problem of ‘how do we get the message out there’. SecurityHeaders.com is an educational tool rather than any kind of definitive or perfect security assessment tool, but it’s still incredibly useful. He’s working hard to raise awareness, and podcast episodes like this can help. 
 
One of the most striking things Scott hears when teaching his and Troy Hunt’s ‘Hack Yourself First’ course when they talk about headers like CSP and HSTS, is: “Wow, I didn’t know this existed!” There is a huge gap that we need to bridge in security between these things existing, and people knowing they exist and then actually using them. This is a bug hurdle for folks like us.
We also talked a bit about how all of these security headers are able to create reports and tell you what’s up with your app. Lucky for us, Scott built Report-URI so we can receive those reports with ease! 
Scott also has another free tool he created: https://crawler.ninja/ too, where he scans the top 1 million sites every day and looks at various things, including their use of security headers. As an example, you can see this list of sites using a CSP from today: https://crawler.ninja/files/csp-sites.txt
Scott also creates reports using his crawler data that showing trends over time and changes in the usage of security features like various security headers: https://scotthelme.co.uk/tag/crawler-report/


Very special thanks to our sponsor: Women’s Society of Cyberjutsu! 
Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more.  Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023

Join We Hack Purple!
Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!