Youtube Video at: https://www.youtube.com/watch?v=yHPvGVfPgjI

Jay Beale is a principal security consultant and CEO/CTO for InGuardians. He is the architect of multiple open source projects, including the Peirates attack tool for Kubernetes (in Kali Linux), the Bustakube CTF Kubernetes cluster, and Bastille Linux. Jay created and leads the Kubernetes CTF at DEF CON and previously helped in the Kubernetes project's Security efforts. He's co-written eight books and given many public talks at Black Hat, DEF CON, RSA, CanSecWest, Blue Hat, ToorCon, DerbyCon, WWHF, HushCon and others. He teaches the highly-rated Black Hat class, "Attacking and Protecting Kubernetes, Linux, and Containers." He has served on the review board of the O'Reilly Security Conference, the board of Mitre's CVE-related Open Vulnerability and Assessment Language, and been a member of the HoneyNet project. He's briefed both Congress and the White House.

Questions and topics: (please feel free to update or make comments for clarifications) * Kubernetes vs. Docker vs. LXC vs. VMs - why did you settle on K8s? * What's new with k8s? Version 1.33? Do you always implement the latest version in your CTF, or something that is deliberately vulnerable? (https://www.loft.sh/blog/kubernetes-v-1-33-key-features-updates-and-what-you-need-to-know) * When you are making a CTF, what's your methodology? Threat model then verify? Code review? Github pull requests? * Story time; Not the first year you've done this(?), have participants ever surprised you finding something you didn't expect? * If I'm running K8s at my workplace, what should be bare minimum k8s security I should implement? Any security controls that I should implement that might cause performance or are 'nice-to-have' but may run counter to how orgs use k8s that I should be concerned about implementing?

Additional information / pertinent LInks (Would you like to know more?): https://kubernetes.io/ DEF CON Kubernetes CTF: https://containersecurityctf.com/ Black Hat training: https://www.blackhat.com/us-25/training/schedule/index.html#0-day-unnecessary-attacking-and-protecting-kubernetes-linux-and-containers-45335 https://www.bustakube.com/ https://github.com/inguardians/peirates Rory McCune's blog: https://raesene.github.io/ https://www.oreilly.com/library/view/production-kubernetes/9781492092292/ - O'Reilly book: Production Kubernetes

Show points of Contact: Amanda Berlin: https://www.linkedin.com/in/amandaberlin/ Brian Boettcher: https://www.linkedin.com/in/bboettcher96/ Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec

socvel.com/quiz if you want to play along! Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec

join the Discord: https://bit.ly/brakesecDiscord

Music:

Music provided by Chillhop Music: https://chillhop.ffm.to/creatorcred

"Flex" by Jeremy Blake Courtesy of Youtube media library

Guest Info:

• Name: Bronwen Aker

• Contact Information (N/A): https://br0nw3n.com/

• Time Zone(s): Pacific, Central, Eastern

–Copy begins–

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences, and do not represent views of past, present, or future employers.

Recorded: https://youtube.com/live/guhM8v8Irmo?feature=share

Show Topic Summary: By harnessing AI, we can assist in being proactive in discovering evolving threats, safeguard sensitive data, analyze data, and create smarter defenses. This week, we'll be joined by Bronwen Aker, who will share invaluable insights on creating a local AI tailored to your unique needs. Get ready to embrace innovation, transform your work life, and contribute to a safer digital world with the power of artificial intelligence! (heh, I wrote this with the help of AI…)

Questions and topics: (please feel free to update or make comments for clarifications)

1. Things that concern Bronwen about AI: (https://br0nw3n.com/2023/12/why-i-am-and-am-not-afraid-of-ai/) Data Amplification: Generative AI models require vast amounts of data for training, leading to increased data collection and storage. This amplifies the risk of unauthorized access or data breaches, further compromising personal information.

2. Data Inference: LLMs can deduce sensitive information even when not explicitly provided. They may inadvertently disclose private details by generating contextually relevant content, infringing on individuals' privacy.

3. Deepfakes and Misinformation: Generative AI can generate convincing deepfake content, such as videos or audio recordings, which can be used maliciously to manipulate public perception or deceive individuals. (Elections, anyone?)

4. Bias and Discrimination: LLMs may inherit biases present in their training data, perpetuating discrimination and privacy violations when generating content that reflects societal biases.

5. Surveillance and Profiling: The utilization of LLMs for surveillance purposes, combined with big data analytics, can lead to extensive profiling of individuals, impacting their privacy and civil liberties.

6. Setting up a local LLM? CPU models vs. gpu models pros/cons? Benefits?

7. What can people do if they lack local resources? Cloud instances? Ec2? Digital Ocean? Use a smaller model?

8. https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/

• AI coding assets are hallucinating package names

• 5.2 percent of package suggestions from commercial models didn't exist, compared to 21.7 percent from open source or openly available models

• Attackers can then create malicious packages matching the invented name, some are quite convincing with READMEs, fake github repos, even blog posts

• An evolution of typosquatting named "slopsquating" by Seth Michael Larson of Python Software Foundation

• Threat actor "_Iain" posted instructions and videos using AI for mass-generated fake packages from creation to exploitation

Additional information / pertinent LInks (Would you like to know more?):

1. https://www.reddit.com/r/machinelearningnews/s/HDHlwHtK7U

2. https://br0nw3n.com/2024/06/llms-and-prompt-engineering/ - Prompt Engineering talk

3. https://br0nw3n.com/wp-content/uploads/LLM-Prompt-Engineering-LayerOne-May-2024.pdf (slides)

4. Daniel Meissler 'Fabric' - https://github.com/danielmiessler/fabric

5. https://www.reddit.com/r/LocalLLaMA/comments/16y95hk/a_starter_guide_for_playing_with_your_own_local_ai/

6. Ollama tutorial (co-founder of ollama - Matt Williams): https://www.youtube.com/@technovangelist

7. https://mhtntimes.com/articles/altman-please-thanks-chatgpt

8. https://www.whiterabbitneo.com/ - AI for DevSecOps, Security

9. https://blogs.nvidia.com/blog/what-is-retrieval-augmented-generation/

10. https://www.youtube.com/watch?v=OuF3Q7jNAEc - neverending story using an LLM

11. https://science.nasa.gov/venus/venus-facts

Show points of Contact:

Amanda Berlin: https://www.linkedin.com/in/amandaberlin/

Brian Boettcher: https://www.linkedin.com/in/bboettcher96/

Bryan Brake: https://linkedin.com/in/brakeb

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/@brakeseced

Twitch Channel: https://twitch.tv/brakesec

Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec or Youtube: https://youtube.com/c/BDSPodcast join the Discord: https://bit.ly/brakesecDiscord https://arxiv.org/abs/2302.14172 - EPSS whitepaper https://www.linkedin.com/posts/jayjacobs1_epss-threatintel-vulnerabiltymanagement-activity-7308146548767404032-RubN https://www.first.org/epss/ https://events.zoom.us/ev/AmoNH3baC7HVqDlDmgUtd2uCmTCMwJXfkR8mG6I5OxzbW01nhRMQ~AoEYQz5ROK4ybE4iX9b0PL-1utz4z0nbyrTjT4lskH_08_zfesR_Q_rNlA - BHIS training with Bronwen Aker on 03 April 2025 Music: Music provided by Chillhop Music: https://chillhop.ffm.to/creatorcred "Flex" by Jeremy Blake Courtesy of Youtube media library

Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec Join the Discord! https://bit.ly/brakesecDiscord Questions and topics: (please feel free to update or make comments for clarifications) * https://techoreon.com/http-flaw-in-apple-passwords-left-iphones-vulnerable/ * https://darkmarc.substack.com/p/attackers-dont-need-exploits-when * https://www.techzine.eu/news/security/129713/the-browser-is-riddled-with-bugs-2025-may-squash-them/ * https://medium.com/@vanvleet/compound-probability-you-dont-need-100-coverage-to-win-a2e650da21a4 (interesting article on quantifying attack risk by your coverage in MITRE) * https://www.promptfoo.dev/blog/agent-security/ * https://www.socvel.com/quiz/ - 20March2025 edition! * https://secureannex.com/blog/buying-browser-extensions/ - interesting article about browser extensions * https://gist.github.com/c0m4r/45e15fc1ec13c544393feafca30e74de?permalink_comment_id=5298117#gistcomment-5298117 * https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/ * https://arealsociety.substack.com/p/you-can-just-take-things-cyber-letters?r=99bhj - oh boy, cyber 'letters of marque' Additional information / pertinent LInks (Would you like to know more?): * VanVleet detection engineering podcast appearance: https://www.youtube.com/watch?v=5DAQkvOyqME * https://medium.com/@vanvleet/technique-analysis-and-modeling-ffef1f0a595a * https://github.com/prodaft/cradle/ * https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/ * https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor Show points of Contact: Amanda Berlin: https://www.linkedin.com/in/amandaberlin/ Brian Boettcher: https://www.linkedin.com/in/bboettcher96/ Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@BrakeSecEd Twitch Channel: https://twitch.tv/brakesec Music: Music provided by Chillhop Music: https://chillhop.ffm.to/creatorcred "Flex" by Jeremy Blake Courtesy of Youtube media library

Youtube VOD: https://www.youtube.com/watch?v=zu_smyQGvG4

1. https://lcamtuf.substack.com/p/how-security-teams-fail

2. https://cyberintel.substack.com/p/doge-exposes-once-secret-government

3. https://x.com/SteamDB/status/1889610974484705314 – supply chain issues can crop up anywhere… are you blocking people from steam and popular software downloads online?

4. https://www.landh.tech/blog/20250211-hack-supply-chain-for-50k/

5. https://medium.com/@cyberengage.org/rethinking-incident-response-from-picerl-to-dair-7b153a76e044

6. https://www.youtube.com/watch?v=3HRkKznJoZA <- 100 digits of pi

7. https://www.youtube.com/watch?v=rz4Dd1I_fX0 <- periodic table song

Additional information / pertinent LInks (Would you like to know more?):

1. https://www.socvel.com/quiz/

2. https://xphantom.nl/posts/Offensive-Security-Lab/

Show points of Contact:

Amanda Berlin: https://www.linkedin.com/in/amandaberlin/

Brian Boettcher: https://www.linkedin.com/in/bboettcher96/

Bryan Brake: https://linkedin.com/in/brakeb

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/@brakeseced

discord: https://discord.gg/brakesec

Twitch Channel: https://twitch.tv/brakesec

Music: https://chillhop.ffm.to/creatorcred "Flex" by Jeremy Blake

Courtesy of Youtube media library

Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec

Join the Discord! https://discord.gg/brakesec

#youtube VOD (in 1440p): https://www.youtube.com/watch?v=axQWGyd79NM

Questions and topics: Bsides Vancouver discussion Semgrep Community and Academy Building communities What are 'secure guardrails' Reducing barriers between security and developers How to sell security to devs: "hey, if you want to see us less, buy/use this?" "Security is your barrier, but we have goals that we can't reach without your help." https://wehackpurple.com/devsecops-worst-practices-artificial-gates/ How are you seeing things like AI being used to help with DevOps or is it just making things more complicated? Not just helping write code, but infrastructure Ops, software inventories, code repo hygiene, etc? OWASP PNW https://www.appsecpnw.org/ Alice and Bob coming next year!

Additional information / pertinent LInks (Would you like to know more?): shehackpurple.ca Semgrep (https://semgrep.dev/) https://aliceandboblearn.com/ https://academy.semgrep.dev/ (free training) Netflix 'paved roads': https://netflixtechblog.com/how-we-build-code-at-netflix-c5d9bd727f15 https://en.wikipedia.org/wiki/Nudge_theory https://www.perforce.com/blog/qac/what-is-linting https://www.youtube.com/watch?v=FSPTiw8gSEU https://techhq.com/2024/02/air-canada-refund-for-customer-who-used-chatbot/

Show points of Contact: Amanda Berlin: @infosystir @hackershealth Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@BrakeSecEd Twitch Channel: https://twitch.tv/brakesec

Youtube VOD: https://youtu.be/G3PxZFmDyj4

#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis

Questions and topics:

1. The background to the topic, why is it something that interests you? How do you convince developers to take your course?

2. What do you think the root cause of the gap is?

3. Who is causing the gaps? ('go fast' culture, overzealous security, GRC requirements, basically everyone?)

4. Where do gaps begin? Is it the 'need' to 'move fast'?

5. What can devs do to involve security in their process? Sprint planning? SCA tools?

6. How have you seen this go wrong at organizations?

7. How important is it to have security early in the product development process?

8. What sort of challenges do you think mainstream security people face in AppSec scenarios?

9. How does Product Security differ from Application Security? (what if the product is an application?)

10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?

11.. How do you suggest a security team approach AppSec/ProdSec? Leadership buy-in Effective/valuable processes Tools should achieve a goal

12. SBOM - NTIA is asking for it, How to get dev teams to care.

13. Key takeaways?

Additional information / pertinent LInks (Would you like to know more?): BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218

https://www.walkme.com/blog/leadership-buy-in/

https://www.bouncesecurity.com/

https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example

https://www.cisa.gov/sbom

SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd

https://semgrep.dev/

https://www.linkedin.com/in/joshcgrossman

https://owasp.org/www-project-application-security-verification-standard/

https://github.com/OWASP/ASVS/tree/master/5.0

https://owasp.org/www-project-cyclonedx/

https://joshcgrossman.com/

PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg

Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210

https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-372101705524544

ASVS website: https://owasp.org/asvs

Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee

Show points of Contact: Amanda Berlin: @infosystir @hackershealth Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences and do not represent views of past, present, or future employers.

Recorded: 08 Apr 2024

Youtube VOD: https://www.youtube.com/watch?v=K8qApvsFtqw

Show Topic Summary:

If you want to get in the mind of a board member, I submit to you my discussion with Mary Gardner we did last night on #brakesec #education. Join Mary and I as we discuss the functions of a board, messaging to various levels of leadership and teams, and what it takes to make that leap to being a CISO. And when you're done, and you need someone to help your org get more mature, contact the team at GoldiKnox. #cybersecurity #informationsecurity #ciso #leadership #GRC

Questions and topics:

1. https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity

   1. "Just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. "

   2. They obviously have different priorities, so what brings everyone to the table to discuss? Are they even worried about security?

2. Tactical goals vs. org goals and aligning them

3. What are boards most worried about these days?

   1. Staying relevant in the face of AI?

   2. What tech will protext them from the newest threats?

4. GRC is forced security, security is completely optional, Compliance requires some sort of security

Additional information / pertinent LInks (Would you like to know more?):

1. Research organizations (gartner, forrester, etc)

2. https://goldiknox.com/

3. https://www.linkedin.com/pulse/board-needs-help-planning-cybersecurity-start-here-daniel-briley-k7xzc

4. https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations

5. https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data

Show points of Contact:

Amanda Berlin: @infosystir @hackershealth

Brian Boettcher: @boettcherpwned

Bryan Brake: https://linkedin.com/in/brakeb

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/@brakeseced

Twitch Channel: https://twitch.tv/brakesec

Discord: https://discord.gg/brakesec

Full Youtube VOD: https://www.youtube.com/watch?v=uX7odQTBkyQ

Questions and topics:

1. Let's talk about Mindful Business Podcast

   1. What's the topics you cover?

2. Topic #1: discuss your experiences when you were a new leader.

   1. What worked? What didn't? What would you have done differently?

   2. Do you emulate your manager's style? What have been your go-to management resources?

   3. What is a good piece of advice that you've been given or that you impart to others that relates to leadership?

3. Topic #2: building/Operating SaaS products (we can discuss securing them, what functions should be table stakes (data structures, logging, etc)

4. Topic #3: What are bare minimums for building 'secure' Saas products in your particular field? And how do you balance security with a positive user experience (i. e. getting customers to buy into MFA/OAUTH, OTA updates

5. Topic #4: Do many SaaS products get over-integrated? Is the need for integration override best practices in security?

Additional information / pertinent LInks (Would you like to know more?):

1. Twitter/Mastodon: https://twitter.com/AccidentalCISO https://infosec.exchange/@accidentalciso

2. The Mindful Business Security Show: https://www.mindfulsmbshow.com/ https://twitter.com/mindfulsmbshow

Show points of Contact:

Amanda Berlin: @infosystir @hackershealth

Brian Boettcher: @boettcherpwned

Bryan Brake: https://linkedin.com/in/brakeb

Brakesec Website: https://www.brakeingsecurity.com

Youtube channel: https://youtube.com/@brakeseced

Twitch Channel: https://twitch.tv/brakesec