Guest: Chris Hughes, President / Co-Founder, Aquia
On LinkedIn | https://www.linkedin.com/in/resilientcyber/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
View This Show's Sponsors
___________________________
Episode Notes
In this episode of The Redefining CyberSecurity Podcast, host Sean Martin connects with Chris Hughes, a seasoned author and consultant in cybersecurity. The primary focus is on the intricacies of vulnerability management and software supply chain security, particularly in an era where software pervades every aspect of modern life.
Chris Hughes emphasizes the paramount importance of understanding what is in the software we consume. Software Bill of Materials (SBOM) has emerged as a focal point, akin to ingredient lists in the food industry, highlighting the need for transparency. Hughes argues that transparency is not just about knowing the components; it extends to understanding the risks associated with those components. He illustrates his point by referencing infamous incidents like the Log4j vulnerability, which unveiled the critical gaps in our knowledge of software components.
The conversation also shifts towards the broader challenges in software supply chain security. Hughes discusses the government's push for self-attestation and the role of third-party validators in ensuring software security. While acknowledging the complexities and potential bottlenecks, he underscores the necessity for a balanced approach that combines self-attestation with external validation to foster a secure software ecosystem.
Additionally, Hughes addresses the concept of Secure by Design, advocating for practices that embed security into the software development lifecycle right from the outset. He notes the historical context of this concept, which dates back to the Ware Report, and argues for its relevance even today. Secure by Design entails building security measures inherently into products, thereby reducing the need for perpetual patching and vulnerability management.
Internal risk management within organizations also gets spotlighted. Hughes insists that organizations should maintain an inventory of the software and components they use internally, evaluate their risks, and contribute to the open-source communities they rely on. This comprehensive approach not only helps in mitigating risks but also fosters a resilient and sustainable software ecosystem.
On the topic of platform engineering, Hughes shares his insights on its potential to streamline software development processes and enhance security through standardization and governance. However, he is candid about the challenges, particularly the need to balance standardization with the diverse preferences of development teams.
As the discussion wraps up, Hughes and Martin underline the importance of focusing on contextual risk assessment in vulnerability management, rather than merely responding to static severity scores. Hughes' advocacy for a more nuanced approach to security, balancing immediate risk mitigation with longer-term strategic planning, offers listeners a thoughtful perspective on managing cybersecurity challenges.
Top Questions Addressed
___________________________
Sponsors
Imperva: https://itspm.ag/imperva277117988
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
đź“ş https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
đź“ş https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
NCF Whitepaper: https://tag-app-delivery.cncf.io/whitepapers/platforms/
CNCF Platform Maturity Model: https://tag-app-delivery.cncf.io/whitepapers/platform-eng-maturity-model/
Secure-by-Design at Google: What is the website URL for Secure-by-Design at Google?
https://research.google/pubs/secure-by-design-at-google/
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society (Book): https://a.co/d/0bNaPmF
Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem: https://a.co/d/6xs5saH
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:Â
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring this show with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
View all episodes
By Sean Martin, ITSPmagazine
5
33 ratings
Guest: Chris Hughes, President / Co-Founder, Aquia
On LinkedIn | https://www.linkedin.com/in/resilientcyber/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
View This Show's Sponsors
___________________________
Episode Notes
In this episode of The Redefining CyberSecurity Podcast, host Sean Martin connects with Chris Hughes, a seasoned author and consultant in cybersecurity. The primary focus is on the intricacies of vulnerability management and software supply chain security, particularly in an era where software pervades every aspect of modern life.
Chris Hughes emphasizes the paramount importance of understanding what is in the software we consume. Software Bill of Materials (SBOM) has emerged as a focal point, akin to ingredient lists in the food industry, highlighting the need for transparency. Hughes argues that transparency is not just about knowing the components; it extends to understanding the risks associated with those components. He illustrates his point by referencing infamous incidents like the Log4j vulnerability, which unveiled the critical gaps in our knowledge of software components.
The conversation also shifts towards the broader challenges in software supply chain security. Hughes discusses the government's push for self-attestation and the role of third-party validators in ensuring software security. While acknowledging the complexities and potential bottlenecks, he underscores the necessity for a balanced approach that combines self-attestation with external validation to foster a secure software ecosystem.
Additionally, Hughes addresses the concept of Secure by Design, advocating for practices that embed security into the software development lifecycle right from the outset. He notes the historical context of this concept, which dates back to the Ware Report, and argues for its relevance even today. Secure by Design entails building security measures inherently into products, thereby reducing the need for perpetual patching and vulnerability management.
Internal risk management within organizations also gets spotlighted. Hughes insists that organizations should maintain an inventory of the software and components they use internally, evaluate their risks, and contribute to the open-source communities they rely on. This comprehensive approach not only helps in mitigating risks but also fosters a resilient and sustainable software ecosystem.
On the topic of platform engineering, Hughes shares his insights on its potential to streamline software development processes and enhance security through standardization and governance. However, he is candid about the challenges, particularly the need to balance standardization with the diverse preferences of development teams.
As the discussion wraps up, Hughes and Martin underline the importance of focusing on contextual risk assessment in vulnerability management, rather than merely responding to static severity scores. Hughes' advocacy for a more nuanced approach to security, balancing immediate risk mitigation with longer-term strategic planning, offers listeners a thoughtful perspective on managing cybersecurity challenges.
Top Questions Addressed
___________________________
Sponsors
Imperva: https://itspm.ag/imperva277117988
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
đź“ş https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
đź“ş https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
NCF Whitepaper: https://tag-app-delivery.cncf.io/whitepapers/platforms/
CNCF Platform Maturity Model: https://tag-app-delivery.cncf.io/whitepapers/platform-eng-maturity-model/
Secure-by-Design at Google: What is the website URL for Secure-by-Design at Google?
https://research.google/pubs/secure-by-design-at-google/
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society (Book): https://a.co/d/0bNaPmF
Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem: https://a.co/d/6xs5saH
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:Â
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring this show with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
369 Listeners
374 Listeners
637 Listeners
322 Listeners
31 Listeners
8,000 Listeners
175 Listeners
314 Listeners
188 Listeners
73 Listeners
134 Listeners
5,475 Listeners
16,083 Listeners
13 Listeners
2 Listeners
158 Listeners
4 Listeners
0 Listeners