THE SECURITY INFLUENCER’S CHANNEL
HOSTED BY JEFF WILLIAMS, CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY
Episode Two: Bruce Brody, Cubic Cyber Solutions

JEFF WILLIAMS
“How is application security different in the government sector versus the commercial sector?”

BRUCE BRODY
“In the government sector, there’s a tremendous amount of interest in the security of an application when it comes to a variety of different operating environments…e.g. Classified vs Unclassified operating environments.”

BRUCE
“If it’s going to be in a classified environment, then some very rigorous tests and evaluation need to occur before that application is approved…in unclassified environments, the application does have to withstand some scrutiny and some testing, but it’s not nearly as rigorous.”

JEFF WILLIAMS
“I was under the impression that most applications had to get their code reviewed. Is that true for most applications, or just a subset?”

BRUCE
“Well, a subset operates specifically in very sensitive and classified environments. …an unclassified environment has to go through an Authority to Operate process…and that’s a little less scrutiny on the application and more on the system level performance.”

JEFF
“Have you noticed a change in software development in government to more ad-hoc, DevOps-style software development?”

BRUCE
“Like all programs in government, the intent is there to move in that direction…there are some things going on with the Department of Homeland Security and across various agencies to put some good processes, some better processes, more agile processes in place. Those are moving along.”

JEFF
“I’ve seen you’ve written that ‘there’s no longer any reasonable argument regarding whether or not continuous monitoring is the right move for federal departments and agencies.’ Why do you think continuous monitoring is so important?”

BRUCE
“The government has long had an approach where periodic monitoring was okay [and] periodic scanning doesn’t give you the ability to take a look at a system that’s constantly changing and say if it’s as secure as when you originally authorized it to operate.”

BRUCE
“You need to turn periodic into a continuous look at these systems, so that you know that the controls you have put in place to elevate the security level of the systems are continuously in place and operating accordingly.”

JEFF
“If you want to actually do [application security] and keep things secure, you’ve got to be doing it continuously.”

BRUCE
“It’s a 24/7, 365 kind of approach to security that will [cause] the overall security posture of the federal government to improve.”

JEFF
“What about the expense of doing things continuously?”

BRUCE
“Well, some people have argued that it takes a lot more money to do application security continuously. But if you do it right, continuous monitoring can actually save you money.”

BRUCE
“You’re fixing things before they happen. You’re anticipating. You’re being proactive.”

JEFF
“What do you think the effect of continuous security is on the culture of security within a large organization?”

BRUCE
“Continuous monitoring puts you on proper footing when it comes to dealing with the risk management profile of an organization. … and when you’re operating on the continuous kind of mode, you’re operating in a mode that keeps everybody alert, awake, alive, and very well tuned-in to the kind of problems that need to be thwarted on a regular basis.”

JEFF
“Let’s talk about enterprise-wide impacts on the cultural impact of continuous application security.”

BRUCE
“The Department of Defense has actually put some fairly serious directives in place in terms of how to keep the workforce fresh and skilled. And those people who have specific cybersecurity responsibilities must have a certain specific qualification.”

JEFF
“Back [20 years ago] security was much more positive and driven from overall goals. In the last ten years, I think they’ve taken more of a negative approach to security, like, ‘We’ll pentest to find holes and then say something’s secure.’ How do you feel assurance has evolved?”

BRUCE
“You’re right. Nowadays it seems to be about over-emphasizing problems. …the fact of the matter is, we have taken more of a serious kind of a danger approach to the problem these days.”

JEFF
“Do you think we’ll ever get back to the point when assurance is actually something people care about? I would say the only confidence we have in our systems, and particularly our software, is that they haven’t been hacked yet, which really is a weak assurance argument.”

BRUCE
“At the corporate level, you’ll find that whether or not the board cares about security is kind of how it’s viewed across the corporate world. And that’s unfortunate, because very few board members have security in their background unless it’s actually a security company.”

BRUCE
“In the government, the only driver for being more secure is the last crisis that you had to deal with, and the heads that rolled in that crisis, and the processes and budget that was put in place as a result of that crisis.”

BRUCE
“We’re always prepared to fight the war we just fought. We’re never prepared to fight the next war.”

JEFF
“Yeah. That’s frustrating that we can’t see what’s coming, even in the face of staggering evidence of insecurity.”

JEFF
“What are the key metrics you use to make sure you can sleep at night, particularly about your application security programs, but also as your program as a whole?”

BRUCE
“What I want to know? I want to have the assurance that my business processes that I’m responsible for assuring, my mission that I’m responsible for delivering, that that mission has not been impeded or obstructed by something that I have some amount of control over.”

JEFF
“Any final thoughts?”

BRUCE
“We used to spend a lot of time on vulnerabilities, because we thought the more you reduced your vulnerabilities, the less of a target you became to the bad guys or to the threat. Nowadays, that problem has morphed into being threat aware. Threats are more dangerous and becoming more persistent.”

JEFF WILLIAMS WITH BRUCE BRODY