Dec 18, 2019
The day after part 1
Keybase halted the spacedrop the
day after the first podcast is complete...
Security failures in implementation
“We need to push this to market, we’ll patch it later!”
Risk management discussion for project managers (PMP)
CIA Triad… where does ‘business goals’ fit? Security is at odds with the bottom line
**Reference Noid’s Bsides Seattle talk and podcast earlier this year.**
Other companies that have made security mistakes in the name of business
Practical Pentest Labs storing passwords in the clear
https://twitter.com/mortalhys/status/1202867037120475136
https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136
https://twitter.com/piaviation/status/1202994484172218368
T-Mobile Austria partial password issues:
https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear
No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.
Marketing people on your socMedia accounts do NOT help allay security issues (cause they didn’t have escalation procedures for vuln disclosure)
Insider threats could takeover accounts
Follow-up from last week’s show with Bea Hughes:
I liked the interesting docussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders".
And, you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, the PM is removed entirely ideally in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity" aka reliability.)
As Directory of DevOps for my 4,000 persons strong consulting company I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020.
**If the ‘product owner’ or ‘empowered team’ does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach. **
“Empowered teams”
Some people aren’t fans: https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec