Secrets of AppSec Champions

Author: Chris Lindsey
Podcast

Summary

  • Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme based, so it's more conversational and topic based instead of the general interview style. Our focus is growing your knowledge, providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for large enterprise, the conversations will be deep and provide a lot of good takeaways that you can use almost immediately.
    Mend.io 2024

Episodes
  • The Truth Behind Successful Security Operations Centers (SOC)
    2025/02/04

    In this eye-opening episode, Reanna Schultz, an experienced Security Operations Center (SOC) team leader, pulls back the curtain on what makes a modern SOC truly effective. Drawing from her six-year journey through various cybersecurity roles, she reveals how SOCs serve as an organization's first line of defense against cyber threats.

    The discussion covers essential insights on building a SOC from scratch, the value of managed security service providers (MSSPs), and how AI is reshaping the threat landscape. Schultz emphasizes that successful SOCs aren't just about technical capabilities – they're about building transparent communication, fostering the right team culture, and maintaining strong relationships across the organization.

    Whether you're working in a smaller company considering your first SOC or an enterprise looking to enhance your security operations, this episode provides practical insights on evolving your security posture for 2025 and beyond.

    Key topics with timestamps:
    00:00 Reanna Schultz: Leading Expertise in Security Operations

    06:29 Evaluating Security Alerts and Tribal Knowledge

    07:33 Identifying Security Gaps with the Pyramid of Pain

    13:23 Splunk: Central Big Data Platform for Security Analysis

    14:48 Detecting Compromises Through Network Traffic Visibility

    20:19 Enhancing Security: Utilizing Both MSSP and SOC

    21:06 Affordable Security Solutions: Exploring the MSSP Route

    26:31 Balancing Passion with Career Advancement Challenges

    30:35 Leading Effectively by Cultivating Passion and Growth

    32:21 Integrating Passions: Enhancing Cybersecurity Collaboration

    34 min
  • Supply Chain Security with Cassie Crossley
    2025/01/07

    In Episode 11 of Secrets of AppSec Champions, Chris Lindsey and Cassie Crossley delve into the intricate world of supply chain security. Cassie Crossley, Vice President of Supply Chain Security at Schneider Electric, brings her extensive experience in software development and security to the fore, emphasizing the importance of following secure development practices. She advocates for the separation of build and development environments to avoid outdated methods and stresses the significance of modern frameworks like Google's SLSA framework and the NIST Secure Software Development Framework (SSDF), despite its lack of certification measures. Crossley also discusses the unique challenges of maintaining provenance for older software, especially open-source projects, and highlights the crucial role of developer education in preventing vulnerabilities introduced by unverified code snippets.

    Chris Lindsey raises pertinent concerns about access control complexities within production environments and underscores the need for rigorous security measures to ensure the integrity of devices and software. The conversation shifts to the potential threats posed by AI, with both speakers stressing the importance of embedding security into AI-generated code from the outset. They explore global supply chain security issues, referencing Cisco’s audits and the effectiveness of zero-trust policies. Crossley also addresses the impact of legislative measures like California's connected devices law on both consumer and industrial devices, and how cybersecurity practices have evolved since the 80s and 90s.

    The episode wraps up on a personal note, with Crossley sharing her views on career growth and the importance of pursuing roles that bring personal fulfillment. She advocates for exploring opportunities within the same organization to foster both personal and professional development without losing accumulated knowledge and experience. This episode offers listeners a comprehensive overview of supply chain security, blending high-level frameworks with practical challenges, and provides valuable insights into both the technical and human aspects of the field.


    Key topics with timestamps:
    1. Understanding Supply Chain Security and Modern Software Practices with Cassie Crossley

    2. Securing Software Development: From Google Salsa to NIST SSDF Standards

    3. Protecting Supply Chains: Challenges and Solutions in a Digital World

    4. Cassie Crossley on Cybersecurity Challenges in Modern Supply Chains

    5. The Role of AI and Secure Development in Supply Chain Integrity

    6. Ensuring Safe Software: Best Practices and Emerging Threats

    7. Access Control, Zero Trust, and Supply Chain Security Insights

    8. Cassie Crossley Discusses Securing Legacy Systems and Modern Software

    9. From AI to Software Certification: Enhancing Cybersecurity Practices

    10. Navigating the Complexities of Supply Chain Security and Software Updates

    For more amazing application security information, please visit the following LinkedIn communities:
    https://www.linkedin.com/company/appsec-hive

    Provided by Mend.io (https://mend.io)

    36 min
  • Bounty Programs with Michael Vance
    2024/11/26

    In this episode of "Secrets of AppSec Champions," host Chris Lindsey engages with Michael Vance, the CISO at Navient, to explore the nuances of bounty programs and their integration with traditional penetration testing. Michael discusses the journey of transitioning from a managed vulnerability disclosure program (VDP) to a full-scale bug bounty program. He highlights the importance of establishing clear policies and scopes for these programs to ensure effective and safe collaboration with external hackers. Through these structured programs, Navient was able to address resource constraints, boosting their testing capabilities threefold while reducing costs.

    The conversation also delves into the historical challenges faced by companies in managing security reports, often due to mistrust and insufficient communication channels. Michael and Chris stress the value of legal, structured avenues for ethical hacking, enabling companies to receive and act on security findings without friction. They discuss the potential risks, such as the involvement of 'black hat' hackers, and how employing established platforms like Bugcrowd or HackerOne helps mitigate these concerns by vetting participants and managing the process. This approach not only enhances security but also publicly demonstrates the company's commitment to safeguarding data.

    Towards the end, Michael shares invaluable advice for security practitioners: the critical need to fully understand the problems they are tasked with solving, which often involves grasping both technical and business aspects. This holistic understanding is crucial for devising effective security measures. The episode concludes with Chris thanking Michael for his insights, reaffirming the episode's focus on creating efficient, secure systems for managing and mitigating vulnerabilities through both internal efforts and external collaborations.

    Key topics with timestamps:
    04:40 Transitioning App Security Services: From Ethical Hacking to Testing Stream

    06:43 Boosting Application Workload Capacity through Efficient Testing Measures

    10:02 Establishing Policies and Rules for Ethical Hacking

    14:47 Evaluating the Effectiveness of Repeated Testing

    19:51 Reviving a Project and Uncovering Unexpected Flaws

    21:59 Effective Security: Understanding the Problem

    For more amazing application security information, please visit the following LinkedIn communities:
    https://www.linkedin.com/company/appsec-hive

    Provided by Mend.io (https://mend.io)

    24 min
