Wednesday, March 10, 2010

Bejtlich OWASP Podcast Posted

My appearance on OWASP Podcast 61 is available.

The .mp3 is 36 MB. Thanks to Jim Manico for inviting me to participate.

We recorded the podcast in late January. Jim asked me the following questions:
  1. Would you care to tell us how did you get into IT and what lead you into a career in information security? What keeps you busy these days?
  2. What's the difference between focusing on threats vs focusing on vulnerabilities?
  3. What is your problem with the "protect the data" mindset?
  4. What do you mean by "building visibility in"?
  5. What is your take on the Aurora/Google hack?
  6. You just tweeted that "Network Security Monitoring ideology is the proper mechanism to combat APT/APA". Do you think network IPS/IDS/WAF can help defend insecure web applications? What are the limits of Network Security Monitoring?
  7. How important a role do you think secure coding and secure software development life-cycle play in defending the enterprise?
  8. Have HIPAA, PCI, SOX and other regulations helped reduce risk in the average enterprise?
  9. Is seems pretty clear that attackers have a clear advantage. Why is that? How can we turn the tide?
  10. Any thoughts on OWASP? Are we helping the cause?
  11. Where are we going to be as an industry in 10 years?
  12. You blogged that "The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset." Given that we don't have any high integrity database, identities or application servers - how do you detect a breach of integrity when there is no verifiable integrity in the system in the first place?

No comments: