br3akp0int Security Podcast
br3akp0int Security Podcast
br3akp0int
br3akp0int-'Exploring the depths of Defensive Security'. The defensive side of Security is a world in itself with teams achieving amazing feats that involve excellent engineering practices and smart optimisation for scale. This is not talked about enough in the industry. Join me in the br3akp0int podcast as we reflect on the methods and approaches these smart teams use to solve practical challenges in information security and innovate their way into the future. Who is this meant for? : This podcast is for anyone in InfoSec willing to know more about advances in security techniques. This includes security researchers or professionals, product owners, compliance or cloud, AI/ML, threat intel, SecOps automation, Security Leaders, development teams, pentesters and security practitioners. A bit about me: I am a technical security enthusiast and have been dabbling my hands at both offensive and defensive security. I am passionate about growing security communities and have spoken and trained at various security conferences.
#S02EP10 | Zeroing Trust: Identity Threats, the New Attack Surface | Sudarshan Pisupati
The proliferation of digital identities and access points has increased the attack surface, making it difficult to monitor and secure user identities effectively. The rising sophistication of cyber threats, including identity theft and credential-based attacks, demands proactive measures to detect and respond to these threats promptly. Additionally, compliance requirements and data protection regulations necessitate robust identity security to avoid legal and financial repercussions. All the above result in growing the complexity of managing user identities, especially in large enterprises and hence require automation and real-time monitoring capabilities to manage Identity threats, ensuring the organization can effectively safeguard its digital assets and sensitive data.Guest : Sudarshan Pisupati, Principal Research Engineer at Zscaler. He is currently focused on adding  Identity Threat Detection and Response capabilities to Zscaler's cyber threat protection portfolio. I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Jan 17, 2024
56 min
#S02EP09 | Controlling your SaaS Sprawl with a SaaS Security Platform | Abhishek Anand
Just like cloud is omnipresent in 2023, SaaS sprawl is just as prevalent. A company on an average uses 110 SaaS apps and broadly 70% of the software that is being run is SaaS with issues even more severe  at enterprise level. SaaS security today is thought of as an IAM problem solved with an SSO integration but issues go beyond that, with misconfigurations leading to leaked data, insecure SaaS plugins opening up new threat vectors and how  your services talk to other SaaS apps.A lot of cloud security issues can be solved in orgs with good engineering practices but SaaS security is harder because users are spread across the organization and each tool has its own nuances, so IT/security teams find it hard to manage well. The general practice of allowing users to bring their own plugins and ways of use around SaaS apps is what creates security issues. In this episode, we dive deep into SSP implementations for organisations.Guest: Abhishek Anand, Co-Founder Koala LabAbhishek is a technology leader who built Housingdotcom as CTO and most recently built cloud infra at Whitehat Jr, where he led the platform and SRE teams. Over the course of his career, he has solved varied security problems and is currently building KoalaLab based on inspiration during his time building and securing infrastructure for these fast-growing companies.Recommended reading/viewing for practitioners:SaaS Sprawl: https://www.zippia.com/advice/saas-industry-statistics38% of companies run almost entirely on SaaSAs of 2021, an average of 110 SaaS apps are used per organization.Approximately 70% of total company software use is SaaS as of 2022. However, this number has the potential to reach up to 85% by 2025, indicating that SaaS as software will only continue to become more popular.Salesforce leak of data: https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/Google drive leaks: https://ny.chalkbeat.org/2021/8/5/22612388/data-breach-nyc-students-staff-google-driveCase: https://www.wired.co.uk/article/nhs-covid-19-app-health-status-futureTL;DR:  https://tldrsec.com/- Good newsletter covering a lot of security researchSSP Coverage Reference: https://www.koalalab.com/saas-securityI would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Dec 29, 2023
57 min
#S02EP08 Packing a Punch! With Policy-as-Code | Abhay Bhargav
In today's world of rapidly evolving technology and the increasing complexity of software systems, ensuring the security and compliance of applications across the stack has become paramount. The stack has also gotten to be much more complex with the proliferation of APIs on cloud and cloud-native technologies. Tightly coupled security controls for things like Authorization, Validation and Admission Control is not realistic and is causing a large inconsistency in the implementation of security controls. This episode will provide an in-depth exploration of Policy-as-Code (PaC) and how it can be employed to implement decoupled security practices across the stack. PaC serves as a unified framework that enables organizations to define, manage, and enforce policies in a consistent, transparent, and automated manner. This approach facilitates better security, compliance, and risk management, while also reducing the need for manual intervention.Guest: Abhay Bhargav, Founder of we45,Appsec EngineerAbhay Bhargav is the Founder of the Chief Research Officer of AppSecEngineer, an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security and DevSecOps. AppSecEngineer delivers hands-on security skills that companies are actually looking for. Abhay started his career as a breaker of apps, in pentesting and red-teaming, but today is more involved in scaling AppSec with Cloud-Native Security and DevSecOpsHe has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, specifically Cloud-Native Security. In addition, Abhay has contributed to pioneering work in the Vulnerability Management space, being the architect of a leading Vulnerability Management and Correlation Product, Orchestron. Abhay is also committed to Open-Source and has developed the first-ever Threat Modeling solution at the crossroads of Agile and DevSecOps, called ThreatPlaybook.Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on. He's authored two international publications on Java Security and PCI Compliance as well.I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Dec 19, 2023
42 min
#S02EP07 From Chaos to Compliance: Navigating the ISMS Implementation Maze | MS Sripati
From Chaos to Compliance: Navigating the ISMS Implementation MazeIn this episode, we will be talking about the challenges an organization faces when doing an ISMS implementation. We will talk about this in the context of ISO 27001 implementation and see the practical nuances it entails.Guest: Sripati MS, Assistant Vice President, Risk, Utkarsh Small Finance BankHe is an information security risk management professional, 18 years and counting. He has helped create, run, and audit information security programs for customers in the oil/gas, utility, and banking domains. He has also helped provide security assessment services to customers in various industries. He runs a blog (sripati.info) and answers questions on Quora.Recommended reading/viewing for practitioners:- Gary Hinson’s ISO 27001 Google Group (https://iso27001security.com/html/forum.html https://groups.google.com/g/iso27001security)- ISO Certification Process: www.advisera.com- ISO 27001 Standard: https://iso27001security.com/I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Dec 7, 2023
54 min
#S02EP06 (MITRE) ATT&CK in your Backyard | Shweta Kshirasagar
MITRE ATT&CK has been the go-to framework for both offensive & defensive security teams. It’s sophistication and vast coverage makes it quite comprehensive, often not easy to fathom, let alone implement to the fullest. In this episode of br3akp0int, we demystify this through practical scenarios & Shweta’s experience of implementing it in day-to-day activities of Cyber Defenders. Guest: Shweta Kshirsagar, General Manager - Security Assurance, Airtel AfricaShweta is an accomplished information security professional with 18 years of industry experience in various domains of Cyber Security such as Cyber Incident Response, Data Protection and Privacy, Information Security Audit and Compliance. Possess strong leadership skills with a collaborative approach towards driving cross-functional programs. Holds multiple professional certifications and has won awards and recognition in the industry.Recommended reading/viewing for practitioners:Mitre Att&ck Framework & website: https://attack.mitre.org/matrices/enterprise/ https://github.com/mitre-attack https://center-for-threat-informed-defense.github.io/attack-sync/ https://redcanary.com/blog/avoiding-common-attack-pitfalls/https://www.inforisktoday.in/insights-from-dual-vendor-saas-based-siem-implementation-a-22207I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Oct 28, 2023
50 min
#S02EP05 From Zero to One: Bootstrapping Security for your Organization | Prajal Kulkarni
From Zero to One: Bootstrapping Security for your OrganizationWith the rise in the number of digital start ups, many of us in security and engineering find ourselves in a place where we are the first of the lot. We need to not just define, but start and secure our organization and assets from the ever growing set of breaches & attacks. This episode is dedicated to starting security from scratch and going ground up.Guest Intro: Prajal Kulkarni, Chief Information Security Officer  @ GrowwPrajal Kulkarni brings over 13 years of expertise in securing infrastructure, designing robust security frameworks, and assisting startups in their initial security journey. As the current Chief Information Security Officer at Groww, he leads a team of talented and dynamic security engineers.Before joining Groww, Prajal held the position of Senior Security Architect at Flipkart, where he was responsible for ensuring the security of the entire ecommerce business. He also managed comprehensive security charters for Flipkart's M&A companies, contributing significantly to their secure operations.Furthermore, Prajal led a skilled team at a prominent Fintech company, overseeing offensive and defensive security projects to safeguard their systems and data.Beyond his corporate experience, Prajal actively participates in the Indian security community. He serves as the lead contributor to Code Vigilant, an open security project that promotes responsible disclosures and enhances the security of open source software.I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Oct 18, 2023
43 min
#S02EP04 IoT Security: Safeguarding Your Smart World! | Aseem Jakhar
The world is getting smarter and the number of IoT devices is growing by the day. Securing such environments presents unique challenges due to the diverse nature of these devices and the complexity of their interactions.Guest: Aseem Jakhar  Co-Founder & Dir. Research at PayatuLinkedin: @aseemjakharX: @aseemjakharAseem Jakhar is a Cybersecurity Entrepreneur and Technologist with two decades of experience in security product development, services, building and scaling teams and communities. He is currently working on solving the IoT Security problem with his latest venture EXPLIoT. He has previously bootstrapped impactful cybersecurity companies to multi-million dollar revenue. He co-founded Payatu, Nullcon, Hardwear.io and null - the open security community.He is an active speaker and trainer at various security conferences like AusCERT, Black Hat, Defcon, Brucon, Hack.lu, Hack in Paris, Hack In The Box, PHDays, Zerocon and many more. He has authored various open source security software including:  - EXPLIoT - IoT Exploitation Framework https://expliot.io  - DIVA Android (Damn Insecure and Vulnerable App for Android)  - Jugaad/Indroid - Linux Thread injection kit for x86 and ARM  - Dexfuzzer - Dex file format fuzzerRecommended reading/viewing,  for practitioners:U.S. Cyber Trust Mark: https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/IoT Profiler research: https://www.usenix.org/conference/usenixsecurity23/presentation/nanEXPLIoT - IoT Security Testing and Exploitation framework: https://gitlab.com/expliot_framework/expliot Docs - https://expliot.readthedocs.io/en/latest/Singapore Cybersecurity Labeling Scheme - https://www.csa.gov.sg/our-programmes/certification-and-labelling-schemes/cybersecurity-labelling-schemeHands-on IoT Hacking Ebook - https://store.expliot.io/products/hands-on-internet-of-things-hackingI would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Oct 3, 2023
50 min
#S02EP03 DevSecOps for teams building on Steroids | Akash Mahajan
TOPIC: DevSecOps for teams building on Steroids Developers have already adopted public cloud in all tech enabled companies and industry verticals. Security teams are mostly for after the fact testing, signaling that compliance is in place or even as a sales aid when selling to large enterprises. If Continuous Delivery is the goal (as that gets the business money) then the integration and deployment pipelines (CI/CD) are the assembly lines. Far too often under the misguided notions of shift left, security teams come and slow things down by adding security steps to such pipelines and are surprised when no one likes this. This is what he was able to solve for Byjus enterprise business team and they presented this at DevOps Enterprise Summit 2021 Europe as well.Guest: Akash Mahajan, Founder &  CEO Kloudle,AppseccoBefore founding Kloudle, Akash started Appsecco in 2015. At Appsecco, they did security testing of products hosted in the public cloud. They tested 100s of applications. But instead of app bugs, they found most of the time cloud infra was misconfigured.Humans make mistakes. So far most developers are human too. Project after project they hacked into customer's apps due to cloud misconfigurations. Therefore, they built Kloudle. Kloudle automates cloud security to eliminate human errors in setting up and using cloud infrastructure. It answers 3 things. What's running, what's wrong, how to fix it. Automatically in a loop. A CSPM built for devs.Recommended reading/viewing,  for practitioners:The Phoenix Project [https://www.amazon.in/Phoenix-Project-Devops-Helping-Business/dp/1942788290]The Goal [https://amzn.eu/d/ebKsrd6]Accelerate [https://amzn.eu/d/41jhgu6]DORA Metrics [https://cloud.google.com/blog/products/devops-sre/using-the-four-keys-to-measure-your-devops-performance]Turtles All The Way Down Scaling Enterprise BizOps by Automating DevOps Practiceshttps://github.com/devopsenterprise/2021-virtual-europe/blob/main/PPT%20revamp%20-%20DevOps%20Enterprise%20Summit%20v6%20(2).pdf I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Sep 15, 2023
51 min
#S02EP02 Sprinting Securely: Pentesting Keeping Pace with Agile Development | Sanoop Thomas
TOPIC:  Sprinting Securely: Pentesting Keeping Pace with Agile DevelopmentBuilding Actionable Security Champion Programs & Pentest catching up with speed of agilePodcast Guest: Sanoop Thomas (@s4n7h0)Sanoop Thomas (@s4n7h0) is a seasoned security professional with a diverse background in consulting, teaching, research and product-based industries with a passion to solve complex security problems. Today, Sanoop works as an information security specialist focusing on application security and secure coding. His field of interest includes fuzzing software vulnerabilities, reverse engineering, malware analysis, application security and automating security pentest/analysis methodologies. He also moderated null open community chapter in Singapore and Mumbai and organized over hundreds of events and workshops to spread security awareness across the country. Sanoop is the author and maintainer of Halcyon IDE project (https://halcyon-ide.org) and podcast show host at InfoSec Campus (https://infoseccampus.com). He has spoken at multiple international security conferences that includes Nullcon, OWASP India, DevSecCon, HITBGSEC, Rootcon, Defcon (Demo Labs) and Blackhat (Arsenal - Vegas and Singapore). Sanoop is also the founding organizer for BSides Singapore.Recommended reading/viewing, for practitionerstl;dr sec newsletter by Clint Gibler (@clintgibler) https://tldrsec.com/The Backend Engineering Show with Hussein Nasser (podcast) https://www.youtube.com/@hnasrhttps://www.youtube.com/playlist?list=PLQnljOFTspQU0ICDe-cL1EwXC4GDSayKY Listen to Sanoop Thomas’ podcast: Infosec Campushttps://infoseccampus.com/I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Sep 1, 2023
44 min
#S02EP01 From Threat Actors with Love! Tackling Malware Attacks for Healthcare | Shyam Sundar
Season 02  Episode 01TOPIC: From Threat Actors with Love ! Tackling Malware Attacks for HealthcareThe sophisticated cyber attacks post pandemic opens the door for threat actors to craft more mail spam that spans across different sectors of industry. The rise of attacks towards the healthcare industry targeting health care specific devices and infrastructure. How do we stop these ? Wait ! Do we even know such sectors are affected ?Guest: Shyam Sundar Ramaswami , Sr. Staff Cyber Security Architect , Cyber Labs - GE Healthcare  Shyam is a two- time TEDx speaker , co- author of the book titled it's your digital life . Shyam leads the efforts with cyber security research in GE healthcare, an advisor for penetration testing, cloud security and cyber security compliance in cyber labs. Shyam has worked on malware, memory forensics investigations and has published several of his original research work in conferences like BlackHat USA, Qubit, DeepSec, NullCon, HackFest and several international conferences. Shyam holds a masters in Digital Forensics and also mentors students across the globe under his “Being Robin” program. I would love to hear your suggestions and feedbacks, please DM me. If you liked this episode, please share with others in the community. It always means a lot! If you’re interested in a security challenge that you’re facing or would like to hear from a specific speaker/team, let me know. Buzz me on Twitter or LinkedIn; checkout my handles below: Twitter: @NeeluTripathy LinkedIn: neelutripathy
Aug 19, 2023
52 min
Load more