Understanding Software Supply Chain security threats for Terraform which has been the default for Infrastructure as Code is important. in this episode Mike Ruth is sharing his experience of working on securing Terraform Cloud/Terraform Enterprise - no open source was harmed in the making of this episode. Episode YouTube: ⁠⁠⁠ ⁠⁠⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Mike's Linkedin (⁠⁠Mike Ruth) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (03:27) A bit about Mike Ruth (04:01) What is Terraform? (05:38) Terraform in the context of supply chain (07:24) Flavors of Terraform (09:07) Deploying Terraform (12:25) Terraform Architecture (14:48) Research findings that Mike and Oca made (25:52) Securing Terraform Architecture (28:13) Policy Enforcement (29:13) What is a Module? (30:15) Security best practices for Terraform Deployment (31:53) Learning about Terraform security (34:44) Maturity for Terraform (37:45) The Fun Questions Mike spoke about Terraform Cloud Security Model during the interview. See you at the next episode!

DSPM or Data Security Posture Management with Yotam Segev from Cyera: Most security teams have known about data challenges in their organization and some of them are put in the too hard to solve right now bucket. Yotam came on the show to talk about who should own and manage data security programs and what can a data security roadmap look like for leaders who are working on the data problem today. Episode YouTube: ⁠⁠⁠ ⁠⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Yotam's Linkedin (⁠Yotam Segev⁠⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (04:32) Why is data security getting attention? (05:46) How was data security done before? (06:43) Cloud native way of managing data (07:31) What triggers a data security project? (08:35) At what stage should you start data security? (10:06) Challenges with starting data security projects (13:02) What does success look like? (15:02) Does the CISO own data security? (16:03) The right skill set for data security See you at the next episode!

Is it code to cloud or cloud to code with Harshil Parikh from Tromzo: A lot of leaders today face the inevitable question of should i start with the code or the cloud first. Harshil Parikh from Tromzo was kind enough to share his CISO experience on the topic on what each of these are and what can CISOs priortise in their programs. Episode YouTube: ⁠⁠⁠ ⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Harshil's Linkedin (Harshil Parikh⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (02:51) Harshil's path into cybersecurity (04:30) What is code to cloud? (05:19) What is cloud to code? (06:29) How was cybersecurity done traditionally? (08:28) What should CISOs prioritise? (09:43) How different sectors are impacted? (10:56) Where should CISOs start? (12:30) Application vs Cloud vs Product Security (14:44) Is application security becoming cloud security? (16:43) What does maturity look like? (20:18) The fun questions See you at the next episode!

Josh Lemos former CISO of Block and the current CISO of GitLab comes from a pentester background and made his way to become a CISO. We were lucky enough to interview him during the hacker summer camp on his journey, his experience in AI, takeaway from BH CISO summit and types of CISOs & more. Episode YouTube: ⁠⁠ ⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Josh's Linkedin (⁠⁠⁠⁠⁠Josh Lemos) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (01:47) A bit about Josh Lemos (03:48) What does cloud security mean to Josh? (04:53) What to look out for with AI/ML? (07:03) CISO perspective on AI/ML (08:13) What should a CISO roadmap look like in 2023? (10:39) Takeaways from BlackHat CISO Summit (12:24) CISO for B2B vs B2C (13:43) Hardware vs Software Security (14:41) Skills needed to become a CISO (15:48) What is cloud pentesting? (17:20) Fun Questions See you at the next episode!

Karl Fosaaen, the author of Penetration Testing "Azure for Ethical Hacker" and the VP of Research at NetSPI, came as a guest to share why the penetration Test of a Web Application hosted on Azure Cloud in 2023 is quite different to just a simple/traditional web app pentesting and the skills you need to pentest Azure environments. Cloud Penetration testing is misunderstood to be just config review in Microsoft Azure Cloud just like in AWS and Google Cloud. In this video, we have Karl Fosaaen was kind enough to answer the following questions and methods. Episode YouTube: ⁠ ⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Karl's Linkedin (⁠⁠⁠⁠Karl Fosaaen) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (02:32) A bit about Karl Fosaaen (03:26) How is pentesting in Azure different from AWS? (04:35) Cloud pentesting is not just config review (05:42) Cloud pentesting vs Network pentesting (06:25) Cloud Pentest - Next evolution of Network Pentest? (07:14) Boundaries of cloud pentesting (09:07) Do you need prior approval for Azure Pentest? (09:32) Working with Microsoft Security Research Centre (10:35) Process of pentesting in Azure (11:57) Low hanging fruits to start off with! (13:37) How to persist and escalate? (14:58) Managed Identities in Azure (16:23) Impact of peripheral services to Azure (18:33) Scale of deployments in Azure (21:02) Getting access to permissions for Azure Entra (22:36) Scaling your pentest tools (23:34) TTPs or Matrix you can use (25:30) Getting into Azure Pentesting (26:56) Transitioning from network to azure pentesting (28:37) Connect with Karl Resources: The NetSPI Blog to learn more about offensive cloud security Mitre - Cloud Attack Matrix ATRM Karl's Book - Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments See you at the next episode!