CSCP S4EP18 - James Berthoty - What The heck is ASPM and the evolution of Product security
oin us for an engaging episode as we welcome James Bertoldi, a seasoned cybersecurity professional with a diverse background spanning sysadmin, DevOps, and security engineering roles. James takes us through his journey across different organizations, including his current role at PagerDuty, where he tackles the intricate challenges of FedRAMP compliance. Listen in as James shares insights on the rapid evolution of the Application Security (AppSec) industry, driven by the need for infrastructure professionals to interact with application code in today’s API-driven cloud environment. We also explore the disparity in innovation recognition among security solution providers and the difficulties of staying current in this fast-paced industry. Sponsored by Phoenix Security: This episode is brought to you by Phoenix Security, leaders in vulnerability management from code to cloud. Take control of your security with Phoenix and see firsthand how to prioritize and act on critical vulnerabilities with a free 14-day license available at Phoenix Security - Request a Demo. We also discuss the complex challenges of managing visibility and actionability within cybersecurity, particularly in handling software vulnerabilities. Learn about the evolution of patch management and the inefficiencies of the Common Vulnerabilities and Exposures (CVE) system, which often leads to false positives. This conversation sheds light on the market’s tendency to prioritize quantity over quality in vulnerability detection tools and the potential shift towards more precise, less noisy solutions. Effective testing and benchmarking tools, like insecure testing repositories and OWASP projects, are also highlighted as a means to enhance the reliability of security tools. Finally, we explore the broader landscape of security tools and frameworks, including the stringent requirements of FedRAMP and the balance between flexible and opinionated tools. Through case studies and real-world examples, we discuss the significance of asset management, the evolving landscape of security tools, and the importance of transparency in marketing. The episode wraps up with a look at managing open-source supply chain risks and the crucial role of entities like Tidelift in providing paid maintenance services, reflecting the industry’s shift towards better security practices. Don’t miss this comprehensive exploration of the current state and future trends in the cybersecurity and software security industry.