TLDR; * The key to application and product security is understanding the risk appetite of the organization. And in order to understand this, organization needs to have an unified approach to risk quantification utilizing context. * A key trick to incorporate security practices into SDLC is to work with secure-by-default libraries / frameworks.
March 26, 2025
TLDR; Here are a few points which stood out for us: * As the technology moves rapidly, one key skill to success in Digital Forensics is constant learning. Stay up to date with new the tools, technologies like GenAI, Quantum Computing. These bring new challenges and opportunities to Digital Forensic Analysts.
March 12, 2025
TLDR; * For Detection Engineering, understanding your network architecture, application ecosystem and people of network plays a major role. * In order to treat an alert as false positives, wait for at least three occurrences. Second could be a co-incidence. But, marking an alert as false positive on the first occurrence could
February 12, 2025
TLDR; * Security with AI can be bucketed into two areas. Detection based (where humans detect the spam using past experience, tone, etc in conversations) and Process based (using tools to block spams). * AI should leveraged for automating tedious manual activities. At the same time it should be verified before the
January 22, 2025
TLDR * For the success of CyberSecurity Programs, Prioritization is the Key. Follow a Risk based approach for prioritization. * CyberSecurity awareness programs should be behavior based vs tool based. It should also cover both individual and organizational goals. Most importantly, programs should have clear objectives since the landscape changes frequently be
January 08, 2025
* Listen to the episode on Spotify TLDR; * One of the key skills necessary during Incident Response is to stay calm. Analyze the incident before acting on it. Find the right balance between Speed and Accuracy of Analysis * For Preparedness, Define Processes, Playbooks, Document Landscape and Stakeholder Communication plans to avoid
December 18, 2024
TLDR; 1. Cross-training is key for CISOs. CISOs specializing in AppSec should also focus on other areas like Incident Management, GRC, and People Management to name a few areas. And remember Perfection is the enemy of good. 2. Communication is an essential skill for CISOs & Security Leaders. 2 Pro
December 04, 2024
TLDR; 1. Privacy engineering focuses on implementing privacy best practices for users and organizations. The core focus is user's privacy and responsible handling of their data. Finding the balance between experience and fatigue is key. 2. Privacy by design enables teams to incorporate privacy engineering practices to each
November 20, 2024
TLDR; * gcpwn (modeled after Pacu) is a great tool for pentesting covering enumeration and lateral movement. There are many more capabilities coming up soon with support for more Services and APIs. * Annual Pen Testing is a good start. But, pentesting should be as close to continuous as possible. It helps
November 06, 2024
TLDR; * Zero Trust is a continuous journey. It’s not like a set it and forget it type of program. Organizations need to invest not only to set it up initially but also to keep monitoring and improving the program. * For adoption of zero trust, some of the biggest challenges
October 23, 2024
TLDR; * Vendor / Platform selection should be based on organization goals. CISOs & Security leaders should prioritize selection based on current posture and look at achieving a set of future goals vs compliance needs or by following a checkbox approach. * Vendor health is an important aspect of determining a platform/vendor.
October 09, 2024
TLDR; * Having a defined Incident Response Process and Alignment among the team are key for a successful Incident Response Program * Monitor your MTTD and MTTR and use that to constantly improve your Incident Response Program. * When it comes to the Security of your organization, Open Source or Native security tools
September 25, 2024
TLDR; * GenAI Tools are good at generic information. But, it often lacks contextual awareness. Building contextual awareness it into the GenAI tooling to get the maximum benefit of this technology trend. * Data privacy & Privacy Enhancing Technology (PET) plays a critical role in organisation’s GenAI strategy. Enough guardrails should
September 18, 2024
TLDR; * There are two essentials to focus in cloud security. Strong security foundations / baselines for preventive measures and remediations for drifts from a reactive measures stand point. * Biggest challenge with remediation programs is buy-in from other stakeholders like Engineering, DevOps, Leadership. To get the buy-in, show the current MTTR vs
September 11, 2024
TLDR; * In an organization, the IAM landscape is always a moving target. So, understand the organizational structure and usability of cloud services before setting up the foundation. * Security vs Compliance is an age-old debate. When the security basics are implemented the right way, compliance automatically follows. * For data perimeter security,
September 04, 2024
TLDR; Thanks, Cassie for the fun conversation. Here’s a summary of our conversation: * To enhance security program effectiveness, infuse security into daily practices of engineering and others. A simple example could be doing a security review as part of the code review process in SDLC. * Training and Awareness programs
August 28, 2024
TLDR; * Security baseline along with security boundaries define the security foundation for Organizations. There are various types of security baselines organizations should incorporate like Network, IAM, Infra, and Data. * Baselining is a continuous process. Define it, measure it, monitor it, and refine it using internal and external audits & findings.
August 21, 2024
TLDR; * For organizations, alignment between Revenue Goals vs Cost vs Risk is key for success. Instead of teams working in isolation, collaborate to improve the security of the organization. * Security is seen as a team of No. Instead of saying No, security teams should show the path to Yes for
August 14, 2024
TLDR; Thanks, Jan, for the insightful conversation. Here are a few things that I gathered. * For the compliance and security debate, understand different personas and their agendas, have a governing body that works with all of these personas, and helps with prioritization. * Always start with basic security practices and focus
August 07, 2024
This episode dives deep into network segmentation - your secret weapon for building a secure and scalable network. We'll discuss best practices, tackle implementation challenges, and explore how to integrate segmentation with Zero Trust.
July 24, 2024
TLDR * Standardization of logs is very important when designing a Centralized Logging and Monitoring solution. Both from a security and also from an engineering perspective. * When it comes to Logging, start with User Logs, System Logs, Config Logs, Network Logs, in that order to analyze for Detecting Security issues. * For
July 10, 2024
TLDR; * Communication, both written and oral, are key skills for security engineers and organizations should evaluate for this during the hiring process. * For startups while hiring, assessing the business risk has a huge impact because it helps you decide whether to hire a contractor or a pen tester or a
June 26, 2024
TLDR; * Secure by design is a key step in building a healthy security program. It should not be done, or rather it should be done while designing and building applications and not as an afterthought. * When it comes to threat modeling, taking a pause and asking questions about possible threats
June 12, 2024
TLDR; * Risk Management should not only be reactive. It has to have the right balance between proactive and reactive strategies. * Continuous training and awareness programs are key for running a healthy and successful security program. Also, when it comes to training, it should be targeted vs generic. * Security is a
May 29, 2024
TLDR; * In order to ensure success of security programs, security engineers should not work in Isolation. Instead, they should collaborate across teams and organization. * For Incident Detection and Response, organizations should have a rubrik. It reduces the stress on engineers to figure out the right plan of action and next
May 15, 2024
TLDR; * Create and Practice a Culture of Knowledge, Learnings and Growth. This not only helps you in hiring new Security Roles but also helps in Retaining them. * For a Startup, hire a generalist as a First Role. This helps in Building the Trust and relationship foundation between Security and other
April 17, 2024
TLDR; * Threat researchers use threat hunting to learn about trends, and correlations, to narrow focus of the research. And they use this information to watch for other threats and also to help bring awareness in organizations. * Threat research needs creative and out-of-the-box thinking. By following a checklist, threat researchers often
April 03, 2024
TLDR; * When it comes to Cloud Security, it needs a mindset shift vs on-prem security. And Cloud Security Maturity Model helps with that. * Biggest challenge with Adoption of Cloud Security Maturity Model is expectation setting. Work with Leadership to set the right expectations. * Before acting on Maturity Model, evaluate the
March 20, 2024
TDLR; * When it comes to Cloud Security, focus on Basic & Common Misconfigurations first. Only after all of those are resolved, pay attention to edge cases. * For the Prevention of Cloud Security risks, ensure the Pipeline is Secure. The Infrastructure getting deployed into the Cloud environment is secure and does
February 21, 2024
TLDR; * Software Bill of Material (SBOM) is key for Supply Chain Security. It helps organizations understand dependencies and vulnerabilities associated with the dependencies. * To analyze SBOMs, utilize a Software Composition Analysis (SCA) Tool and integrate is as part of CI/CD Process. * Some of the best practices of Image Signing
February 07, 2024
TLDR; * Security of Cloud IAM requires a different mindset than traditional IAM. Once credentials are breached, attackers gain access to all infrastructure in a Cloud environment. This is one of the Primary Reasons why IAM is the new Perimeter. * To address IAM security gaps, start with Tagging of IAM Resources,
January 24, 2024
TLDR; * IAM is the critical component when moving workloads from On-Prem to Cloud. Special attention should be paid to Right Sizing of Permissions early on as part of Cloud Security strategy. * Visibility of Cloud Assets is important. Implement Automation for workloads and follow DevSecOps best practices to ensure Security is
January 10, 2024
TLDR; * When it comes to Code generation using Gen AI tools, Trust but Verify. Always run those through your DevSecOps pipelines for Static & Dynamic Scans. * During Prompt engineering, stay away from feeding sensitive information and ask for Low Cyclomatic Complexity recommendations. It’s simpler and easier to maintain. * On
December 27, 2023
TLDR; * Vendor Security Questionnaires are not enough because they are out of date a month after its filled. Continuous assessment is more important than one time vendor security questionnaire. * Prioritization of Vendors and their security is key to not get overwhelmed with massive number of vendors. it can be driven
December 13, 2023
TLDR; * From a culture perspective, create an environment where your Team feels comfortable in taking Risks. Without Risk Taking, there’s no Innovation. * When it comes to Security, show the ROI to the Leadership and do not forget to recognize effort and celebrate small wins. * Assign Tiers to vendors based
November 29, 2023
TLDR; * To Show Value of IAM improvements to Leadership, map them to outcomes like Cost Improvement from Audit/SOX perspective, Developer Productivity Gains via Provisioning improvements and MTTD & MTTR from Incident Response perspective. * To keep Cloud Security complexity to minimum, bring all your data sources (like SIEM, SOAR, IDS/
November 16, 2023
TLDR; * Organizational alignment is the most important factor for Security roadmap. Pro tip - when speaking with Business, Security Teams should use the Business Language instead of Technical Language. * Build a One team culture. Brown Bags, Lightning Talks, Dojos, etc are great ways to collaborate with Engineering and Product teams
November 10, 2023
TLDR; * Context is key. When looking at Vulnerabilities do not just look at CVSS Base score, instead, understand your Risk Profile and add the Environmental elements for better prioritization. * In order to adhere to DevSecOps practices, be pragmatic. Instead of a Big Bang approach, start small and iterate to incorporate
October 27, 2023
TLDR; * For Application Security, start with Threat Modeling including Context. Look at all our architecture diagrams and start evaluating from an attacker's mind. * When using Open Source dependencies, start with a Baseline Vulnerability Scan and do a continuous process to review and evaluate dependencies. * Understand dependencies, SBOM to
October 13, 2023
TLDR; * Context is key when it comes to Vulnerability Management. Instead of focusing on Vulnerabilities by severity, organizations should evaluate the exploitability and actively exploited vulnerabilities for Prioritization. * When looking at Vulnerabilities do not take CVSS Base score at face value, organizations should understand & utilize Temporal and Environmental elements
September 29, 2023
TLDR; * Detailed Understanding on particular capability with overview of entire architecture is very important from a Threat Modeling perspective. * Create Checklists to scale security in an organization. Involve all teams, and when possible invest and nurture a security champions program. * Security is a journey not a destination. Celebrate small wins.
September 08, 2023
TLDR; * When it comes to asset management, always start from outside in, like DNS, to understand your dangling subdomains or public IPs, which are sort of overexposed and work your work towards inside of your infrastructure. * For asset inventory, get data from multiple sources so that you can use that
August 25, 2023
Host: Welcome to the final chapter of Kubernetes Learning series. In part one we learned about Kubernetes and workloads in general along with some open-source tools. In part two we learned about approaches for attacking Kubernetes clusters from a red teaming perspective and also understanding attackers mindset while exploiting clusters.
August 04, 2023
TLDR; * First Security hire for an organization should be a Generalist and has necessary soft skills to work with other teams to improve overall security. Soft Skills and Relationship building is key at the early stage of an organization. * Security Champions are important for a successful Security program implementation. Collaborate
July 28, 2023
Host: Welcome to another part of Kubernetes Learning series. In part one, we focused on Kubernetes and workloads in general, along with some open-source tools. Today in part two, we will focus on approaches for attacking a Kubernetes cluster from a red teaming perspective. This also helps in understanding how
July 14, 2023
TLDR; * Playbooks have an important role in the Incident Response Process, from all aspects, including Evidence Collection, Triage, Retrospection. * There are 4 key factors which need to be understood in Incident Response - Initial Access, Execution, Lateral Movement and Command & Control. * Training your engineers on Architecture (Cloud or Hybrid
July 07, 2023
Host: Hi everyone. Thanks for tuning into another episode of Scale to Zero. I'm Pursottam, co founder and CTO of Cloudanix. Today's topic includes Kubernetes Security, both from an attack perspective and also from a defense perspective. We'll be doing this slightly differently than
June 30, 2023
TLDR; * Kubernetes is not a solution for all. It always depends on the use case. It depends on the growth stage of the company, expertise in the team, and few more. Surprisingly, monoliths could be a better solution sometimes. * Automation is a key practice while adopting Cloud Native Security. Shift
June 23, 2023
TLDR; * Security is definitely an additional overhead for DevOps practices. Self-Serve tooling helps ease the gap between Engineering and Security. * Some of the best practices of DevOps are: Do not embed secrets in Code. Follow Standardization via Config Management, automation (IaC) and Observability. * It’s highly recommended to use Hardware
June 16, 2023
TLDR; * For an organization starting to incorporate Security into their systems, start right (as in securing your Production Systems) and make progress towards securing the Source Code. This helps bridge the gap between best case scenario and current state. * Security is not always the highest priority. Depending on the stage
June 09, 2023
TLDR; * Threat Modeling is a continuous activity and should be part of every phase of SDLC starting from Design phase itself. * For Threat Modeling, start with something as simple as STRIDE framework and as the organization matures, review and utilize other frameworks as needed. * For resource constrained organizations, start with
June 06, 2023
TLDR; * Finding right balance between Production Speed and Security is all about right Prioritization. It’s a shared responsibility between Security & other teams. * Security Team is an advisor where as Product & Engineering owns the implementation. So, building relationship with other Teams is highly important. * Empathy is one of
May 26, 2023
TLDR; * Security Tools does not mean AppSec. There are other factors to Security as well like People, Process and Governance. * For resource constrained organizations, start with Open Source to improve Security for high impact areas before investing in Wholistic & Expensive Tools. * Instead of following all the best practices like
May 19, 2023
TLDR; * Threat modeling is key for incorporating security in each phase of SDLC. More importantly, training the team to look out for gaps in security and then using that for threat modeling will have the highest return for organizations. * When working with other teams and execs show how security can
May 12, 2023
TLDR; * When it comes to threat hunting exercises, instead of focusing on the top fives of the world, focus on areas which are applicable and can be exploited in your architecture. * As part of your incident response plan, conduct frequent fire drill or tabletop exercises to evaluate preparedness. * Learning from
April 28, 2023
TLDR; * Threat modeling is the most cost effective way to improve security, and it helps in avoiding future costs incurred, like through bug bounties or breaches or pen testing. * While prioritizing threat modeling areas, instead of boiling the ocean, focus on the most important assets, the critical assets, and their
April 21, 2023
TLDR; * Exploit prediction scoring system which is also known as EPSs is a better way to understand and prioritize vulnerabilities as it uses data driven approach to determine the likelihood or probability of a vulnerability to be exploited. * As part of vulnerability management programs document the process design playbooks for
April 14, 2023
TLDR; * Credential Stuffing is a massive problem. Attackers have already found workarounds to MFA with techniques like Evil Proxy. Use of Hardware keys is recommended. * Understand your exposure and cyber crime value. Cyber crime value is what can an attacker benefit by attacking you or your organization. * Humans are the
April 07, 2023
TLDR; * Incident Response Plan is a must in order to fight phishing or social engineering attacks. * Security is the responsibility of the entire and not just of the security team to bring awareness. Security awareness training should be conducted with other teams in the organization. * Whenever possible, implement MFA across
March 24, 2023
TLDR; * Understanding the threat model in depth is very important for Blue Team to be successful. * Red Team should be considered as partners rather than adversaries in building and improving the threat defense program. * Accuracy of digital forensic data is key for analyzing and improving security difference programs. It should
March 17, 2023
TLDR; * The very first step in setting up a solid security program is to understand the scope and the current set up really well. * Documentation of the security process and organizational training are super important for the successful GRC setup. * When it comes to data privacy, there is no one
March 10, 2023
TLDR; * Before using any new service or thinking about any new service, thinking about security for any new service cloud practitioners should do threat modeling exercise to understand the attack paths because that helps in defining the right set of permissions policies for the service. * Limit impact of any attacks
March 06, 2023
TLDR; * For organizations before investing in threat hunting or Red teaming, blue teaming or Purple teaming, understand your threat landscape, your security maturity, and have threat detection capabilities via different tooling. * Certifications like soc. Two hipaa, et cetera are a good foundation, but invest in continuous security risk assessment. * For
February 24, 2023
TLDR; * For managed kubernetes hyper scalers are sort of responsible for control plane, key value store like, etc. But when it comes to security of the workloads or worker notes, it’s the user’s responsibility. * In case of Kubernetes, like securing. Kubernetes best practice is to implement a few
February 17, 2023
TLDR; * For incident response. Always prepare a plan and socialize that within the organization and perform tabletop or fire drill exercises to check for the preparedness of those. * Avoid social engineering and doxing attacks. MFA is a must. And on top of that, use onetime passcode based or the hardware
February 10, 2023
TLDR; * Prepare personal data inventory data flow maps for teams to understand how data, particularly crown jewels, are being referred and used or should be used throughout the organization. * For data governance, cataloging is important. Build a knowledge base to improve visibility and awareness of the governance process. * Recognition is
February 03, 2023
TLDR; * As part of the shared responsibility model, cloud providers take care of a few areas like the control plane or data HCD, key value store and stuff like that. But there are areas like your own workload secrets, base images. There is RBAC dashboard and logs, which users need
January 27, 2023
TLDR; * Data Perimeter provides additional security capabilities on top of current AWS offerings by combining power from SCP, Resource Policies, Identity Policies, Network Policies, etc. to build a perimeter around your data. * It’s recommended to focus on all the areas of Data Perimeter like Identity, Network & Resource while
January 20, 2023
TLDR; * To build and improve security culture in an organization, lead with empathy. Understand current culture and processes before introducing new ones. * Alignment is a key factor in improving collaboration between the security team and other teams in an organization. Continuous learning and engagement is a must. * In case of
December 16, 2022
TLDR; * Priority of security debt is always context driven. Businesses should reevaluate the risks depending on liability or exploitability of it and how it applies to the business. * Building a security centric culture always depends on two aspects. First is the messaging from the leadership of the execs. And the
December 06, 2022
TLDR; * To build a security centric culture, first educate other teams about security roadmap & improve security awareness. It can be as simple as Brown Bags or Lunch & Learns focused on specific Security Areas like XSS or Cryptojacking. * In order to prioritize & address security debt, have a combined
November 18, 2022
TLDR; * Measure your current risk posture using existing tools. This helps in justification of the spend and budget planning. * Data privacy is a shared responsibility across all members in the organization. It’s not a tools problem. * MFA should be set up for all the apps and services as a
November 04, 2022
TLDR; * Security program should be risk driven rather than compliance driven. So risk assessment is the key for designing a good security program. * Continued reevaluation of the risks in your risk matrix is the key to prioritization. It also helps in addressing security depth. * Prior to using any open source
October 21, 2022
TLDR; * For risk management, have security baked in early in your SDLC process. This helps in your security debt prioritization as well. * Follow the Information Security triad, which is also known as CIA Triad. The confidentiality, integrity and availability. For Data Protection and Cyber security, apply the NIST framework for
October 07, 2022
TLDR; * Security should be mandated from top down and it should be implemented in partnership with individual contributors or the doors, right? Who own the implementation. * From a security standpoint, start small with frameworks like Nest, CIS, sock one and understand your risk tolerance. Do the gap analysis during the
September 30, 2022
TLDR; * To implement Zero Trust as part of the security program, understand the current Architecture first and then introduce Zero Trust in each layer one by one. Follow the NIST 800-207 guidelines closely. * Security debt is nothing but Tech Debt for Security. Have clear communication with Leadership team to find
September 23, 2022
TLDR; * For Zero Trust CIS 1 & 2 Benchmarks are the most important. To start, Draw & Understand the Inventory architecture. * Identity is one of the core components of Zero Trust and it feeds into Zero Trust. Define the Policies and enforce the policies to incorporate zero trust through out
September 15, 2022
TLDR; * When it comes to Preparation for data breaches or ransomware attacks, focus on both Business Risk & Financial Impact. Have an Incident Response Plan & Perform frequent simulations with all the stakeholders to check your preparedness. * When working with other Teams & Executives, use Tailored Messaging to educate &
September 02, 2022
TLDR; * When a hacker reports a finding. We sometimes ignore it. It’s not wise to do so. Instead, Acknowledge and work with the Hackers to improve your Security Posture. * In order to prepare an organization for potential data breaches or attacks, use a Data Driven approach and define clear
August 24, 2022
TLDR; * Security is not just a checkbox. Certifications should be used as a measurement tool rather than a goal. Continuous security improvement has much more impact than just getting certifications like SOC2, ISO, HIPAA, etc. * In order to setup IAM in the most accurate way, understanding Who needs access to
August 08, 2022
TLDR; * To build a security centric culture, Transparency with teams, getting Executive Support and Investing in Regular Training are utmost important. * In order to improve working relationships with other teams, Security Teams should Start interacting early in the journey and define Go To Market Security Strategy along with the teams.
July 29, 2022
Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. With this podcast, our goal is to get your security questions answered by experts in the security space and build a community. For Today’s episode, we have Swati Anuj Arya with us. Swati is a Leader at
June 24, 2022
Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. With this podcast, our goal is to get your security questions answered by experts in the security space and build a community. For Today’s episode, we have Gary Dylina with us. Gary is the Director of Security
June 24, 2022
Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. Today we have Gaurav Batra with us. Gaurav is the Founder & CEO of CyberFrat (A Cross-Training Platform for Nexgen Cybersecurity & Risk Leaders). Earlier he was a Global Information Security & Cloud Expert at Mondelez International. Gaurav,
June 24, 2022
Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. Today we have Aseem Rastogi with us. Aseem is the Head of CyberSecurity and Compliance at Meesho. Prior to joining Meesho, he was leading the CyberSecurity & Compliance efforts at RazorPay. Aseem, Thank you so much for joining
June 17, 2022