We found 7 episodes of Security Conversations with the tag “supply chain”.
-
Cris Neckar on the early days of securing Chrome, chasing browser exploits
April 11th, 2024 | 54 mins 36 secs
chrome, investments, pwn2own, supply chain, venture capital
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- XZ.fail backdoor detector (https://xz.fail)
Cris Neckar is a veteran security researcher now working as a partner at Two Bear Capital. In this episode, he reminisces on the early days of hacking at Neohapsis, his time on the Google Chrome security team, shenanigans at Pwn2Own/Pwnium and the cat-and-mouse battle for browser exploit chains. We also discuss the zero-day exploit marketplace, the hype and promise of AI, and his mission to help highly technical founders bring products to market.
-
Dan Lorenc on fixing the 'crappy' CVE ecosystem
November 14th, 2023 | 41 mins 45 secs
chainguard, cve, sboms, supply chain, venture capital
Episode sponsors:
- Binarly, the firmware security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.
-
Abhishek Arya on Google's AI cybersecurity experiments
September 12th, 2023 | 33 mins 27 secs
google, open source software, openssf, oss-fuzz, supply chain
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.
In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.
-
GitHub security chief Mike Hanley on secure coding, AI and SBOMs
August 2nd, 2023 | 40 mins 29 secs
github, open source, sbom, shift-left, supply chain
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
GitHub security chief Mike Hanley joins the show to discuss merging the CSO and SVP/Engineering roles, securing data and code in an organization under constant attack, the thrilling promise of AI to the future of secure code, the dangers of equating SBOMs to supply chain security, and new SEC reporting rules for CISOs.
-
OpenSSF GM Omkhar Arasaratnam on open-source software security
July 5th, 2023 | 36 mins 11 secs
log4j, open source, supply chain
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
New General Manager of the Open Source Security Foundation (OpenSSF) Omkhar Arasaratnam joins the podcast for a candid conversation on the challenges surrounding open-source software security, lessons from the Log4j crisis, the value of SBOMs, and U.S. government efforts to secure America's software supply chains.
-
Sounil Yu on SBOMs, software supply chain security
July 13th, 2021 | 48 mins 26 secs
open-source, sbom, supply chain
Episode sponsored by SecurityWeek.com
JupiterOne CISO Sounil Yu joins the show to sift through the noise and explain the value of SBOMs (software bills of materials), the U.S. government's response to software supply chain security gaps, and what every buyer and seller should be doing to prepare for major changes in the ecosystem.
-
Michael Laventure, threat detection and response, Netflix
June 10th, 2021 | 30 mins 32 secs
supply chain, threat-hunting, threat-intel
Netflix threat detection and response practitioner Michael Laventure joins the show to talk about a simple goal to "do security better." We discuss a transition from .gov security work to the fast pace of Silicon Valley, the culture clashes that can make life difficult, the value of threat intelligence to a modern security program, and why we should all be optimistic about the future of cybersecurity.