October Meet

Hosted By
prashant
Details

Security time, courtesy of our host Poshmark Inc. We will have three exciting talks, lots of people to meet, and great food. Come join us at Poshmark's beautiful office.

Talk#1 Setting up a Cloud Security Practice
Talk#2 Emerging Best Practices in Software Supply Chain Security: What We Can Learn from Google, the White House, OWASP, and Gartner
Talk#3 APIs: Attackers' Target

#1 Setting up a Cloud Security Practice
Speaker: Saran Makam, Head of Security at Poshmark. Saran has 18 years of experience in managing and implementing security programs across different industry verticals. This talk will focus on how an organization can implement cloud security controls.

#2 Emerging Best Practices in Software Supply Chain Security: What We Can Learn from Google, the White House, OWASP, and Gartner
Attackers are taking advantage of insecure software deployment pipelines; the White House, OWASP, Google, and others have released guidelines on best practices in response. We will break down the key takeaways and compile a list of best practices for mitigating software supply chain security risks.
The severity and frequency of software supply chain attacks have increased significantly. How should software teams react to these new threats? Several new frameworks are emerging. The National Institute of Standards and Technology (NIST) created the NIST Secure Software Development Framework (SSDF) with robust guidance on securing the software supply chain. Similarly, Google has released the Supply-chain Levels for Software Artifacts (SLSA) framework for ensuring software supply chain and build integrity. Here, we will compare and contrast NIST SSDF and Google SLSA and discuss how they may be used to improve your organization's security posture.

Description:

  • The Biden Administration has unveiled a National Security Memorandum on improving cybersecurity for critical infrastructure control systems, which outlines a framework for cybersecurity to protect against modern threats. This initiative emphasizes preventative measures within cybersecurity, making it so that security is built into the process and designed into applications in earlier stages.
  • The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) are collaboratively building cybersecurity goals for critical infrastructure to adhere to.
  • Objective 1: Protect EO-critical software and platforms from unauthorized access and use
  • Objective 2: Protect the confidentiality, integrity, and availability of data used by EO-critical software and software platforms
  • Objective 3: Identify and maintain EO-critical software platforms and software deployed to these platforms to protect EO-critical software from exploitation
  • Objective 4: Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms
  • Objective 5: Strengthen the understanding and performance of human actions that foster the security of EO-critical software and EO-critical software platforms

Bio: Tony Loehr is the Developer Advocate for Cycode. Their prerogative is to make it easy for developers to use the Cycode platform, and to help protect data through knowledge sharing. They have professional experience with engineering, marketing, and sales and bring a unique perspective on how to implement comprehensive cybersecurity solutions. They value being a lifelong learner and aim to help teach cybersecurity solutions to people with varying degrees of technical knowledge. Tony enjoys tending houseplants, freestyle rapping, and working on various side projects in their free time.

#3 APIs: Attackers' Target
Application programming interfaces (APIs) help ensure a smooth-running and engaging experience for mobile and web applications. Attackers are performing new levels of analysis to understand how each API works, how the APIs interact with each other, and what the expected outcome is. According to Gartner, API attacks involving unmanaged and unsecured APIs will become the most frequent attack vector, causing a growing number of data breaches for enterprise web applications. The uptick in API usage, and in bots used to attack even perfectly coded APIs, is likely one of the reasons that Forrester included API Security and Bot Management as two technologies CISOs must have. In this discussion, we'll cover why traditional security tools don't cut it when it comes to API protection. In addition, we'll walk through real-world examples of API attacks and mitigation steps.
Speaker: Shreyans Mehta, Founder & CTO of Cequence Security

COVID-19 safety measures

Event will be indoors
Bay Area OWASP
Poshmark
203 Redwood Shores Pkwy floor 8 · Redwood City, CA