The Security Ledger Podcasts

Summary: Named one of the world's top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must listen if "cyber" is your thing!

  • Artist: The Security Ledger
  • Copyright: Copyright © Box Jump LLC, 2019. All Rights Reserved. No part of this may be reproduced without Box Jump LLC's express consent. Backlinks are allowed.

Podcasts:

 Episode 177: The Power and Pitfalls of Threat Intelligence | File Type: audio/mpeg | Duration: 30:18

In this week’s podcast (#177) we’re back from RSA Conference and talking about the growing prominence of cyber threat intelligence services with Eric Olson of the firm LookingGlass Cyber Solutions.

Last week’s RSA Security Conference in San Francisco showcased the latest the technology industry has to offer against sophisticated hackers, bots and viruses – even as a real-world virus, COVID-19, stalked the streets of San Francisco and prompted the city government to declare a state of emergency midway through the event.

Threats – Virtual and Otherwise

That was a reminder, if any was needed, that the threats facing global organizations today are more varied and harder to predict than ever. Global pandemics can interrupt critical supply chains or bring business operations to a screeching halt. So too can malware and denial of service attacks aimed at you, or at a region or third party you rely on. That cold reality may go some way towards explaining why so-called threat intelligence is all the rage among organizations both large and small. By one count, there were 79 vendors at RSA offering some variation of threat intelligence services.

Words of Advice from the Justice Department

The hunger for threat intelligence is so great that the Department of Justice, in recent weeks, issued guidance to private firms that were considering threat intelligence, warning them away from actions or business partners that might cross the line from gathering information on malicious activities to engaging in them.

What is threat intelligence and what value does it offer to companies worried about falling victim to sophisticated cyber actors? In this RSA wrap-up podcast, we’re taking on the challenge of answering that question. And, to do so, we’ve invited an expert on the subject into the studio. Eric Olson is the senior vice president of product management at LookingGlass Cyber Solutions. In this conversation, Eric talks about what the term “threat intelligence” means in 2020, how companies are turning threat intelligence to their advantage and about some simple steps that organizations who haven’t already invested in this type of information service can take to start making threat intelligence work for them.

(*) Disclosure: This podcast was sponsored by LookingGlass Cyber Solutions. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out 

 Spotlight Podcast: The Demise of the Password may be closer than you think! | File Type: audio/mpeg | Duration: 20:31

In this Spotlight* podcast, Yaser Masoudnia of LogMeIn and LastPass talks about the continued persistence of the password in enterprise IT environments and how its inevitable demise (and replacement) may be closer than you would think.

If you look back at the seminal hacking film, 1983’s War Games, not much about the technology will seem familiar. The computer monitors are monochrome. There are modems instead of wired – let alone wireless – networks to connect computers to the Internet and each other. Data is stored on floppy disks. But one bit of technology is strikingly familiar: the password. High school student David Lightman (played by Matthew Broderick) makes a game of finding and using them: hacking into his school’s grading system and, eventually, guessing the password needed to access a back door account on a military supercomputer.

More than 35 years later, the security of a discomforting number of modern IT systems and networks is protected by the same flimsy and vulnerable defense. But how do we finally ditch the password and embrace something stronger, that’s resilient, easier to use and harder to abuse? The solution may be closer than you think.

To talk about it, we invited Yaser Masoudnia, Senior Director of Product Management, Identity Access Management at LogMeIn, into the studio. In this conversation, Yaser and I talk about some of the struggles that organizations have abandoning passwords and the trends that are moving organizations towards a passwordless future – and what “passwordless” actually means.

(*) Disclosure: This podcast was sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

 Episode 176: Security Alarms in Census II Open Source Audit. Also: The New Face of Insider Threats with Code42 | File Type: audio/mpeg | Duration: 46:00

In this week’s episode of The Security Ledger Podcast, sponsored* by Code42, we do a deep dive on the security implications of the recently released Census II audit of open source software. We’re joined in our first segment by Frank Nagle of Harvard University’s Laboratory for Innovation Science and Mike Dolan, the Vice President of Strategic Programs at The Linux Foundation. In our second segment: tools like Slack and Microsoft Teams are revolutionizing how workers collaborate and communicate, but they also make it easier than ever for employees or malicious insiders to abscond with sensitive information. Joe Payne, the CEO of Code42, joins us to talk about how the challenge of data breach prevention is changing.

But first: software is eating the world, as the saying goes, and these days much of that munching is happening courtesy of free and open source software. Since the open source software movement first got going in the early 1980s with the GNU Project, the use of open source has grown exponentially. Today, open source libraries and other components can be found in virtually every substantial software application in use.

Census II exposes OSS Security Debt

But the rapid and friction-less adoption of open source isn’t without a cost. Namely: security debt. The popular wisdom is that the energy and scrutiny of the crowd are sufficient to keep open source components secure and stable, but history has indicated otherwise: bugs like Heartbleed in the ubiquitous OpenSSL library opened the eyes of the security community to the fact that serious, exploitable holes may lurk in other widely used open source components. Surveying such a massive body of code is a Herculean task, however. Better to know which open source components are the most widely used and shared, and which pose the greatest security risks.

That’s why the folks at Harvard University’s Laboratory for Innovation Science and The Linux Foundation teamed up on the second open source Census – the first census to identify and measure how widely open source software is deployed within applications by private and public organizations. The goal was to draw a more complete picture of FOSS usage, including by analyzing usage data provided by partner Software Composition Analysis (SCA) companies. Their report, dubbed “Vulnerabilities in the Core,” and the recommendations it offers are a unique insight into the security challenges facing the open source community. To discuss their work, we invited Frank Nagle of Harvard Business School and Mike Dolan, the Vice President of Strategic Programs at The Linux Foundation, in to talk about the Census II findings and what they mean for the larger project of securing open source code.

The New Face(s) of Insider Threat

Back in the Watergate era, stealing sensitive data was a cloak and dagger affair. The burglars hired to obtain sensitive strategy documents from the Democratic National Committee needed physical access to offices and file cabinets and went equipped with flashlights, lock picks, and other implements to do the job.

 Spotlight Podcast: How Machine Learning is revolutionizing Application Fuzzing | File Type: audio/mpeg | Duration: 24:35

In this Spotlight episode of the Podcast, sponsored* by ForAllSecure, we speak with CEO David Brumley about application “fuzzing” and how advancements in machine learning technology are allowing security researchers to find more – and more serious – vulnerabilities faster. The challenge now, Brumley says, is to keep up with the machines.

The media’s focus on artificial intelligence and machine learning technologies is mostly confined to digital voice assistants like Amazon’s Alexa or the many AI and ML applications in healthcare, public safety – even criminal justice and medicine. But the same technologies are bringing about a quiet revolution in the field of information security. One area that has seen rapid advancement thanks to ML and AI is the tried and true practice of “fuzzing” – feeding software applications malformed or unexpected inputs to surface defects and exploitable vulnerabilities. A highly specialized discipline, bug hunting is also highly data- and work-intensive. That’s driven bug hunters to look for ways to speed and automate the discovery and testing of software holes.

Our guest for this episode of the podcast, David Brumley, CEO of ForAllSecure, said that machine learning is transforming fuzzing as a strategy, as advanced machine learning algorithms are coupled with analytic methods like “symbolic execution” to model the operation of software applications and flag the presence of serious security flaws. (Check out our previous podcast conversation with David about security automation here.)

In this conversation, David and I talk about the growing importance of application fuzzing as a security tool and some of the complications that large scale vulnerability discovery has created.

(*) Disclosure: This podcast was sponsored by ForAllSecure. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

 Episode 175: Campaign Security lags. Also: securing Digital Identities in the age of the DeepFake | File Type: audio/mpeg | Duration: 45:55

Sponsored by DigiCert. In our first segment, Andrew Peterson, the CEO of the cyber security firm Signal Sciences, joins us to talk about the struggles that campaigns have managing online security. In our second segment: in an age of deep fakes and software supply chain hacks, securing online identity these days is about a lot more than lock icons in your browser window. In part 2 of our podcast we’re joined by Dan Timpson, Chief Technology Officer at DigiCert, to talk about the fast expanding terrain of securing online identities.

 Episode 174: GE’s Very Bad Day – Unpacking the MDHex Vulnerabilities | File Type: audio/mpeg | Duration: 21:04

The U.S. Department of Homeland Security warned of critical vulnerabilities in a range of products by GE. We speak with Elad Luz, the head of research at CyberMDX, which discovered the holes.

Caring for sick patients in a hospital is as much about mastering technology these days as it is about mastering biology, physiology and chemistry. The modern hospital room is a forest of beeping, blinking computer hardware that does everything from measuring vital signs to administering medication or life-saving treatments. All that hardware and software is prone to cyber security vulnerabilities, however, and cyber risk is a growing concern for providers. Witness the warning issued by the Department of Homeland Security on January 23 about a slew of vulnerabilities in products by healthcare giant GE.

DHS’s ICS-CERT warned that a collection of six cybersecurity vulnerabilities discovered in a range of GE Healthcare devices could allow an attacker to make changes at the software level of the device. Those changes could render the device unusable, interfere with its proper functioning, expose Patient Health Information – or all of the above. The vulnerabilities – collectively referred to as MDhex – were discovered by the firm CyberMDX, which was looking into the products’ use of an outdated, deprecated open source component known as “webmin” as well as what the company described as “problematic open port configurations” in the GE CARESCAPE patient monitoring workstation. Five of the six vulnerabilities were assigned the maximum CVSS v3.1 score of 10, while the remaining vulnerability scored 8.5 on the 0-to-10 scale of the Common Vulnerability Scoring System (originally developed under the National Infrastructure Advisory Council, NIAC, and now maintained by FIRST).

In this episode of the podcast, we invited Elad Luz, the head of research at CyberMDX, into the studio to talk about the security holes. Luz and CyberMDX discovered the flaws, reported them to GE and then worked with the company and DHS on a coordinated disclosure. In this conversation, Elad and I talk about the flaws CyberMDX discovered and some of the challenges facing healthcare organizations as they try to secure medical hardware and software deployed in clinical settings.

 Episode 173: Iran’s Cyber Payback for Soleimani Killing may have a Long Fuse | File Type: audio/mpeg | Duration: 21:05

As it weighs further response to the assassination of General Qasem Soleimani, Iran is almost certain to consider the use of cyber attacks. We talk with Levi Gundert at the firm Recorded Future about what cyber “payback” from Tehran might look like.

When missiles from Iran landed near U.S. military bases in Iraq, the world assumed that it was an escalation of tensions between Iran and the U.S. in response to the January 3rd U.S. drone assassination of General Qasem Soleimani, a high-ranking member of the Iranian government and the architect of the country’s Middle East policy. But fears of a shooting war between the U.S. and Iran have eased in the days following the Iranian missile launch, which caused no U.S. casualties and little damage and which was followed by mollifying comments from both the Iranian and U.S. leadership.

Disaster averted? Not so fast, say Middle East experts. “Killing Soleimani crossed a significant threshold in the US-Iran conflict,” Kiersten Todt, managing director of the Cyber Readiness Institute, told CNN. “Iranians will certainly try to retaliate — definitely in the region and they will also look at options in our homeland. Of the options available to them, cyber is most compelling.”

With Iran’s kinetic response mostly symbolic, speculation is now focused on the cyber theater, where Iran’s government has used hacking to advance both domestic and geopolitical objectives before. In recent memory, for example, the country tapped the Chafer hacking group to target aviation repair and maintenance firms in 2018 in an apparent effort to obtain information needed to shore up the safety of the country’s fleet of domestic aircraft, according to research by the firm Symantec. Those concerns prompted the U.S. Department of Homeland Security to issue a warning to private sector firms to prepare for the worst.

But what might “the worst” look like?

A Well-developed Offensive Cyber Program

Iran has a well-developed offensive cyber program and has been linked to attacks against public and private interests in Saudi Arabia, the United States and Europe, according to experts. The country already has successfully executed several known major cyber attacks against the United States, with two notable ones occurring in

 Episode 172: Securing the Election Supply Chain | File Type: audio/mpeg | Duration: 22:29

In this episode of the podcast (#172), we sit down with Jennifer Bisceglie, the founder and CEO of Interos, to talk about the links between America’s voting infrastructure and countries with a history of trying to subvert democracy.

With an election year upon us, the media’s attention has swung back to the vexing issue of election security. Given the documented interference by Russia in the 2016 presidential election and anomalies in the performance of electronic voting systems in both 2016 and 2018, as well as the recent UK Parliamentary elections, both government and watchdog groups worry about foreign actors tampering with election results in crucial (“swing”) districts.

Supply chain: the unseen election risk

But efforts to secure voting systems at election time can only go so far, according to research released this month by the firm Interos. The company found that one fifth (20%) of the hardware and software components in a popular voting machine came from suppliers in China. Furthermore, nearly three-fifths (59%) of the components in that voting machine came from companies with locations in both China and Russia.

Heightened awareness of supply chain risk

The study comes as the U.S. government and Trump Administration are issuing guidance to private sector firms and government agencies to steer clear of hardware and software from countries with a history of spying and espionage within the U.S., including hardware giants like the Chinese firm Huawei.

In this week’s podcast, we sat down with Jennifer Bisceglie to talk about the links between America’s voting infrastructure and countries with a history of trying to subvert democracy. In this conversation, Jennifer and I also talk about the larger issue of supply chain risk, which Bisceglie says goes well beyond cyber security, encompassing ethical sourcing, environmental risks and more.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

 Spotlight Podcast: Building Resilience into the IoT with Rob Spiger | File Type: audio/mpeg | Duration: 27:50

In this Spotlight edition of the Security Ledger Podcast, sponsored by Trusted Computing Group*: we’re joined by Rob Spiger, a principal security strategist at Microsoft and co-chair of the Cyber Resilient Technologies Working Group at Trusted Computing Group. Rob talks to us about efforts to make more resilient connected devices and how the advent of the Internet of Things is changing TCG’s approach to building cyber resilient systems.

When the Trusted Computing Group first hit the scene 20 years ago, the idea was to provide a so-called “root of trust” from which security operations might be launched, and a secure enclave from which devices could recover should all else fail. But attacks these days aren’t as simple as removing malware from a Windows system and getting it back up and running. Destructive malware like Shamoon, NotPetya and WannaCry has shown that disruption and even physical destruction of devices may be the objective of malware infections and hacks. At the same time, so-called “advanced persistent threat” (APT) actors have made a practice of stealthy, long-lived compromises designed to harvest information or extend control over compromised environments.

A Focus on Cyber Resilience

And, as Internet of Things devices permeate both commercial and private networks, the cyber-physical consequences of compromises mount. That’s why the Trusted Computing Group is expanding its work on what it calls “cyber resilient technologies” that can help restore connected devices to a working state in the event of a cyber attack or other disruption.

In this spotlight edition of the podcast, we invited Rob Spiger of Microsoft into the studio to talk about this concept of “cyber resilience.” Rob is a 17-year veteran of Microsoft and the co-chair of the Cyber Resilient Technologies Working Group at TCG. In this conversation, Rob and I talk about how the importance of cyber resilience has grown in recent years and how TCG is adapting to address the unique challenges of the Internet of Things, including the need to manage physically remote devices and devices deployed at massive scale.

Rob notes that the concept of resilience is not so much different today from what it was 20 years ago when TCG was first setting up shop, even though technology use cases have changed dramatically. “The concept is that devices could become compromised and you need to re-establish them to a trusted state and resume normal or limited operations if mitigations are not available immediately,” Spiger told me. “The basic concept is to provide better protections and detect if an attack has occurred and then to recover from that attack to a trusted state.”

 Spotlight Podcast: Beyond HIPAA – a Conversation with Nemours CPO Kevin Haynes | File Type: audio/mpeg | Duration: 29:26

In this Spotlight edition of The Security Ledger Podcast, sponsored by RSA Security*, the Chief Privacy Officer at Nemours Healthcare, Kevin Haynes, joins us to talk about the fast evolving privacy demands on healthcare firms and how the Chief Privacy Officer role is evolving to address new privacy and security threats.

In just a couple of weeks the California Consumer Privacy Act – or CCPA – will take effect. Considered the most comprehensive data privacy law in the country, the CCPA could become a de facto federal standard akin to the EU’s GDPR, at least in the absence of a matching federal law. The law, enforcement of which begins in July 2020, will be a wake-up call to many industries that have made a business of collecting, mining and even re-selling their customers’ data. One industry that is unlikely to be fazed by the new requirements, however, is healthcare. That’s because a comprehensive patient data privacy law, HIPAA, has governed that industry for more than two decades.

Healthcare Industry beset by Changes

But the existence of a strong federal data protection law for patient health information doesn’t leave the healthcare industry immune from controversies, risks or questions about the extent of privacy protections. That’s especially true as a new generation of connected medical devices works its way into clinical settings, exposing them to cyber and operational risks in new ways. And, as data hungry firms like Google look to expand their reach into the massive healthcare industry, healthcare firms need to balance their interest in new treatments and better customer service against the privacy rights and concerns of their members. Concerns about data privacy and the abuse of medical information, for example, have dogged initiatives like Google’s Project Nightingale since its inception.

The Role of Healthcare CPO: Beyond HIPAA

To learn more about the unique challenges facing healthcare organizations, we invited Kevin Haynes, the Chief Privacy Officer of the Nemours Foundation – a pediatric health provider in six states and the District of Columbia – to talk about how the role of Chief Privacy Officer is changing and adapting to the challenges and threats facing healthcare organizations. Haynes says that – despite laws like HIPAA and even CCPA – privacy protecti...

 Episode 171: Stopping the 21st Century’s Plumbers – Defending Digital Campaigns from Hackers | File Type: audio/mpeg | Duration: 35:07

In this week’s episode of the podcast (#171): as voters go to the polls in the UK and primaries loom here in the U.S., we sit down with Michael Kaiser, the CEO of a new group, Defending Digital Campaigns, and Joel Wallenstrom, the CEO of secure collaboration platform Wickr, to discuss efforts to extend an information security lifeline to political campaigns in an era of epidemic campaign hacking and online disinformation.

Cyber attacks on high profile political campaigns aren’t just an artifact of the 2016 presidential campaign in the U.S. or the 2016 Brexit referendum in the UK. In fact, attacks on campaigns – at home and abroad – predate those events and have now become more the rule than the exception. Just in the last year, there is evidence of campaign hacks and damaging leaks in the US midterm elections and in the lead-up to this week’s Parliamentary elections in the UK.

There are many explanations for why campaign hacks and attacks have become a fixture of modern elections. For one thing: campaigns operate almost entirely online these days, making the crowbar and flashlight routine of the Watergate burglars unnecessary. But campaigns are also slapdash affairs: spun up quickly, with ever evolving and revolving staff, and spun down just as quickly after the voting is finished. Furthermore, despite the never-ending media fixation on hacks of voting infrastructure, malicious operations to discredit candidates and campaigns are easier and have been shown to actually sway outcomes. And finally: campaigns run on shoestring budgets, with most of their available cash devoted to getting the candidate’s message out to voters. Cyber security tools and talent are not a high priority.

Still: in the wake of the 2016 election hacking, plenty of cyber security firms stood ready to offer both tools and talent…for free, or at steep discounts. But then there’s the matter of federal election rules, which treat such discounts as ‘in kind’ gifts – disallowed campaign donations. Enter Defending Digital Campaigns (DDC), a not-for-profit group created to give campaigns access to cybersecurity products, services and information regardless of party affiliation.

 Episode 170: Cyber Monday is for Hackers | File Type: audio/mpeg | Duration: 26:38

In this episode of the podcast, sponsored by Signal Sciences*: Cyber Monday may have been the biggest yet – and not just for shoppers and online retailers. Hackers use the year’s biggest online shopping day to cover their tracks. Brendon Macaraeg, Senior Director of Product Marketing at the firm Signal Sciences, joins us to talk about Cyber Monday and the rising tide of e-commerce hacks.

Cyber Monday 2019 is in the rear view mirror and this year’s holiday shopping bonanza looks to be the biggest ever. Adobe Analytics estimated this week that sales from Thanksgiving through Cyber Monday will exceed $29 billion. And, in just one measure of how shopping habits are changing, the online sales platform Shopify, which is used by more than a million merchants, reported that sales on the platform had already surpassed $1.5 billion, more than the sales from the full Thanksgiving weekend last year, according to reports.

But the post-Thanksgiving weekend isn’t just big for shoppers and retailers. It is also one of the busiest weekends for cyber criminals, who find cover for their attacks and fraud among the millions of legitimate online shoppers. And it isn’t just during the holiday season that online criminals hide in the crowd. A recent study by the firm Signal Sciences found that attacks on e-commerce applications jump on the 15th and 30th of the month – pay days when overall shopping volume is higher as well.

What does this mean for e-tailers? To find out, we invited Brendon Macaraeg of Signal Sciences back into the Security Ledger studios to talk about that company’s research, which finds a rising tide of e-commerce fraud. To start off, I asked Brendon about Cyber Monday and how e-tailers are struggling to balance a concern about security and fraud with the desperate need to have their e-commerce operation humming from Black Friday on.

(*) Disclosure: This podcast was sponsored by Signal Sciences. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher,

 Episode 169: Ransomware comes to the Enterprise with PureLocker | File Type: audio/mpeg | Duration: 17:18

In this episode of the podcast, sponsored by PureVPN*, Michael Kajiloti, a security researcher at the firm Intezer Labs, joins us to talk about the origins and makeup of PureLocker, a new family of ransomware designed to target production servers in the enterprise.

Ransomware attacks are making headlines all over the world, as the malicious, file-encrypting software wreaks havoc everywhere from school districts in small town America to hospitals in France and beyond. Up to now, ransomware attacks have followed a pattern: attackers target organizations indiscriminately using phishing email campaigns and malicious websites. For those unfortunate enough to click on a malicious link or open a malicious email attachment, the punishment is swift and severe: ransomware crawls their network finding, infecting and encrypting every hard drive it can find.

Ransom fit for the Enterprise

But as the ransomware plague continues unabated, new variants of ransomware are emerging: less noisy and more particular about the organizations and systems they will infect. One example of this is the recently discovered PureLocker malware: a new ransomware variant that was identified by researchers at IBM X-Force and the Israeli firm Intezer. Unlike other common ransomware, PureLocker is shy and retiring by comparison: programmed to run only on production servers deployed in the enterprise – and only under conditions most favorable to the malware’s spread. Sold as a service, the new ransomware is difficult to detect. Under the hood, it bears a striking resemblance to malware used by hacking groups like FIN6 and the Cobalt Gang, and has been linked to the same malware-as-a-service group.

What does this mean about the evolution of the ransomware problem and the types of companies and assets that may be targeted? To find out, we invited Michael Kajiloti of Intezer, which discovered the malware, into the Security Ledger studios to discuss PureLocker and how clues in the ransomware code helped researchers understand where it came from.

(*) Disclosure: This podcast and blog post were sponsored by PureVPN. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger ...

 Spotlight Podcast: Two Decades On, Trusted Computing Group tackles IoT Insecurity | File Type: audio/mpeg | Duration: 25:21

In this spotlight edition of the podcast, sponsored by Trusted Computing Group*, Steve Hanna joins us to talk about TCG’s 20th anniversary and how the group is tooling up to confront the challenge of securing billions of Internet of Things devices.

Twenty years ago, the Trusted Computing Group formed as a consortium of technology vendors concerned about the scourges of viruses and worms, which were then ravaging the still-young Internet. That’s not unusual. The last two decades have witnessed the formation and then slow, silent deaths of hundreds of similar industry groups. But TCG’s story turned out quite differently. Today, the group counts more than 100 members across industries.

Steve Hanna is Senior Principal at Infineon Technologies and co-chair of the Embedded Systems Work Group at the Trusted Computing Group.

Even more important: the technology it has developed and promoted, including its trusted platform module (or TPM) chips, today powers more than a billion devices, including virtually all enterprise personal computers, many servers, networking equipment, storage drives and a growing number of embedded systems.

Securing Billions of Devices

But as the second decade of the 21st century draws to a close, TCG faces a monumental challenge as computing shifts from PCs, laptops and servers to a vast universe of other devices – the Internet of Things. As our guest this week, Steve Hanna of Infineon, points out: many of those devices are not suited to run traditional TPM-type technologies – because they are too small, too power-constrained or both. In this spotlight podcast, Steve and I talk about how Trusted Computing Group is making the transition to the IoT and bringing hardware-based roots of trust to a much larger and more diverse population of devices.

We also talk about why TCG succeeded when so many other industry consortiums have failed, and how the early backing from the likes of Microsoft and IBM gave Trusted Computing Group technologies a critical boost in the marketplace.

(*) Disclosure: This podcast and blog post were sponsored by Trusted Computing Group. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations. As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on 

 Episode 168: Application Security Debt is growing. Also: Web App Security in the Age of IoT | File Type: audio/mpeg | Duration: 36:55

In this week’s episode of the podcast (#168), sponsored by Signal Sciences, Chris Eng of Veracode joins us to talk about the 10th annual State of Software Security Report and the problem of application security debt. Also, Brendon Macaraeg of Signal Sciences talks about the expanding landscape of web application attacks and defenses.

Ten Years On: Application Security Debt is growing

If you want a good measure of the growth in the web application space, you might look to Veracode’s annual State of Software Security report, which has taken the measure of that company’s application vulnerability scanning activity each year (more or less) for the last decade.

Chris Eng is the Chief Research Officer at Veracode.

The report covered a little more than 1,500 applications in its first year. In its tenth iteration, Veracode compiled data from scans of more than 85,000 applications. Despite the greater volume, however, you could be forgiven for confusing the tenth SOSS with the first: most of the vulnerabilities encountered in application scans are more or less the same as a decade ago. And it seems that companies haven’t made much progress in addressing vulnerabilities in a timely fashion. The result: mountains of security debt are piling up in enterprises as application security vulnerabilities are left unaddressed even as new vulnerabilities are created on top of them. In our first segment, we speak with Chris Eng, the Chief Research Officer at Veracode, about why companies still struggle to address application security, how security debt accumulates and what organizations can do to get it off their books.

Securing Web Applications in the Age of the IoT

As more and more businesses migrate legacy applications to the cloud, while adopting a cloud-first strategy for new initiatives, web application security has moved from the periphery to the center of enterprise IT concerns.

In our second segment, we’re joined by Brendon Macaraeg of the firm Signal Sciences* to talk about the expanding landscape of web application threats. Web application security is about more than spotting vulnerabilities in code. Once those applications are deployed they need to be defended against all manner of attacks. That’s where our next guest comes in. Brendon Macaraeg is the Senior Director of Product Marketing at Signal Sciences, which makes a next-generation Web Application Firewall and RASP (runtime application self-protection) technology. In this conversation, Brendon and I talk about the changing landscape of web application protection, including the growing risks posed by insecure web application APIs – application program interfaces – and how growth in the Internet of Things is compounding web application security risk.
