Security Bros

PODCAST · technology


John and Rocky Giglio, brothers from the same mother, share insights from their combined 50+ years of experience in the trenches of cyber, infrastructure, and consulting.

  1. 6

    Why the OWASP Top 10 Moved (And What It Says About Your Security Practice)

    In this conversation, John and Rocky Giglio discuss the recent updates to the OWASP Top 10 list for 2025, exploring the implications of these changes for application security. They delve into the data behind the rankings, the influence of community feedback, and the importance of secure design practices. The discussion highlights the ongoing challenges in cybersecurity, particularly around misconfiguration and identity management, and emphasizes the need for a holistic approach to security that integrates both software and infrastructure considerations.

    Chapters
    00:00 Introduction and Technical Challenges
    02:00 Exploring OWASP Top 10 Updates
    07:01 Understanding OWASP and Its Data Sources
    14:02 Community Influence on OWASP Rankings
    17:07 Movement in OWASP Top 10: Insights and Implications
    20:30 The Challenge of Keeping Up with Technology
    21:37 The State of Vulnerability Management
    22:44 Cloud Native vs. Traditional Organizations
    24:11 Understanding the OWASP Top 10
    26:14 Trends in Identification and Authentication
    27:12 The Importance of Security Logging and Monitoring
    28:55 Balancing Application and Infrastructure Security
    30:19 The Role of Secure Design in Security
    32:02 The Future of Security Practices
    34:38 Understanding Weaknesses vs. Vulnerabilities
    36:58 The Importance of Cloud Security Practices
    39:45 Shifting Left in Security Practices
    41:46 The Need for Continuous Assessment

  2. 5

    You have too many identities

    In this episode of Security Bros, hosts Rocky and John Giglio delve into the complexities of identity management in the cybersecurity landscape, particularly in the cloud era. They discuss the challenges of identity sprawl, the importance of managing permissions, and the balance between security and business needs. The conversation emphasizes the necessity of building relationships across departments to effectively manage identity and security practices.

    Chapters
    00:00 Introduction to Cybersecurity and Identity Management
    01:28 Challenges of Identity Management in the Cloud Era
    06:13 The Importance of Permissions and Access Control
    11:15 Balancing Security and Business Needs
    19:01 Building Relationships for Effective Security Management

  3. 4

    CrowdStrike Proved Patch Management is Broken

    In this episode, the Security Brothers, Rocky and John Giglio, delve into the complexities of patch management and vulnerability management in the tech industry. They discuss the ongoing challenges faced by security practitioners, the implications of recent incidents like the CrowdStrike outage, and the evolving role of AI in enhancing security measures. The conversation emphasizes the need for comprehensive testing, strategic planning, and prioritization in managing vulnerabilities, while also exploring the importance of adapting to new technologies and methodologies in cybersecurity.

    Takeaways
    Handling old tech and patch management is a significant issue.
    Vulnerability management is overwhelming but necessary.
    Prioritization is key in dealing with numerous vulnerabilities.
    Automated systems can help reduce the burden of patch management.
    Testing is crucial before rolling out updates.
    AI can assist in writing tests and improving deployment processes.
    A comprehensive security strategy includes monitoring and logging.
    Continuous learning from incidents is essential for improvement.
    Collaboration with business leaders is vital for effective security management.
    The landscape of vulnerabilities is constantly evolving, requiring adaptive strategies.

    Chapters
    00:00 Introduction to Security Challenges
    02:49 The Importance of Patch Management
    06:03 Navigating Vulnerabilities in Modern Tech
    08:53 Lessons from the CrowdStrike Incident
    11:45 Testing and Deployment Strategies
    14:49 The Role of AI in Security Management
    17:43 Building a Comprehensive Security Strategy
    20:53 Final Thoughts and Future Directions

  4. 3

    Security Bros - Episode 2 - North Korea Fakers

    In this episode, the brothers discuss the alarming tactics used by North Korea in cyber infiltration, particularly through fake job interviews and identity fraud. They emphasize the critical need for robust identity verification processes to combat these threats. The discussion also highlights the growing concern of insider threats within organizations and the necessity of implementing layered security strategies to protect sensitive data. The episode concludes with a reminder of the importance of mastering basic security practices to effectively mitigate risks.

    Takeaways
    North Korea is using fake identities to infiltrate companies.
    The money collected is used for developing nuclear weapons.
    Identity verification is crucial in hiring processes.
    Insider threats are often overlooked in security measures.
    Ransomware attacks can be a consequence of data theft.
    Layered security is essential; no single solution suffices.
    Understanding user behavior is key to detecting anomalies.
    Regular assessments of security strategies are necessary.
    Basic security practices are often neglected.
    Investing in security must be balanced with operational needs.

    Chapters
    00:00 Introduction to Cybersecurity Challenges
    02:41 North Korea's Infiltration Tactics
    05:22 Identity Verification and Its Importance
    08:31 Understanding Insider Threats
    11:35 Ransomware and Data Protection
    14:14 The Need for Multi-layered Security
    17:00 Final Thoughts

  5. 2

    Security Bros - Episode 1 - The Misconfiguration Crisis in Cloud Security

    John and Rocky Giglio kick off the Security Bros podcast with a special guest, Justin O'Connor, founder of Onward Platforms.

    Want to see it live with your own eyes? Jump into the webinar Dec 19th, 12pm EST: https://bit.ly/sb-infracode

    Subscribe to catch every episode and stay up-to-date with security trends and the latest security tech.

    Summary
    In this inaugural episode of the Security Bros podcast, hosts Rocky and John Giglio welcome Justin O'Connor, an industry leader in cloud and AI, to discuss the current state of cloud security, the challenges posed by misconfiguration, and the impact of AI on coding practices. Justin introduces Infracodebase, a tool designed to enhance security in infrastructure as code, and demonstrates its features by building a secure API management landing zone. The conversation highlights the importance of integrating security from the outset and the need for organizations to adapt to the evolving landscape of cloud technology.

    Takeaways
    Cloud adoption is primarily hybrid or multi-cloud.
    85-90% of organizations report an increase in cloud security incidents.
    Misconfiguration is a leading cause of cloud security failures.
    AI can generate code quickly, but often lacks context.
    Security posture varies significantly between startups and enterprises.
    InfraCodebase helps enforce security standards across teams.
    The tool allows for easy integration with existing security tools.
    Automated security checks can improve compliance and reduce risks.
    Creating a secure infrastructure requires ongoing monitoring and adjustments.
    The future of cloud engineering lies in simplifying infrastructure management.

    Sound bites
    "AI slop is a real problem."
    "This is the future of cloud engineering."
    "We need to layer in security from day zero."

    Chapters
    00:00 Introduction to Security Bros Podcast
    02:42 Current State of Cloud Security
    04:39 The Impact of AI on Security
    07:43 Understanding Security Posture
    09:32 Infracodebase Product Overview
    12:33 Creating Secure API Management
    17:21 Governance and Control in Security
    19:13 Terraform Configuration and Security Best Practices
    24:19 Understanding Infrastructure Architecture and Security Checks
    28:48 MCP Server Integration and Security Considerations
    34:33 The Future of Cloud Engineering and Security
    37:55 Enterprise Scale Infrastructure as Code

    Check out Infracodebase at https://bit.ly/4iZM2LH

    This is not sponsored, we just like Justin and his team.

