12 days of security: Day 10
00:00:00
Speaker 1: Hello, everyone. Welcome to the 12 days of Security. My name is Akira Brand and I am joined today by Jonathan Bennun. Welcome, Jonathan.
00:00:13
Speaker 2: Welcome. Welcome. Thank you for having me for a chat.
00:00:16
Speaker 1: Yeah. Thank you so much for being here and for your time. We are very excited to get your opinion on these questions and kind of hear your unique viewpoint. So thank you again for coming. So, Jonathan, can you just kick us off a little bit and tell us about yourself?
00:00:32
Speaker 2: Yes, absolutely. And hello, everyone. I started my career doing a bunch of technical roles. I was a software developer, comp sci major, did security consulting all the way to risk management and risk assessment and testing, and then eventually transitioned to full-stack product management and go-to-market leadership at companies such as Cisco and OneLogin, as well as advising and consulting to startups and enterprises in Silicon Valley. And now at Bright, I lead the global product team of product managers, product designers, technical writers and researchers. In my personal life, I live in the beautiful city of San Francisco, and I do lots of different things in my personal time, from trying ramen dishes to playing sports to training in martial arts, and right now sipping on really good peppermint tea.
00:01:34
Speaker 1: Right on. I love that you do martial arts. In addition to having this amazing career, I wonder how much of the discipline of martial arts has fed your ability to do all these different things in your career so far?
00:01:48
Speaker 2: That’s an excellent question. I would say so. I am a practitioner of Aikido. I’m still a couple of tests away from my black belt, but, you know, I don’t know about this year, but hopefully very, very soon. And Aikido has enriched my life in so many ways. I’ve gained a lot of insights that have to do with either a creative approach to life or a structured approach to life, a structured approach to professional practices. Martial arts, especially if you take that path, teach you a lot about mastery, which I think is really, really important. And so I’ve gained some wonderful lessons on the path to mastery based on my martial arts background.
00:02:39
Speaker 1: That’s beautiful. I mean, there’s the path to mastery. There’s also, like, the intense relationship between a student and teacher. You’re showing respect for your colleagues. That’s wonderful. I’m really glad you have that in your life.
00:02:52
Speaker 2: Definitely. I mean, I think you learn a lot about etiquette. You learn a lot about kata, so just the form, how to be very strict with your form and how that applies to, again, different areas, for instance professional development. And so one thing that’s interesting about Aikido is it has a very rich philosophy about the yin and the yang, about awase. So I’m actually going to even do that, what do we call awase in Japanese? So, blending. The philosophy in Aikido at a very high level is blending with the attacks, the ability to receive an attack, blend with it and then use the opponent’s force against them. And I think there are some really interesting lessons there, again, in one’s personal life, but also professionally, and especially in our theme, which is security.
00:03:49
Speaker 1: You know, I think we could talk all day about Aikido and how it feeds into your professional life, but I’m glad you made that segue into security, which is what we’re here to talk about today. So I’m curious, Jonathan, in the world of security, what really happened this year that stood out to you?
00:04:08
Speaker 2: That’s a good question. So, you know, having this super technical background and having experienced a lot of things at a very technical level, for instance vulnerabilities like Heartbleed, if you’ve been in security for a long time, or all sorts of OpenSSL issues that we’ve had over the years. So the micro level is always interesting, because software is never going to be any less complex than it is right now. It’s just going to keep getting more and more complex, and we’re going to keep finding, you know, earth-shattering vulnerabilities in major solutions and products that we all use. And I think another way to look at this is at the macro level, like global events, which I think this year specifically is the more interesting angle. So let’s talk about that for a minute, and specifically about geopolitics, or the geopolitical climate. I think it’s been a difficult year, to say the least, with more war, more casualties and more refugees. And my heart goes out to them and to their families. And it also means political and economic instability. And in the background that matters so much and changes so much in the cybersecurity landscape on several levels, such as increased activity of state actors, that governments are experiencing more threats than they used to, and that there are just generally more concerns around the targeting of global companies. So I think all that coming together is likely to keep pushing security to its new limits, whether it’s global risk management or just understanding how to respond better to global threats, but definitely wishing us all a more peaceful year in 2023.
00:06:20
Speaker 1: I agree. I think that would be a blessing, to have more peace coming here. And you mentioned a bit about pushing cybersecurity to its limits. I’m curious what you think the limits of cybersecurity are right now, and maybe those areas you mentioned.
00:06:36
Speaker 2: That is a good question. So let’s talk about something very simple, which is, you know, for some of us who have been around cybersecurity, a lot of the measures that we used to take have been things like geofencing, so the ability to just block attacks based on geolocation and IP restriction. And since then, in the last five, ten-plus years, we’ve seen gradually how that does not work anymore, at least not very well, and how concepts like Zero Trust have entered our environments and we’re trying to follow them in principle. And so, especially with other things that I think we’re going to touch on today, such as AI, machine learning, remote work, all these things coming together, it just means that a lot of the old ways are going to be even less effective in coming years. So, you know, sometimes it’s just incremental changes, small changes, but also the geopolitical climate, COVID-19, the way that has changed the way we look at hybrid, the way that changed remote work, that all of a sudden all companies, for instance, are some sort of hybrid or remote. Right. What I used to say is all companies are now all of a sudden distributed companies, to some extent, and it means that their attack surface is a lot bigger. So hopefully, again, wishing us all a more peaceful year in 2023, but definitely more cybersecurity threats to come.
00:08:37
Speaker 1: It’s interesting, you mentioned that all companies are now essentially, in some way, shape or form, distributed companies. It also seems that all companies now are in some way, shape or form tech companies, which also greatly increases attack surfaces. So, for example, a giant big-box chain store no longer just sells products in their stores. Now they have an entire online component, things of this nature. So you have these cybersecurity threats that are so much larger, because not only is the workforce distributed, but the way that products and services are being sold is also distributed.
00:09:15
Speaker 2: Yeah, I love that point. This is exactly right, because what has been the key theme for solutions and for enablement of productivity in that changing world? Or if not productivity, then at least the ability to continue to streamline businesses. It’s with technology, right. There’s no other way. And so it’s that same technology that gets compromised and is vulnerable to all sorts of threats. And so I love your point. I think this is exactly where we come in.
00:09:52
Speaker 1: So on that note, I’m kind of curious how you faced some challenges this year, like which ones you faced and how you overcame them. It could be in relationship to this topic we just covered, or we could totally go a different direction too. I’m just curious what challenges you faced this year.
00:10:11
Speaker 2: Totally. It’s interesting. I think on a personal level, it has just been one more layer of coming out of COVID, because at the end of the day, if 2021 was the year of the vaccine, right, we still had miles to go to our first, I think, in-person conferences. And most companies did not have them in 2021, or at least until very late 2021. And so I think easing back into that world has definitely been challenging, traveling more and trying to figure out how to integrate that with life. And then professionally, I joined Bright only about three months ago. And so I’m still getting to know my team and the technology. I’d say that in my line of work, my biggest challenge has been bridging between, on the one hand, the demand for our product and, on the other hand, the need to lead a clear forward-looking plan. So let me explain what I mean by that. I think customers only recently realized the big gap that they have, that automated security, and specifically automated security tooling like DAST, needs to fill. And so they have been mostly reacting to it. And we’ve been sensing this increased demand. And at the same time, as veterans, we’ve seen a number of changes in the landscape and generations of technologies, and specifically security technologies. We know that the road ahead needs to be more structured. Specifically, even the best technology requires putting a lot of thought into the right rollout and integrated processes at an enterprise level. And so we’re spending a lot of time with our customers now to plan together how 2023 is going to be the year of accelerated adoption of automated security.
00:12:27
Speaker 1: So it sounds like the way you negotiate these two things is you have this need to be strategic and roll out in a very structured manner, yet you also need to respond to customer demand. So the way that you do that is you listen to the customer while also planning alongside them.
00:12:44
Speaker 2: Exactly. And I’ll give you one specific thing that I think is our focus for 2023. It’s difficult for security, for biosecurity and security organizations, to integrate all the solutions that they have planned into the organization. Right. Some things you need to roll out, such as, let’s say, security training for an entire organization, and even then you have to layer it, from certifications to basic training to all sorts of simulations like phishing and social engineering. And when you talk about our specialty, which is DAST, or just security automation or securing applications, then it’s about working with developers a lot more closely. And so I think a big focus for us is going to be the developer experience and helping security teams understand and work together with their development teams on how to work in a way that’s a lot more integrated.
00:14:02
Speaker 1: So, with all this theme of looking forward, what do you think is going to happen next year, both the good and the bad?
00:14:10
Speaker 2: Ooh, so much to say about that. So let’s talk about something. I’m not going to be super original here, but let’s talk about AI, AI and machine learning. And specifically, I think the interesting part is the packaging, accessibility and consumerization of AI- and machine-learning-driven products. What’s interesting to a lot of people who maybe haven’t been around so much is that AI and machine learning are not new. They’ve been around for a while, but it’s been taking a long time for performance and computational power, and other parts of it such as the packaging and productization, to catch up. So if we take something very specific such as ChatGPT, which everybody’s talking about these days, now you have a tool that’s a lot more accessible and a lot easier for consumption. And so that can be used for something like social engineering at scale all of a sudden. Right. To put it in plain words, now hackers globally have access to this tool, which is a lot better than just using broken English. And at the same time, maybe this can also be used for something like security training at scale, such as smarter phishing simulations. And I think we can draw similar conclusions for other forms of machine learning and AI that can also be prioritized better. And so again, I think ChatGPT is just one of the more approachable parts of the machine learning story, how AI is getting productized and how more people can use it effectively without much hassle. So I think 2023 is going to yield a lot more interesting stories on that front.
00:16:21
Speaker 1: We’re going to see certainly two sides of the same coin over and over again.
00:16:27
Speaker 2: Exactly, because at the same time, what we’re going to do, what we’re going to use, not necessarily ChatGPT but other similar tools, other similar technologies, for is to generate more effective attacks, generate more payloads, more ways of testing security effectively, or just generally software effectively.
00:16:46
Speaker 1: Yeah, using that AI-generated power to run things like more and more targeted DAST scans, maybe more targeted SAST scans, things of this nature. And we’ll see how the tools integrate with AI technology. That’ll be really interesting. Yeah. So, Jonathan, my last question for you before I let you go today is, what security gift do you want for the holidays?
00:17:11
Speaker 2: Ah, this is going to be fun. So I already mentioned so many things that I like in my personal life, and I love dogs. And I think, you know, as humans, we know that dogs love us, right? So they want to spend time with us. They want to cuddle and they want to play ball and they want to chillax. And they also want to help. And so the security gift that I want for the holidays is that dogs would be able to sniff out security vulnerabilities. Right. I mean, think about that. This is something we do in physical security. Can we extend that to software? And I think with great power comes great responsibility. And so any dog that chooses to make good use of that special power of sniffing out security vulnerabilities will also be very deserving of very special treats. So that is the special security gift that I want for the holidays.
00:18:12
Speaker 1: Jonathan, That is the most imaginative answer I’ve ever heard to that question. Well done.
00:18:20
Speaker 2: Well, more power to dogs. That’s what I say.
00:18:23
Speaker 1: Absolutely. I think so, too. All right, listeners, we have been with Jonathan Bennun today. Again, my name is Akira Brand. Thank you so much for joining us for 12 days of security. Thank you, Jonathan, for being here. Don’t forget. Yeah, absolutely. Don’t forget to like and subscribe to us, and we will see you for the next day of the 12 days of security. Bye bye.