The Elephant in the Pipeline: Securing the Wild, Untamed Software Supply Chain – Pete Morgan – ESW #348
1. The Elephant in the Pipeline: Securing the Wild, Untamed Software Supply Chain – Pete Morgan – ESW #348
We've seen general users targeted with phishing, financial employees targeted for BEC scams, and engineers targeted for access to infrastructure. The truly scary attacks, however, are the indirect, automated ones: the threats that arrive via software updates or via trusted connections with third parties.
The software supply chain is both absolutely essential and fragile. A single developer pulling a tiny library out of NPM can cause chaos. A popular open source project changing hands could instantly give an attacker access to millions of systems. Every day, a new app store or component repository pops up and becomes critical to maintaining infrastructure.
In this interview, we'll chat with Pete Morgan about how these risks can be managed and mitigated.
Announcements
Don’t let 3rd party risk ruin your Valentine’s Day! Join Adrian Sanabria and Bill Brenner on an SC Media webcast titled: Understanding third party risk by studying third party breaches. As listeners will know, Adrian loves exploring risk through our understanding of real breaches and incidents. They’ll discuss how to prepare for some of the most concerning third party risks you should be aware of, along with our partner for this webcast, ProcessUnity.
Visit securityweekly.com/ValentineRisk to register!
Guest
Pete Morgan is a co-founder and CSO of Phylum. He is a recognized security researcher and entrepreneur with more than 20 years of experience in information security, software development and executive leadership. Pete’s background in offensive security drives his passion for creating and sharing the best defenses against the growing number of software supply chain attacks originating in the open-source ecosystem.
2. The Internet of Shit, AI Funding, Market Struggles, The Cyber Why, and when to Quit – ESW #348
In this week's Enterprise Security News, Adrian, Tyler, and Katie discuss:
- 1. Tons of funding!
- 2. A notable acquisition!
- 3. The line is blurring between services and product firms
- 4. Apparently IronNet isn't dead?
- 5. The toxicity of Hero culture in tech
- 6. Knowing when to quit
- 7. AI-powered fraud is hitting close to home
- 8. Quantum snake oil is getting worse
- 9. Prompt injection
- 10. Are you being hacked by your washing machine?
All that and more, on this episode of Enterprise Security Weekly.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
- 1. FUNDING: Silverfort raises $116 million Series D for identity security platform
$116M Series D, led by Brighton Park Capital (BPC). Added "tens of millions of new ARR". IAM vendor with MFA, ITDR, ISPM, and other trendy offerings.
- 2. FUNDING: Bastille Raises $44 Million Series C Investment Led by Goldman Sachs Asset Management — Bastille
For... wireless security? Protecting wireless networks? Not a big market for this, I can't imagine.
- 3. FUNDING: Cybersecurity automation firm Torq lands $42M in expanded Series B
$42M "expanded" Series B with Bessemer, GGV, Insight Partners, Greenfield Partners, and Evolution Equity Partners participating. Totally not a down round after raising a $50M Series B almost exactly 2 years prior. No, this round, which is timed exactly like you'd expect a Series C to be, isn't a down round; it's just more Series B.
- 4. FUNDING: Doppel – Announcing $14M Series A to Protect Brands and Organizations
$14M Series A led by A16Z. Appears to be defending against account takeover threats?
- 5. FUNDING: Aim Security Raises $10M to Secure Generative AI Enterprise Adoption
$10M Seed round, led by YL Ventures. Aim aims to secure the use of GenAI.
- 6. FUNDING (NEW COMPANY): Stealth Firm Reken Raises $10 Million Seed Funding
$10M seed round led by Greycroft and FPV Ventures. Focused on detecting GenAI techniques used in cybercrime, like deepfakes.
- 7. FUNDING (NEW COMPANY): P0 raises $5 million in seed funding led by Lightspeed Venture Partners to secure access for cloud-native companies
$5M seed funding led by Lightspeed Venture Partners. Seems focused on privileged access management for engineers (DevOps folks)?
- 8. FUNDING (NEW COMPANY): Prompt Security wants to make GenAI safe for the enterprise
$5M Seed round led by Hetz Ventures. Securing GenAI use within the enterprise.
- 9. FUNDING: Health2047 Portfolio Company HEAL Security Launches from Stealth with $4.6 Million Raised
$2.3M in additional pre-seed funding, led by Health2047 (why not 24/7?), a venture firm founded by the American Medical Association. Total pre-seed funding is now $4.6M.
- 10. FUNDING: Naq Raises €3M in Funding
€3M venture round led by No Such Ventures. NL- and UK-based automated healthcare and medical compliance platform.
- 11. FUNDING (NEW COMPANY): Sequoia backs Coana to help companies prioritise vulnerabilities using ‘code aware’ software analysis
$1.6M pre-seed led by Sequoia Capital.
- 12. ACQUISITIONS: The Cyber Why Acquires The Reformed Analyst
- 13. LAYOFFS: Security giant Proofpoint is laying off 280 employees, about 6% of its workforce
- 14. ESSAY: Enmeshment in cybersecurity: blurring boundaries between products and services
A very interesting topic that we've covered here quite a bit, as we've watched services firms raise more funding than pure software firms!
- 15. DUMPSTER FIRE: Former NSA Chief Keith Alexander Caught SPAC Fever, and Investors Got…
Rumors of IronNet's death seem to have been exaggerated. Not by much though.
- 16. ESSAYS: Hero culture in cybersecurity: origins, impact, and why we need to break the toxic cycle
- 17. ESSAYS (CAREER ADVICE): Quitting Time
- 18. TRENDS: Cybersecurity author Ross Haleliuk battles AI-powered fraud
A post from our friend Ross, who is battling illicit copies of his book, featured alongside the real book on the very platforms he partnered with to publish his book.
- 19. TRENDS: Why 404Media Needs its Readers’ Email Addresses
More AI-enabled fraud threatening written works. It's not just book authors having to battle this stuff.
- 20. NEW TECH: EPB, ORNL announce new partnership on Quantum Security
Innovation or snake oil? Apparently, the vendor involved in this partnership is Qubitekk, which has invented a "Quantum Network". Why would you want a quantum network? Apparently, if observed by an outside party, it can notify you.
But don't fiber networks have light leaks? Don't networks need to be monitored?
I'm having a hard time seeing this as anything other than a technology in search of a problem. We already have encryption to protect data against prying eyes, so I'm not sure what value this is providing.
- 21. BREACHES: 26 Billion Records Released in “The mother of all breaches”
But is it really new content when someone publishes an omnibus edition?
- 22. RESEARCH: HackAPrompt – A Taxonomical Ontology of Prompt Hacking Techniques
Some very cool research into prompt injection techniques.
- 23. RESEARCH: Cybersecurity In 2024: Startling Insights from Over 1000+ CISOs
A nice meta-analysis of several reports that interviewed CISOs. I don't know that I can call anything in it "startling", but there were definitely some interesting nuggets that made it worth the read.
- 24. SQUIRREL: Your washing machine could be sending 3.7 GB of data a day — LG washing machine owner disconnected his device from Wi-Fi after noticing excessive outgoing daily data traffic