How Jump Trading Group uses Teleport to access at scale

With Joseph Conti, Systems Engineer and Linux enthusiast with 15+ years of financial industry engineering experience, and Chris Spann from Jump Trading Group.

Watch a video version of this panel on Jan 26th https://goteleport.com/teleport-connect-virtual-2022/

Cryptography, Trust, and Open-Source with Filippo Valsorda

Throughout this episode, Filippo offers a comprehensive view of his professional journey in the field, from his initial intrigue with cryptographic algorithms during his high school years to his pivotal role in the Go Team at Google. Key discussion points include:

• Key milestones in web cryptography include HTTPS, WebPKI, and the impact of messaging protocols like Signal and WhatsApp on end-to-end encryption.
• Looking to the future, Filippo discusses the importance of transparency mechanisms in cryptography and highlights the need for accountability.
• Filippo advises against rolling one's own crypto but encourages collaboration and learning with experienced individuals to build a feedback loop for secure implementations.
• Filippo shares his thoughts on the current state of Certificate Authorities (CAs).
• Filippo explains the accountability established by transparency in open source and compares it to closed-source software.
• Security patching is addressed, highlighting the need for a balance between stability and urgency when applying patches.
• Filippo explains the potential threats posed by quantum computers and the ongoing efforts to implement post-quantum key exchanges in protocols like SSH and TLS.
• Cryptographic concerns in cloud computing are discussed, focusing on the importance of trust in cloud platforms while acknowledging the shared responsibility model.
• In a practical piece of advice for improving security, Filippo recommends being deliberate in trimming dependency trees to reduce vulnerabilities.

Mario Loria from Carta discusses improving developer productivity and securing Kubernetes.

Key topics on Access Control Podcast: Episode 9 - SRE-Powered Dev Productivity

• The DevOps movement is about how we can all work together to build a better pipeline for building, running, and shipping software and give our customers a better experience.
• In the financial world, security is probably number one, followed by latency, and then resiliency/reliability.
• It's important to determine what aspects one gets by default from their cloud platform and what the blind spots are.
• Security in the context of Kubernetes has become an important issue.
• Teleport is a Certificate Authority and an Access Plane for your infrastructure.
• By working closely with developers, SRE teams can make sure that developers are getting what they expect.
• By giving service ownership, service empowerment, and confidence to developers, SRE teams can enable them to manage their own applications.

How companies can leverage the power of hacker community.

If anyone ever wants to ask Ben any questions about bug hunting, bug bounty programs, you're always welcome to reach out to be Ben at @NahamSec, https://nahamsec.com/ and on his Discord

Key topics on Access Control Podcast: Episode 7 - Hacker-Powered Security

• Bug bounty programs and vuln disclosure programs are similar, except the first pays and the second doesn't.
• The scope of bounty programs usually encompasses a company's main application where the production sites are happening. What is out of scope is mostly third parties.
• Rules of engagement depend on the bug bounty program and the company.
• Some programs pay for credential stuffing, but not for phishing since companies don't want you to phish their employees and customers.
• How much hackers are paid in a bug bounty program is entirely up to the company and depends on its budget.
• Determining the bug severity level depends on a combination of the vuln type and how critical it is and the asset itself.
• Hackers care more about how fast they get paid than about how quickly the company fixes the issue.
• A bug bounty program doesn't make you a bigger target.
• Building a public bug bounty program depends on the product and size of the company.
• Improve Input validation to reduce bugs created

Interview with Rob Picard, CEO of Observa, a company that can build and run your security program.

Access Control Podcast: Episode 22 - Security as a Service Rob Picard, CEO of Observa

• Outsourcing security to a provider like Observa can be beneficial for early-stage companies that don't have the budget or need for a full-time in-house security team. It allows the company to focus on their core business while getting the security expertise they need.
• When starting an engagement, Observa focuses on three key things: addressing urgent goals (like getting SOC 2 certification), creating a plan for the longer-term security program maturity, and managing the ongoing operational work.
• Common security mistakes Observa sees include companies making decisions based on fear, uncertainty, and doubt rather than facts; agreeing to overly restrictive security requirements from customers; and having a cynical "everything is a dumpster fire" attitude rather than a pragmatic approach to security.
• SOC 2 is an important compliance framework, but its primary purpose is to provide a way for companies to make statements about their security practices and have them audited, not necessarily to improve security itself. However, going through the SOC 2 process can lead to security improvements.
• When educating auditors, it's important to help them understand how new technologies and architectures (like containerization, passwordless authentication, etc.) change the risk profile compared to traditional IT environments.
• The security team's role should be to enable the business to make informed risk decisions, not just to say "no" to everything. Security should be a partner, not a gatekeeper, and the team should avoid glorifying a "no" culture.

- Outsourcing certain security functions like pen testing, managed detection and response, and incident response can be beneficial for early-stage companies that don't need or can't afford a full in-house security team.