
We Hack Purple Podcast Episode 74 with Ray Espinoza
05/08/23 • 43 min
In episode 74 of the We Hack Purple Podcast, host Tanya Janca talks to guest Ray Espinoza from Inspectiv! During the podcast we honed in on how to build a positive security culture, which has several important ingredients: Security Champions, empathy, explaining ‘the why’, sharing information in both technical and non-technical formats, and storytelling! We talked about training, we talked about metrics, we talked about how to get your point across in an effective way, without scaring people’s pants off. If you want to hear about creating a successful security champions program, how to ‘win’ more often, and what pitfalls to avoid, this episode is especially helpful!
We ended the conversation with several calls to action for audience members about including more people in cyber. Young people, old people, new-to-cyber people, every race of people, every gender; we really mean EVERYONE. Ray also (very generously) invited listeners to connect with him online so he could help them find mentors and meet people. This episode was great!
A bit more about Ray:
Ray Espinoza is Vice President and Chief Information Security Officer at Inspectiv, Inc. With over 15 years of both tactical and security leadership experience, Ray has a proven track record of successfully building effective security programs for top companies that include eBay, Cisco, Amazon and Cobalt.io.
Prior to joining Inspectiv, Ray served as VP of Cloud Security at Medallia where he was responsible for developing and executing Medallia’s multi-cloud security strategy. Outside of work, Ray is the head strength and conditioning coach and an assistant football coach at Camas High School.
Where to find Ray!
LinkedIn - https://www.linkedin.com/in/ray-espinoza-b399821/
Twitter - https://twitter.com/RayEspinozaSec
Causes and Groups Ray (and Tanya) supports:
• Raíces Cyber
• Black Girls Hack
• Black Girls in Cyber
Very special thanks to our sponsor: Day of Shecurity! This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it’s very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE!
View the agenda here: https://guides.dayofshecurity.com/view/314270378/
If you’re not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.
Join We Hack Purple!
Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
Previous Episode

We Hack Purple Podcast Episode 73 with Amanda Crawley
In episode 73 of the We Hack Purple Podcast, host Tanya Janca talks to guest Amanda Crawley of 1Password! We talked about how developers need special tools to help them do their jobs securely, then we chatted about several things that can help them, especially password managers! Developers are huge targets for malicious actors and Amanda shared TONS of ways devs can protect themselves and the companies they work for:
• Keep everything up to date - phones, computers, routers, all software (Apple just released an update to fix actively exploited vulnerabilities!)
• Use strong, unique passwords. Change passwords when:
◦ The respective service recommends a password change, or;
◦ The password has been shared with individuals who are no longer authorized to use the password, or;
◦ The password has been used for another service.
• Use encryption
• Follow your company’s security policies
• Don’t disable your operating system’s malware detection (Windows Defender, XProtect)
• Vet your third party libraries and dependencies, and then keep an eye on them to make informed decisions about updating
• Follow the principle of least privilege - people can’t be compromised for things they don’t have access to
• Consider non-SMS based 2FA (Google Authenticator, 1Password, YubiKey), but any MFA is better than none
◦ Something you know (pin, password)
◦ Something you have (token, hardware key)
◦ Something you are (biometrics)
• Don’t store user data locally (if you need it, delete immediately after you’re done with it)
Things you can do today!
• Audit connected OAuth apps (to social media platforms, GitHub, etc.)
• Delete old accounts
• Check haveibeenpwned.com
• Check your router for firmware updates (I did this yesterday)
Developer hack examples
• https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
• https://www.upguard.com/blog/what-caused-the-uber-data-breach
• https://en.wikipedia.org/wiki/2017_Equifax_data_breach
• https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
• https://www.synopsys.com/blogs/software-security/heartbleed-bug/
Links From Amanda:
· https://1password.com/developers
· https://1password.com/developer/student
· https://education.github.com/pack
· https://hashnode.com/hackathons/1password
Very special thanks to our sponsor: Women’s Society of Cyberjutsu!
Women’s Society of Cyberjutsu is hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here:
Next Episode

We Hack Purple Podcast Episode 75 with Enno
In episode 75 of the We Hack Purple Podcast, host Tanya Janca interviews Enno, a security researcher from Semgrep. They discussed all things static analysis, including: how do we come up with SAST rules, what’s important to search for, important considerations when writing rules, testing rules before wider rollout, and writing rules specifically for Semgrep.
We briefly got into The Official Docs, and content creation for both internal and external use, plus its importance when trying to scale your security efforts.
Want more Enno?
They can be found here!
https://www.linkedin.com/in/enno-liu/
https://www.youtube.com/@enncoded
https://youtu.be/g_Yrp9_ZK2c
https://twitter.com/enncoded
The video by Enno that we discussed can be watched here!
https://twitter.com/enncoded/status/1648908623152844801
Very special thanks to our sponsor: Day of Shecurity!
This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it’s very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE!
View the agenda here: https://guides.dayofshecurity.com/view/314270378/
If you’re not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.
Join We Hack Purple!
Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!