Podcasts

Application Security Survey Results -- An interview with Jeremiah Grossman

On this episode of the Imperva Security Podcast Jeremiah Grossman of WhiteHat Security is interviewed regarding the latest application security survey conducted by the Ponemon Institute.

Jeremiah gives his perspectives on the survey results and details the why and how of the survey's findings: good, bad, and ugly.

Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co-founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events and universities around the globe. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of XSS Attacks. Grossman is often quoted in the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

Tags: Application Security, Jeremiah Grossman, Whitehat Security, Survey, WAF, VA, Application Security Survey Results

Application Security Survey Results -- An interview with Dr. Larry Ponemon

On this episode of the Imperva Security Podcast Dr. Larry Ponemon of the Ponemon Institute is interviewed regarding his latest application security survey.

Dr. Ponemon discusses why this survey is so timely given the state of application security. He goes on to discuss some of the statistical findings as well as his interpretation of the results. Finally, he outlines what companies that are getting application security done correctly are doing, in contrast to those that are missing the mark.

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

Dr. Ponemon consults with leading multinational organizations on global privacy management programs. Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also appointed to two California State task forces on privacy and data security laws.

Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelors with Highest Distinction from the University of Arizona, Tucson, Arizona.

Tags: Application Security, Larry Ponemon, Ponemon Institute, Survey, WAF, VA, Application Security Survey Results

Perspectives on Data Security in Asia -- An interview with Terry Ray

On this episode of the Imperva Security Podcast Terry Ray -- Senior Director for Americas and Asia Pacific Technical Services for Imperva -- is interviewed.

Terry is a frequent visitor to many parts of Asia. Over the years he has developed a relationship with customers and partners in Asia, giving him a sense for the state of data security, general security trends, and reactions to current security events from an Asian-centric perspective that he can contrast with a North America-centric view. Terry discusses how different regions approach application and database security, current events such as the recent Google attacks in China, and how the Asian community is applying countermeasures to protect their sensitive applications and databases.

Terry Ray is the Senior Director for Americas and Asia Pacific Technical Services for Imperva Inc., a provider of data security solutions. At Imperva, Terry manages teams of security engineers, has designed and deployed data security solutions, and has performed data penetration testing for a wide range of healthcare, financial services, government and eCommerce organizations. Terry has been a frequent speaker for ISSA, OWASP, ISACA, IANS and others in the Americas and abroad.

Prior to joining Imperva, Terry worked in a variety of technical roles at Check Point Software Technology Ltd., including security engineering and partner and end-user technical instruction. Terry has lectured on general network security topics and taught professional security-related product certifications in over 35 countries worldwide.

Tags: Terry Ray, Imperva, Asia, Data Security

Securing Mission-Critical Web Applications -- An interview with Catho Online CTO - Marcelo Roberto Ribeiro

Marcelo, CTO of Catho Online in Brazil, discusses the importance of Web application security for one of the largest job-search websites in South America.

Catho Online is the largest job-search website in South America, and one of the top 15 in the world. It is the market leader in its segment. With the slogan "your success is our business", the company's main objective is to facilitate hiring processes, acting as a liaison between those looking for new challenges and hiring companies.

Marcelo Roberto Ribeiro has been the CTO at Catho Online since 2007. His goal is to turn Catho's network and security infrastructure into a high-availability, cutting-edge technology environment, meant to work like the major internet providers, focused on availability, performance, integrity, security and professionalism.

Marcelo has over 25 years of experience in Information Technology, majored in Information Technology and Business Administration, and has experience working in different industries: Internet Service Provider, Telecom Operator, Pulp and Paper, Oil, and others.

To download a Portuguese version of the transcript, click here.

Tags: Marcelo Roberto Ribeiro, WAF, Application Security, Catho Online, Customer

Adaptive Reputation-based Defense (ThreatRadar) -- An interview with Eldad Chai

On this episode of the Imperva Security Podcast Eldad Chai -- Imperva Web Application Firewall Product Manager -- is interviewed.

Eldad talks about Imperva's ThreatRadar solution. He outlines what it is, how it's used, and what customers can expect to gain from it. He covers specific threat examples such as automated attacks and business logic attacks and how they can be addressed beyond blocking and alerting with capabilities such as CAPTCHA, challenge-response, redirection and more.

Eldad Chai is a product manager at Imperva, responsible for Imperva's award-winning Web Application Firewall (WAF). Eldad defines and leads the product vision and roadmap and is behind various game changers in the Web application security space, such as the integration between WAFs and Web vulnerability scanners and Imperva's reputation-based web security technology, ThreatRadar. Eldad started at Imperva as the leader of the web research team, where he was part of the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Eldad led research projects in various fields such as web security, security technologies, mitigation strategies and hacking methodologies. Prior to Imperva, Eldad provided data security and network optimization services as a consultant. Eldad participated in Deutsche Telecom's eThreat project, where he developed an innovative solution for a distributed electronic threat detection system that is now part of Deutsche Telecom's intellectual property. He holds a B.Sc and an M.Sc in Communication Systems Engineering from Ben-Gurion University, Israel.

Tags: Eldad Chai, Imperva, WAF, ThreatRadar

Next Generation WAF (NG-WAF) -- An interview with Amichai Shulman

On this episode of the Imperva Security Podcast Amichai Shulman -- CTO and Co-founder of Imperva -- talks about the next generation of WAFs.

Amichai discusses the Industrialization of Hacking and how it is creating a need for WAF solutions to evolve so they can address automated attacks, business logic attacks, and the existing and growing list of technical attacks such as SQL Injection, XSS, etc. He also discusses mechanisms for combating automated attacks and business logic attacks, deployments within MSSP and Cloud-based environments, and other components of Imperva's NG-WAF vision.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

Tags: Amichai Shulman, ADC, WAF, NG-WAF, Industrialized Hacking, Automated Attacks, Business Logic Attacks, Hacking

Data Security at a Non-Profit Radio Station -- An interview with Juan Walker

On this episode of the Imperva Security Podcast Juan Walker -- Database and Data Security Advisor with the Educational Media Foundation (EMF) -- is interviewed.

Juan and I discuss the need for non-profits to protect sensitive information such as donor details. The key to a solid security strategy for EMF is data security, so Juan talks about a number of controls that EMF has in place including the Imperva Database Activity Monitoring (DAM) solution. Juan discusses why the Imperva DAM was chosen over several competitors, how it is currently used to address security and compliance, as well as some of the early wins it has given them related to data discovery and reporting.

Juan Walker is Database and Data Security Advisor for the Information Technology Team at EMF Broadcasting, which is KLOVE and Air-1 Radio Network with over 610 Stations and Translators in 46 States. Juan has over 15 years of experience in Database Architecture and Administration, and extensive knowledge in encryption and data security. Prior to EMF Broadcasting Juan worked as a Database Administrator at Microsoft Corporation and Senior Data Architect at Georgia Pacific Corporation. He has received certifications from SANS and ISC2.

Tags: Juan Walker, Educational Media Foundation, Customer, DAM, Data Security

Software Security -- An interview with Dr. Gary McGraw

On this episode of the Imperva Security Podcast Dr. Gary McGraw, CTO of Cigital, is interviewed.

Gary and I discuss the current state of software security. We talk about SDLC, building security in, incident prevention and incident detection, and leveraging Web Application Firewalls, or WAF.

Gary also talks about BSIMM -- the Building Security In Maturity Model. You can find out more about BSIMM here -- http://www.bsi-mm.com/.

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight bestselling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

Tags: Dr. Gary McGraw, Software Security, WAF, SDLC

Interview with Dana Tamir on Data Discovery, Assessment and Classification

On this episode of the Imperva Security Podcast Dana Tamir is interviewed.

Dana talks about the Imperva SecureSphere DAS (Discovery and Assessment Server) solution. She outlines why this technology is critical to an effective data security strategy, the theory and technical details of how it works, as well as several use cases.

Dana Tamir is a Sr. Product Marketing Manager at Imperva. She has over a decade of real-world experience in the Software Industry. In her role at Imperva she leads the launch and marketing activities related to database security solutions. She routinely delivers compliance and security-related presentations, white papers and webcasts. Prior to joining Imperva, Dana held various Pre-sale, Post-Sale, Application Engineering and Product Development roles at high tech and Internet security companies including Symantec, Bindview, and Amdocs. Dana holds a B.Sc. from the Technion -- Israel Institute of Technology. She is a certified MCSE, MCDBA and OCA.

Tags: Dana Tamir, Imperva, DAS, Discovery, Assessment, Classification

Portuguese interview with Rafael Koike of Telsinc Brazil; he talks about growing trends in application and database security in Brazil

On this episode of the Imperva Security Podcast Rafael Koike of Telsinc is interviewed by Luiz Eduardo Dos Santos of Imperva.

Rafael and Luiz discuss the partnership between Telsinc and Imperva, as well as the evolution, current state, and future of the security industry in Brazil. Topics covered include the main drivers for application security, compliance, and internal fraud, and the conversation inevitably touches on the controversial subject of the power blackout that recently happened in Brazil.

Telsinc is an Imperva partner and has been active in the Brazilian IT market since 1994, offering advanced solutions and professional services. They are recognized as a company that is agile, experienced and innovative in the utilization and operation of information technology.

Rafael has been with Telsinc since 2006 and helps develop and grow the IT Security business within Telsinc, which offers complete solutions from the perimeter to the end point. He has more than ten years of experience in the networking and security field, having previously worked at Siemens. Rafael holds CISSP and CISM certifications in governance and administration. In addition, he is technically certified CCSE Checkpoint and CCNP Cisco. Due to his contributions, Telsinc's IT Security division has grown an average of 33% annually, with estimated revenue of over R$11m in 2010 in hardware sales alone.

To download a Portuguese version of the transcript, click here.

Tags: Partner, Telsinc, Rafael Koike, Portuguese, Brazil, Data Security

Interview with Lars Ewe -- CTO of Cenzic -- WAF

On this episode of the Imperva Security Podcast Lars Ewe, CTO of Cenzic, is interviewed.

Lars discusses the Imperva Cenzic partnership, and why bringing together vulnerability scanning services with Web Application Firewalls (WAF) is critical for application security. He also shares his views on what the future holds for application security overall.

Lars Ewe, Chief Technology Officer and VP of Engineering with Cenzic, is a technology executive with a broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering, product management/marketing, and sales in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts. Lars was also AMD's representative to the board of directors of the Distributed Management Task Force. Before AMD, Lars was senior director at Borland Software Corp., where he managed worldwide server software pre-sales, technical services, and key partner relationships. Prior to Borland he held key positions at Oracle Corporation's Server Technologies Division and Webgain. Lars has Bachelor of Science and Master of Science degrees in Mechanical Engineering from the Technical University of Munich, Germany.

Tags: Lars Ewe, Cenzic, Partner, WAF and VA, Web Application Security

Interview with the CISO of the State of Colorado and his security deputy on the consolidation of IT security resources and building security in early

On this episode of the Imperva Security Podcast Seth Kulakow -- Chief Information Security Officer for the State of Colorado -- and his deputy Travis Schack are interviewed.

We discuss several issues that are unique to state-level information security as well as several solid, modern approaches to developing an effective security posture. The consolidation of IT security resources (security, database and application developers, etc.) under one umbrella, and the need for executive-level sponsorship, kick off this discussion. We also talk about the importance of marketing security internally to peers, building security into the business process, and outlining key requirements early on in the form of RFPs, contracts and the like to ensure that there is a real partnership between vendors and customers.

Seth Kulakow was selected as the Chief Information Security Officer (CISO) in November 2008. As the CISO, Seth is responsible for the State's Information Assurance and Compliancy programs.

Prior to joining the Governor's Office of Information Technology, Seth was the Information Security Officer for Denver International Airport (DIA), ranked the 4th busiest airport in the nation and the 10th busiest in the world. During his tenure at DIA, Seth created and managed a peer recognized first of its kind (in any US airport) full time security program from its infancy to a best practice repeatable program. The program covered every facet of security from risk analysis and assessment, compliancy, system auditing, penetration testing and forensics, to ingress and egress controls.

Tags: Seth Kulakow, Travis Schack, State of Colorado, Data Security, State Government, Government

Leveraging WAF and DAM for Protecting Data, Securing Servers, Meeting Partner Requirements, Addressing PCI, and Beyond -- an Interview with Richard Collins from Imperva Customer TechSoup Global

On this episode of the Imperva Security Podcast Richard Collins from TechSoup Global talks about using Imperva SecureSphere WAF and DAM solutions. He discusses key drivers such as sensitive data protection, securing mission-critical servers, addressing partner concerns over data security from Microsoft, Adobe, and Intuit (which require their partners to have strong data security solutions), and addressing PCI.

Richard also discusses how WAF can be used as a unifying technology that brings together development and operations teams. Finally, he explains why he chose Imperva SecureSphere above competitors, and how Imperva offers the best solution for TechSoup Global by providing a superior user interface, policy management system, profiling and learning capability, architecture flexibility, and ability to integrate database and Web application protection through a single solution.

Mr. Collins is the Senior Director for Information System Security for TechSoup Global, a nonprofit organization that helps nonprofits in 31 countries around the world get and use technology to better serve their missions. In addition, TechSoup Global works with companies and foundations to optimize their philanthropic impact.

At TechSoup Global, Mr. Collins is in charge of security strategy and security policy to protect data and information systems across the organization. He is also responsible for senior project management, consulting, and coordination for all security and system-stability related projects.

Mr. Collins is currently leading several security projects including achieving PCI compliance, providing security and risk protection across the architecture stack, and embedding security into systems development, operations planning, and implementation processes.

A 20-year industry veteran, Mr. Collins has held positions ranging from programmer analyst to CIO in a wide range of industries including banking, telecommunications, publishing, and technical consulting services. Mr. Collins holds a Masters Degree in Information Systems and Telecommunications Management.

Tags: Customer, WAF, DAM, Richard Collins, TechSoup Global, Sensitive Data, Compliance, PCI

Direct Database SQL Injection Attacks and Mitigation Techniques with Amichai Shulman -- Imperva CTO & Co-founder

On this episode of the Imperva Security Podcast Amichai Shulman -- CTO and Co-founder of Imperva -- talks about Direct Database SQL Injection attacks. A video on this subject can be found here. He discusses how these attacks are performed directly through the database interface or through Web applications. He also talks about flaws in stored procedures that make these attacks possible.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

Tags: Amichai Shulman, ADC, Direct Database SQL Injection, Database Security, Web Application Security, SQL Injection

PCI by the Numbers: Survey Results Explored -- an Interview with Dr. Larry Ponemon of the Ponemon Institute

On this episode of the Imperva Security Podcast Dr. Larry Ponemon of the Ponemon Institute discusses the results of his latest PCI DSS survey. He talks about a number of fascinating and sometimes anomalous statistics from the survey results, and shares his views and leanings. Dr. Ponemon addresses questions such as:
  • Can consumers rely on companies to protect their credit card information?
  • How has PCI affected security budgets?
  • Which PCI approaches work and which ones don't?
  • How do smart companies manage the cost and get the most out of PCI?

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

Dr. Ponemon consults with leading multinational organizations on global privacy management programs. Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also appointed to two California State task forces on privacy and data security laws.

Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelors with Highest Distinction from the University of Arizona, Tucson, Arizona.

Download: PCI DSS Survey Results (pdf)

Tags: PCI DSS, Larry Ponemon, Ponemon Institute, Survey, Compliance

Insider Threats, Privileged User Abuse and Mitigation Techniques with Amichai Shulman -- Imperva CTO & Co-founder

On this episode of the Imperva Security Podcast Amichai Shulman -- CTO and Co-founder of Imperva -- talks about Insider Threats. He explores the differences between careless and nefarious insiders and talks about the difficulties of managing risks surrounding privileged users. He also discusses several threat mitigation strategies.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

Tags: Amichai Shulman, ADC, Insider Threat, Privileged User, Database Security, Application Security

Insider Threats -- an Interview with the Former Deputy Director of the National Security Agency -- NSA

On this episode of the Imperva Security Podcast Bill Crowell, former Deputy Director of the NSA, is interviewed. He talks extensively about insider threats, shares some stories from the trenches, and discusses the nature of cybercrime. Bill also covers the importance of sensitive data protection -- especially around mission-critical applications and databases.

Bill Crowell quotes from this interview:
  • "On the Internet everyone is an insider."
  • "We haven't done nearly enough to protect applications and databases."
  • "The magnitude of losses around insider threats are underreported."
  • "Security is not just the perimeter; layered defenses must be inside of the network, on the applications and databases, if we really want to protect information."
  • "Cybercrime is a rewarding endeavor...attacks can be monetized and there are fewer consequences."
  • "Crime is only diminished when there is some reasonableness to the expectation of being caught."

Mr. Crowell is an independent consultant in the areas of information technology, security and intelligence systems and serves as Chairman of the Senior Advisory Group to the Director of National Intelligence. He also served as President and Chief Executive Officer of Cylink Corporation, a provider of network security solutions, from 1998 until its acquisition by SafeNet, Inc. in February 2003.

Prior to Cylink, Mr. Crowell worked at the National Security Agency, where he held a series of senior executive positions, including Deputy Director of Operations and Deputy Director of the NSA.

He also serves as a director of several private companies. Mr. Crowell has been quoted in many trade and business publications including the Wall Street Journal, BusinessWeek, USA Today, Information Week, Network World, Computer World, Federal Computer Week, CIO Magazine and the San Jose Mercury News. Crowell has also appeared on CBS MarketWatch, CNET News, CNBC and KNTV's Silicon Valley Business.

Bill is the co-author of the book Physical and Logical Security Convergence.

Tags: Insider Threat, Bill Crowell, NSA, Cybercrime

Web Application Security within Cloud Computing, SaaS, and Virtualized Environments -- Chris Richter of Savvis, an Imperva Partner, shares his Wealth of Experience

On this episode of the Imperva Security Podcast Chris Richter from Savvis talks about cloud computing, SaaS, virtualization, and the need for Web Application Firewalls. He shares some stories from the trenches, and talks about the trend in modern business to become more focused on core capabilities and less on infrastructure, thus getting back to managing the top and bottom lines.

Chris is VP and general manager of security products and services at Savvis, a leading network, hosting and security services provider, where he is responsible for the managed-security line of business, strategy and product portfolio. Chris has assisted many enterprises in adapting their premises-based infrastructure risk management programs and security controls to Savvis' outsourced virtualized and shared-infrastructure services. He brings an IT service provider's view of control requirements for virtualized and cloud-based infrastructures. Chris is a member of ISSA and ISACA, and for more than 20 years has held various security and IT services management and consulting positions at companies such as Digital Equipment Corporation, Compaq Global Services, 3Com, Cable & Wireless and Sterling Software. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM), and has served as a technical advisor and board member of several Silicon Valley-based IT product and services companies.

Tags: Chris Richter, Partner, Savvis, WAF, Cloud Computing, SaaS, Virtualization

Play Podcast Podcast Transcript (PDF)
Protecting Web Portals and Bringing Together Security Operations and Development with the Imperva SecureSphere WAF at Telefonica O2 Germany -- an Interview with Daniel Stricharz

On this episode of the Imperva Security Podcast Daniel Stricharz is interviewed. He shares his experiences around choosing, implementing and operating the Imperva SecureSphere Web Application Firewall (WAF). He shares a number of examples where WAF helped Telefonica discover and address application vulnerabilities. He also discusses:
  • Drivers to implement WAF in a large, complex telco
  • Bringing together security operations and developers with WAF
  • Business logic attacks and application profiling
  • What to look for in a WAF
Daniel Stricharz is a senior security and infrastructure specialist at Telefonica O2 Germany responsible for the customer portals and their value-added services. Stricharz has studied law and computer science. Before he joined the telecommunications area in 2000 he worked as a consultant both in the IT and legal area for international businesses. His knowledge of emerging German legislation, cyber-crime, and cyber-law has helped to reconcile both specific legal and complex technical requirements. He initially specialized in data protection law and its technical implementation until he moved on to cover the full range of security aspects from product development to the operations of on-line services.

Telefonica O2 Germany GmbH & Co. OHG belongs to Telefonica Europe and is part of the Spanish telecommunication group Telefonica S.A. The Company offers its German private and business customers postpaid and prepaid mobile telecom products as well as innovative mobile data services based on the GPRS and UMTS technologies. In addition, the integrated communications provider also offers DSL fixed network telephony and high-speed internet. Telefonica Europe has nearly 47 million mobile and fixed network customers in Great Britain, Ireland, the Czech Republic, Slovakia and Germany.

In Germany, where the company is known simply as O2 and has its headquarters in Munich, it has a customer base of more than 14.5 million. Besides its more than 750 shops, O2 operates a massive online portal offering services ranging from an online shop and a complex web-based email solution to a range of self-service options for customers and a large number of other mobile services that enrich the customers' mobile experience.

Tags: Daniel Stricharz, Customer, Telefonica O2 Germany, WAF, Business Logic Attacks, Application Profiling, Web Portal Security

Play Podcast Podcast Transcript (PDF)
Database Activity Monitoring (DAM) for State-Wide Healthcare Programs -- Gary Lilley, an Imperva Customer, Shares his Experiences

On this episode of the Imperva Security Podcast Gary Lilley from an unnamed state agency talks about choosing, deploying, and using Database Activity Monitoring (DAM) solutions. He shares his experiences with Imperva SecureSphere, why Imperva was chosen, and some of the value already achieved.

Currently working on a state-wide healthcare database activity monitoring project, Gary Lilley is a Senior Enterprise Solutions Architect at HP with more than nineteen years of experience in software system design, development and implementation. He has extensive experience with government systems, large-scale chain retail, data management, manufacturing, distribution, translation software, the computer industry, banking and EDI, and with most translators across all hardware platforms.

Tags: Gary Lilley, Customer, State Government, Database Security, Database Audit, Database Activity Monitoring, DAM

Play Podcast Podcast Transcript (PDF)
SQL Injection Attacks and Mitigation Techniques with Amichai Shulman -- Imperva CTO & Co-founder

On this episode of the Imperva Security Podcast Amichai Shulman, CTO and Co-founder of Imperva, talks about SQL Injection. He discusses how these attacks are performed, why they are so pervasive, why signature detection doesn't work, and how to mitigate these attacks.
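As an added illustration of the two points the episode covers (why signature matching fails and what actually mitigates injection), the following Python example is not from the podcast or from Imperva; it uses a constructed in-memory SQLite table, a deliberately vulnerable string-concatenated login query beside its parameterized form, and a toy substring signature list (an assumption, chosen only to show the class of filter, not any real product's rules). The same logical payload with its spaces replaced by SQL comments slips past the signature while still logging in through the vulnerable query; the parameterized query rejects both forms.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo data: an in-memory SQLite database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: attacker-controlled text becomes part of the SQL grammar."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: input is data supplied to a fixed query, never SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Toy signature list of the kind a naive filter matches on (assumption: illustrative only).
SIGNATURES = ("' or '", "' or 1=1", "union select", "--")


def blocked_by_signature(value: str) -> bool:
    """Case-insensitive substring match, the weakest form of SQL injection detection."""
    lowered = value.lower()
    return any(sig in lowered for sig in SIGNATURES)


if __name__ == "__main__":
    db = make_db()
    classic = "' OR '1'='1"          # textbook payload, caught by the signature list
    evasive = "'/**/OR/**/'1'='1"    # same logic, whitespace replaced by SQL comments
    for payload in (classic, evasive):
        print(f"{payload!r:24} signature={blocked_by_signature(payload)!s:5} "
              f"vulnerable={login_vulnerable(db, 'x', payload)!s:5} "
              f"parameterized={login_parameterized(db, 'x', payload)}")
```

The point of the comment trick is not that `/**/` is special; any of the many equivalent spellings SQL accepts (case changes, alternative whitespace, string concatenation, inline comments) defeats a fixed pattern, whereas binding parameters removes the attacker's text from the grammar entirely.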

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

Tags: Amichai Shulman, ADC, SQL Injection, WAF, Web Application Security

Play Podcast Podcast Transcript (PDF)
GLBA co-author, Paul Reymann talks about GLBA, compliance and security within the financial industry

On this episode of the Imperva Security Podcast Paul Reymann - CEO of the Reymann Group & co-author of GLBA talks about the financial industry, and how security and compliance have been changing. He also touches on financial modernization, the convergence of NIST and ISO, and the risk management continuum.

Mr. Reymann is one of the nation's leading regulatory experts and co-author of Section 501 of the Gramm-Leach-Bliley Act Security rule. Fortune 500 companies have leveraged Mr. Reymann's subject matter expertise to develop successful go-to-market strategies for information security and technology products and services within key vertical markets.

He has more than twenty years experience in the financial services industry, including thirteen years with the Department of Treasury's Office of Thrift Supervision (OTS) in Washington D.C. There he guided the regulatory agency's Technology Risk management activities and authored several key regulatory directives and advisories on emerging risk management issues, including the industry's first regulatory directive on "Transactional Internet Banking."

Tags: Paul Reymann, GLBA, GLB, NIST, ISO, Financial, Data Security

Play Podcast Podcast Transcript (PDF)
Aviram Jenik of BeyondSecurity, an Imperva Partner, talks about WAF, VA, Black Box testing, and related solutions necessary for a strong application security posture

On this episode of the Imperva Security Podcast Aviram Jenik of BeyondSecurity is interviewed. Aviram discusses why Imperva and BeyondSecurity have partnered to offer a combination of WAF, Black Box Testing, and Vulnerability Assessment services together. Aviram discusses several very interesting application security "stories from the trenches," and shares his perspectives on the evolution of application security.

Mr. Jenik has 17 years of experience in the Computer Security field. From the early days of computer viruses he was involved in the fields of encryption, security vulnerabilities detection and research. He worked in development, marketing and sales roles in several startups, and had 2 successful exits before co-founding Beyond Security in 1999.

Aviram has a B.Sc. in Computer Science with a major in cryptography and an MBA from T.A. University with majors in strategy and entrepreneurship.

Tags: Aviram Jenik, Partner, BeyondSecurity, WAF, VA, Black Box Testing

Play Podcast Podcast Transcript (PDF)
Mark Weatherford, CISO for the State of California, discusses the complexities of security within state government

On this episode of the Imperva Security Podcast Mark Weatherford, CISO for the State of California is interviewed. He discusses challenges within information security at the state level including fusion centers, cross-agency coordination, and addressing risks beyond the perimeter -- specifically sensitive data.

Mark Weatherford has extensive executive and operational experience in the information and cyber security arena with a career that spans both the public and private information security sectors. Appointed by Governor Schwarzenegger to his present position as Executive Officer of the California Office of Information Security and Privacy, Weatherford has broad authority over the State's information security and privacy activities.

Mr. Weatherford previously served as the Chief Information Security Officer for the State of Colorado where he was appointed by two successive governors to develop and lead the state information security program.

Mr. Weatherford is a former U.S. Naval Cryptologic Officer, holds a Bachelor of Science degree in Business Administration from the University of Arizona at Tucson and a Master of Science degree in Information Technology Management from the Naval Postgraduate School in Monterey, California.

Tags: Mark Weatherford, State Government, Data Security, Government

Play Podcast Podcast Transcript (PDF)
Jeremiah Grossman of Whitehat Security, an Imperva Partner, talks about bringing together the worlds of WAF and VA to improve overall application security and reduce business risk

On this episode of the Imperva Security Podcast Jeremiah Grossman of Whitehat Security is interviewed. Jeremiah discusses why Imperva and Whitehat have partnered to offer a blended approach to Web application security through WAF plus VA. Jeremiah explains that the industry now requires these once diametrically opposed solutions to unite in order to address today's threats and reduce overall business risk.

Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co-founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events and universities around the globe. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

Tags: Jeremiah Grossman, Partner, Whitehat Security, WAF, VA

Play Podcast Podcast Transcript (PDF)
Microsoft IIS WebDAV Remote Authentication Bypass: Interview with Amichai Shulman -- CTO and Co-founder of Imperva

On this episode of the Imperva Security Podcast Amichai Shulman is interviewed. He talks about Microsoft Security Advisory 971492, released on May 17th 2009. The vulnerability affects Microsoft IIS servers running WebDAV. Amichai goes into detail about the vulnerability, why servers remain vulnerable even though the exploit is well known, and how attacks can be mitigated with a Web Application Firewall (WAF). Amichai further talks about how the Imperva SecureSphere WAF has been protecting customers from redundant UTF-8 encoding attacks like this one for over three years.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.

Tags: Amichai Shulman, ADC, Microsoft IIS WebDAV Remote Authentication Bypass, Redundant UTF-8 Encoding, Microsoft Security Advisory Number 971492

Play Podcast Podcast Transcript (PDF)
Convergence of Risk and Security -- Andreas Wuchner, advisory board member for companies such as Microsoft, Oracle, Symantec and Cisco, is interviewed

On this episode of the Imperva Security Podcast Andreas Wuchner is interviewed. He discusses a wide range of subjects related to risk and security converging.
  • Who owns risk management
  • How can solutions like WAF be evaluated by businesses in terms of organizational risk
  • Where is the real value in risk management
  • How important are technical solutions and automation
  • Perspectives on cloud computing, outsourcing, and trust based models as they relate to risk
Andreas is an experienced IT manager and risk, compliance and security professional who is a globally acknowledged thought leader and a highly respected contributor in the risk and security industry. Andreas sits on advisory boards of leading IT technology companies including Microsoft, Oracle, Symantec, Cisco and others. In addition to his role at a multi-national pharmaceutical company, Andreas operates the risk management blog IT Risk Space - http://ITRiskSpace.com.

Tags: Andreas Wuchner, Risk Management, Security, Governance, WAF

Play Podcast Podcast Transcript (PDF)
Holistic Investigations: Lawrence Dietz, military and commercial information security and intelligence expert, is interviewed

On this episode of the Imperva Security Podcast Lawrence Dietz is interviewed. He talks about "holistic investigations" -- the bringing together of various investigatory disciplines from traditional to IT. Larry shares many fascinating case studies and details how this type of investigation can be leveraged most effectively.

Larry has also included a presentation that can accompany this podcast. Please click here to download it now.

Lawrence Dietz has over 30 years of military and commercial information security and intelligence experience. Recent assignments have included developing the IT and legal chapters of the implementation plan for the BioPHusion Center of the CDC. Projects include intelligence fusion planning and data forensics strategic analysis. Before resuming independent consulting in 2007, Dietz held key senior marketing roles at Symantec Corporation for 6 years. Prior to Symantec, Dietz held senior marketing, market research and customer support management roles. He is a licensed attorney in California and retired from the Army Reserve as a Colonel after 27 years of intelligence, PSYOP and information operations assignments. He holds a B.S. in Business Administration from Northeastern University, an MBA from Babson College, a JD from Suffolk University, an LLM in European Law from the University of Leicester in the UK, and an M.S. in Strategic Studies from the U.S. Army War College.

Tags: Lawrence Dietz, Holistic Investigations

Play Podcast Podcast Transcript (PDF)
Control System Red Teams -- an Interview with Ray Parks from Sandia National Labs (SNL)

On this episode of the Imperva Security Podcast Ray Parks is interviewed. Ray discusses various red teams:
  • Behavioral
  • Operational (Military Services, NSA)
  • Analytical
  • Research Gaining and Hypothesis Testing
In particular, he focuses on red teams that evaluate the security for control system environments such as nuclear power plants. Ray also shares his perspectives on regulations like NERC and their place in improving the overall security of critical infrastructure environments.

Ray touches on bringing together government, industry, academia and others to analyze control system environments from a joint perspective. In fact, Brian Contos and Ray first met during such an effort called Project LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security) which Ray discusses during the interview.

Mr. Raymond C. Parks is a program manager of Sandia's Information Design Assurance Red Team (IDART), a Senior Member of the Technical Staff in the Assurance Technology and Assessments Department at Sandia National Laboratories, and project lead for several control systems security projects. He has led twelve red teams through assessments and has been a team member of over three dozen other red teams. Currently, he is leading a red team assessment of a financial critical infrastructure element. Recently, he led a team that performed a North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber vulnerability assessment of a major Midwest utility. Mr. Parks is a graduate of the United States Air Force Academy with a B.S. in Engineering, and an Eagle Scout.

Tags: Ray Parks, Red Team, Sandia National Labs, Control Systems, NERC

Play Podcast Podcast Transcript (PDF)
Using WAF in Complex, Global Environments -- an Interview with Marc Appelbaum -- Imperva Customer and Manager of Information Security for Vonage

On this episode of the Imperva Security Podcast Marc Appelbaum is interviewed. Marc discusses the importance of application security at Vonage. He details several projects that are aimed at protecting Vonage as well as Vonage partners and customers. Marc also shares his views on application security as it relates to vulnerability scanning, the Imperva SecureSphere Web Application Firewall (WAF), and the integration of the two.

Marc Appelbaum is Manager of Information Security for Vonage, a leading provider of broadband telephone services. Marc is responsible for all Information Security functions for Vonage worldwide. Under Marc's leadership Vonage has deployed several security initiatives, including a Global Vulnerability Management Program, a Global Security Information Management System, and security awareness programs. Marc also developed policies and procedures that now involve the Security team in all technology projects. Marc also maintains the responsibility for ensuring IT Compliance with all government and industry regulations (i.e. SOX, PCI, CPNI, etc.).

Prior to joining Vonage, Marc was at Dow Jones & Co. for about 10 years. During that time Marc served in various roles, most recent as Security Architect introducing several new technologies to replace legacy equipment and establishing firewall guidelines. Marc began with Dow supporting the WSJ.COM website.

Tags: Marc Appelbaum, Customer, Practitioner, WAF, Vonage

Play Podcast Podcast Transcript (PDF)
Interview with Joe White -- Imperva Customer and Web Application Security Practitioner:  Getting Started in Web Application Security

On this episode of the Imperva Security Podcast Joe White is interviewed. This is the second in a series of podcast interviews where Joe White and Brian Contos will discuss various topics related to application and data security.

Joe talks about getting started in Web Application Security. He discusses several tools and resources useful both for those who are new to this industry and for seasoned experts. Here are some examples.

In addition to working for a large SaaS provider in Northern California that's an Imperva Customer, Joe White is President of Cyberlocksmith Corporation, and specializes in Information Security and technology risk. He is a Subject Matter Expert in Internet, Extranet, and Intranet security risks and network penetration techniques. He has 15+ years of Information Technology experience including SOA, SaaS, Information Security, and Systems. Joe has focused expertise in securing web applications and extensive knowledge of networking, routing protocols, switching and remote access methodologies. Over the years, Joe has participated in numerous penetration tests and ethical hacking engagements and comes to Web Application Security after spending many years involved in traditional infrastructure/operations security. Finally, with 10+ years of Business Development experience Joe offers a unique perspective on the marriage between business and technology.

Tags: Joe White, Customer, Practitioner, WAF, Getting Started with Web Application Security

Play Podcast Podcast Transcript (PDF)
Interview with Dave Anderson -- Director of Marketing for SAP Business Objects governance, risk and compliance solutions

On this episode of the Imperva Security Podcast Dave Anderson from SAP is interviewed. Dave discusses GRC and ITGRC. He covers the differences, early adopters and what solutions currently exist. He dives into gaps that need to be addressed and what he sees as the future for GRC.

Dave Anderson, Director of Marketing for SAP Business Objects governance, risk and compliance solutions has 15 years of experience in information security, risk management and compliance at several leading companies, including SAP, ArcSight, KPMG, and VeriSign. During this time, he developed and managed marketing and product solutions that integrate risk, compliance, strategy and performance into unified governance and compliance frameworks. Dave's experience also includes implementing and auditing IT Governance solutions based on COSO, CobiT, ISO 27001 and ITIL standards; and he is a Certified Information Systems Auditor.

Tags: Dave Anderson, SAP, ITGRC, GRC, Governance, Risk, Compliance, IT Governance

Play Podcast Podcast Transcript (PDF)
Interview with Amichai Shulman -- CTO and Co-founder of Imperva

On this episode of the Imperva Security Podcast Amichai Shulman is interviewed. Amichai talks about CSRF (Cross-Site Request Forgery). He gives a detailed background on the attack, how it works, and why we aren't hearing a lot about it. He also discusses mitigation techniques.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.
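To make the CSRF mechanism and its standard mitigation concrete, here is an added Python example; it is not code from the podcast or from Imperva. The attack works because the browser attaches the victim's session cookie to a cross-site POST the victim never meant to send. The mitigation shown is a synchronizer token: the server derives a secret value bound to the session, embeds it in its own forms, and refuses any state-changing request that does not carry it. An attacker's page can trigger the request but cannot read the token, so the forged request fails. The `request` dictionaries, the `handle_transfer` handler and the per-deployment `SERVER_KEY` are constructed stand-ins for an HTTP POST and a real framework.

```python
import hashlib
import hmac
import secrets

# Assumption: one long-lived server-side secret per deployment (generated here at import).
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive a token bound to the session; the server embeds it in every state-changing form."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the token for this session and compare in constant time."""
    expected = issue_csrf_token(session_id, key)
    return hmac.compare_digest(expected, token or "")


def handle_transfer(request: dict, key: bytes = SERVER_KEY) -> str:
    """State-changing handler for a constructed POST: {'cookies': {...}, 'form': {...}}.

    Returns an HTTP-style status line. The cookie alone proves only that the browser
    has a session, not that the user intended this request; the token proves the
    form came from a page the server itself rendered for that session.
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return "401 no session"
    submitted = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, submitted, key):
        return "403 CSRF token missing or invalid"
    form = request["form"]
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim_session = "sess-4f2a"
    token = issue_csrf_token(victim_session)
    # Legitimate submission from the application's own page: carries the token.
    print(handle_transfer({"cookies": {"session": victim_session},
                           "form": {"to": "bob", "amount": "10", "csrf_token": token}}))
    # Forged cross-site POST: the browser adds the session cookie automatically,
    # but the attacker's page cannot read the token, so the form has none.
    print(handle_transfer({"cookies": {"session": victim_session},
                           "form": {"to": "attacker", "amount": "1000"}}))
```

Because the token is an HMAC over the session identifier, the server stores nothing extra and a token from one session is useless in another. The token must never be put in a cookie (the attacker's request would carry it too) or leaked through GET parameters into logs and referrers; in practice the check is paired with a `SameSite` cookie attribute and an origin check as defence in depth.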

Tags: Amichai Shulman, ADC, CSRF, Cross-Site Request Forgery

Play Podcast Podcast Transcript (PDF)
Interview with Martin McKeay -- Host of the Network Security Blog and Podcast Series, and QSA

On this episode of the Imperva Security Podcast Martin McKeay is interviewed. Martin talks about the recent Webcast from Homeland Security titled "Do the Payment Card Industry Data Standards Reduce Cyber Crime." He also shares with us his perspectives on the changing security industry. Martin discusses how he got into blogging and podcasting, and gives some insight into the Network Security Blog, including some interesting history related to interviewing Imperva's Chief Security Strategist.

Martin McKeay started blogging about security in August of 2003. He took up blogging as a means to extend his knowledge and test ideas about security by putting them up for peer review. Four years later he's still at it. He works as a Senior Consultant for Trustwave, specializing in PCI assessments. He has a podcast co-hosted with Rich Mogull of Securosis. He also writes for Computerworld.

Tags: Martin McKeay, PCI, Podcaster, Network Security Blog, Network Security Podcast

Play Podcast Podcast Transcript (PDF)
Interview with Jim Manico -- Web Application Architect, Security Engineer, and Producer & Host of the OWASP Podcast Series

On this episode of the Imperva Security Podcast Jim Manico is interviewed. Jim tells us how he got into the application security space, gives us some background on OWASP, and shares some of his perspectives on application security.

Jim Manico is a Web Application Architect and Security Engineer for Aspect Security. Jim has 11 years of experience developing Java-based data-driven web applications for organization such as FoxMedia (MySpace), GE, CitiBank and Sun Microsystems. Jim also volunteers for the Open Web Application Security Project by producing and hosting the OWASP Podcast Series as well as participating in the Enterprise Security API (ESAPI) Project.

Tags: Jim Manico, OWASP, Podcaster, Application Security

Play Podcast Podcast Transcript (PDF)
Interview with Raffy Marty -- Chief Security Strategist for Splunk and Security Author

On this episode of the Imperva Security Podcast Raffy Marty is interviewed. Raffy discusses the importance of visualization when analyzing network, security, application and database information. He shares several use cases and provides insights on the relevance of visualization as a critical resource for any security practitioner.

As chief security strategist for Splunk, Raffy is a customer advocate and guardian, an expert on all things security and log analysis. Starting with IBM Research and PricewaterhouseCoopers Consulting, then ArcSight and Splunk, Raffy has been in the log management and analysis world for many years. He has built numerous log analysis systems and implemented use cases for hundreds of customers that deal with log management challenges on a daily basis. Currently he uses his skills in data visualization, compliance, security metrics, and risk management to solve problems and create solutions for Splunk customers. Fully immersed in industry initiatives, standards efforts and activities, Raffy lives and breathes security and visualization.

His passion for visualization is evident in the many presentations he gives at conferences around the world and his book: "Applied Security Visualization". In addition, Raffy is the author of AfterGlow, founder of the security visualization portal, and contributing author to a number of books on security and visualization.

Tags: Raffy Marty, Security Visualization

Play Podcast Podcast Transcript (PDF)
Interview with Joe White -- Imperva Customer and Web Application Security Practitioner

On this episode of the Imperva Security Podcast Joe White is interviewed. This is the first in a series of podcast interviews where Joe White and Brian Contos will discuss various topics related to application and data security.

Joe shares his perspectives on the current state of application security. He discusses some of the history and current gaps as well as technical and political issues. Joe also discusses Web Application Firewalls (WAF)-- what they can be used for in addition to firewalling, and where they fit within a holistic security program.

In addition to working for a large SaaS provider in Northern California that's an Imperva Customer, Joe White is President of Cyberlocksmith Corporation, and specializes in Information Security and technology risk. He is a Subject Matter Expert in Internet, Extranet, and Intranet security risks and network penetration techniques. He has 15+ years of Information Technology experience including SOA, SaaS, Information Security, and Systems. Joe has focused expertise in securing web applications and extensive knowledge of networking, routing protocols switching and remote access methodologies. Over the years, Joe has participated in numerous penetration tests and ethical hacking engagements and comes to Web Application Security after spending many years involved in traditional infrastructure/operations security. Finally, with 10+ years of Business Development experience Joe offers a unique perspective on the marriage between business and technology. Joe presented at OWASP in September 2008, and his presentation Web Application Security Roadmap can be found here.

Tags: Joe White, Customer, Practitioner, WAF, OWASP

Interview with Branden Williams -- QSA with VeriSign

On this episode of the Imperva Security Podcast, Branden Williams is interviewed. This is a follow-up to a joint partner webcast conducted by Imperva and VeriSign titled "PCI Validated, But Not Secure: Real Life Stories of a PCI QSA."

Branden discusses several PCI experiences from companies that just don't get it and from those that get it right. He discusses the strong need to address application and database security, issues to look out for when working with your QSA, and the future of PCI.

Branden has fourteen years of experience in the security and compliance space. He is an Adjunct Professor at the University of Dallas's Graduate School of Management, where he teaches in their NSA Certified Information Assurance program. He is a PCI Practice Lead with over 80 certified QSAs globally, and has led and delivered security-related assessments for clients in the financial, retail, healthcare, manufacturing, utilities, transportation, service provision, and industrial sectors. He is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Qualified Security Assessor (QSA), as well as a Certified Payment-card Industry Security Auditor (CPISA) and Manager (CPISM). He holds a Bachelor of Business Administration in Marketing from the University of Texas at Arlington and a Master of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.

Tags: Branden Williams, VeriSign, PCI, QSA, Partner

Interview with Amichai Shulman -- Co-founder and CTO of Imperva

On this episode of the Imperva Security Podcast, Amichai Shulman is interviewed. Amichai talks about clickjacking. He gives a detailed background on the attack, how it works, some high-profile examples, and mitigation techniques to protect both applications and users.

More information on this subject can be found here.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including those from Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design, and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc. and master's degrees in Computer Science from the Technion, Israel Institute of Technology.

Tags: ADC, Amichai Shulman, Clickjacking

Interview with Nick Selby, Leader of the 451 Group's Enterprise Security Practice

On this episode of the Imperva Security Podcast, Nick Selby is interviewed. Nick talks about analyzing cyber black markets and trends in compliance. He also covers the maturing of security as it becomes more about operations and business risk, and discusses the economy and its impact on the network security and data security industry.

Nick Selby leads The 451 Group's Enterprise Security Practice (ESP), which provides objective analysis of enterprise security businesses and trends. Nick also serves as The 451's Director of Research Operations, leading the coordination of 451 analysts' research methodologies and processes.

Tags: Nick Selby, Black Market, Compliance, Business Risk, Network Security, Data Security

Interview with Dr. Ulf Lindqvist, Program Director in the Computer Science Laboratory at Stanford Research Institute - SRI International

On this episode of the Imperva Security Podcast, Dr. Ulf Lindqvist is interviewed. Ulf talks about the DATES project, NERC, and cyber security within the electric industry. He shares valuable insight from his years of working with research organizations, government agencies, academics, vendors, and the electric industry on enhancing cyber security.

Dr. Ulf Lindqvist is a Program Director in the Computer Science Laboratory at SRI International. He manages research and development programs in infrastructure security for government and commercial clients. Dr. Lindqvist currently leads SRI's support for the U.S. Department of Homeland Security's Cyber Security Research and Development Center. Dr. Lindqvist and his group address cyber security challenges for critical infrastructures such as energy, communications, and financial systems. His expertise includes development of efficient and generic methods for analysis, modeling, categorization, and automatic real-time detection and correlation of computer misuse. He has more than twenty publications in the computer security area, many of which bridge the gap between theoretical and applied research, and he holds one patent. Dr. Lindqvist is a member of the Executive Committee and former Vice Chair of the Institute for Information Infrastructure Protection (I3P), a consortium of leading national cyber security institutions, including academic research centers, government laboratories, and non-profit organizations. Dr. Lindqvist holds a Ph.D. in computer engineering and an M.S. in computer science and engineering, both from Chalmers University of Technology in Sweden.

Tags: Ulf Lindqvist, NERC, SCADA, Control Systems

Interview with Dr. Anton Chuvakin, Director of PCI Compliance Solutions at Qualys and Recognized Security Expert & Author

On this episode of the Imperva Security Podcast, Dr. Anton Chuvakin is interviewed. Anton talks about PCI and the need for vulnerability assessments to work in concert with application and data security solutions to develop a strong security posture.

Dr. Anton Chuvakin (http://www.chuvakin.org) is the Director of PCI Compliance Solutions at Qualys and is a recognized security expert and book author. He is an author of the book "Security Warrior" and a contributor to books such as "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3", "PCI Compliance", "OSSEC HIDS", and others. Anton has also published numerous papers on a broad range of security subjects. In his spare time he blogs at http://www.securitywarrior.org. Anton has presented at many security conferences across the world; his recent speaking engagements include presentations in the United States, the UK, Singapore, Spain, Canada, Poland, the Czech Republic, Russia, and other countries. Anton holds a Ph.D. degree from Stony Brook University.

Tags: Anton Chuvakin, PCI, Data Security

Interview with Joseph Weiss, Industry Expert on Control Systems and Electronic Security

On this episode of the Imperva Security Podcast, Joseph Weiss is interviewed. Joe talks about cyber security within industrial control system environments, SCADA, and NERC. He shares a number of perspectives based upon his decades of experience, and some fascinating examples of how incidents related to cyber assets have negatively impacted SCADA systems, destroyed multi-million dollar assets, and even resulted in injuries and death.

Joseph Weiss is an industry expert on control systems and the electronic security of control systems, with more than 35 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI). As Technical Manager of the Enterprise Infrastructure Security (EIS) Program, he provided technical and outreach leadership for the energy industry's critical infrastructure protection (CIP) program. Mr. Weiss serves as a member of numerous organizations related to control system security, including the North American Electric Reliability Corporation (NERC) Control Systems Security Working Group (CSSWG). He has published over 60 papers on instrumentation, controls, and diagnostics, and he holds two patents on instrumentation and control systems.

Tags: Joseph Weiss, NERC, SCADA, Control Systems

Interview with Amichai Shulman, Co-founder and CTO of Imperva

On this episode of the Imperva Security Podcast, Amichai Shulman is interviewed. Amichai talks about drive-by downloading. He gives a detailed background on the attack, how it works, some high-profile examples, and mitigation techniques to protect both applications and users.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including those from Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design, and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc. and master's degrees in Computer Science from the Technion, Israel Institute of Technology.

Tags: ADC, Amichai Shulman, Drive-by-Downloading

Interview with Gretchen Hellman, VP of Marketing & Product Management Vormetric

On this episode of the Imperva Security Podcast, Gretchen Hellman is interviewed. Gretchen talks about the Heartland data breach and shares her perspectives on compliance. She also discusses data security and explains that there is no technological panacea -- data security comes through defense in depth.

Gretchen Hellman brings over 10 years of enterprise security and enterprise software experience to her role as the VP of Marketing and Product Management for Vormetric. Most recently, Gretchen was Director of Product Marketing for Voltage Security, where she led product marketing, field marketing, and corporate marketing initiatives. Prior to Voltage Security, she was responsible for compliance market strategy at ArcSight, where she drove the initiative to apply ArcSight's award-winning Security Information and Event Management solution to the regulatory compliance market. She has also held marketing leadership roles at Network Associates/McAfee. Gretchen began her career in information security as a consultant specializing in security policy and security program development. Gretchen is a frequent speaker in the areas of security standards and control frameworks, regulatory compliance strategies, security policy, and security technologies. She holds a B.S.E.E. from Santa Clara University.

Tags: Gretchen Hellman, Data Security, Compliance, Heartland, Partner

Interview with John P. Pironti, President of IP Architects and Interop Chairperson

On this episode of the Imperva Security Podcast, John P. Pironti is interviewed. John discusses the relationship between security operations and business risk management. He also shares his views on regulatory compliance and the changing landscape for network and data security professionals.

John P. Pironti is the President of IP Architects, LLC and Interop chairperson. He has designed and implemented enterprise-wide electronic business solutions, information security programs, business resiliency capabilities, and threat and vulnerability management solutions for key customers in a range of industries, including financial services, energy, government, hospitality, aerospace, media and entertainment, and information technology, on a global scale. Mr. Pironti holds a number of industry certifications, including Certified in the Governance of Enterprise IT (CGEIT), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Information Systems Security Architecture Professional (ISSAP), and Information Systems Security Management Professional (ISSMP). He is also a published author and writer, highly quoted and often interviewed by global media, and a frequent speaker on electronic business and security topics at domestic and international industry conferences.

Tags: John P. Pironti, Data Security, Risk Management, Compliance

Interview with Richard Stiennon, Founder of IT-Harvest and Former Gartner Analyst

On this episode of the Imperva Security Podcast, Richard Stiennon is interviewed. Richard talks about starting work on a new book and his perspectives on data security, including a very interesting story about WWI and efficiency experts.

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc., the leading UTM vendor. Prior to that he was VP of Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP of Research at Gartner Inc., where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner's Thought Leadership award and was named "One of the 50 most powerful people in Networking" by NetworkWorld Magazine.

Music provided by partnersinrhyme.com.

Tags: Richard Stiennon, Data Security
