
Secured by Galah Cyber

By: Galah Cyber
  • Summary

  • "Secured" is the podcast for software security enthusiasts. Host Cole Cornford sits down with Australia's top software security experts to uncover their unconventional career paths and the challenges they faced along the way. Listen in as they share their insights on the diverse approaches to AppSec, company by company, and how each organisation's security needs are distinct and require personalised solutions. Gain insider access to the masterminds behind some of Australia's most successful software security teams on "Secured by Galah Cyber". This podcast uses the following third-party services for analysis: Chartable - https://chartable.com/privacy
    Copyright 2024 Galah Cyber
Episodes
  • Behind Elttam: Matt Jones Discusses Infosec Innovations and Australia's Cybersecurity Landscape
    Jun 19 2024

    In this episode, Cole Cornford chats with Matt Jones, co-founder of Elttam, an independent security boutique that provides security assessment services. On top of his role at Elttam, Matt is active in the infosec community in a variety of ways, including helping with BSides Canberra's call for papers and writing open-source tooling such as talkback.sh. Cole and Matt chat about the motivation behind founding Elttam, why Australia's infosec industry is lagging behind other parts of the world, the exploit development space, and plenty more.

    Timestamps

    2:00 - Matt's career background

    7:00 - Matt's early challenges finding an opportunity in cybersecurity

    11:00 - Why Matt chose to co-found Elttam

    13:00 - Cole: Australia's infosec industry is immature compared to US

    19:00 - The importance of specialisation

    20:30 - Better to do 1 thing really well when bootstrapping

    24:00 - Using the right approach for the right context

    25:30 - Risks of using a bug bounty program

    31:10 - Cole: the bar for pen testing reports should be much higher

    37:10 - Training & education for infosec

    39:00 - Cole: is infosec a cottage industry?

    44:00 - Product vs service approach to cybersecurity

    47:50 - Cole: I like looking at source code from 80s and 90s

    49:00 - Rapid fire questions



    54 mins
  • Bruce Large discusses the importance of threat modelling in operational technology security
    May 22 2024
    Summary

    In this episode of Secured, host Cole Cornford interviews Bruce Large, a security architect and evangelist at Secolve, the OT security specialists in Australia. They discuss the importance of threat modelling in operational technology systems and the need for engineers to consider the potential for cyber attacks. Bruce also shares insights from the ISA/IEC 62443 series of standards, which provides guidelines for secure system development in OT. Additionally, they touch on the significance of unions in the tech industry and the benefits of joining organisations like Professionals Australia. Tune in for a fascinating conversation on application security and more.

    Timestamps

    1:25 - Bruce's professional background

    2:40 - Defining "engineer" in different contexts

    6:20 - Differences between computer engineers and civil engineers

    8:20 - Threat modeling

    12:40 - How we treat safety in software vs other industries

    18:30 - Bruce: we should be encouraging lifelong learning

    24:00 - ISA/IEC 62443 safety standard

    29:00 - The Year 2038 Problem

    34:20 - Unions & industrial relations

    43:40 - Rapid fire questions



    48 mins
  • Australia's Cybersecurity Evolution: A Veteran's Perspective with Paul McCarty
    May 8 2024

    Summary

    Paul McCarty is CEO and founder of SecureStack, a DevSecOps visibility & automation company, and GitLab's Red Team leader. Paul's been involved in software security in Australia for decades. In his conversation with Cole Cornford, Paul discusses how Australia's software security industry has changed since the early 2000s, whether security professionals ought to know how to code, and plenty more.

    Timestamps

    2:50 - Paul's career background

    7:00 - Spicy take: people on LinkedIn are too blindly positive

    10:00 - Understanding what went wrong when there's a breach

    13:00 - Cole doesn't think "zero trust" is feasible

    14:10 - Cole: maturity of cybersecurity in Aus is weak generally

    16:00 - Cole hires for dev experience, not sec ops, because dev is harder to teach

    18:30 - Aus market different to US, which has lots of software companies

    21:50 - Paul: we've devalued the importance of operations

    22:20 - The "holy trinity" of offensive security

    26:30 - What percentage of ASX companies have a bug bounty program?

    28:50 - Cole's free pizza exploit

    31:00 - Got to be in security for the long haul

    31:40 - The book that changed Paul's life

    Mentioned in this episode:

    Call for Feedback



    35 mins
