Cybersecurity shouldn’t be a black box. Security Science aims to demystify cybersecurity with education combined with a dose of entertainment. We will tap a mix of experts to tackle the gamut of security topics - from the (mis)use of AI to deep analysis of specific vulnerabilities - grounding out each episode with measurable outcomes or joking around when there is a lack thereof. New episodes every other Wednesday.
47 min 29 sec
We tackle a hotly contested debate as old as cybersecurity itself: does releasing exploit code do more harm than good?
1 hr 10 min
We interview Collin Boyce, Chief Information Officer for the City of Tucson, Arizona and discuss his process of turning impossible ideas into real projects that achieve meaningful results.
34 min 51 sec
Dive into a quick history of the CVE List as we kick off a quarterly update that tracks the progress of new CVEs issued.
22 min 45 sec
We discuss and add some quantifiable data to a hot-button issue in the cybersecurity industry: responsible disclosure of vulnerabilities and exploits.
34 min 29 sec
Continuing our miniseries into Risk, Measured: we go back to statistics class and discuss some of the characteristics of good metrics to help people understand what you should be looking for when you want to meaningfully quantify cybersecurity phenomena, program performance, or anything really.
45 min 28 sec
Sometimes a number is just a number. Context - the information and environment around the number - is what really matters. We discuss how this concept holds especially true in vulnerability management and risk scoring.
22 min 42 sec
We discuss the general lack of defensive perspectives in cybersecurity media and culture, how that impacts perceptions and decision making, and what we can do about it.
30 min 57 sec
We discuss the application of power law distributions in cybersecurity.
33 min 52 sec
We look at the phenomena of exploit code moving from traditional and cybersecurity-centric databases like Exploit-DB and Metasploit and instead being published on Github. Is Github becoming a de facto database for exploit code?
38 min 34 sec
Kenna Security recently celebrated its 10-year anniversary on Dec. 10th, 2020; so we decided to do what we do best and take a data-based (and rare) review of the top vulnerabilities from the past decade, year-by-year.
52 min 41 sec
We discuss the security and privacy of connected gifts this holiday shopping season.
42 min 15 sec
We welcome a special guest from VMware Carbon Black to discuss the state of cloud infrastructure and security, primarily through the lens of vulnerability management today, tomorrow, and far into the future.
46 min 27 sec
Jerry Gamblin gives us a pre-thanksgiving primer for Amazon AWS re:Invent 2020, which will be held from Nov. 30 - Dec 18th on a computer monitor near you.
25 min 6 sec
We discuss the sixth and latest report in our ongoing dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 6: The Attacker-Defender Divide looks at exploitation events from 2019 to analyze the momentum shifts between cybersecurity hackers and the teams defending organizations from attack.
54 min 28 sec
Will Docker’s download rate limits kill containers as we know them today?
26 min 5 sec
We discuss the fifth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 5: In Search of Assets at Risk.
55 min 51 sec
We discuss the challenges managing risk in 3rd party code from things like Open Source Software libraries.
26 min 47 sec
We discuss the fourth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 4: Measuring What Matters In Remediation.
1 hr 7 min
We discuss the evolution of cybersecurity metrics and reporting to Boards of Directors.
33 min 7 sec
We discuss the third report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 3: Winning the Remediation Race looks at (1) how quickly and (2) how many vulnerabilities a given organization can handle. Answering two key questions: Can organizations remediate all of the new vulnerabilities in their environments? If not, can organizations remediate all of the new High-Risk vulnerabilities in their environments?
43 min 19 sec
Today on Security Science, we have a special around the virtual table with some of the biggest names in cybersecurity discussing a wide range of topics like securing remote workers, whether companies are really moving to the cloud, and the impact of the 2020 presidential election.
52 min 15 sec
We discuss the Exploit Prediction Scoring System (EPSS), the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure.
54 min 29 sec
We discuss the second report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction, Volume 2: Getting Real About Remediation picks up on the overall vulnerability landscape analysis from Volume 1 and dives deep into the vulnerability landscape from within actual enterprise networks (a little over 500 of them to be exact).
58 min 27 sec
How does the spread, detection, and response to viruses like COVID-19 compare with cybersecurity practices today? In the second episode of our Risk, Measured series we talk to special guest, Northeastern University Assistant Professor, Sam Scarpino about how Epidemiology relates to cybersecurity.
49 min 10 sec
We chat about the state of everyone’s favorite buzz technology: Threat Intelligence with our favorite internet fingerprinter, Kenna’s head of research, Jcran. Joining us is a special guest, longtime pentester, infamous internet listener, and founder of GreyNoise Intelligence, Andrew Morris.
36 min 31 sec
We discuss the infamous cybersecurity gathering that gets canceled year-after-year, DEF CON. Guiding us along this journey to nowhere is everyone’s favorite security guru and serial DEF CON non-presenter, Jerry Gamblin.
19 min 16 sec
Both the bane and salvation of security teams, and the start of a month-long fix cycle for IT teams, Microsoft's Patch Tuesday is a consistent reminder that nothing keeps us more secure than good old fashioned cyber-hygiene. Kenna Security's Head of Research, Jcran walks us through his Patch Tuesday ritual and gives us some tools, tips, and tricks along the way.
25 min 25 sec
Picking up where we left off on the history of vulnerability management, Ed Bellis walks us through the history of risk-based vulnerability management (RBVM) to current times and the near future.
53 min 48 sec
Year after year we read about millions of unfilled cybersecurity jobs as incidents increase and Twitter experiences one of the most public cyber meltdowns in history. We talk with data scientist extraordinaire, Michael Roytman about whether Machine Learning can fill the cybersecurity skills gap.
36 min 54 sec
The first in a multi-part dive into the Prioritization to Prediction (P2P) research series by Kenna Security and The Cyentia Institute - guests Ed Bellis and Wade Baker discuss P2P Volume 1 which quantifies the performance of vulnerability prioritization and remediation strategies for the very first time.
49 min 27 sec
Want more detail than Shodan queries? Need to figure out which devices have that new critical vuln and are exposed to the internet? Creator of Intrigue.io, Jcran discusses his creation and touches on the topics of digital fingerprinting and discovery tools.
16 min 35 sec
The first episode in a Security Science mini-series called Risk, Measured - Kenna's Chief Data Scientist, Michael Roytman discusses the theory and components used to measure risk. Touching on the definitions, current and future data sources, responsibilities of security teams, characteristics of bad models, and much more, this is a definite must listen for anyone interested in measuring cyber risk.
28 min 51 sec
2020's global Covid-19 pandemic has yet again thrust the concept of Zero Trust architectures into the security mainstream. Researcher, Builder, Hacker, Traveler, and Kenna's head of Security and Compliance, Jerry Gamblin discusses Zero Trust and the realities of the work required to truly adopt the architecture, probably bursting a few bubbles along the way.
26 min 25 sec
In the very first episode of Security Science the Father of Risk-Based Vulnerability Management, Ed Bellis walks us through the history of Vulnerability Management. From the dark times before the CVE list and open-source scanners to the capabilities of today's best performing vulnerability management programs.
42 min 23 sec