OwlTail

Josh Corman Podcasts

11 of The Best Podcast Episodes for Josh Corman. A collection of podcast episodes with or about Josh Corman, often where he is interviewed.

Episode 4: Stress and Burnout in Infosec (with Josh Corman, Stacy Thayer, and Martin McKeay)

It has been 8 years since the initial research was performed by Jack Daniel, Josh Corman, Dr. Stacy Thayer, Martin McKeay, Gal Shpantzer, and K.C. Yerrid. For the most part, the industry is coming to grips with the fact that burnout and stress are running rampant in our industry. How much has changed in the 8 years? What do we know now that we did not know then?

Aug 24 2020 · 48mins
Regulations, PCI, and IoT Safety - Part 2 - Josh Corman - SCW #30

Jeff loves PCI DSS. Josh has been a fierce critic of it... and... Josh has been working with public policy... We'll dig into the nuances and offer better ways to tell good from bad policy incentives.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/SCWEpisode30

Jun 04 2020 · 43mins

Regulations, PCI, and IoT Safety - Part 1 - Josh Corman - SCW #30

Jeff loves PCI DSS. Josh has been a fierce critic of it... and... Josh has been working with public policy... We'll dig into the nuances and offer better ways to tell good from bad policy incentives.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://wiki.securityweekly.com/SCWEpisode30

Jun 03 2020 · 43mins
Advocating for Tech Literacy and Transparency: A Discussion with I Am The Cavalry’s Josh Corman and Audra Hatch

On this week’s episode of Security Nation, Josh Corman and Audra Hatch of I Am The Cavalry share insights into the software bill of materials (SBoM) and software transparency. Stick around for our Rapid Rundown, where Tod breaks down the latest iPhone bug that wasn’t and Sophos bug that was.
May 01 2020 · 38mins

Josh Corman - Safety Professional | Blue Collar CFO | Ep. 05

Today on Episode 5 of Blue Collar CFO, we welcome our first guest! Cypress Safety Professional CEO, Josh Corman.

Blue Collar CFO is a weekly small business podcast hosted by Jason DeRosier and Spencer Bunting. The duo covers many topics including finance, investing, and entrepreneurship.

#SmallBusiness #BusinessFinancing #BlueCollarCFO

Mar 26 2020 · 55mins
#058 – Josh Corman: The Absence of Good

Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Josh previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research, analyst, & strategy roles. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure.

Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an adjunct faculty member for Carnegie Mellon’s Heinz College and on the Congressional Task Force for Healthcare Industry Cybersecurity.

In this episode we discuss his start in information security, being a super hero, the start of I am The Cavalry, cyber security and public safety, government vs. hackers, IoT security, looking for non-traditional cyber skills, and so much more.

Where you can find Josh:

Sep 10 2018 · 42mins
Combating Cyberterrorism and Cybercrime in the 21st Century | Josh Corman

In Episode 8 of Hidden Forces, host Demetri Kofinas speaks with cybersecurity expert and cyber safety advocate, Josh Corman. Josh is the founder of I am The Cavalry, an advocacy group actively engaged in addressing some of the most pressing issues of public safety and threats to human life on the Internet today. He is also the Director of the Cyber Statecraft Initiative at the Atlantic Council. Josh Corman is part of the 2016 Cybersecurity Task Force commissioned by the United States Congress to address the growing risk to our hospitals, medical infrastructure, and connected devices, from cyber-attacks.

Gone are the quaint, innocent days of the early Internet, with its pesky Trojans, macro viruses, RATs, Slammer worms, and Blaster worms. Today’s cybersecurity landscape features a wide assortment of easily accessible and robust attack tools that exploit software bugs like Shellshock and Heartbleed. This is a cybersecurity landscape littered with DDoS and PDoS attacks like the Mirai botnet and the recently released BrickerBot. The use of ransomware tools like CryptoLocker and SamSam has become a billion-dollar criminal industry. Cybercrime is estimated to cost the global economy hundreds of billions to trillions of dollars a year. Yet we accept the losses as the simple cost of doing business. But what about when the cost of these crimes escalates from dollars and cents to flesh and blood? What are the risks to our industrial control systems? What about our aviation and emergency response infrastructure? What are the vulnerabilities in our connected devices, cars, and hospitals? The threats posed by cyber criminals, terrorists, and hackers are no longer fringe concerns. They strike at the heart of our increasingly interconnected, exposed, and vulnerable society. In this episode, we explore what to do about them.

Producer & Host: Demetri Kofinas

Editor & Engineer: Stylianos Nicolaou

Join the conversation on Facebook, Instagram, and Twitter at @hiddenforcespod

Apr 17 2017 · 1hr 46mins
Josh Corman on the challenges of securing safety-critical health care systems

The O’Reilly Security Podcast: Where bits and bytes meet flesh, misaligned incentives, and hacking the security industry itself.

In this episode, I talk with Josh Corman, co-founder of I Am the Cavalry and director of the Cyber Statecraft Initiative for the non-profit organization Atlantic Council. We discuss his recent work advising the White House and Congress on the many issues lurking in safety-critical systems in the health care industry, the misaligned incentives across health care, regulatory bodies and the software industry, and the recent incident between MedSec and St. Jude regarding their medical devices.

Here are some highlights:

Where bits and bytes meet flesh

I asked Josh to comment on his advisory role with the White House for the Presidential Commission on Enhancing Cybersecurity:

Previous testimony from JPMorgan Chase said that they had over 2,000 full-time security people and they spend over $600 million a year securing things and they still get breached pretty routinely. About 100 of the Fortune 100 companies had had a material loss of intellectual property or trade secrets in the last couple years. If you take a step back strategically, one could argue that on a long enough time line our failure rate is 100%. If we can't secure big banks with $600 million and 2,000 people, how do you secure a hospital with zero security staff and almost no security budget?

In many cases, we know what to secure, or even how to secure it, but we lack the incentives to do so—some of the commissioners are surprised by this, but it's encouraging. They're looking at really controversial ideas like software liability. One of the reasons we have such terrible software is there's really no penalty for building and shipping terrible software. It's controversial because if you introduce something like software liability in a casual or cavalier way, you could destroy the entire software industry.

Down the rabbit hole of legacy health care systems

When asked about his work on the HHS Cybersecurity Task Force for Congress, Josh laid bare the stark realities of health care security in a world of interconnected devices and legacy technology and systems:

There's this thing called “meaningful use” in hospital environments. Reimbursement for medical investment was tied to meaningful use. [The health care industry] was encouraged to move rapidly from paper records to electronic records, and so they essentially took a whole bunch of medical devices that were never threat modeled, designed, architected, and implemented to be connected to anything and then forced them to be connected to everything. What that means is that even if a hospital has that 2,000 person security staff that is used to securing a bank or JPMorgan Chase, they can't achieve the same level of network security possible in a banking environment because of the unintended consequences of meaningful use. We're chasing rabbits down the rabbit hole and it goes a lot further than I think anybody has realized. There are some seemingly intractable problems in this long tail of Windows XP and legacy, outdated, unsupported operating systems being the overwhelming majority of the equipment in these hospitals, and they have scant security talent and budget and resources to even operate the old stuff. It's pretty ugly.

Misaligned incentives

In my testimony to the White House, I said that for some of these things, we know what the fix is. We actually know how to completely eliminate SQL injection. We know how, but we don't do it. I think in many cases we have technical solutions; we lack the incentives and the political will. And when you think about someone who has the means, motive, and opportunity to hurt the public through this irrational dependence on connected technology and safety critical spaces like hospitals, I don't think we have to make perfect things. I think what we have to do is drain the low hanging fruit and the hygiene issues, because if you can raise the bar high enough, we get rid of the high intent, low capability adversaries.

You're never going to stop Russia or China from being good enough, but at least they're rational and we have norms and treaties and mutually assured destruction and economic sanctions and whatnot. I'm more concerned about the people that lie outside the control or the reach of deterrence. What we want to do is get to that 80/20 rule or the balance point where the really reasonable stuff, like no known vulnerabilities and making your goods patchable, at least equips us to shield ourselves against the whims and will of these more extreme adversaries. We don't have to boil the ocean, just raise the tide line enough.

MedSec/St. Jude refocusing on the impact on patients

Building on our conversation about health care security, I asked Josh about the recent debacle with MedSec, Muddy Waters, and St. Jude:

Regardless of the veracity of the findings (because the veracity of the findings is in dispute), or whether you think it's moral to make money off of these things, or whether you think it's legal or should be legal to short safety-critical industries, if we can separate those three aspects we’ll see that there's been discussion about who's to blame here but stunningly little discussion about the effect on patients and on safety. I think it's hard to argue that the safest thing for the customers is to tell every adversary on the planet [about the vulnerability] before the patients or the doctors who care for those patients or the regulator who regulates the care for those patients has had a chance to get ground triage, form a plan, communicate the plan, and manage expectations so that a thoughtful, unemotional response can be done when the information comes to light. My belief is that the safest outcome will factor all relevant stakeholders, and I have seen almost no press that even factors for the impact on patients.

Hacking the health care security industry

We had a 20-year stalemate with the industries that we bring these disclosure issues to. Let's try not to be a pointing finger at past failures but a helping hand at future success. I have no interest in finding and fixing one device, one bug in one device for one manufacturer. We need to hack the industry and hack the incentives. We need to fix the whole problem. We're seeing the tide turn from a very real risk that white hats would be completely criminalized, to a massive embrace that it's not just a pointing finger at past failure and a researcher of the threat but rather that the researcher is a vitally necessary teammate. In fact the FDA, in their post-market guidance, is strongly advocating for high trust, high collaboration with white hats. In the context of all this sea change, from seeing us as enemies to vitally necessary teammates that help make their customers safer, our stories and advice scare the legal teams and the shareholders and might make researchers once again look like a threat.

Related resources:

Sep 28 2016 · 49mins
Security Weekly #479 - Josh Corman, Cyber Statecraft Initiative

Joshua Corman is Director of the Cyber Statecraft Initiative for the Atlantic Council. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to increasing dependence on technology.

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/Episode479#Interview:_Joshua_Corman.2C_Cyber_Statecraft_Initiative-_6:00PM-6:30PM

Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg

Security Weekly Website: http://securityweekly.com

Follow us on Twitter: @securityweekly

Sep 02 2016 · 1hr 10mins