
What a Former Hacker Brings to Her Canonical CISO Role


How can enterprises stay ahead of security vulnerabilities?

In this InTechnology video, Camille talks with Stephanie Domas, CISO at Canonical. They get into ethical hacking and software reverse-engineering, transitioning security perspectives and managing teams, and Stephanie’s insights on new technologies from her perspective as a CISO.

Read Stephanie’s book x86 Software Reverse-Engineering, Cracking, and Counter-Measures here.

Ethical Hacking and Software Reverse-Engineering

Stephanie kicks off with the subject of the book she wrote with her husband, x86 Software Reverse-Engineering, Cracking, and Counter-Measures. Its aim is to give readers who are curious about security and software a working understanding of how software and computers operate, and then to show how that understanding applies to reverse-engineering real programs: turning theory about how software runs into hands-on practice. Much of that insight comes from Stephanie's own career as an ethical hacker. She describes the essence of ethical hacking to Camille: finding security flaws before malicious actors do. That means working only on systems one is authorized to test, typically in a controlled environment such as a lab, and collaborating with the manufacturer or other responsible party to patch the vulnerabilities found before they are leveraged in real attacks. As evidence that this works, Stephanie points to the size of the National Vulnerability Database (NVD) relative to CISA's Known Exploited Vulnerabilities (KEV) catalog: far more vulnerabilities are discovered and disclosed than are ever observed being exploited in the wild.

Transitioning Security Perspectives and Managing Teams

Stephanie explains that as organizations grow, their approach to security has to change with them. She introduces "shift left": moving security earlier in the development lifecycle so that fewer problems have to be handled reactively after release. Many companies start with a reactive posture, but she argues that managing vulnerabilities sustainably at scale requires a transition to proactive practices. Because proactive controls can disrupt the customer and developer experience, she advises starting with the lowest-impact measures while accepting that some disruption is unavoidable. The payoff is that customers get the information they need to make informed security decisions, and development teams are pushed to understand how users actually interact with their products.

When managing teams of security researchers or ethical hackers, Stephanie emphasizes giving their curiosity room to run. Put the necessary guardrails in place, she suggests, but avoid heavy metric-driven constraints; researchers whose curiosity is nurtured produce more innovative results.

CISO Insights on AI, Confidential Computing, and Open Source

When Camille asks about new technologies and their impact on security, Stephanie discusses the role of AI, noting the arrival of AI security regulations that guide developers toward building secure software, and the integration of AI into security tooling such as detection and threat-monitoring engines and compliance tools. She praises confidential computing, which keeps data encrypted and isolated while it is in use, backed by hardware (trusted execution environments). On open source, she recounts how it was perceived as insecure decades ago and has since become a staple of enterprise-ready solutions. Even so, she stresses the continuing need for better security documentation and hardening guidelines, which remain scarce across current software offerings.

Stephanie Domas, CISO at Canonical


Stephanie Domas and her spouse Christopher Domas are co-authors of x86 Software Reverse-Engineering, Cracking, and Counter-Measures. Since 2023, Stephanie has served as Chief Information Security Officer at Canonical, steering the company towards becoming a premier, trusted partner in the open-source community. Her previous roles include Chief Security Technology Strategist and Senior Director of Security Technology at Intel, Executive Vice President and CTO at MedSec, and Founder and Business Line Manager of DeviceSecure Services at Battelle. She currently sits on the Technical Advisory Board for MedSec, serves as a USA Review Board Member for Black Hat, and is an Official Member of the Forbes Technology Council. Stephanie earned her degree in electrical and computer engineering, with a specialization in microprocessors, from The Ohio State University.


Check it out. For more information, previous podcasts, and full versions, visit our homepage.

To read more about cybersecurity topics, visit our blog.

#ethicalhacking #opensource #canonical

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

—–

If you are interested in emerging threats, new technologies, or best tips and practices in cybersecurity, please follow the InTechnology podcast on your favorite podcast platforms: Apple Podcast and Spotify.

Follow our host Camille @morhardt.

Learn more about Intel Cybersecurity and Intel Compute Lifecycle Assurance (CLA).