2019-045-Part 2-Noid, Dave Dittrich, empowered teams, features vs. security

From BrakeSec Education Podcast

Length:
62 minutes
Released:
Dec 18, 2019
Format:
Podcast episode

Description

Keybase halted the spacedrop the day after part 1 was completed...

Security failures in implementation: "We need to push this to market, we'll patch it later!"

Risk management discussion for project managers (PMP).

CIA Triad: where do 'business goals' fit? Security is at odds with the bottom line.

**Reference Noid's BSides Seattle talk and podcast earlier this year.**

Other companies that have made security mistakes in the name of business:

Practical Pentest Labs storing passwords in the clear: https://twitter.com/mortalhys/status/1202867037120475136 (archived copy: https://web.archive.org/web/20191207132548/https://twitter.com/mortalhys/status/1202867037120475136) and https://twitter.com/piaviation/status/1202994484172218368

T-Mobile Austria partial password issues: https://www.pcmag.com/news/360301/t-mobile-austria-admits-to-storing-passwords-partly-in-clear

No one was championing security, because no one considered the problems with partial disclosure of the passphrase in an account.

Marketing people on your social media accounts do NOT help allay security issues (because they didn't have escalation procedures for vulnerability disclosure).

Insider threats could take over accounts.

Follow-up from last week's show with Bea Hughes:

"I liked the interesting discussion about security and DevOps teams with Bea Hughes in your recent podcast. When you mentioned you are taking your PMP for agile, I'm surprised you did not mention the term "product owner". You were asking who cares about security that you, as a security guy, can talk to. Bea mentioned that it was the "stakeholders", but in the agile process the "product owner" is the team's advocate for the "stakeholders". And you also mentioned "PM", as in project manager. In an agile world, the typical PM role is minimized. Actually, ideally the PM is removed entirely in favor of empowered teams. Empowered teams understand that good products are reliable and secure. (Secure because the security CIA includes "availability" and "integrity", aka reliability.) As Director of DevOps for my 4,000-person-strong consulting company, I'm working with our security team to push responsibility for security to our development teams. Empowering them to take the time and bear the costs of using security tools prior to release and during system operation is what we are working on now, as we roll into 2020."

**If the 'product owner' or 'empowered team' does not consider security a priority/requirement, then who champions security? It only becomes a priority when something bad happens, like a breach.**

"Empowered teams": some people aren't fans: https://hackernoon.com/the-surprising-misery-of-empowered-teams-35c3679cf11e

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.