Episode 81 with Diana Kelly

Diana Kelly

In episode 81 of the We Hack Purple Podcast host Tanya Janca spoke to Diana Kelly, Chief Information Security Officer (CISO) at Protect AI. Diana and Tanya worked together at Microsoft, and to say that Diana is a pillar of the information security industry is somewhat of an understatement. Together they discussed problems with Large Language Models (LLMs) ingesting crappy code, and bad licenses, the OSSF (and it’s goodness), and that sometimes people don’t even realize they are breaking software licences when they use what an LLM has produced.

We discussed the fact that if a CVE comes out for a library an LLM gave you, but it didn’t identify it with the correct name of the library, you wouldn’t receive notifications about it. She clarified how ML pipelines are set up, how data scientists work, with insecure juniper laptops all over the place (perhaps a generalization on my part). We discussed how data science seems to be a topic a lot of CISOs are pretending aren’t in their domain to protect, but both of us agreed that is not so. They have some of the most valuable data your organization can possess.

We also covered best practices for securing MLSec, the OWASP Top Ten for LLMs, and the new free community her company has started MLSECOPS. She also released an update version of her book, Practical Cyber Security Architecture!

.

Diana Links:

.

Bio: Diana Kelley is the Chief Information Security Officer (CISO) for Protect AI. She also serves on the boards of Cyber Future Foundation, WiCyS, and The Executive Women’s Forum (EWF). Diana was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.

Her extensive volunteer work has included serving on the ACM Ethics & Plagiarism Committee, Cybersecurity Committee Advisor at CompTIA, CTO and Board Member at Sightline Security, Advisory Board Chair at WOPLLI Technologies, Advisory Council member Bartlett College of Science and Mathematics, Bridgewater State University, and RSAC US Program Committee.

She is a sought-after keynote speaker, the host of BrightTALK’s The (Security) Balancing Act, co-author of the books Practical Cybersecurity Architecture and Cryptographic Libraries for Developers, has been a lecturer at Boston College’s Masters program in cybersecurity, the EWF 2020 Executive of the Year and EWF Conference Chair 2021-2023, an SCMedia Power Player, and one of Cybersecurity Ventures 100 Fascinating Females Fighting Cybercrime.

.

Very special thanks to our sponsor!

Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.

Get Your Free Trial Here! 

Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Check out Semgrep Code HERE

.

 Join We Hack Purple!

Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community,  A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter  for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

Shownotes 14/09/2023 12:00 am