
Security Weekly Podcast Network (Audio)
1,071 episodes — Page 10 of 22
AIs in Love, UEFI, Fortinet, Godaddy, Juggalos, Aaran Leyland, and More. - SWN #443
AIs in Love, UEFI, Fortinet, Godaddy, Juggalos, Aaran Leyland, and More. In this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-443
Stopping The Bad Things - Rob Allen - PSW #857
Rob from ThreatLocker comes on the show to talk about how we can disrupt attacker techniques, including Zero Trust, privilege escalation, LOLbins, and evil virtualization. In the news we talk about security appliances and vulnerabilities, rsync vulnerabilities, Shmoocon, hacking devices, and more! This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-857
Boards Stepping Up, as CISOs Build Stronger Bonds with Legal and Safeguard Leadership - BSW #378
In the leadership and communications segment, New Year, New Cyber Threats: How Boards Are Stepping Up (or Not), Why CISOs should build stronger bonds with the legal function in 2025, New Managers: You Don’t Need to Know It All, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-378
Smishing, Beyond Trust, CryptoReligion, Aviatrix, Azure, Josh Marpet, and more... - SWN #442
Smishing, Beyond Trust, CryptoReligion, Aviatrix, Azure, Little Red Books, AI Abuse, Josh Marpet, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-442
Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313
There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog. Segment resources: https://github.com/ossf/scorecard https://www.commonhaus.org/ https://www.hackergarten.net/ Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-313
How threat-informed defense benefits each security team member - Frank Duff, Nathan Sportsman - ESW #389
We're thrilled to have Frank Duff on to discuss threat-informed defense. As one of the MITRE folks that helped create MITRE ATT&CK and ATT&CK evaluations, Frank has been working on how best to define and communicate attack language for many years now. The company he founded, Tidal Cyber is in a unique position to both leverage what MITRE has built with ATT&CK and help enterprises operationalize it. Segment Resources: Tidal Cyber website Tidal Cyber Community Edition We're a fan of hacker lore and history here at Security Weekly. In fact, Paul's Security Weekly has interviewed some of the most notable (and notorious) personalities from both the business side of the industry and the hacker community. We're very excited to share this new effort to document hacker history through in-person interviews. The series is called "Where Warlocks Stay Up Late", and is the creation of Nathan Sportsman and other folks at Praetorian. The timing is crucial, as a lot of the original hackers and tech innovators are getting older, and we've already lost a few. References: Check out the Where the Warlocks Stay Up Late website and subscribe to get notified of each episode as it is released Check out the anthropological hacker map and relive your misspent youth! In this latest Enterprise Security Weekly episode, we explored some significant cybersecurity developments, starting with Veracode’s acquisition of Phylum, a company specializing in detecting malicious code in open-source libraries. The acquisition sparked speculation that it might be more about Veracode staying relevant in a rapidly evolving market rather than a strategic growth move, especially given the rising influence of AI-driven code analysis tools. We also covered One Password's acquisition of a UK-based shadow IT detection firm, raising interesting questions about their expansion into access management. Notably, the deal involved celebrity investors like Matthew McConaughey and Ashton Kutcher, suggesting a trend where Hollywood influence intersects with cybersecurity branding. A major highlight was the Cyber Haven breach, where a compromised Chrome extension update led to stolen credentials. The attack was executed through a phishing campaign disguised as a Google policy violation warning. To their credit, Cyber Haven responded swiftly, pulling the extension within two hours and maintaining transparency throughout. This incident underscored broader concerns around the poor security of browser extensions, an issue that continues to be exploited due to lax marketplace oversight. We also reflected on Corey Doctorow's concept of "Enshittification," critiquing platforms that prioritize profit and engagement metrics over genuine user experiences. His decision to disable vanity metrics resonated, especially considering how often engagement numbers are inflated in corporate settings. The episode wrapped with a thoughtful discussion on how CISOs can say "no" more effectively, emphasizing "yes, but" strategies and the importance of consistency. We also debated the usability frustrations of "magic links" for authentication, arguing that simpler alternatives like passkeys or multi-factor codes could offer a better balance between security and convenience. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-389
Robot Dogs, Ivanti, SonicWall, Banshee, Telegram, Motorola, Aaran Leyland, and more. - SWN #441
Bad Cameras, Robot Dogs, Ivanti, SonicWall, Banshee, Telegram, Motorola, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-441
Threat Actors With A Thousand Names - PSW #856
DNA sequencer vulnerabilities, threat actor naming conventions, new CNAs and problems, backdoors are not secrets (again), The RP2350 is hacked!, they know where your car is, treasury department hacked, what if someone hacked license plate cameras? Tenable CEO passes away, and very awkwardly, a Nessus plugin update causes problems, who needs fact-checking anyhow (And how people steal stuff and put it on Facebook), when you are breached, make sure you tell the victims how to be more secure, Salt Typhoon - still no real details other than more people were hacked and they are using the word sanctions a lot, Bitlocker bypassed again, Siri recorded you, and Apple pays, and yes, you can't print on Tuesdays! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-856

Organizations Must Adapt To Safeguard Data In Evolving Environments - Lamont Orange - BSW #377
Data is the fastest growing enterprise attack surface, and is projected to surpass 181 Zettabytes in 2025. Couple data growth with the growing demands of Artificial Intelligence, and the attack surface expands even more. How should organizations adapt their security programs to safeguard their data? Lamont Orange, Chief Information Security Officer at Cyera, joins Business Security Weekly to help you solve your biggest data security challenges. By starting with inventory and classification, data access review can help you answer your biggest data security questions, including: what data you have, where it's stored, who, or what, can access it, and which data risks exist. In the leadership and communications segment, The Business of Cybersecurity: The CISO’s Role in Alignment and Pervasive Governance, CISO Priorities for 2025: Budget Wisely, How Do I Position Myself to Influence Senior Leadership?, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-377
Ättestupa, Moxa, Typhoons, WordPress, Likert Scales, Algol, Josh Marpet, and more... - SWN #440
Ättestupa, Moxa, Typhoons, WordPress, Likert Scales, Algol, Josh Marpet, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-440
DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams - Greg Anderson - ASW #312
All appsec teams need quality tools and all developers benefit from appsec guidance that's focused on meaningful results. Greg Anderson shares his experience in bringing the OWASP DefectDojo project to life and maintaining its value for over a decade. He reminds us that there are tons of appsec teams with low budgets and few members that need tools to help them bring useful insights to developers. Segment Resources: https://owasp.org/www-project-defectdojo/ Three-quarters of CISOs surveyed reported being "overwhelmed" by the growing number of tools and their alerts: https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches As many as one-fifth of all cybersecurity alerts turn out to be false positives. Among 800 IT professionals surveyed, just under half of them stated that approximately 40% of the alerts they receive are false positives: https://www.securitymagazine.com/articles/97260-one-fifth-of-cybersecurity-alerts-are-false-positives 91% of organizations knowingly released vulnerable applications, 57% of vulnerabilities are left unresolved by developers, 32% of CISOs deploy vulnerable code in the hopes it won’t be discovered, 56% of developers struggle to prioritize vulnerability fixes: https://info.checkmarx.com/future-of-application-security-2024 Curl removes a Rust backend, double clickjacking revives an old vuln, a new tool for working with HTTP/3, a brief reminder to verify JWT signatures, design lessons from recursion, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-312

Endpoint Security - Rob Allen - SWN Vault
Rob Allen and Doug talk about Endpoint security and how important it is to secure your endpoints going into the new year. Show Notes: https://securityweekly.com/vault-swn-26

The Future in the Age of AI - SWN Vault
Our old friend Russ Beauchemin and Doug talk about the future of AI and what it may mean when AI is smarter than us all. Show Notes: https://securityweekly.com/vault-swn-25

Say Easy, Do Hard, Minimum Viable Security - Part 2 - Jon Fredrickson - BSW Vault
Check out this episode from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on January 3, 2023. With the current macro economic head winds, 2023 budgets are either frozen or are flat. Where should CISOs focus these limited budgets to maximize the most out of their security program? In this segment, we invite Jon Fredrickson, Chief Risk Officer at Blue Cross Blue Shield of Rhode Island, to debate what should be in your minimum viable security program. This segment is part 2 and focuses on the minimum viable security vendors for our top 6 capabilities: Asset Management Patch Management IAM/MFA/PIM/PAM EDR/MDR/XDR Backup/Recovery Risk Management Show Notes: https://securityweekly.com/vault-bsw-16

The Impact of Tariffs - SWN Vault
Josh Marpet and Doug talk about how Tariffs work and how you maybe should get ready for higher prices to replace equipment in the coming years if new rounds of tariffs are imposed on foreign goods and components. Show Notes: https://securityweekly.com/vault-swn-24

Hacker Heroes - Haroon Meer - PSW Vault
Unraveling Cybersecurity Complexity: A Conversation with Haroon Meer Haroon Meer, an influential figure in the world of cybersecurity, takes center stage in this podcast interview. With a deep reservoir of knowledge and a track record of tackling complex security challenges, Haroon has established himself as a key player in the InfoSec domain. As the founder of Thinkst Applied Research, Haroon brings a wealth of practical experience to the table. Join us as we explore his professional journey, from early forays into cybersecurity to pioneering innovations that have reshaped how organizations approach security. Haroon Meer's insights go beyond the theoretical, offering a pragmatic understanding of cybersecurity issues and solutions. Dive into the intricacies of threat landscapes, security architectures, and the evolving dynamics of cyber threats as Haroon shares his perspectives on the current state of cybersecurity. With a focus on practicality and a knack for simplifying complex concepts, Haroon Meer's interview is a must-listen for anyone interested in the nuances of cybersecurity. Gain a deeper understanding of the challenges faced by security professionals and uncover valuable takeaways that can enhance your approach to securing digital environments. Join us as we explore the mind of a cybersecurity luminary, unraveling the layers of InfoSec intricacies with Haroon Meer in this enlightening podcast episode. Show Notes: https://securityweekly.com/vault-psw-14

Compliance & Privacy - SWN Vault
Josh Marpet and Doug talk about Compliance and Privacy for about 30 minutes but it could have been a lot more. Show Notes: https://securityweekly.com/vault-swn-23

Say Easy, Do Hard, Minimum Viable Security - Part 1 - Jon Fredrickson - BSW Vault
Check out this episode from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on January 3, 2023. With the current macro economic head winds, 2023 budgets are either frozen or are flat. Where should CISOs focus these limited budgets to maximize the most out of their security program? In this segment, we invite Jon Fredrickson, Chief Risk Officer at Blue Cross Blue Shield of Rhode Island, to debate what should be in your minimum viable security program. This segment is part 1 of 2 parts and focuses on the minimum viable security capabilities. Show Notes: https://securityweekly.com/vault-bsw-15
Dysentery, TP-Link, Piracy, Calendar Scams, Tencent, TikTok, Aaran Leyland and More.. - SWN #439
Dysentery, TP-Link, Piracy, Calendar Scams, Tencent, TikTok, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-439
D3FEND 1.0: A Milestone in Cyber Ontology - Peter Kaloroumakis - ESW #388
Since D3FEND was founded to fill a gap created by the MITRE ATT&CK Matrix, it has come a long way. We discuss the details of the 1.0 release of D3FEND with Peter in this episode, along with some of the new tools they've built to go along with this milestone. To use MITRE's own words to describe the gap this project fills: "it is necessary that practitioners know not only what threats a capability claims to address, but specifically how those threats are addressed from an engineering perspective, and under what circumstances the solution would work" Segment Resources: https://d3fend.mitre.org In the enterprise security news, a final few fundings before the year closes out Arctic Wolf buys Cylance from Blackberry for cheap, a sentence that feels very weird to say the quiet HTTPS revolution passkeys are REALLY catching on resilience keeps showing up in the titles of news items Apple Intelligence insults the BBC’s intelligence MITRE ATT&CK evals drama Lastpass breach drama continues All that and more, on this episode of Enterprise Security Weekly As we wrap up the year, we have an honest discussion about how important security really is to the business. We discuss some of Katie's predictions for AppSec in 2025, as well as "what sucks" in security! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-388
When Public Payphones Become Smart Phones - Inbar Raz - PSW #855
If you've ever wondered how attackers could go after payphones that are "smart" we got you covered! Inbar has done some amazing research and is here to tell us all about it! Segment Resources: https://www.retro.unarmedsecurity.net/post/%D7%9E%D7%A1%D7%AA%D7%91%D7%A8-%D7%A9%D7%92%D7%9D-%D7%98%D7%9C%D7%A4%D7%95%D7%9F-%D7%A6%D7%99%D7%91%D7%95%D7%A8%D7%99-%D7%94%D7%95%D7%90-%D7%98%D7%9C%D7%A4%D7%95%D7%9F-%D7%97%D7%9B%D7%9D XSS is the number one threat?, fix your bugs faster, hacking VoIP systems, AI and how it may help fuzzing, hacker gift guides, new DMA attacks, hacking InTune, Rhode Island gets hacked, OpenWrt supply chain issues, we are being spied on, Germans take down botnet, Bill and Larry are speaking at Shmoocon!, and TP-Link bans. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-855
NAC is Back - How Network Access Control Can Protect Your Remote Devices and Data - Rob Allen - BSW #376
The local network is no more. Neither is the corporate firewall. Users are not only working from the office but also remotely, meaning the network we utilize has quickly become the internet, leaving devices and data vulnerable to cyber threats. But how do we monitor this new, expanded network? Rob Allen, Chief Product Officer at ThreatLocker, joins Business Security Weekly to discuss how the dissolution of the business perimeter makes network access controls essential to protect your devices and, by extension, your data. Network Access Control helps protect business assets whether employees are in the office or remote. ThreatLocker Network Control provides a direct connection between the client and server, as opposed to a VPN that goes through a central point. This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! In the leadership and communications segment, CISOs need to consider the personal risks associated with their role, CISOs: Don’t rely solely on technical defences in 2025, The Questions Leaders Need to Be Asking Themselve, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-376
Vogons, Task Scams, HiatusRat, Cellebrite, Deloitte, Quantum, Aaran Leyland, and More - SWN #438
Vogons, Task Scams, HiatusRat, Cellebrite, Deloitte, Quantum, WordPress, Aaran Leyland, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-438
Applying Usability and Transparency to Security - Hannah Sutor - ASW #311
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures. Segment resources https://youtu.be/ydg95R2QKwM Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! 00:00 Welcome to Application Security Weekly! 01:49 Meet the Experts 03:28 What Are Non-Human Identities? 06:17 Balancing Security & Usability 08:24 MFA Challenges & Admin Security 12:09 Navigating Breaking Changes 16:05 Security by Design in Action 18:42 Identity Management for Startups 20:18 Secure by Design: Real Impact 24:03 Transparency After a Critical Vulnerability 31:39 Looking Ahead to 2025 32:45 Application Security in Three Words 34:10 - Intro & Cyber Resilience Insights 35:30 - The 25-Year-Old Curl Bug Story 38:27 - Fuzzing for Security: A Missed Opportunity? 42:56 - AWS re:Invent Security Highlights 46:04 - NPM Malware Surge 50:43 - Small Packages, Big Risks in NPM 54:05 - Open Source Security Trends 58:37 - Microsoft MFA Vulnerability Explained 62:38 - Hardware Hacking & DMA Exploits 65:05 - Auditing Ruby’s Package Ecosystem 68:12 - Looking Ahead to 2025 Show Notes: https://securityweekly.com/asw-311

Nudity, Krispy Kreme, Cleo, AIAPIs, NHI, North Korea, Jersey Drones, Josh Marpet - SWN #437
Nudity, Krispy Kreme, Cleo, AIAPIs, non-human identities, North Korea, Jersey Drones, Josh Marpet, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-437

The 2024 Cybersecurity Market Review - Mike Privette, Rew Islam - ESW #387
For our second year now, Mike Privette, from Return on Security and the Security, Funded newsletter joins us to discuss the year's highlights and what's to come in the next 12 months. In some ways, it has been a return to form for funding, though some casualties of a tough market likely had to seek acquisition when they might have otherwise raised another round and stayed independent a while longer. We'll cover some stats, talk 2025 IPO market, and discuss the likelihood of (already) being in another bubble, particularly with regards to the already saturated AI security market. It won't be all financial trends though, we'll discuss some of the technical market trends, whether they're finding market fit, and how ~50ish AI SOC startups could possibly survive in such a crowded space. In this segment, we discuss two new FIDO Alliance standards focused on credential portability. Specifically, if passwordless is going to catch on, we need to minimize friction and maximize usability. In practice, this means that passkeys must be portable! Rew Islam of Dashlane joins us to discuss the new standards and how they'll help us enter a new age of secure authentication, both for consumers and the enterprise. Segment Resources: Elevating Passwordless Security With AWS Nitro Synced Passkeys Will Be Portable FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys This week, in the enterprise security news, NOTE: We didn't get to 2, 3, 5, or 7 due to some technical difficulties and time constraints, but we'll hit them next week! The show notes have been updated to reflect what we actually discussed this week: https://www.scworld.com/podcast-segment/13370-enterprise-security-weekly-387 Snowflake takes security more seriously Microsoft takes security more seriously US Government takes telecom security more seriously Cleo Capital takes security more seriously EU’s DORA takes effect soon Is phishing and security awareness training worthless? CISOs need financial literacy Supply chain firewall is basic but useful All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-387

Navigating Regulations in Supply Chain Security - Eric Greenwald - PSW #854
Join us for this segment as we discuss government regulations and certifications as they apply to supply chain security and vulnerability management, and how understanding the mumbo jumbo can enable organizations to improve their cyber security. In the security news, the crew, (minus Paul) get to gather to discus hacks causing disruptions, in healthcare, donuts and vodka, router and OpenWRT hacks (and the two are not related), Salt/Volt Typhoon means no more texting and 10 year old vulnerabilities and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-854

Okta Secure Sign-In Trends Report Shows Companies are Getting Smarter about MFA - Chris Niggel - BSW #375
For over 15 years, Okta has led the charge in securing digital identities through more sophisticated sign-in solutions. Our latest 2024 Secure Sign-In Trends Report offers insights into the rapidly evolving world of identity security, specifically on how organizations across industries are embracing modern, phishing-resistant methods like Multi-Factor Authentication (MFA) and passwordless sign-ins. In this year's report, we explore: - The surge in MFA adoption across industries, and what it means for the future of secure authentication. - Phishing-resistant authentication methods gaining traction, signaling that the passwordless future is possible. - Why a seamless user experience and strong security are no longer in opposition. - How industries compare in their adoption of modern authentication, and who's setting the pace. Segment Resources: Secure Sign-In Trends Full Report: https://www.okta.com/resources/whitepaper-the-secure-sign-in-trends-report/ Todd McKinnon Blog on the Secure Sign-In Trends Report: https://www.okta.com/blog/2024/10/phishing-resistant-mfa-shows-great-momentum/ This segment is sponsored by Okta. Visit https://www.securityweekly.com/okta to learn more about them! In the leadership and communications segment, How Good Leaders Become Great By Never Leading Alone, How Leaders Can Prepare Their Teams For 2025, Nervous About Public Speaking? Here’s How to Use Notes Like a Pro, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-375

Evil ISPs, Deloitte, YOLO11, Microsoft, Gift Cards, Navix, Telegram, Josh Marpet... - SWN #436
Evil ISPs, Deloitte, YOLO11, Microsoft, Gift Cards, Navix, Horror, Telegram, Josh Marpet and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-436

Looking Back on 2024 - ASW #310
We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/ https://securitychampions.owasp.org/ https://deadliestwebattacks.com/appsec/2024/11/14/ai-and-llms-asw-topic-recap https://www.scworld.com/podcast-episode/3017-infosec-myths-mistakes-and-misconceptions-adrian-sanabria-asw-279 Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-310

Deloitte, e-Tattoos, Cp3o, Chemonics, IPv6, 6, Chinese Emperors, Aaran Leyland... - SWN #435
Deloitte, e-Tattoos, Web 3.0, Cp3o, Chemonics, IPv6, the Number 6, Chinese Emperors, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-435

Tackling Barriers on the Road To Cyber Resilience - Rob Allen, Theresa Lanowitz - ESW #386
In this final installment of a trio of discussions with Theresa Lanowitz about Cyber Resilience, we put it all together and attempt to figure out what the road to cyber resilience looks like, and what barriers security leaders will have to tackle along the way. We'll discuss: How to identify these barriers to cyber resilience Be secure by design Align cybersecurity investments with the business Also, be sure to check out the first two installments of this series! Episode 380: Cybersecurity Success is Business Success Episode 383: Cybersecurity Budgets: The Journey from Reactive to Proactive This segment is sponsored by LevelBlue. Visit https://securityweekly.com/levelblue to learn more about them! When focused on cybersecurity through a vulnerability management lens, it's tempting to see the problem as a race between exploit development and patching speed. This is a false narrative, however. While there are hundreds of thousands of vulnerabilities, each requiring unique exploits, the number of post-exploit actions is finite. Small, even. Although Log4j was seemingly ubiquitous and easy to exploit, we discovered the Log4Shell attack wasn't particularly useful when organizations had strong outbound filters in place. Today, we'll discuss an often overlooked advantage defenders have: mitigating controls like traffic filtering and application control that can prevent a wide range of attack techniques. This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! This week, in the enterprise security news, Funding and acquisition news slows down as we get into the “I’m more focused on holiday shopping season” North Pole Security picked an appropriate time to raise some seed funding Breaking news, it’s still super easy to exfiltrate data The Nearest Neighbor Attack Agentic Security is the next buzzword you’re going to be tired of soon Frustrations with separating work from personal in the Apple device ecosystem We check in on the AI SOC and see how it’s going Office surveillance technology gives us the creeps All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-386

Hacker Gadgets - PSW #853
The hosts discuss hacker gadgets! We'll cover what we've been hacking on lately and discuss gadgets we want to work on in the future and other gadgets we want to get our hands on. Paul has been working with some M5Stack devices, a guide can be found here: https://securitypodcaster.com/m5stack-hacking-guide/ We will cover the Clockwork PI "uConsole" (RPI CM4) - https://www.clockworkpi.com/uconsole We want the RPI Pico 2 W and the RPI CM5 (https://www.raspberrypi.com/products/) Paul upgraded one of his Flipper Zeros with Momentum Firmware (https://momentum-fw.dev/) Paul and Larry have the new Crowview Note (https://www.kickstarter.com/projects/elecrow/crowview-note-empowering-your-device-as-a-laptop?ref=20bm9i) Larry's List: Cheap Yellow Display - https://github.com/witnessmenow/ESP32-Cheap-Yellow-Display KV4P HT - https://www.kv4p.com/ Lilygo T-Deck - https://lilygo.cc/products/t-deck Helltec LoRa32 https://heltec.org/project/wifi-lora-32-v3/ NRF52840-DK - https://www.mouser.com/ProductDetail/Nordic-Semiconductor/nRF52840-DK?qs=F5EMLAvA7IA76ZLjlwrwMw%3D%3D NRF52840 Dongle - https://www.mouser.com/ProductDetail/Nordic-Semiconductor/nRF52840-Dongle?qs=gTYE2QTfZfTbdrOaMHWEZg%3D%3D&mgh=1 MakerDialry NRF52840 - https://wiki.makerdiary.com/nrf52840-mdk-usb-dongle/ Radioberry - https://www.amazon.com/dp/B0CKN1PW4J Bootkitties and Linux bootkits, Canada realizes banning Flippers is silly, null bytes matter, CVE samples, how dark web marketplaces do security, Perl code from 2014 and vulnerabilities in needrestart, malware in gaming engines, the nearby neighbor attack, this week in security appliances featuring Sonicwall and Fortinet, footguns, and get it off the freakin public Internet! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-853

Security Money: Of Course Okta Should Be In The Index - BSW #374
This week, it's time for Security Money. Of course Okta should be in the Security Weekly 25 Index, Duh! Here are all the companies that now comprise the index: SCWX Secureworks Corp PANW Palo Alto Networks Inc CHKP Check Point Software Technologies Ltd. RBRK Rubrik Inc GEN Gen Digital Inc FTNT Fortinet Inc AKAM Akamai Technologies, Inc. FFIV F5 Inc ZS Zscaler Inc OSPN Onespan Inc LDOS Leidos Holdings Inc QLYS Qualys Inc VRNT Verint Systems Inc. CYBR Cyberark Software Ltd TENB Tenable Holdings Inc OKTA Okta Inc S SentinelOne Inc NET Cloudflare Inc CRWD Crowdstrike Holdings Inc NTCT NetScout Systems, Inc. VRNS Varonis Systems Inc RPD Rapid7 Inc FSLY Fastly Inc RDWR Radware Ltd ATEN A10 Networks Inc In the leadership and communications segment, Should the CISO Role Be Split?, CISO's tips for building a culture of cybersecurity, Personal Leadership and Cyber Risk — Top 3 Traits that Deliver Enterprise Level Results, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-374

ISIS, Enron, Tor, Scams, Wintermute, Zabbix, Josh Marpet and more... - SWN #434
ISIS, Enron, Tor, Scams, Wintermute, Zabbix, Josh Marpet and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-434

Adding Observability with OpenTelemetry - Adriana Villela - ASW #309
Observability is a lot more than just sprinkling printf statements throughout a code base. Adriana Villela explains principles behind logging, traceability, and metrics and how the OpenTelemetry project helps developers gather this useful information. She also provides suggestions on starting logging from scratch, how to avoid information overload, and how engaging users about their experience with solutions like OpenTelemetry makes for better software -- a lesson that appsec teams can apply to paved roads and security guardrails. Segment Resources: https://opentelemetry.io https://cncf.io https://adri-v.medium.com/ Fuzzing barcodes and getting projects onboarded with fuzzers, using AI to guide fuzzers, using AI to combat scammers, using CWEs for something, using malicious comments to ban repos, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-309

2023 Funding and Acquisition Summary with Return on Security - Mike Privette - ESW Vault
Check out this episode from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on December 22, 2023. We're excited to give an end-of-year readout on the performance of the cybersecurity industry with Mike Privette, founder of Return on Security and author of the weekly Security, Funded newsletter. This year, this podcast has leaned heavily on the Security, Funded newsletter to prep for our news segment, as it provides a great summary of all the funding and M&A events going on each week. In this segment, we look back at 2023, statistics for the year, comparisons to 2022, interesting insights, predictions, and more! Segment Resources: Mike's blog; Return on Security: https://www.returnonsecurity.com/ Mike's newsletter; Security, Funded: https://www.returnonsecurity.com/subscribe Show Notes: https://securityweekly.com/vault-esw-17

Terms & Acronyms - SWN Vault
Check out this episode from the SWN Vault, originally published on February 13, 2019! This Secure Digital Life episode was hand-picked by main host Doug White. Well, there are a lot of terms that are around in Cyber these days. I think we could do shows every week for a while and never get through them all. From AI to Zero Day Exploits, there are a plethora of terms that everyone uses all the time but maybe you don't know them yet. So, I thought we would grab some of the more common ones and try to explain. Show Notes: https://securityweekly.com/vault-swn-21

2nd Edition: How to Measure Anything in Cybersecurity Risk - Doug Hubbard - BSW Vault
Check out this episode from the BSW Vault, hand picked by main host Matt Alderman! This segment was originally published on Jan 24, 2023. Richard Seiersen and our guest, Doug Hubbard, are finishing the second edition of How to Measure Anything in Cybersecurity Risk. Doug is here to share the success of the first edition and preview the second edition. With more insights, the second edition will share more more research data, free tools, and new concepts like FrankenSME. If you're a risk management professional or want to learn more about risk management, don't miss this interview. Show Notes: https://securityweekly.com/vault-bsw-14

Fixing how cybersecurity products are bought and sold - Mariana Padilla - ESW #385
This is a topic our hosts are very passionate about, and we're excited to discuss with Mariana Padilla, co-founder and CEO of Hackerverse. She wants to change how cybersecurity sales works, with a focus on making the process more transparent and ideally demonstrating a product's efficacy before buyers even need to talk to a sales team. We'll discuss why existing sales processes are broken, how VC funding impacts vendor sales/marketing, and why community-led growth is so important. Why a special segment on Microsoft Ignite announcements? There were a lot of announcements Microsoft is the largest security vendor, in terms of revenue Microsoft and its products are also the biggest and most vulnerable hacking target in the tech industry. In the enterprise security news, Bitsight, Snyk, and Silverfort announce acquisitions Tanium announces an “autonomous” endpoint security offering We find out how much a smartphone costs when it is manufactured in the US CISA’s leadership announces resignations Ransomware is going after old versions of Excel Should vendors be doing more about alert fatigue? The latest cybersecurity reports Using AI to mess with scammers All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-385

Tesla, Druids, Salt Typhoon, North Korea, Amazon, Microsoft, Google, Joshua Marpet... - SWN #433
Tesla, Druids, Salt Typhoon, North Korea, Amazon, Microsoft, Google, Joshua Marpet, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-433

Confessions of a Cyber Criminal Stalker - Ken Westin - PSW #852
Black Hats & White Collars: We know criminal hacking is big business because we've spied on them! Ken comes on the show to talk about chasing and stalking criminals, even if it means sacrificing some of your own personal safety. Fast cars kill people, Apple 0-Days, memory safety, poisoning the well, babble babble and malware that tries really hard to be stealthy, Palto Alto and Fortinet have some serious new vulnerabilities, open-source isn't free, but neither is commercial software, get on the TPM bus, find URLs with stealth, stealing credentials with more Palto Alto and Fortinet, the first zoom call, and one person's trash is another person's gaming PC! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-852

Biometric Frontiers: Unlocking The Future Of Engagement - Andras Cser, Enza Iannopollo - ASW #308
This week's interview dives deep into the state of biometrics with two Forrester Research analysts! This discussion compares and contrasts regional approaches to biometrics; examine the security challenges and benefits of their implementation; and reveal how biometrics holds the keys to a range of engagement models of the future. Andras Cser dives into the technical end of things and explains how biometrics can be resilient to attack. We can't replace our fingerprints or faces, but as Andras explains, there's no need to, thanks to how biometrics actually work. Then, Enza takes us through the latest on privacy in biometrics - a concern for both consumers, and businesses tasked with complying with privacy regulations and avoiding costly fines. Finally, get a sneak peek into the upcoming Forrester Security & Risk Summit. Whether you're an industry professional or just curious about the implications of biometrics, this episode delivers insights you won't want to miss! This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us. We also discuss whether Secure by Design's goals are practical or not. OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet. Also, Watchtowr has some fun with Citrix VDI! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-308

Google DeGoogled, Hammerbarn, Blofeld, VMWare, DeepData, SafePay, Josh Marpet and... - SWN #432
Google DeGoogled, Hammerbarn, Blofeld, VMWare, DeepData, SafePay, Josh Marpet and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-432

Similarities Between SOX And SEC's Cyber Rule - Padraic O'Reilly - BSW #373
The Sarbanes-Oxley (SOX) Act was a watershed moment in corporate governance, fundamentally altering how companies approached financial reporting and internal operational controls. By holding executives personally accountable for the accuracy of financial reports, SOX restored investor confidence in the wake of corporate malfeasance. The SEC's new cybersecurity rule represents a similar pursuit to restore investor confidence — this time for the digital age, centered on integrating cybersecurity into overall risk management. Padraic O'Reilly, Founder and Chief Innovation Officer at CyberSaint, joins Business Security Weekly to discuss the similarities between SOX and SEC's Cyber Rule. The SEC's cybersecurity rule introduced several vital requirements that build on the principles established by SOX, including: Companies must report material cybersecurity incidents on Form 8-K, ensuring timely and transparent disclosure to investors. Companies must provide regular updates on their cybersecurity risk management policies, the role of management in implementing these policies and the board's oversight of cybersecurity risks. The rule encourages companies to disclose the cybersecurity expertise of their board members, highlighting the importance of informed oversight in managing cyber risks. The rule requires cybersecurity disclosures to be presented in Inline Extensible Business Reporting Language, or Inline XBRL, ensuring consistency and comparability across filings. This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them! In the leadership and communications segment, Insurance Firm Introduces Liability Coverage for CISOs, How to Navigate a Leadership Transition, Has the Cybersecurity Workforce Peaked? and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-373

Granny Bots, Microsoft, Shrinklocker, SlugResin, BlueSky, Aaran Leyland, and More... - SWN #431
Granny Bots, Microsoft, Shrinklocker, SlugResin, BlueSky, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-431

AI and the Autonomous SOC - Separating Hype from Reality - Justin Beals, Itai Tevet - ESW #384
There have been a lot of bold claims about how generative AI and machine learning will transform the SOC. Ironically, the SOC was (arguably) invented only because security products failed to make good on bold claims. The cybersecurity market is full of products that exist only to solve the problems created by other security products (Security Analytics, SOC Automation, Risk-Based Vulnerability Management). Other products are natural evolutions and pick up where others leave off. In this interview, we'll explore what AI can and can't do, particularly when it comes to alert triage and other common SOC tasks. Segment Resources: From Forrester: Generative AI Will Not Fulfill Your Autonomous SOC Hopes (Or Even Your Demo Dreams) From Intezer: Mastering SOC Automation in 2024: Tips, Trends and Tools The Future of SOC Automation Platforms SentinelOne wants to make the autonomous SOC a reality Naturally, the next approach to try is a federated one. How do we break down cybersecurity into more bite-sized components? How do we alleviate all this CISO stress we've heard about, and make their job seem less impossible than it does today? This will be a more standards and GRC focused discussion, covering: the reasons why cross-walking doesn't work the reasons why traditional TPRM approaches (e.g. questionnaires) don't work opportunities for AI to help risk management or sales support? This week in the enterprise security news, Upwind Security gets a massive $100M Series B Trustwave and Cybereason merge NVIDIA wants to force SOC analyst millennials to socialize with AI agents Has the cybersecurity workforce peaked? Why incident response is essential for resilience an example of good product marketing who is Salvatore Verini, Jr. and why does he have all my data? All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-384

No CVE and No Accountability - Ed Skoudis - PSW #851
Alright, so we dove deep into some pretty wild stuff this week. We started off talking about zip files inside zip files. This is a variation of old-school zip file tricks, and the latest method described here is still causing headaches for antivirus software. Then we geeked out about infrared signals and the Flipper Zero, which brought back memories of the TV-B-Gone. But the real kicker was our discussion on end-of-life software and the whole CVE numbering authority mess. Avanti's refusal to issue a CVE for their end-of-life product sparked a heated debate about cybersecurity accountability and conflicts of interest. Ed Skoudis joins us to announce this year's Holiday Hack Challenge! Segment Resources: https://sans.org/holidayhack Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-851

Modernizing AppSec - Melinda Marks - ASW #307
In this week's interview, Melinda Marks' joins us to discuss her latest research. Her recent report Modernizing Application Security to Scale for Cloud-Native Development delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations. We also discuss the fuzzy line between "cloud-native" AppSec and everything else that refuses to disappear, particularly for organizations that weren't born cloud-native and still have legacy workloads to worry about. Integrating security into the SDLC and CI/CD pipelines, infrastructure as code (IaC) trends, best of breed vs platform, and other aspects of AppSec get discussed as well! This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response. Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish. Is it bad that 70% of DevSecOps professionals don't know if code is AI generated or not? All that and more on this week's news segment. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-307

Struwwelpeter, Krampus, Flutter, Apple, DLink, C++, Josh Marpet and more... - SWN #430
Struwwelpeter, Krampus, Flutter, Apple, DLink, C++, Josh Marpet and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-430