Security Weekly Podcast Network (Audio)

Emilie comes on the show to talk about penetration testing and share her knowledge and stories! In the Security News: There is no national cyber director, time to move away from MoveIT, update Microsoft IIS at least every 6 years, your security system is not secure, for that matter neither is your smart pet feeder, identity management is hard, at least for some, spies using spy gadgets to spy on spies, go ahead and just replace your hardware, secure boot is hard, bypassing the BIOS password (but don’t try this at home, or work for that matter), Rob shaved his beard, what’s new in PCI (drink, are we still drinking on PCI? If so, drink again), if your firmware isn’t patched, no cloud updates for you, and Gigabyte has a backdoor! Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! FShow Notes: https://securityweekly.com/psw-788

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on September 29, 2021. No Man is an Island. Neither can a security program exist without interconnections and strong relationships to the rest of the business. Yet, over and over again I meet Security Leaders that thrive on designing security fiefdoms with large moats, and one bridge that they roll down only when they intend to roll out a new technology, initiative or need budget authority. There is no amount of authority or power that can provided to a CISO that makes he or she immunized against the need for communication, collaboration and diplomacy with peers, users and Senior Executives. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-2

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. Segment Resources: Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/ Intel’s 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/vault-asw-2

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on October 12, 2020. We go off script. Michael Santarcangelo joins me for a discussion on leadership. We review the 4 C's of Leadership: 1. Culture 2. Collaboration 3. Communication 4. Cultivation - and Michael shares some of his leadership approaches and ideas. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/vault-bsw-2

The WAF has a relatively long history with InfoSec. A few years back, we saw the traditional architecture separated by new technologies and philosophies on the best way to detect and stop web-borne attacks. In this episode with Daniel Corbett, we'll take a deep dive into the latest on WAF capabilities, what it means to be 'next-gen' in the WAF world, and how LLM AI like ChatGPT could influence the attacks we see (and have to defend against) in the near future. Explore the rapidly-evolving landscape of Managed Detection and Response (MDR) with insights from Sophos, a pioneering MDR provider. Understand how businesses can gain superior security outcomes and better value from their investments by integrating 3rd party products natively into an adaptive ecosystem backed up by 24/7/365 threat detection, incident response and proactive threat hunting from one of the largest global providers of MDR services. Finally in the Enterprise News segment, we discuss the user-facing security trend, bad ideas in company naming/branding, and why you might not want to be on a list of the top 200 most secure companies. We also discuss the right way to treat employees when doing layoffs, and the future for companies that probably shouldn't have received funding before the market downturn. Finally, France uses AI to discover untaxed pools! This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them! Segment Resources: http://sophos.com/mdr https://www.sophos.com/en-us/x-ops This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-321

This week Dr. Doug talks: Killer Robots, ESXI, Lockbit, MoveIt, CISA, SEC, Texas, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-305

Eric Olden, CEO and Co-Founder of Strata Identity, discusses the concept of Identity Orchestration. He covers the evolving identity landscape and how it has evolved to keep pace with modern apps, the challenges encountered during an identity modernization project, how Identity Orchestration helps those modernization projects, and best practices for implementing secure identity. Segment Resources: - [Identity Orchestration Use Cases](https://www.strata.io/use-cases/) - [What is Identity Orchestration WhitePaper](https://www.strata.io/resources/whitepapers/what-is-identity-orchestration-and-why-you-need-it-to-succeed-with-multi-cloud/) This segment is sponsored by Strata. Visit https://securityweekly.com/strata to learn more about them! This year's Verizon DBIR is out, CVSS is updating its methodology, poor password reset design, SQL injection in MOVEit, a CTF for AWS IAM Visit https://www.securityweekly.com/asw for all the latest episodes! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-244

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on April 9, 2013. Bill Cheswick logged into his first computer in 1968. Seven years later, he was graduated from Lehigh University in 1975 with a degree resembling Computer Science. Ches has worked on (and against) operating system security for over 35 years. He is probably best known for "Firewalls and Internet Security; Repelling the Wily Hacker", co-authored with Steve Bellovin, which help train the first generation of Internet security experts. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/vault-psw-2

This week Dr. Doug talks: Mad dogs and paper clips, Fortinet, MoveIt, BatCloak, China, More News, and Jason Wood on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-304

The Gartner definition of integrated risk management is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks. Enterprises typically have a broad coverage of the risks that face the business including cybersecurity risk, however, its 2023 and after more than a decade of requiring training compliance for our people, the Verizon DBIR reports this year that 74% of breaches involved human error. It's clear that compliance is not the answer for where to include the human in an IRM strategy, so what's next? In the leadership and communications section, Only one in 10 CISOs today are board-ready, study says, Why Conflicting Ideas Can Make Your Strategy Stronger, How to Overcome Communication Barriers in Your Teamwork, and more! This segment is sponsored by Living Security. Visit https://securityweekly.com/livingsecurity to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-309

Phrenology, Barracuda, MoveIt, Lazarus, Minecraft, ChatGPT, Adrian Sanabria, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-303

This is the first interview in a two-part AI special! First up, we talk with Daniel Miessler, who has been following the generative AI trend very closely and is one of the most prolific writers and thought leaders on the topic. It's a massively divisive topic with the most successful product ever launched (ChatGPT). Some folks think it's overhyped, some think it's going to replace all the worst parts of the worst jobs, and others think it could be the beginning of the end for humanity. While other interviews on GenAI get deep into conversations on the future of humanity, we're going to stay closer to home on this one. It seems clear that GenAI will transform the enterprise more quickly than any other technology trend we've seen. We'll discuss what security needs to do to prepare for this shift, and why security teams should begin exploring GenAI themselves as soon as possible. Generative AI is taking the world by storm. Naturally, enterprises are looking for ways to integrate the innovative technology into their techstack, boost productivity of the knowledge workers and overall increase their ROI. The question is, how to do it without compromising data privacy and security standards of the enterprises. Segment Resources: https://zerosystems.com/ In this episode we briefly cover funding, and discuss Snyk's acquisition of Enso Security and Cisco's Armorblox buy. We discuss some new open source AI tools: privateGPT, llm, ttok, and strip-tags. We discuss the death of Meta's massive Metaverse movement and go DEEP down the rabbithole on the new Stop Silly Security Awards website. Artifact's AI rewrites clickbaity headlines and we wrap up by exploring a very entertaining Map of GitHub communities: https://anvaka.github.io/map-of-github/ Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-320

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on October 18, 2015. L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. We learn about the history of the L0pht and the future. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/vault-psw-1

Ducking AI, Kimsuky redux, SMB signing, MoveIt, Gigabyte, Splunk, Chrome Extensions, AI, Jason Wood and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn-302

The American Data Privacy and Protection Act introduces oversight of how companies handle the data they collect and process from U.S. citizens, including AI algorithms used to uncover insights that can be monetized. Security professionals should prepare now for the legislation by understanding how to audit algorithms and implement compliance processes. Even if this version of privacy legislation doesn’t pass, similar legislation will likely pass soon. Segment Resources: Forbes Tech Council article: Why You Need to Prepare Now for Privacy Legislation That May Not Pass https://www.senecaglobal.com/media-mentions/ftc-why-you-need-to-prepare-now-for-privacy-legislation-that-may-not-pass/ Enterprise Security Tech - American Data Privacy Protection Act: What, Who, How https://www.enterprisesecuritytech.com/post/american-data-privacy-protection-act-what-who-how Security Info Watch - What the American Data and Privacy Act means for businesses https://www.securityinfowatch.com/security-executives/article/21295869/what-the-american-data-and-privacy-act-means-for-businesses In the leadership and communications section, Cybersecurity Starts with the Board and C-Suite, How CISOs can achieve more with less during uncertain economic times, Why Authentic Leadership Is So Hard, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-308

Walking the show floor at RSA Conference, you couldn't trip without falling into an application security vendor booth ... and API security specialists were especially plentiful. Join Forrester Principal Analyst Sandy Carielli for her thoughts on RSA Conference and a deep dive into the challenges of API security. Segment Resources: https://www.forrester.com/blogs/insights-from-the-2023-rsa-conference-generative-ai-quantum-and-innovation-sandbox/ OWASP has a draft for the LLM Top 10, simple vulns in a modern SaaS app, ancient vuln in a Wordpress plugin, PyPI moves to secure its package manager accounts, ThinkstScape Quarterly research report, having fun with memory variables, DNS, and logins. Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-243

Penetration Tester stories, dumb and funny stuff that's crazier than movies. Segment Resources: https://www.cyberpointllc.com/index.php https://www.cyberpointllc.com/srt.php In the security news: keystroke logs are stored in plain-text (and other atrocities in software used in schools), WPBT is the gift that keeps on giving and this time it's Gigabyte, PCI DSS 4.0 (drink!), immutable linux desktops, one packet exploits, neat linux malware, sock puppets, a must read new book about hacks, why SMB why?, boot girls, exposing customers....data, cracking GSM, you MUST use 2fa (not should, must), old wine in a new bottle, lab grown "meat", malicious bookmarks, and ChatGPT's secret reading list! All that and more on this episode of Paul’s Security Weekly. Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Check out this interview from the ESW VAULT, hand picked by main host Adrian Sanabria! This segment was originally published on October 21, 2021. The Record has published several interviews with cybercriminals, courtesy The Record's Russian-speaking analyst, Dmitry Smilyanets (https://therecord.media/author/dmitry-smilyanets). These interviews have included representatives from REvil, BlackMatter, and Marketo. The interviews have uncovered the gangs' motivations, targets, and tactics, and have been cited by officials, including White House Deputy National Security Advisor Anne Neuberger. We talk with Adam Janofsky, founder and Editorial Director of The Record about what it's like to start a vendor-sponsored media outlet (The Record is funded by Recorded Future), and what they've learned by interviewing the bad guys. This segment is sponsored by Devo. Visit https://securityweekly.com/devo to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-1

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on June 8, 2020. Marc French has more than 25 years of technology experience in engineering, operations, product management, and security. Prior to his current role at CISO at Product Security Group, Marc was the SVP & Chief Trust Officer at Mimecast, Inc. and has held a variety of senior security roles at Endurance/Constant Contact, EMC/RSA, Iron Mountain, Digital Guardian, and Dun & Bradstreet. With all this security experience, Marc has created a series of career ladders to help guide infosec professionals with their job journey, including the illustrious CISO position. We will also cover whether you really want to be a CISO... All of the open source career ladders can be found here: https://github.com/product-security-group/Security_Ladders Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/vault-bsw-1

Check out this interview from the ASW VAULT, hand picked by main host Mike Shema! This segment was originally published on March 14, 2022. Cybersecurity is a large and often complex domain, traditionally focused on the infrastructure and general information security, with little or no attention to Application Security. Security providers usually tack-on AppSec services to their existing menu of offering without understanding the domain, and their team of professionals have little or no experience with software development or inner workings of modern application architectures. As the world turns Digital at a rapid pace accelerated by the recent pandemic, applications become common place in our lives, providing attackers more opportunities to exploit these poorly protected applications. As such, it is important to know what is actually required to build and run software securely, and how to do application security right. Segment Resources: https://forwardsecurity.com/2022/03/07/application-security-for-busy-tech-execs/ Show notes: https://www.scmagazine.com/podcast-episode/asw-188-farshad-abasi

Ferret Legging, Elon's Brain Implants, Volt Typhoon, CosmicEnergy, OAuth, ILoveYou (and that's not just the Molly talking), Aaran Leyland, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn301

On this edition of the ESW news, we're all over the place! Funding and acquisitions are a little sad right now, but AI and TikTok bans raise our spirits. The hosts are split on feelings about the new .zip gTLD, there's a new standard for scoring an "AI Influence Level" (AIL), and lessons learned from Joe Sullivan's case and other Uber breaches. Also, don't miss the new AI tool DragGAN, which enables near magical levels of ease when manipulating photos. What's even real anymore? We might not be able to tell for long... The reality is no organization is insusceptible to a breach – and security teams, alongside the C-suite, should prepare now to make the response more seamless once a crisis does happen. Based on his experience working 1:1 with security leaders in the private and public sectors, Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space, will share the critical steps organizations must take to best prepare for a security breach. This segment is sponsored by Raytheon. Visit https://securityweekly.com/raytheonrsac to learn more about them! While companies utilize dozens of security solutions, they continue to be compromised and are continually searching for their real cybersecurity gaps amongst the overload of vulnerability data. A primary issue security teams face is that they lack a way to continuously validate the effectiveness of the different security solutions they have in place. Automated Security Validation is revolutionizing cybersecurity by applying software validation algorithms, for what was once manual penetration testing jobs. It takes the attacker's perspective to challenge the integrity and resilience of security defenses by continuously emulating cyber attacks against them. This segment is sponsored by Pentera. Visit https://securityweekly.com/penterarsac to learn more about them! Security teams are always on the lookout for external threats that can harm our organizations. However, an internal threat can derail productivity and lead to human error and burnout: repetitive, mundane tasks. To effectively defend against evolving threats, organizations must leverage no-code automation and free analysts to focus on higher-level projects that can improve their organization’s security posture. This segment is sponsored by Tines. Visit https://securityweekly.com/tinesrsac to learn more about them! In today’s hyper-connected world, devices are everywhere, people are online constantly and sensitive data has moved to the cloud. Given these trends, organizations are making digital trust a strategic imperative. More than ever, companies need a unified platform, modern architecture and flexible deployment options in order to put digital trust to work. This segment is sponsored by DigiCert. Visit https://securityweekly.com/digicertrsac to learn more about them! Bill Brenner, VP of content strategy at CyberRisk Alliance, and Cisco storyteller/team leader/editor Steve Ragan discuss the issues security professionals are sinking their teeth into at RSA Conference 2023, including: Threats organizations face amid geopolitical strife (Russia/Ukraine, China, North Korea) What SOCs need to respond to a world on fire (training for cloud-based ops, XDR) Challenges of identity and access management (zero trust, MFA, hybrid work environments) Challenges of vulnerability management (finding the most critical flaws in the cloud, key attack vectors in 2023, ransomware) This segment is sponsored by Cisco. Visit https://securityweekly.com/ciscorsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw319

Liam Mayron from Fastly comes on the show to talk about his unique path into information security, the security implications of generative AI, advances in technologies to protect web applications, detecting bots, and enabling better MSP services! This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them! In the Security News: a cross-platform, post-exploit, red teaming framework, cover your backups, your voice should never be your passport, time to change your fingerprints, a drop in the bucket sucka, Thor will take out those pesky drones, never give your AI friends money, bye-bye PyPi for a while anyhow, bug bounties are broken, you say you want people to update routers, not-too-safe-boot, mystery microcode, Cisco listens to the podcast (they must have heard it from Microsoft), will it run DOOM?, your server is bricked, permentantly, Hell never ends on x86, and coldplay lyrics in your firmware. Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw786

Space, the final frontier, Naughty Cell Phones, HP, ASUS, Meta, Google, Gil Kirkpatrick, and more on this edition of the Security Weekly News. Segment Resources: https://www.darkreading.com/cloud/microsoft-azure-vms-highjacked-in-cloud-cyberattack This segment is sponsored by Semperis. Visit https://securityweekly.com/semperis to learn more about them! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn300

The OWASP Top 10 dates back to 2003, when appsec was just settling on terms like cross-site scripting and SQL injection. It's a list that everyone knows about and everyone talks about. But is it still the right model for modern appsec awareness? What if we put that attention and effort elsewhere? Maybe we could have secure defaults instead. Or linters and build tools that point out these flaws. We'll talk about top 10 lists, what we like about them, what we don't like, and what we'd like to see replace them. We'll also test our hosts' knowledge of just how many top 10 lists are out there. Segment resources: [OWASP Top 10:2021](https://owasp.org/Top10/) [OWASP API Security Project](https://owasp.org/www-project-api-security/) [OWASP Top 10 Mobile Risks](https://github.com/OWASP/www-project-mobile-top-10/blob/master/2016-risks/index.md) [OWASP Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/) and [ASW #220](https://www.scmagazine.com/podcast-episode/asw-220-daniel-krivelevich) [OWASP Low-Code/No-Code Top 10](https://owasp.org/www-project-top-10-low-code-no-code-security-risks/) [OWASP Top 10 Privacy Risks](https://owasp.org/www-project-top-10-privacy-risks/) [OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) [OWASP AI Security and Privacy Guide](https://owasp.org/www-project-ai-security-and-privacy-guide/) [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org) [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) and [ASW #232](https://www.scmagazine.com/podcast-episode/asw-232-josh-grossman) [Moving on from the OWASP Top 10](https://deadliestwebattacks.com/appsec/2023/03/30/reflecting-on-the-owasp-top-10) New TLDs are already old news, fuzzing eBPF validators, Microsoft sets to kill bug classes, draft RFC to track location trackers, a top ten list with directory traversal on it, conference videos from Real World Crypto and BSidesSF, and an attack tree generator from markdown. Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw242

You can rebuild infrastructure. But you can’t un-breach data – Data sits at the core of an organization and is often the most open and vulnerable. This is why data security is the most important and urgent security problem to solve right now. We’re joined by Matt Radolec, Senior Director of Incident Response and Cloud Operations at Varonis, to walk through the blast radius concept – from what it is and how to use it to understand your organization's risk, to how it can serve as a guide to securing data from insiders and external attackers. Segment Resources: The Great SaaS Data Risk Exposure report: https://info.varonis.com/hubfs/Files/docs/research_reports/Varonis-The-Great-SaaS-Data-Exposure.pdf The Forrester Wave™: Data Security Platforms, Q1 2023 https://reprints2.forrester.com/#/assets/2/1646/RES178465/report Learn more about the Varonis Data Security Platform https://www.varonis.com/products/data-security-platform This segment is sponsored by Varonis. Visit https://securityweekly.com/varonis to learn more about them! In the leadership and communications section: Do You Really Need a CISO?, A CISO Employment Contract May Mean the Difference Between Success and Jail, When Your Employee Tells You They’re Burned Out, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw307

$10M reward, a serious wemo vulnerability, EXSI threats, critical Cisco flaws, millions of smart phones with preinstalled malware and Bill Brenner Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn299

This week, we discuss fundings, acquisitions (TWO DSPM exits!), the ongoing market downturn/weirdness, and surprise - LLM-based AIs! We spend a fair amount of time talking about the importance of breach transparency - we need to be able to learn from others' failures to improve our own defenses. We also discuss the inevitable 'One App To Rule them All' that will serve as an all-knowing personal assistant. It will integrate with all our comms, calendars, and notes, which will be scary and fraught with privacy and security issues. But Tyler and Adrian still yearn for it, as their pre-frontal cortexes become increasingly dulled by scotch and beer. Enterprises are struggling to manage and reduce their organizational attack surface, especially with a shortage of skilled staff. Find out how some security executives are tackling this challenge by automating their IT and vulnerability management. This segment is sponsored by Syxsense. Visit https://securityweekly.com/syxsensersac to learn more about them! Cars have evolved from a physical mode of transportation to a digitized experience, bringing with it new risks and challenges in security, privacy and user experience. Putting identity at the center of the connected world solves simplicity and safety challenges, including physical safety, digital security and data privacy. Furthermore, decentralized identity plays a major role in a better, more secure seamless experience – not just for vehicles, but for society at large. This segment is sponsored by ForgeRock. Visit https://securityweekly.com/forgerockrsac to learn more about them! There is a war on trust in the digital world, and people are caught in the crosshairs. Everywhere we look, there are identity risks with crippling repercussions for businesses, whether fake people, fake content, or insecure web links. With the rise of generative AI tools in business, threat actors are utilizing these technologies to create more sophisticated phishing emails – mimicking brands and tone or more easily translating copy into several languages making them more difficult to identify and easily connecting hackers with global audiences. Now is the time to implement solutions that empower a connected thread of trust between businesses and users – before all trust is lost. This segment is sponsored by OneSpan. Visit https://securityweekly.com/onespanrsac to learn more about them! Semperis CEO Mickey Bresman sits down with SC Magazine to share practical steps for improving Active Directory resilience in the face of escalating cyberattacks, using real-world examples. With cybercrime costs projected to reach $8 trillion in 2023 and AD being the top target for attackers, organizations must prepare to detect, respond, and recover from AD-based attacks. Learn how InfoSec and IAM teams can operationalize the Gartner "top trending" topic of identity threat detection and response (ITDR) to ward off attackers and take back the advantage. This segment is sponsored by Semperis. Visit https://securityweekly.com/semperisrsac to learn more about them! Today’s CISOs are laser focused on three imperatives: reducing risk; reducing operational costs, and attracting or retaining top talent. All three priorities are driven by creating a better SOC analyst experience which translates to less time to detect and respond to an attack. In this discussion, we’ll uncover how Extended Detection & Response (XDR) can drastically improve the SOC analyst experience and alleviate CISOs’ top challenges. This segment is sponsored by VMware. Visit https://securityweekly.com/vmwarecarbonblackrsac to learn more about them! While emerging cyber threats and vulnerabilities tend to dominate headlines, criminals often exploit known vulnerabilities to gain access to critical systems and data for nefarious purposes. And with the number of vulnerabilities rising constantly, they can pose significant risk to organizations, especially if defenders don’t know which ones are critical. Learn how Expel is helping to pull back the curtain on how organizations can more effectively prioritize their most critical vulnerabilities. This segment is sponsored by Expel. Visit https://securityweekly.com/expelrsac to learn more about them! Visit https://www.securityweekly.com/esw\ for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw318

Kevin Johnson joins us to discuss pen testing, automated testing, why AI testing is not pen testing! In the security news: How AI Knows Things No One Told It, Dragos Employee Gets Hacked, VMProtect Source Code Leaks, CISA Vulnerabilities, SHA-1 is a Shambles, Microsoft Scans Inside Password Protected Files, Geacon Brings Cobalt Strike Compatability to MacOS, Google Launches Tools to Identify Misleading & AI Images, Cyberstalkers Use New Windows Feature to Spy on iPhones, Texas A&M Prof Flunks all his Students, Wemo Won’t Fix Smart Plug Vulnerability, Catfishing on an industrial scale, and Hacking the Ocean to store Carbon Dioxide Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw785

This week in the Security News, Aaran Leyland joins remotely to dish out the latest news: Cyber Resilience Act contains a poison pill, a powerful backdoor, Malicious Actors and Jason Wood - Valued Co-Host OR Malicious Actor? All that and more on this episode of SWN! Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn298

What happens to an app's security after six months? What about a year or two years? A Secure SDLC needs to maintain security throughout an app's lifetime, but too often the rate of new flaws can outpace the rate of new code within an app. Appsec teams need strategies and processes to keep software secure for as long as possible. Segment Resources: https://www.veracode.com/state-of-software-security-report Learn how hackers are exploiting the trust that mobile app owners place in their customers. Hackers are increasingly modifying app code, posing as trusted customers, and infiltrating IT infrastructure. This segment is sponsored by Verimatrix. Visit https://securityweekly.com/verimatrixrsac to learn more about them! Unlike vulnerabilities, which can and do often exist for months or years in application code without being exploited, a malicious package represents an immediate threat to an organization, intentionally designed to do harm. In the war for cybersecurity, attackers are innovating faster than companies can keep up with the threats coming their way. A new approach is needed to stay ahead of the impacts of malicious packages within applications. Findings from our latest report "Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities" illustrate the growing threat of malicious packages. From 2021 to 2022, the number of malicious packages published to npm and rubygems alone grew 315 percent. Mend.io technology detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of malicious packages discovered in existing applications were capable of exfiltration – causing an unauthorized transmission of information. Threat actors leveraging this type of package can easily collect protected information before the package is discovered and removed. We’ll share why as long as open source means open, the door will be left open to bad actors, so it’s especially critical to know when things are being brought into your code. Malicious packages represent an immediate threat, unlike vulnerabilities, and can not be taken lightly. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw241

Medtronic's Security Ambassador program has seen tremendous growth and engagement in recent years. Learn how they gave their program a shot of adrenaline and haven't looked back since. Cybersecurity teams today are inundated with tools that provide an abundance of alerts and data about threats, gaps, vulnerabilities and everything in between. While security tools are critical to operating a cybersecurity program and produce helpful data, they should never dictate an organization’s cybersecurity strategy. Instead, Amad Fida, CEO & Founder of Brinqa, explains why business priorities should be the foundation for any company’s cybersecurity strategy. This segment is sponsored by Axonius. Visit https://securityweekly.com/axoniusrsac to learn more about them! Economic uncertainty has forced IT and security leaders to be more cautious than ever when increasing spending and team size. Suh dynamics give CISOs and CIOs an opportunity to demonstrate value by going beyond “merely” defending the organization from threats. We can contribute toward the organization’s efforts to constrain costs by looking inward at existing tools and assets to understand deployment, usage, and value. We can do this by ensuring the company is making the most of what it already has – and eliminating the spend that’s not being utilized in the most effective way. This segment is sponsored by Brinqa. Visit https://securityweekly.com/brinqarsac to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw306

Singing Terminators, Gmail, Joe Sullivan, Dragos, ESXi, Microsoft, Greatness, Jessica Davis, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn297

We are nearly half way through 2023, and we're seeing some new trends surface in the cyber landscape. These include generative artificial intelligence, which was everywhere at RSA Conference this year, as well as automation across security operations and the continued need for skilled expertise. Join Matt Alderman from CyberRisk Alliance and Antonio Sanchez, Principal Evangelist at Fortra, as they dive into 2023 cybersecurity trends and observations. Segment Resources: https://www.fortra.com/resources/cybersecurity-education?code=cmp-0000011812&ls=717710002&utm_source=cyberrisk-alliance&utm_medium=contsynd&utm_campaign=ft-brand-awareness https://www.fortra.com/products/bundles?code=cmp-0000011812&ls=717710002&utm_source=cyberrisk-alliance&utm_medium=contsynd&utm_campaign=ft-brand-awareness This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them! In the enterprise security news, A slow week for funding, but, as always, a busy week for AI news! Databricks acquires Okera, CrowdStrike, Fortinet and other cybersecurity shares rise, Merck might finally see that $1.4 billion dollar NotPetya payout, Ex-Uber CISO Joe Sullivan won’t go to jail, Google rolls out passkey support, Do Bartenders make good pen testers?, ICS using steganography to hide data, DEF CON will unleash hackers on Large Language Models, and Security’s eternal prioritization problem! The browser is the most used application, but was never built with the needs of the enterprise in mind. The Enterprise Browser delivers a whole new level of visibility, security and governance. This conversation will explore the benefits of the Enterprise Browser and the gaps it is filling for enterprises around the world. This segment is sponsored by Island. Visit https://securityweekly.com/islandrsac to learn more about them! Resilience and the capacity for reinvention have never been more important. In a world evolving at the speed of tech and roiled by the pandemic, enterprises that have security innovation woven into their DNA enjoy a distinct advantage. Learn more. This segment is sponsored by Sumo Logic. Visit https://securityweekly.com/sumologicrsac to learn more about them! The increased prevalence of phishing kits sourced from black markets and chatbot AI tools like ChatGPT has seen attackers quickly develop more targeted phishing campaigns. This improved targeting has simplified the process of manipulating users into taking actions that compromise their security credentials, leaving them and their organizations vulnerable. This segment is sponsored by Zscaler. Visit https://securityweekly.com/zscalerrsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw317

In this talk, Paula Januszkiewicz, renowned cybersecurity expert with years of experience in the field, shares her insights on critical tasks that must be included in any successful penetration testing checklist. She will offer the listeners a sneak peek into her pentesting trick book, discuss the special tools she is using, and highlight the importance of diversifying your pentester's toolkit. This episode is a must-listen for anyone interested in mastering the art of penetration testing. In the security news: feel free to cry a bit, honeytokens are the shiny new hotness, it's fixed in the future, backdooring electron, should we move to passkeys, the turbo button, why Cisco hates SMBs, old vulnerabilities are new again, MSI, Boot Guard and some FUD, fake tickets, AI hacking, prompt injection, and the SBOM Bombshell! Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw784

Poisonous Parsley and Chat GPT, QR codes, Boot Guard, Akira, Wanted Posters, SuperCare, VPNS, Jason Wood, and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn296

What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more. Segment Resources: Book -- https://securitychaoseng.com Blog -- https://kellyshortridge.com/blog/posts/ In the ever-evolving world of cybersecurity, attackers are constantly finding new ways to infiltrate your software supply chains. But with GitGuardian's Honeytoken, you can stay ahead of the game. Deploy honeytokens at scale, monitor for unauthorized use, and detect intrusions before they can wreak havoc on your system. With Honeytoken, you'll have the insight you need to protect your confidential data and know where, who, and how attackers are trying to access it. This segment is sponsored by GitGuardian. Visit https://securityweekly.com/gitguardianrsac to learn more about them! In light of the constant change in the threat landscape, how does an organization keep up with the attackers who're always innovating? New specialized security solutions are regularly being introduced to address new threats, increasing complexities and the non-functional requirement(NFRs) associated with integration of these systems to already complicated enterprise web applications. How does an organization implement holistic defense without increasing cost, complexity and impacting user experience? Edgio will address how an edge-enabled holistic security platform can effectively reduce the attack surface, improve the effectiveness of the defense while reducing the latency of critical web applications via it’s multi-layered defense approach. It also offers the ability to integrate with an enterprises' DevSecOps workflow to achieve better security practices. Edio will discuss how its security platform “shrinks the haystacks” so that organizations can better focus on delivering key business outcomes. This segment is sponsored by Edgio. Visit https://securityweekly.com/edgiorsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw240

Each year, Forrester tracks the top systemic risks — external events that impact your firm and customers but are out of your control — facing organizations. The impacts of climate change are both short-term, in the form of severe weather, drought, and heat waves, and long-term, in the form of biodiversity loss, sea-level rise, and rising temperatures. Want to see where climate risk ranked on the list? Read The Top Systemic Risks, 2023 (https://www.forrester.com/report/the-top-systemic-risks-2023/RES179156) or listen to this segment on Business Security Weekly. A resilient cybersecurity strategy is essential to running your business while protecting against security threats and preventing data breaches. For CISOs, partnering with a managed service security provider (MSSP) means you can be in control of your organization’s information and infrastructure security without placing a strain on internal personnel or resources which is critical in today’s uncertain economy. With an MSSP on board, CISOs are better equipped to meet strategic and business goals, while improving operations and reducing expenses. This interview will discuss not only why to consider an MSSP but how to choose the right one for the job. This segment is sponsored by Direct Defense. Visit https://securityweekly.com/directdefensersac to learn more about them! Insider Risk is a problem that continues to grow - and that companies are still struggling to solve. CISOs state that it is the number one most difficult threat to detect, placing it over malware and ransomware. Code42 President and CEO Joe Payne will explain why the Insider Risk problem is so challenging and will offer guidance on how to solve it. This segment is sponsored by Code42. Visit https://securityweekly.com/code42rsac to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw305

St. Alban's Day, Kimsuky, WinRAR, Microsoft, fake AI, Siemens, Apple, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn295

This week, we start with the news: 2 weeks of news to catch up on! 16 funding stories, 4 M&A stories, Cybereason prunes its valuation… a lot, First Republic Bank seized by FDIC, Ransomware is irrelevant Sun Tzu hates infosec, AI Trends, Kevin Mandia’s 7 tips for defense, & How much time should we spend automating tasks? Christopher will delve into what lateral security/lateral movement are and identify key lateral security tools (network segmentation, micro-segmentation, advanced threat prevention systems, network sandboxes, and network traffic analysis/network detection and response). He will also touch on why automation is important when it comes to consistent security and the current threat landscape. This segment is sponsored by VMware. Visit https://securityweekly.com/vmwarenetsecrsac to learn more about them! AT&T Cybersecurity released its 12th annual Cybersecurity Insights Report, “Edge Ecosystem,” which highlights the dramatic shift in computing underpinned by 5G, the edge, and the convergence of networking and security. The report found that business and technology leaders are finally coming together not just to understand the new edge computing ecosystem, but to make more predictable, data-informed business decisions. Collaboration among these leaders, as well as external partners in the ecosystem, will be critical for the edge journey ahead – but more progress must be made to better leverage the edge and transform the business. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attrsac to learn more about them! EASM is a critical component of continuous threat exposure management and a necessary step in improving validation and vulnerability management processes. Gartner recently published a report describing the evolution of EASM and where it's headed in the market. We're excited to see the market move in this direction because, at NetSPI, we're already committed to investing in our team and technology to stay ahead of these trends. We already have a head start. This segment is sponsored by NetSpi. Visit https://securityweekly.com/netspirsac to learn more about them! “Man plans, the Universe laughs” - unfortunately, that’s been the saying for far too long when it comes to cybersecurity. Security leaders know it's only a matter of time before their organization gets breached, but instead of being ready for it, they rely on fixing the problem after it happens. In Cisco’s newest report, the first ever Cybersecurity Readiness Index, it was found that a small minority of businesses globally (15%) consider themselves to be ready and able to defend against the expanding array of cybersecurity risks and threats of today. Organizations need to get ready and stay ready with solutions they can trust. This segment is sponsored by Cisco. Visit https://securityweekly.com/ciscorsac to learn more about them! OpenText Cybersecurity is on a mission to simplify security by delivering smarter, innovative solutions. Geoff Bibby, the SVP of OpenText Cybersecurity Marketing & Strategy, will offer insight into the company’s purpose-built approach to create a powerhouse cybersecurity portfolio that scales to meet the security needs of large enterprises down to individual consumers. This segment is sponsored by OpenText. Visit https://securityweekly.com/opentextrsac to learn more about them! The continued headcount shortage facing cybersecurity teams is driving many organizations to embrace Managed Detection and Response (MDR) as a way to combat cyber threats. With this demand, dozens of MDR companies have emerged over the past two years. Critical Start’s CTO, Randy Watkins, will discuss the origin of MDR, share evaluation tips, and reveal some of the potential pitfalls. This segment is sponsored by Critical Start. Visit https://securityweekly.com/criticalstartrsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw316

Rob "Mubix" Fuller comes on the show to talk about penetration testing, what's changed over the years? He'll also discuss "Jurassic Malware" and creating games in your BIOS. This week in the Security News: 5-year old vulnerabilities, hijacking packages, EV charging apps that could steal stuff, do we even need software packages, selling hacking tools and ethics, I hate it when vendors fix stuff, HTTPS lock status, no pornhub for you! Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw783

Pornhub, LobShot, TMobile, lawsuits, CISA, CERN, AI, Jason Wood, and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn294

Application security is messy and is getting messier. Modern application security teams are struggling to identify what's more important to fix. Cloud security and application security is getting squeezed all together. Modern vulnerability maturity needs a new approach and guidance. Vulnerability management framework and mature defect management is often overlooked as organizations tend to identify issues and stop there. The devil is usually in the details and time gets burned down in identifying who needs to solve what where. Vulnerability Management Maturity Framework has been created to address that. Segment Resources: Framework: https://phoenix.security/vulnerability-management-framework/ Books on metrics: https://phoenix.security/whitepapers-resources/data-driven-application-security-vulnerability-management-are-sla-slo-dead/ Vulnerability aggregation and prioritization https://phoenix.security/whitepapers-resources/whitepaper-vulnerability-management-in-application-cloud-security/ Shift left: https://phoenix.security/shift-everywhere/ Vulnerability management talk: https://phoenix.security/web-vuln-management/ Vulnerability management framework playlist (explained) https://www.youtube.com/playlist?list=PLVlvQpDxsvqHWQfqej5Gs7bOd-cq8JO24 How to act on risk: https://phoenix.security/phoenix-security-act-on-risk-calculation/ Without visibility into your entire web application attack surface and a continuous find and fix strategy, dangerous threats can expose your organization's blind spots and create risk. Invicti analyzes common web application vulnerabilities across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of application vulnerability trends from automated scan results across regions. In this interview, Invicti's Patrick Vandenberg zooms in on the vulnerabilities plaguing organizations, providing insight into this year's report trends, and guidance on how CISOs and AppSec program leaders can create an environment for their teams that mitigates risk. Segment Resources: https://www.invicti.com/clp/appsec-indicator/?utm_medium=contentsyn&utm_source=sc_media&utm_campaign=i-syn_RSA-CRA-interview-2023&utm_content=230424-ga_spring-appsec-indicator&utm_term=brand T his segment is sponsored by Invicti. Visit https://securityweekly.com/invictirsac to learn more about them! Flaws in the design and implementation of an application can create business logic vulnerabilities that allow attackers to manipulate legitimate functionality to achieve a malicious goal. What’s more, API-related security incidents exploit business logic, the programming that manages communication between the application and the database. In this discussion, Karl Triebes shares what you need to know about business logic attacks to effectively protect against them. This segment is sponsored by Imperva. Visit https://securityweekly.com/impervarsac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw239

This week, it's time for Security Money. We recap Q1 2023 with the latest financial results, funding announcements, and layoffs. Don't miss this quarterly update. At the market close on April 28th 2023: - SW25 Index is 1,404.31, which is an increase of 40.43% (up from last Q) since inception. - NASDAQ Index is 12,226.58, which is an increase of 84.27% (up from last Q) during the same period. CISOs face the complex challenge of protecting organizations against an expanding array of cybersecurity risks. While the role requires constant adaptation to protect against new threats, CISOs often bear the blame when defenses are breached. In this segment Kunal Anand, CTO & CISO, Imperva, discusses the evolution of the role and what aspiring professionals need to know if they want to hold the title. This segment is sponsored by Imperva. Visit https://securityweekly.com/impervarsac to learn more about them! Today’s security products are evolving to meet the changing attack surface, each one targeting a specific set of risks. For organizations, this typically means that to increase security maturity, they need to implement a number of different solutions, and as the attack surface continues to expand, their tech stack quickly becomes difficult to manage. It’s time for the industry to help security teams achieve a better balance and reduce this operational burden. Segment Resources: https://www.fortra.com/resources/cybersecurity-education?code=cmp-0000011766&ls=717710002&utm_source=cyberrisk-alliance&utm_medium=video&utm_campaign=ft-rsa-conference This segment is sponsored by Fortra. Visit https://securityweekly.com/fortrarsac to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw304

Github, FIN7, Banks, Minecraft, Google Authenticator, Qualcomm, TenCent, BlueSky, Derek Johnson talks about China and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn293

STM32 boards, soldering, decapping chips, RTOS development, lasers, multiple flippers and for what you ask? So I can be alerted about a device I already know is there. The Flipper Zero attracted the attention of news outlets and hackers alike as people have used it to gain access to restricted resources. Is the Flipper Zero that powerful that it needs to be banned? This is a journey of recursion and not taking “no” for an answer. Kailtyn Hendelman joins the PSW crew to discuss the Flipper Zero and using it to hack all the things. In the Security News: SSDs use AI/ML to prevent ransomware (And more buzzword bingo), zombie servers that just won't die, spectral chickens, side-channel attacks, malware-free cyberattacks!, your secret key should be a secret, hacking smart TVs with IR, getting papercuts, people still have AIX, ghosttokens, build back better SBOMs, Salsa for your software, Intel let Google hack things, and they found vulnerabilities, and flase positives on your drug test, & more! Flipper resources: * [Changing Boot Screen Image on ThinkPad's UEFI](https://www.youtube.com/watch?v=kvqZRTMAlMA -Flipper Zero) * [A collection of Awesome resources for the Flipper Zero device.](https://github.com/djsime1/awesome-flipperzero) * [Flipper Zero Unleashed Firmware](https://github.com/DarkFlippers/unleashed-firmware) - This is what Paul is using currently. * [A maintained collective of different IR files for the Flipper!](https://github.com/UberGuidoZ/Flipper-IRDB) - Paul uses these as well. * [Alternative Infrared Remote for Flipperzero](https://github.com/Hong5489/ir_remote) Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw782

Teenage Mutant Ninja Hackers, Mark Twain, TP-Link, Intel, Papercut, Rustbucket, Solarwinds, Blue Check Marks, Jason Wood, and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn292

Jeff Moss shares some of history of DEF CON, from CFPs to Codes of Conduct, and what makes it a hacker conference. We also discuss the role of hackers and researchers in representing users within policy discussions. Segment links https://defcon.org https://forum.defcon.org https://media.defcon.org https://defcon.social/about Microsoft turns to a weather-based taxonomy, k8s shares a security audit, a GhostToken that can't be exorcised from Google accounts, BrokenSesame RCE, typos and security, generative AI and security that's more than prompt injection Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw238

We talk a lot about closing the skills gap, but it's harder said than done. So we thought we'd tackle the problem in our 2nd episode os Say Easy, Do Hard. Part 1 will discuss the skills needed, the requirements of the position, and the real qualifications for cybersecurity jobs. We will discuss the practical, realistic expectations of working in cybersecurity, not the hyped stereotypical positions. After discussing the requirements for working in cybersecurity, part 2 will tackle where to find the talent. We will explore education, apprenticeships, mentorships, and training. We will also identify areas within the business that have resources with skills that are very complementary with cybersecurity that also make great recruiting areas. Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw303

Elon, Clop, EvalPhP, VMWare, Google, Fancy Bear, Routers, 3CX, Aaran Leyland, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/swn291