Security Weekly Podcast Network (Video)

Paddy Harrington joins us from Forrester research to discuss his findings in this year's state of IoT security report. Computers have been shoved into anything and everything, both in the home and in the workplace. Paddy will share some interesting insights from the report, and we'll discuss why some of the results seem to conflict. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-322

Securing data is hard. Business stops when data flows are hindered, stopped, sometimes even slowed. Placing controls around data traditionally leads to more friction and less productivity. Can it be a different story in the cloud? Today, we find out when we talk to Dan Benjamin about why he founded Dig and the space they're trying to fill in public cloud services. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-322

In the security news: You got so many CVEs you need your own, dedicated, vulnerability scanner, melting your neighbors with hacking, The FDA's SBOM and OSS, when the vulnerability scanner has a vulnerability, violating CISA directives at scale, make 2FA a little easier with this device, NSA's BlackLotus mitigation guide: who needs those certificates anyhow? All that and more on this episode of Paul's Security Weekly. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-789

In this segment we welcome Carlos Perez back to the show! Carlos will discuss methods we can use to hide one systems and cover our tracks. We'll cover how on a system (as administrator) the blue team's struggle using default logs or even on a default install of Sysmon to detect an attacker. Attackers can selectively disable modern event log providers, take action and then re-enable. We will demo this and how to best monitor for this technique. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-789

Two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, free cybersecurity training resources Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-245

This week in the Security News, Dr. Doug talks: Win 3.1, Fortinet, Women in Cyber nominations, Teams, IOS, Mockingjay, Jason Wood and More! Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-306

Without visibility and continuous monitoring, dangerous threats expose our blind spots and create risk. Invicti, who brought together Acunetix and Netsparker, analyzes common web application vulns across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of vulnerability trends from automated scan results. In this talk, Invicti Director of Product Patrick Vandenberg shares a deep dive into the trends currently impacting AppSec programs and discusses some of the best practices that will help organizations achieve efficiencies in their programs. Segment Resources: AppSec Indicator Spring 2023 edition: https://www.invicti.com/clp/appsec-indicator/?utm_medium=contentsyn&utm_source=sc_media&utm_campaign=i-syn_CRA-ASW-Jun2023&utm_content=230424-ga_spring-appsec-indicator&utm_term=brand) This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-245

In the Leadership and Communications section, CISO Burnout Prevention: Tips for Work-Life Balance, Maximizing Leadership Potential, The Essence of Effective Management: Commitment, Foresight, and Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-310

In a tight economy, security budgets have been under scrutiny. Vendor consolidation strategies are real, but what are the pros and cons of this strategy? Shawn Surber from Tanium joins us to discuss how vendor consolidation is playing out and what to look for. It's not just an expense exercise, it's also a strategic alignment exercise. This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-310

In the Security News: There is no national cyber director, time to move away from MoveIT, update Microsoft IIS at least every 6 years, your security system is not secure, for that matter neither is your smart pet feeder, identity management is hard, at least for some, spies using spy gadgets to spy on spies, go ahead and just replace your hardware, secure boot is hard, bypassing the BIOS password (but don't try this at home, or work for that matter), Rob shaved his beard, what's new in PCI (drink, are we still drinking on PCI? If so, drink again), if your firmware isn't patched, no cloud updates for you, and Gigabyte has a backdoor! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-788

Check out this interview from the ESW Vault, hand picked by main host Adrian Sanabria! This segment was originally published on September 29, 2021. No Man is an Island. Neither can a security program exist without interconnections and strong relationships to the rest of the business. Yet, over and over again I meet Security Leaders that thrive on designing security fiefdoms with large moats, and one bridge that they roll down only when they intend to roll out a new technology, initiative or need budget authority. There is no amount of authority or power that can provided to a CISO that makes he or she immunized against the need for communication, collaboration and diplomacy with peers, users and Senior Executives. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-2

Emilie comes on the show to talk about penetration testing and share her knowledge and stories! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-788

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. Segment Resources: Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/ Intel's 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/vault-asw-2

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on October 12, 2020. We go off script. Michael Santarcangelo joins me for a discussion on leadership. We review the 4 C's of Leadership: 1. Culture 2. Collaboration 3. Communication 4. Cultivation - and Michael shares some of his leadership approaches and ideas. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/vault-bsw-2

This week, in the news segment, we discuss the user-facing security trend, bad ideas in company naming/branding, and why you might not want to be on a list of the top 200 most secure companies. We also discuss the right way to treat employees when doing layoffs, and the future for companies that probably shouldn't have received funding before the market downturn. Finally, France uses AI to discover untaxed pools. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-321

This week Dr. Doug talks: Killer Robots, ESXI, Lockbit, MoveIt, CISA, SEC, Texas, Aaran Leyland, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-305

Explore the rapidly-evolving landscape of Managed Detection and Response (MDR) with insights from Sophos, a pioneering MDR provider. Understand how businesses can gain superior security outcomes and better value from their investments by integrating 3rd party products natively into an adaptive ecosystem backed up by 24/7/365 threat detection, incident response and proactive threat hunting from one of the largest global providers of MDR services. Segment Resources: http://sophos.com/mdr https://www.sophos.com/en-us/x-ops This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-321

The WAF has a relatively long history with InfoSec. A few years back, we saw the traditional architecture separated by new technologies and philosophies on the best way to detect and stop web-borne attacks. In this episode with Daniel Corbett, we'll take a deep dive into the latest on WAF capabilities, what it means to be 'next-gen' in the WAF world, and how LLM AI like ChatGPT could influence the attacks we see (and have to defend against) in the near future. This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-321

This year's Verizon DBIR is out, CVSS is updating its methodology, poor password reset design, SQL injection in MOVEit, a CTF for AWS IAM Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-244

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on April 9, 2013. Bill Cheswick logged into his first computer in 1968. Seven years later, he was graduated from Lehigh University in 1975 with a degree resembling Computer Science. Ches has worked on (and against) operating system security for over 35 years. He is probably best known for "Firewalls and Internet Security; Repelling the Wily Hacker", co-authored with Steve Bellovin, which help train the first generation of Internet security experts. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/vault-psw-2

Eric Olden, CEO and Co-Founder of Strata Identity, discusses the concept of Identity Orchestration. He covers the evolving identity landscape and how it has evolved to keep pace with modern apps, the challenges encountered during an identity modernization project, how Identity Orchestration helps those modernization projects, and best practices for implementing secure identity. Segment Resources: [Identity Orchestration Use Cases](https://www.strata.io/use-cases/) [What is Identity Orchestration WhitePaper](https://www.strata.io/resources/whitepapers/what-is-identity-orchestration-and-why-you-need-it-to-succeed-with-multi-cloud/) This segment is sponsored by Strata. Visit https://securityweekly.com/strata to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-244

Mad dogs and paper clips, Fortinet, MoveIt, BatCloak, China, More News, and Jason Wood on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-304

In the leadership and communications section, Only one in 10 CISOs today are board-ready, study says, Why Conflicting Ideas Can Make Your Strategy Stronger, How to Overcome Communication Barriers in Your Teamwork, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-309

The Gartner definition of integrated risk management is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks. Enterprises typically have a broad coverage of the risks that face the business including cybersecurity risk, however, its 2023 and after more than a decade of requiring training compliance for our people, the Verizon DBIR reports this year that 74% of breaches involved human error. It's clear that compliance is not the answer for where to include the human in an IRM strategy, so what's next? This segment is sponsored by Living Security. Visit https://securityweekly.com/livingsecurity to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-309

In this episode we briefly cover funding, and discuss Snyk's acquisition of Enso Security and Cisco's Armorblox buy. We discuss some new open source AI tools: privateGPT, llm, ttok, and strip-tags. We discuss the death of Meta's massive Metaverse movement and go DEEP down the rabbithole on the new Stop Silly Security Awards website. Artifact's AI rewrites clickbaity headlines and we wrap up by exploring a very entertaining Map of GitHub communities: https://anvaka.github.io/map-of-github/ Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-320

Phrenology, Barracuda, MoveIt, Lazarus, Minecraft, ChatGPT, Adrian Sanabria, and More on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-303

Generative AI is taking the world by storm. Naturally, enterprises are looking for ways to integrate the innovative technology into their techstack, boost productivity of the knowledge workers and overall increase their ROI. The question is, how to do it without compromising data privacy and security standards of the enterprises. Segment Resources: https://zerosystems.com/ Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-320

This is the first interview in a two-part AI special! First up, we talk with Daniel Miessler, who has been following the generative AI trend very closely and is one of the most prolific writers and thought leaders on the topic. It's a massively divisive topic with the most successful product ever launched (ChatGPT). Some folks think it's overhyped, some think it's going to replace all the worst parts of the worst jobs, and others think it could be the beginning of the end for humanity. While other interviews on GenAI get deep into conversations on the future of humanity, we're going to stay closer to home on this one. It seems clear that GenAI will transform the enterprise more quickly than any other technology trend we've seen. We'll discuss what security needs to do to prepare for this shift, and why security teams should begin exploring GenAI themselves as soon as possible. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-320

Check out this interview from the PSW VAULT, hand picked by main host Paul Asadoorian! This segment was originally published on October 18, 2015. L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. We learn about the history of the L0pht and the future. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/vault-psw-1

OWASP has a draft for the LLM Top 10, simple vulns in a modern SaaS app, ancient vuln in a Wordpress plugin, PyPI moves to secure its package manager accounts, ThinkstScape Quarterly research report, having fun with memory variables, DNS, and logins. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-243

Ducking AI, Kimsuky redux, SMB signing, MoveIt, Gigabyte, Splunk, Chrome Extensions, AI, Jason Wood and more on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-302

Walking the show floor at RSA Conference, you couldn't trip without falling into an application security vendor booth ... and API security specialists were especially plentiful. Join Forrester Principal Analyst Sandy Carielli for her thoughts on RSA Conference and a deep dive into the challenges of API security. Segment Resources: https://www.forrester.com/blogs/insights-from-the-2023-rsa-conference-generative-ai-quantum-and-innovation-sandbox/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-243

In the leadership and communications section, Cybersecurity Starts with the Board and C-Suite, How CISOs can achieve more with less during uncertain economic times, Why Authentic Leadership Is So Hard, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-308

The American Data Privacy and Protection Act introduces oversight of how companies handle the data they collect and process from U.S. citizens, including AI algorithms used to uncover insights that can be monetized. Security professionals should prepare now for the legislation by understanding how to audit algorithms and implement compliance processes. Even if this version of privacy legislation doesn't pass, similar legislation will likely pass soon. Segment Resources: Forbes Tech Council article: Why You Need to Prepare Now for Privacy Legislation That May Not Pass https://www.senecaglobal.com/media-mentions/ftc-why-you-need-to-prepare-now-for-privacy-legislation-that-may-not-pass/ Enterprise Security Tech - American Data Privacy Protection Act: What, Who, How https://www.enterprisesecuritytech.com/post/american-data-privacy-protection-act-what-who-how Security Info Watch - What the American Data and Privacy Act means for businesses https://www.securityinfowatch.com/security-executives/article/21295869/what-the-american-data-and-privacy-act-means-for-businesses Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-308

Check out this interview from the ESW VAULT, hand picked by main host Adrian Sanabria! This segment was originally published on October 21, 2021. The Record has published several interviews with cybercriminals, courtesy The Record's Russian-speaking analyst, Dmitry Smilyanets (https://therecord.media/author/dmitry-smilyanets). These interviews have included representatives from REvil, BlackMatter, and Marketo. The interviews have uncovered the gangs' motivations, targets, and tactics, and have been cited by officials, including White House Deputy National Security Advisor Anne Neuberger. We talk with Adam Janofsky, founder and Editorial Director of The Record about what it's like to start a vendor-sponsored media outlet (The Record is funded by Recorded Future), and what they've learned by interviewing the bad guys. This segment is sponsored by Devo. Visit https://securityweekly.com/devo to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/vault-esw-1

In the security news: keystroke logs are stored in plain-text (and other atrocities in software used in schools), WPBT is the gift that keeps on giving and this time it's Gigabyte, PCI DSS 4.0 (drink!), immutable linux desktops, one packet exploits, neat linux malware, sock puppets, a must read new book about hacks, why SMB why?, boot girls, exposing customers....data, cracking GSM, you MUST use 2fa (not should, must), old wine in a new bottle, lab grown "meat", malicious bookmarks, and ChatGPT's secret reading list! All that and more on this episode of Paul's Security Weekly. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-787

Penetration Tester stories, dumb and funny stuff that's crazier than movies. Segment Resources: https://www.cyberpointllc.com/index.php https://www.cyberpointllc.com/srt.php Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-787

Check out this interview from the ASW VAULT, hand picked by main host Mike Shema! This segment was originally published on March 14, 2022. Cybersecurity is a large and often complex domain, traditionally focused on the infrastructure and general information security, with little or no attention to Application Security. Security providers usually tack-on AppSec services to their existing menu of offering without understanding the domain, and their team of professionals have little or no experience with software development or inner workings of modern application architectures. As the world turns Digital at a rapid pace accelerated by the recent pandemic, applications become common place in our lives, providing attackers more opportunities to exploit these poorly protected applications. As such, it is important to know what is actually required to build and run software securely, and how to do application security right. Segment Resources: https://forwardsecurity.com/2022/03/07/application-security-for-busy-tech-execs/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/vault-asw-1

Check out this interview from the BSW VAULT, hand picked by main host Matt Alderman! This segment was originally published on June 8, 2020. Marc French has more than 25 years of technology experience in engineering, operations, product management, and security. Prior to his current role at CISO at Product Security Group, Marc was the SVP & Chief Trust Officer at Mimecast, Inc. and has held a variety of senior security roles at Endurance/Constant Contact, EMC/RSA, Iron Mountain, Digital Guardian, and Dun & Bradstreet. With all this security experience, Marc has created a series of career ladders to help guide infosec professionals with their job journey, including the illustrious CISO position. We will also cover whether you really want to be a CISO... All of the open source career ladders can be found here: https://github.com/product-security-group/Security_Ladders Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/vault-bsw-1

In today's hyper-connected world, devices are everywhere, people are online constantly and sensitive data has moved to the cloud. Given these trends, organizations are making digital trust a strategic imperative. More than ever, companies need a unified platform, modern architecture and flexible deployment options in order to put digital trust to work. This segment is sponsored by DigiCert. Visit https://securityweekly.com/digicertrsac to learn more about them! Bill Brenner, VP of content strategy at CyberRisk Alliance, and Cisco storyteller/team leader/editor Steve Ragan discuss the issues security professionals are sinking their teeth into at RSA Conference 2023, including: Threats organizations face amid geopolitical strife (Russia/Ukraine, China, North Korea) What SOCs need to respond to a world on fire (training for cloud-based ops, XDR) Challenges of identity and access management (zero trust, MFA, hybrid work environments) Challenges of vulnerability management (finding the most critical flaws in the cloud, key attack vectors in 2023, ransomware) This segment is sponsored by Cisco. Visit https://securityweekly.com/ciscorsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw319

Ferret Legging, Elon's Brain Implants, Volt Typhoon, CosmicEnergy, OAuth, ILoveYou (and that's not just the Molly talking), Aaran Leyland, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn301

The reality is no organization is insusceptible to a breach – and security teams, alongside the C-suite, should prepare now to make the response more seamless once a crisis does happen. Based on his experience working 1:1 with security leaders in the private and public sectors, Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space, will share the critical steps organizations must take to best prepare for a security breach. This segment is sponsored by Raytheon. Visit https://securityweekly.com/raytheonrsac to learn more about them! While companies utilize dozens of security solutions, they continue to be compromised and are continually searching for their real cybersecurity gaps amongst the overload of vulnerability data. A primary issue security teams face is that they lack a way to continuously validate the effectiveness of the different security solutions they have in place. Automated Security Validation is revolutionizing cybersecurity by applying software validation algorithms, for what was once manual penetration testing jobs. It takes the attacker's perspective to challenge the integrity and resilience of security defenses by continuously emulating cyber attacks against them. This segment is sponsored by Pentera. Visit https://securityweekly.com/penterarsac to learn more about them! Security teams are always on the lookout for external threats that can harm our organizations. However, an internal threat can derail productivity and lead to human error and burnout: repetitive, mundane tasks. To effectively defend against evolving threats, organizations must leverage no-code automation and free analysts to focus on higher-level projects that can improve their organization's security posture. This segment is sponsored by Tines. Visit https://securityweekly.com/tinesrsac to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw319

On this edition of the ESW news, we're all over the place! Funding and acquisitions are a little sad right now, but AI and TikTok bans raise our spirits. The hosts are split on feelings about the new .zip gTLD, there's a new standard for scoring an "AI Influence Level" (AIL), and lessons learned from Joe Sullivan's case and other Uber breaches. Also, don't miss the new AI tool DragGAN, which enables near magical levels of ease when manipulating photos. What's even real anymore? We might not be able to tell for long... Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw319

In the Security News: a cross-platform, post-exploit, red teaming framework, cover your backups, your voice should never be your passport, time to change your fingerprints, a drop in the bucket sucka, Thor will take out those pesky drones, never give your AI friends money, bye-bye PyPi for a while anyhow, bug bounties are broken, you say you want people to update routers, not-too-safe-boot, mystery microcode, Cisco listens to the podcast (they must have heard it from Microsoft), will it run DOOM?, your server is bricked, permanently, Hell never ends on x86, and coldplay lyrics in your firmware. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw786

Liam Mayron from Fastly comes on the show to talk about his unique path into information security, the security implications of generative AI, advances in technologies to protect web applications, detecting bots, and enabling better MSP services! This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw786

New TLDs are already old news, fuzzing eBPF validators, Microsoft sets to kill bug classes, draft RFC to track location trackers, a top ten list with directory traversal on it, conference videos from Real World Crypto and BSidesSF, and an attack tree generator from markdown. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw242

Space, the final frontier, Naughty Cell Phones, HP, ASUS, Meta, Google, Gil Kirkpatrick, and more on this edition of the Security Weekly News. Segment Resources: https://www.darkreading.com/cloud/microsoft-azure-vms-highjacked-in-cloud-cyberattack This segment is sponsored by Semperis. Visit https://securityweekly.com/semperis to learn more about them! Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn300

The OWASP Top 10 dates back to 2003, when appsec was just settling on terms like cross-site scripting and SQL injection. It's a list that everyone knows about and everyone talks about. But is it still the right model for modern appsec awareness? What if we put that attention and effort elsewhere? Maybe we could have secure defaults instead. Or linters and build tools that point out these flaws. We'll talk about top 10 lists, what we like about them, what we don't like, and what we'd like to see replace them. We'll also test our hosts' knowledge of just how many top 10 lists are out there. Segment resources: [OWASP Top 10:2021](https://owasp.org/Top10/) [OWASP API Security Project](https://owasp.org/www-project-api-security/) [OWASP Top 10 Mobile Risks](https://github.com/OWASP/www-project-mobile-top-10/blob/master/2016-risks/index.md) [OWASP Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/) and [ASW #220](https://www.scmagazine.com/podcast-episode/asw-220-daniel-krivelevich) [OWASP Low-Code/No-Code Top 10](https://owasp.org/www-project-top-10-low-code-no-code-security-risks/) [OWASP Top 10 Privacy Risks](https://owasp.org/www-project-top-10-privacy-risks/) [OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) [OWASP AI Security and Privacy Guide](https://owasp.org/www-project-ai-security-and-privacy-guide/) [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org) [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) and [ASW #232](https://www.scmagazine.com/podcast-episode/asw-232-josh-grossman) [Moving on from the OWASP Top 10](https://deadliestwebattacks.com/appsec/2023/03/30/reflecting-on-the-owasp-top-10) Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw242

In the leadership and communications section: Do You Really Need a CISO?, A CISO Employment Contract May Mean the Difference Between Success and Jail, When Your Employee Tells You They're Burned Out, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw307

You can rebuild infrastructure. But you can't un-breach data – Data sits at the core of an organization and is often the most open and vulnerable. This is why data security is the most important and urgent security problem to solve right now. We're joined by Matt Radolec, Senior Director of Incident Response and Cloud Operations at Varonis, to walk through the blast radius concept – from what it is and how to use it to understand your organization's risk, to how it can serve as a guide to securing data from insiders and external attackers. Segment Resources: The Great SaaS Data Risk Exposure report: https://info.varonis.com/hubfs/Files/docs/research_reports/Varonis-The-Great-SaaS-Data-Exposure.pdf The Forrester Wave™: Data Security Platforms, Q1 2023 https://reprints2.forrester.com/#/assets/2/1646/RES178465/report Learn more about the Varonis Data Security Platform https://www.varonis.com/products/data-security-platform This segment is sponsored by Varonis. Visit https://securityweekly.com/varonis to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw307