PLAY PODCASTS
Security Weekly Podcast Network (Video)

Security Weekly Podcast Network (Video)

4,876 episodes — Page 35 of 98

Career in Infosec, SANS Work, & End User Awareness Training - Guy Bruneau - PSW #750

Guy will go through some of his career choices that eventually led to 25 years in a long and fun career in information and cybersecurity. Infosec has been a fascinating and challenging field which anyone can learn through training and some of the excellent YouTube videos. Segment Resources: http://handlers.sans.org/gbruneau/ https://isc.sans.edu/handler_list.html#guy-bruneau Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw750

Aug 5, 20221h 7m

Akamai, PerimeterX HUMAN Merger, Azure Vulns, Blockchain Sec Startups, & Brash CEOs - ESW #282

In the Enterprise Security News: Blockchain security startups are still raising tons of money, but not in crypto, since it's now worthless. Ha! just kidding. Maybe. Am I? Anvilogic, AppViewX, Sotero, Resourcely, and Push Security all raise rounds JUICY RUMORS! Is Crowdstrike buying Orca? Is Akamai getting bought out by a PE shop? HUMAN and PerimeterX join in a rare cybersecurity merger, Are Azure's vulnerabilities out of control? Zoom brings end-to-end encryption to its cloud phone service, npm says FINE, we'll add some security, Kaseya's CEO is just, telling it like it is, man. The problem must be with you. A robot attacks a child, time to add EMP grenades to your EDC! All that and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw282

Jul 30, 202232 min

Incident Response: Practice Like you Play - Paul Kelly, Tim Morris - ESW #282

Heightened emotions, demands for updates, not knowing how bad things might be... Incident response isn't easy, but practice and the right tools can make it a whole lot less stressful. Some regulations like PCI require annual IR tests, but is that enough? Imagine playing a sport where the team meets for one half-hearted practice once a year. How would that team perform under pressure? How would they communicate? Say this sports analogy has convinced you - the IR team should practice more and should practice effectively. Questions still remain - how often? Are tabletops enough, or are live exercises and simulations necessary? We'll aim to answer these questions and more during this interview with Tim and Paul from Tanium. This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw282

Jul 30, 202235 min

Apple Airtag Detection & Simulation - PSW #749

We've heard about the recent abuses for Apple's AirTags used in tracking and stalking issues in recent months. While tools exist for detection under the Apple ecosystem, limited options exist for Android and none under Linux. We'll explore the AirTag beacons and showcase some tools for detecting beacons and creating our own for testing under Linux. We'll also show some ways to take our methods even further as an exercise left unto the reader. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw749

Jul 29, 202254 min

Cybersecurity Is a Team Sport - Dixon Styres, Jamie Moles - ESW #282

In order to run a successful SOC, security leaders rely on tools with different strengths to create layers of defense. This has led to a highly siloed industry with over 2,000 vendors, each with their own specific function and who very seldom work together. To gain an advantage on attackers, we need to start seeing cybersecurity as a team sport––united for a shared mission. In this session, ExtraHop's Jamie Moles and CrowdStrike's Dixon Styres discuss why and how vendors should work together to enable better integrated security for their customers. They'll share their joint philosophy toward an ecosystem approach to security and will show off some of the specific capabilities of the integration between ExtraHop Reveal(x) 360 and CrowdStrike Falcon in a live demo. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw282

Jul 29, 202237 min

FreeBSD, Steam Decks, Ancient Computers, UEFI Rootkits, & Office Macro Saga Continues - PSW #749

In the Security News FreeBSD and the software supply chain, open-source implies that its open, hardcoded passwords are always bad, on-again, off-again, on-again, privilege escelation defined, preparing for quantum, so many vulnerabilities, CosmicStrand another UEFI firmware rootkit, & reviving ancient computers! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw749

Jul 29, 20222h 8m

Atlassian Vuln, Attacking OAuth, OpenSSF Security Audits, Tabletop Exercises - ASW #205

Vuln in an Atlassian Confluence app, "Dirty Dancing" in OAuth flows, security audits of sigstore and slf4j, flaws in fleet management app, conducting tabletop exercises. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw205

Jul 29, 202240 min

How to Build a Successful Continuous Application Security Program - Ferruh Mavituna - ASW #205

Pressured by the speed of innovation, organizations are struggling to achieve the continuous web application security they need in the face of mounting threats and compliance requirements. What does it take in order for your AppSec program to be both effective and agile? In this segment, Ferruh Mavituna, founder and strategic advisor of Invicti Security, discusses best practices to help you implement an effective, agile, and – most importantly – continuous approach to application security. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw205

Jul 29, 202236 min

5 Questions CFOs Should Ask, Escape Your Echo Chamber, and Up Your Cybersecurity Game - BSW #270

In the leadership and communications section, 5 Cybersecurity Questions CFOs Should Ask CISOs, How Leaders Can Escape Their Echo Chambers, 10 Cybersecurity Compliance Statistics That Show Why You Must Up Your Cybersecurity Game, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw270

Jul 27, 202220 min

Why Your Current Security Risk Assessment is Not Effective and How to Fix It - Doug Landoll - BSW #270

Most current security risk assessments are not effective. Doug Landoll joins BSW to explain how we can fIx this. Doug will share 5 Essential Elements of an Effective Security Risk Assessment, including: - Scoping, Scheduling, and Champions - Team Structure - Data and Measurements - Calculations and Analysis - Reporting, Presentation, and Tracking Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw270

Jul 26, 202232 min

Whistleblowing, Pwnednomore, Robot Protection, Securing Embedded Devices, & Hatching - ESW #281

Finally, in the Enterprise Security News: HiveWatch raises $20M to protect the office, FORT Robotics raises $13M to protect the office from robots, Emproof raises €2M to secure embedded devices, Dutch startup OneWelcome acquired by Thales, Dutch startup Hatching acquired by Recorded Future, Pwnednomore aims to protect Web3, Cybersecurity vendors make us less secure And perverse incentives in whistleblowing! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw281

Jul 23, 202258 min

Supply Chain Level 0: Grinding Tractors to a Halt - Sick Codes - ESW #281

Sick Codes hacked all four John Deere Telematics Gateway's, and the John Deere Gen4 Series Display. Without those, it's "just a tractor." However, this is Critical Infrastructure. In fact, without Tractors, Combines & Implements: farmers cannot plant, spray or harvest. No raw materials == no food & alcohol. You will see how long I persisted over multiple months, to gain access and was able to hack these devices to the absolute binary core, warts & all. What was the bounty? Source Code, Root File Systems, FPGA compiled binaries, the works. Agricultural Security is a serious issue. Multiple ransomware attacks last year showed exactly how destructive attacks on Food & Agriculture are, and how fragile the supply chain is. Segment Resources: https://sick.codes https://github.com/sickcodes https://www.youtube.com/watch?v=zpouLO-GXLo https://hardwear.io/usa-2022/speakers/sick-codes.php Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw281

Jul 23, 202234 min

Going Passwordless with Risk Signals - Aubrey Turner - ESW #281

Passwordless authentication is all the rage. And rightly so, given its promise of driving engagement and boosting productivity via more secure and frictionless user experiences. However, the path to passwordless often leads to more questions than answers. Don't fret! We'll offer a passwordless journey roadmap that delves into leveraging different risk signals like user behavior and device characteristics to make smarter authentication decisions. Segment Resources: https://www.pingidentity.com/en/solutions/business-priority/passwordless.html https://download.pingidentity.com/public/assets/misc/en/3637-workforce-survey-passwordless-future.pdf This segment is sponsored by Ping. Visit https://securityweekly.com/ping to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw281

Jul 22, 202240 min

Linux Distros, The Linux Firewall, CIA Agents, Vault 7 Leaks, & The "Coolest" Laptop - PSW #748

In the Security News for this week: heat waves and outages, GPS trackers are vulnerable, cracks in the Linux firewall, bas password crackers, microcode decryptors, SATA antennas, Okta vulnerabilities not vulnerabilities, updates on former CIA agent and Vault 7 leaks, decompiler explorer, and Tuxedo brings to market a liquid cooled laptop, & more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw748

Jul 22, 20222h 9m

ICS Security - Lesley Carhart - PSW #748

We are thrilled to welcome Lesley (@hacks4pancakes) back to the show! In this segment, we'll dig into some ICS security topics including some recent threats, monitoring ICS networks for security, incident response for ICS, and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw748

Jul 22, 202254 min

8 Leadership Principles, 8 Changes to Cybersecurity, & 6 Tips for Hiring - BSW #269

In the leadership and communications section, How CISOs can prepare for new and unpredictable cyberthreats, 8 Leadership and Management Principles from Ex-Navy Seal, Practice Transparent Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw269

Jul 20, 202230 min

The State of Industrial Security in 2022 - Mike Goldgof - BSW #269

IIoT infrastructure protection requires immediate attention. Barracuda just released key findings from a report titled "The state of industrial security in 2022," that covers the following: • The network breaches, ransomware attacks, and other security incidents businesses are facing • The current challenges related to infrastructure protection, remote access security, and digital transformation • The solutions and strategies decision makers are using to close security loopholes and boost the protection of IIoT infrastructure This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw269

Jul 19, 2022

Retbleed, CSRB's First Report, a Case-Sensitive Action, Mac Malware Book - ASW #204

New speculative execution attack with retbleed, CSRB's report on log4j, one-line lowercase action leads to a vuln, approaching SOC2 with secure engineering principles, free online Mac Malware book Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw204

Jul 19, 202239 min

0-Day Vulnerabilities & What's Next - Larry Maccherone - ASW #204

0-day vulnerabilities pose a high risk because cybercriminals race to exploit them and vulnerable systems are exposed until a patch is issued & installed. These types of software vulnerabilities can be found through continuous detection but even then may not always have a patch available. It's important for software teams to set up tools that continually look for these types of flaws, as well as defenses that let software adapt itself to an evolving threat landscape. In this episode, we will discuss the ins and outs of 0-day vulnerabilities and what the future of managing them looks like. Segment Resources: Recent 0-day blog: https://www.contrastsecurity.com/security-influencers/contrast-protect-eliminates-another-zero-day-headache What is Contrast Security video: https://www.youtube.com/watch?v=8FwY6zJX1ms The Contrast Secure Code Platform video: https://www.youtube.com/watch?v=k5CycR4R6bg This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrastsecurity to learn more! https://adhdatwork.add.org/help-adhd-employees-succeed/

Jul 18, 202235 min

Survival of the Quickest, Ransomware Victim Paid, Zendesk, & Cyber Insurance Unicorn - ESW #280

In the Enterprise Security News, Cyber insurance joins the Unicorn club, Bishop Fox raises a $75M Series B, A dozen more funding rounds, XM Cyber acquires Cyber Observer, Zendesk gets bought by private equity, 5 more rounds of cybersecurity layoffs, Some very interesting new products - both open source and commercial, Survival of the Quickest, And a ransom victim earning money from its payment?? Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw280

Jul 16, 20221h 6m

Securing IoT Devices - Kevin L. Jackson - ESW #280

Connected devices outnumber us humans two to one, a ratio that is on an accelerating growth curve. Risks associated with device counterfeiting and cyberattacks is also growing rapidly and now represent very real real risks to economies, national security, our critical infrastructure, and our very lives. One necessary component for addressing this threat is establishing a verifiable and immutable device identification and lifecycle reporting system. Segment Resources: Number of mobile devices worldwide 2020-2025: https://www.statista.com/statistics/245501/multiple-mobile-device-ownership-worldwide/ UCID Website - https://www.ucidentifier.io/ Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw280

Jul 15, 202248 min

ExpressLRS Protocol, Pi Pico W Wireless, Apple v. Spyware, & Lenovo UEFI Flaws - PSW #747

In the Security News for this week: Raspberry Pi Pico W Adds Wireless, Apple expands commitment to protect users from mercenary spyware, UK health authorities slammed for WhatsApp use in pandemic, Three UEFI Firmware flaws found in tens of Lenovo Notebook models, & a Hack Allows Drone Takeover Via 'ExpressLRS' Protocol! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw747

Jul 15, 20221h 57m

Six Degrees of BloodHound - Andy Robbins - PSW #747

Andy will explain the origin story of BloodHound, as well as where the project is today and where it's going in the future. Andy will also share his current research surrounding Azure attack paths. Segment Resources: https://github.com/BloodHoundAD/BloodHound https://medium.com/p/82667d17187a Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw747

Jul 15, 20221h 10m

A Transform Perspective & Latest Trends in Identity & Access - Fleming Shi, Meritt Maxim - ESW #280

How surreal it is for the industry to return to RSA event in person... what changed or transformed fundamentally ... etc. Specific impacts around the areas of ZTNA, SOC, and OT security. T his segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them! Merritt Maxim discusses the latest trends on identity access and how organizations should tackle the ever expanding user security challenges. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw280

Jul 15, 202232 min

Cyber Capable Board, CISO Maturity, & Culture of 'Yes' - BSW #268

In the Leadership and Communications segment: How to build a cyber capable board, Who Is Legally Responsible for a Cyber Incident?, Building a security culture of 'Yes', and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw268

Jul 13, 202227 min

Security Money - The Index is Down, But Not Out - BSW #268

This edition of Security money is a 2 quarter update for both Q1 2022 and Q2 2022. That's what happens when you have a lot of interest and interviews. Although the SW25 Index is down, it's still outperforming the Nasdaq! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw268

Jul 12, 202237 min

iOS Lockdown Mode, 2FA in PyPI, CloudVulnDB, & Practical Attacks on ML - ASW #203

This week in the AppSec News: Apple introduces Lockdown Mode, PyPI hits 2FA trouble, cataloging cloud vulns, practical attacks on ML, NIST's post-quantum algorithms, & more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw203

Jul 12, 202235 min

The Security Challenges That Devs Encounter When Building Secure Apps - Farshad Abasi - ASW #203

Appsec starts with the premise that we need to build secure code, but it also has to be able to recommend effective practices and tools that help developers. This also means appsec teams need to work with developers to create criteria for security solutions, whether it's training or scanners, in order to make sure their investments of time and money lead to more secure apps. Segment Resources: https://forwardsecurity.com/2022/04/24/embedding-security-into-software-during-development/\ https://forwardsecurity.com/2022/03/15/application-security-for-busy-tech-execs/ https://forwardsecurity.com/2022/03/09/sast-sca-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw203

Jul 11, 202234 min

Answering the 'How' Questions of Software Security - Nikhil Gupta - ASW #199

Nikhil will be discussing the pain points that leaders in the application security space are facing, which can cover how software development has evolved, as well as how this has impacted development teams and security teams as well as the occurrence of shifting left. He would also like to speak to the solution he has found to this problem, specifically being that of developing a community, the Purple Book Community. This closely connects to the final topics he would like to cover, which include how breaches have continued to occur at an increasingly rapid pace, leading to the importance behind why and how companies should be prepared for when, not if, a cyber attack will occur. The talk will also cover how the Purple Book of Software Security came about and how it has now morphed into a global movement by security leaders, for security leaders, to develop secure software. Segment Resources: https://www.armorcode.com/ https://www.thepurplebook.club/ https://www.armorcode.com/what-is-appsecops https://www.armorcode.com/platform-overview https://www.armorcode.com/news https://www.armorcode.com/integrations Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw199

Jul 6, 202239 min

Prank Calls, Lazarus APT, WordPress Critical Vulns, CISA Adds 41 Flaws, & Zoom Bugs - PSW #742

This week in the Security News: Chaining Zoom bugs is possible to hack users in a chat by sending them a message, Microsoft vulnerabilities down for 2021, CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog, Using NMAP to Assess Hosts in Load Balanced Clusters, Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover, & more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw742

Jul 6, 20221h 44m

Pwn2own, Verizon's DBIR, Zoom's XMPP Flaws, $10M Bounty, & More Bad Packages - ASW #199

This week in the AppSec News: Pwn2own results, reading the DBIR for appsec insights, XMPP flaws in Zoom, $10M bounty for a blockchain bridge vuln, researcher puts malicious payloads in ancient packages, Argo patches JWT handling, & more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw199

Jul 6, 202237 min

Building Career Links to Secure the Real Supply Chain - John Pescatore - PSW #742

John will go through his mostly random career choices that led to a long and fun career in information/cybersecurity - and how that ties into today's demand to secure the increase complex supply web of chains. Segment Resources: SANS Cyberstart initiative - https://www.cyberstartamerica.org/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw742

Jul 6, 20221h 10m

Attack Surface Management & Experience in the Age of Security - ESW #279

Over the past year, we've seen more buzz develop around attack surface management. In fact, major analyst firms Forrester and Gartner recently released research about this topic. But what exactly is it? In this segment, join Mark St. John, LookingGlass's SVP of Product, to learn more about how to define your attack surface, how to manage it, and how it can help your organization improve its cybersecurity. This segment is sponsored by LookingGlass Cyber. Visit https://securityweekly.com/lookingglass to learn more about them! As the push toward digital transformation continues, every organization is having to choose: Security or experience first? We are entering an era where Security and Identity professionals work together to eliminate tradeoffs and rapidly evolve from technical experts to experience artists. Using solutions that customize, code, and integrate for you while boosting security through MFA, passwordless logins, and risk modernizes your identity experience. This segment is sponsored by Ping. Visit https://securityweekly.com/ping to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw279

Jul 2, 202227 min

"The Road to Data Theft is Paved with Identities" - Len Noe - ESW #279

Extortion, business disruption, and monumental payouts. We'll cover trends in attacker "innovation" and role of identities and credentials. This segment is sponsored by CyberArk. Visit https://securityweekly.com/cyberark to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw279

Jul 2, 202245 min

What's New With PCI v4.0 - Jeff Man - ESW #279

PCI DSS v4.0 was released on March 31st, 2022 and we've got Jeff Man joining us today to discuss some of the more notable changes that folks should be aware of. Some great resources from Jeff and his employer on PCI 4.0: https://info.obsglobal.com/pci-4.0-resources And the PCI Council's own summary of changes between PCI 3.2.1 and 4.0: https://securityweekly.com/wp-content/uploads/2022/06/PCI-DSS-Summary-of-Changes-v3_2_1-to-v4_0.pdf Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw279

Jul 1, 202245 min

Destructive Firmware, Keys to the Kingdom, the Device Level, & 5 CyberSec Myths - PSW #746

In the Security News for this week: ICS training bill, 5 myths, VoIP devices and ransomware, miracle exploits, UnRAR and Zimbra, guess what the most common weakness is, security at the device level is NOT simple, keys to the kingdom, and HP says Destructive firmware attacks pose a significant threat to businesses! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw746

Jul 1, 20221h 59m

Cult of the Dead Cow & the Best Cybersecurity Journalism - Joseph Menn - PSW #746

Veteran cybersecurity journalist and author Joseph Menn, now at the Washington Post, talks about his books and the best reporting on hacking and defense today. Since he began writing on the subject in 1999, Menn has broken some of the biggest stories in the industry and written two of most widely read books in the Cybersecurity Canon. Segment Resources: https://www.amazon.com/Joseph-Menn/e/B001HD1MF6%3Fref=dbs_a_mng_rwt_scns_share https://www.washingtonpost.com/technology/2022/05/01/russia-cyber-attacks-hacking/ https://www.reuters.com/investigates/special-report/usa-politics-beto-orourke/ https://www.reuters.com/article/us-usa-security-rsa/exclusive-secret-contract-tied-nsa-and-security-industry-pioneer-idUSBRE9BJ1C220131220 https://www.reuters.com/article/microsoft-china/insight-microsoft-failed-to-warn-victims-of-chinese-email-hack-former-employees-idUKL1N14I1LU20151231 https://www.wired.com/story/cult-of-the-dead-cow-at-stake-hackers-excerpt/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw746

Jul 1, 2022

Security Consolidation & Beyond the CyberSec Motions - Malcolm Harkins, Paul McKay - BSW #267

There was a time when the perceived wisdom was to buy best of breed security technologies and that would do for your security program. Trouble of is, none of it integrates with each other or your wider IT. With budgets getting tighter, security pros are being asked to look again at big portfolio security providers and work out whether they can use their offerings to slim down. In this session I'll discuss what I'm hearing from our customers, and some of the things we are starting to see people do to balance the need to optimize cost and efficiency without compromising security protection. Speed, Velocity, and Acceleration. The physics of motion are well documented, and we understand how these scalar and vector quantities differ. In information security and cyber risk management the dynamics are not as well understood which has confused our ability to distinguish between motion and progress. This confusion intensifies our escalating risk cycle by causing a mirage of control that continues to lead us to down a path of compromise and catastrophe, adding to our growing labor and skill deficit. This segment is meant to explore the existing physics and gravitational forces of how we have approached cyber risk management to date, discuss where we are stuck today as well as ideas for a path forward - a reorientation of security operations function so that it is optimized to handle the volume as well as reposition it from an anchor point of continual reaction to one where it can take proactive action in front of the cycle of risk. The heart of these changes is a redefinition of the risk equation we have been using for decades Risk = F (Threat, Vulnerability, Consequence) which while useful initially has created a spray and pray model across most of our organizations. I will explain how to redefine the equation to be Risk = F (Threat, Exploitability, Consequence). Segment Resources: https://www.uscybersecurity.net/csmag/going-beyond-the-motions-of-cybersecurity/ Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw267

Jun 29, 202232 min

The VC Perspective: Embracing Uncertainty & Staying the Course - Alberto Yépez - BSW #267

Forgepoint Capital's Co-Founder and Managing Director, Alberto Yépez, explains what the current economic challenges mean for innovation and the future of the cybersecurity market. Hear his perspective on what security investments, as well as mergers and acquisitions, will look like throughout the next 12-18 months, and how responsible companies are staying the course amidst layoffs and budget cuts in order to turn uncertainty into a strategic path forward. Segment Resources: - Forgepoint's new CISO security priorities model: https://forgepointcap.com/news/forgepoint-capital-builds-first-ever-ciso-security-priorities-model/ Recent exits that Forgepoint supported: - Forescout acquires Cysiv on June 6, 2022(release: https://www.cysiv.com/news/forescout-announces-intent-to-acquire-cysiv and Forgepoint's blog: https://forgepointcap.com/news/executive-spotlight-an-interview-with-partha-panda-ceo-of-cysiv/) - SentinelOne acquires Attivo Networks on May 4, 2022 (release: https://www.sentinelone.com/press/sentinelone-completes-acquisition-of-attivo-networks/ and Forgepoint's "why we invested" blog: https://forgepointcap.com/news/attivo-networks-why-we-invested/) - LexisNexis Risk Solutions Acquires BehavioSec on May 3, 2022 (release: https://risk.lexisnexis.com/about-us/press-room/press-release/20220503-behaviosec and Forgepoint's blog: https://forgepointcap.com/news/executive-spotlight-an-interview-with-neil-costigan-of-behaviosec/ ) - Cloudflare acquires Area 1 Security on April 1, 2022 (release: https://www.cloudflare.com/press-releases/2022/cloudflare-completes-acquisition-of-area-1-security/ and Forgepoint's "why we invested" blog: https://forgepointcap.com/news/area-1-security-why-we-invested/ ) Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw267

Jun 28, 202238 min

More Fuzzing, a Decade of OT Security, & Top Threats to Cloud Computing - ASW #202

This week in the AppSec News: Lessons learned from fuzzing, OT:ICEFALL report on insecure designs, CSA's Top Threats to Cloud Computing, Twitter apologizes for misusing data collection, & State of Open Source Security report! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw202

Jun 28, 202237 min

How GraphQL & Template Injection Threats Influence App Architectures - Mike Benjamin - ASW #202

Both GraphQL and template engines have the potential for injection attacks, from potentially exposing data due to weak authorization in APIs to the slew of OGNL-related vulns in Java this past year. We take a look at both of these technologies in order to understand the similarities in what could go wrong, while also examining the differences in how each one influences modern application architectures. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw202

Jun 27, 202237 min

Stopping Phishing Attacks & A Fresh Approach to Reducing Cyber Risk - Chris Cleveland, Mehul Revankar - ESW #278

PIXM stops phishing attacks at point of click with computer vision in the browser, protecting users from phishing beyond the mailbox in any application. With the launch of PIXM Mobile, PIXM is now delivering this capability on iPhones as well as desktop devices. Segment Resources: https://pixmsecurity.com/mobile/ This segment is sponsored by Pixm. Visit https://securityweekly.com/pixm to learn more about them! The rise in disclosed vulnerabilities, the speed they are weaponized, and the cyber talent shortage have left teams struggling to wade through a mountain of vulnerabilities. In this discussion, Mehul will discuss the need for a new way to cut through the noise to focus teams on prioritizing and fixing those critical vulnerabilities that will most reduce risk in each organization's environment. He'll also cover how Qualys is redefining risk and vulnerability management in the latest version of VMDR and share stories of how customers have leveraged this solution to dramatically reduce risk. Segment Resources: www.qualys.com/trurisk www.qualys.com/vmdr This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw278

Jun 25, 202232 min

IBM Acquires Randori, Quantum Devices, Microsoft Defender, & RapidFort - ESW #278

Then, in the enterprise security news, CyberInt raises $28M for attack surface detection, RapidFort raises $8.5M for… pre-attack surface detection? Managing and monitoring your quantum devices? Making sure you don't lose access to your crypto wallets, IBM acquires Randori, Contrast Security makes some of their tools free, Rumble adds more interesting new features, Microsoft Defender for everyone, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw278

Jun 25, 202240 min

Plastic Bags, NSA Playsets, Megs Insecure, PHP Strikes Back, & Gamification - PSW #745

In the Security News for this week: appliances with holes, gamification and its pitfalls, false rocket sirens, PHP strikes again, new laws we may actually agree with, hacking jacuzzis, Icefall and the state of ICS security, Adobe is blocking anti-virus, Mega is Mega insecure, Microcorruption CTF and DIY NSA playset! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw745

Jun 24, 20221h 57m

Breaking Through Vendor Barriers: Product Data as a Service - Tim Morris - ESW #278

Introducing the concept of Tanium Data as a Service. When you've got a product like Tanium, that collects so much useful data - why would you want to keep it within Tanium? The 'Data-as-a-Service' model aims to increase the value of the Tanium product by safely sharing its data with other teams, tools, and groups within a customer's organization. This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw278

Jun 24, 202241 min

Lacework Layoffs, Anti-Hacking Law, The Security Study Plan, & StackZone - ESW #275

This week in the Enterprise News: Lacework lays off approx 300 employees, US Narrows Scope of Anti-Hacking Law Long Hated by Critics, Security Study Plan, DevSecOps Vulnerability Management by Guardrails, StackZone, Cipherloc Acquires vCISO Security Services Provider SideChannel, Broadcom to Buy VMware for $61 Billion in Record Tech Deal, Cyscale raises EUR 3 million in Seed Funding Round, & more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw275

Jun 24, 202249 min

Learning Should Be Fun - Sam Bowne - PSW #745

Many people think security is too difficult to learn because it is such a big field, and constantly growing. But it's endlessly fascinating and surprising, once you learn some fundamentals and get used to feeling stupid. My task is to help people get started, and learn how to appreciate this complex and challenging topic. Segment Resources: https://samsclass.info/ https://infosecdecoded.com/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw745

Jun 24, 20221h 6m

The 3 Ts (Truth, Transparence, Trust), 4 Leadership Strategies, & 5 Best Predictors - BSW #264

In the Leadership and Communications section, Uber CISO's trial underscores the importance of truth, transparency, and trust, 4 Leadership Strategies to Help Women Advance in the Tech Industry, 5 Best Predictors of Employee Turnover and What Leaders Should Do About Them, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw264

Jun 22, 202230 min

Hertzbleed, SynLapse, Java Deserialization, More MFA, Firmware Flaws, & Zombie 0-Day - ASW #201

This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw201

Jun 22, 202231 min

IE11 Goes to Zero -- A History of Browser Security and Bug Bounties - ASW #201

IE has gone to 11 and is no more. There's some notable history related to IE11 and bug bounty programs. In 2008, Katie Moussouris and others from Microsoft announced their vulnerability disclosure program. In 2013 this evolved into a bug bounty program piloted with IE11, with award ranges from $500 to $11,000. Ten years later, that bounty range is still common across the industry. The technical goals of the program remain similar as well -- RCEs, universal XSS, and sandbox escapes are all vulns that can easily gain $10,000+ (or an order of magnitude greater) in modern browser bounty programs. So, even if we've finally moved on from a browser with an outdated security architecture, we're still dealing with critical patches in modern browsers. Fortunately, the concept of bounty programs continues. References: - https://www.blackhat.com/presentations/bh-usa-08/Reavey/MSRC.pdf - https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v - https://web.archive.org/web/20130719064943/http://www.microsoft.com/security/msrc/report/IE11.aspx - https://web.archive.org/web/20190507215514/ https://blogs.technet.microsoft.com/bluehat/2013/07/03/new-bounty-programs-one-week-in/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw201

Jun 21, 202232 min