PLAY PODCASTS
Security Weekly Podcast Network (Video)

Security Weekly Podcast Network (Video)

4,876 episodes — Page 39 of 98

Cassandra RCE, Pixelation Is Poor Redaction, Rust's Useful Errors, & Hardening Edge - ASW #185

This week in the Application Security News: RCE in Cassandra, why pixelization isn't good redaction, Rust's compiler is friendly, Edge adds arbitrary code guard to its WASM interpreter, & the difference between secure code and a secure product (as demonstrated by a DAO) Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw185

Feb 18, 202232 min

0patch - Security Patching That Doesn't Make Your Life Miserable - Mitja Kolsek - ESW #261

0patch is a simple but powerful service that provides tiny targeted security patches to Windows computers, eliminating the most critical vulnerabilities without restarting the computer or relaunching applications. A different approach to patching allows us to both create and deploy 0day patches much quicker than original vendors can with their traditional update processes. Segment Resources: 0patch Blog with many posts on vulnerabilities and patches we make https://blog.0patch.com/ 0patch FAQ https://0patch.zendesk.com/hc/en-us/categories/200441471 Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw261

Feb 18, 202229 min

Running Windows Inside Containers On Linux - PSW #728

Yes, this is possible! We have incoporated into our vulhub-lab project a way to run Windows inside a Docker Container that is running on Linux. We didn't invent this technique but we will show you how to do it! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw728

Feb 18, 202238 min

Cybersecurity Coordinator Under President Obama - Michael Daniel - PSW #728

Michael joins us to discuss the importance of information sharing, how to convey cybersecurity practice and topics to senior leaders, cybersecurity regulation, myths surrounding militarizing cyberspace, and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw728

Feb 18, 202256 min

Changing the TPCRM Game W/ Cyber Risk Intelligence Tools - Vikram Asnani - ESW #261

Definitions of the word intelligence include a collection of information of military or political value as well as the ability to acquire and apply knowledge or skills. In cybersecurity, when we possess intelligence, we feed that data in our Security Operations Center (SOC) to further analyze the risk present. In this case, the risk is based on the probability of threats materializing and the impact they would have on the organization. We're calling the output of that SOC Cyber Risk Intelligence. Cyber Risk Intelligence is the ability to think holistically about risk and provide information that decision makers can act on...not just analyze. Traditional Vendor Risk Management (VRM) processes focus on the gap, which is essentially information that needs to be further analyzed against the risk to the business. This is an additional step that takes time and effort, especially when different compliance frameworks and threats are constantly emerging. Segment Resources: https://www.cybergrx.com/resources/research-and-insights/blog/beyond-risk-management-how-cyber-risk-intelligence-tools-are-changing-the-tpcrm-game This segment is sponsored by CyberGRX. Visit https://securityweekly.com/cybergrx to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw261

Feb 18, 202224 min

5 Leadership Lessons, 6 Steps to Success, & 6 Tips to Say No - BSW #250

In the Leadership and Communications section, 5 Leadership Lessons General Marshall can Teach Us, Cybersecurity incident response: The 6 steps to success, 6 Effective Tips to Politely Say No (that actually work!), and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw250

Feb 17, 202227 min

Time To Move Away From "G - little R - Big C" (GRC) - John Wheeler, Padraic O'Reilly - BSW #250

How to move from legacy GRC processes and systems to a more automated approach that promotes visibility, agility, and alignment from assessment to Boardroom. This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw250

Feb 15, 202231 min

Docker Boundaries, Google Bounties, 2021's Top Web Hacks, Apple AirTags, AI vs. RFCs - ASW #184

In the AppSec News: Docker and security boundaries, Google's year in vuln awards, 2021's year in web hacks, Apple AirTags and privacy, turning AIs onto RFCs for security, & facial recognition research! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw184

Feb 15, 202238 min

The Modern Developer Must be Security Minded, Too - Doug Kersten - ASW #184

In light of the far-reaching Log4j vulnerability, it's become increasingly clear that the modern developer can't operate without a solid level of security expertise. Vulnerability management is not just about responding quickly but should be top-of-mind during all stages of software development from inception to delivery. Modern threats mean developers can't assume security isn't part of their job and push the burden of responsibility to their infrastructure teams. Doug Kersten, CISO of Appfire, will discuss how the nature of vulnerabilities today makes it critical for developers to make sure they're building projects in a secure manner in order to quickly mitigate vulnerabilities – or they risk being left scrambling to respond when a threat hits. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw184

Feb 14, 202242 min

Glyptodons, Mandiant Rumors, Virtual CISOs, Log4j Testimony, & A Cyber Safety Board - ESW #260

Finally, in the Enterprise Security News, Security automation startup Cerby raises $12M, Virtual CISO startup Cynomi raises 3.5M to help SMBs automate cybersecurity, Keeper Security acquires Glyptodon (I'm 90% certain Keeper hasn't just purchased the remains of an ancient, long-extinct armadillo), SecurityScorecard acquires LIFARS, a DFIR consulting firm, There's a rumor that Microsoft is considering picking up Mandiant with all the extra cash still laying around after the Activision/Blizzard buy, & DHS launches the first-ever cyber safety review board! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw260

Feb 12, 202235 min

Uncovering a Major Linux PolicyKit Security Vulnerability: Pwnkit - Wheel - PSW #727

Qualys researcher, Wheel, will discuss the discovery of the 12 year old Linux vulnerability in PolicyKit - which Qualys had dubbed, PwnKit. Wheel will provide an overview of the vulnerability and then dive into a technical discussion of the research. Segment Resources: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw727

Feb 12, 202231 min

The State of Identity in the Enterprise - Branden Williams - ESW #260

We discuss the current state of identity challenges in the enterprise with Branden Williams. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw260

Feb 12, 202238 min

To Err Is Human, but the Blockchain Is Forever - ESW #260

One of the key features of cryptocurrency, NFTs, and other blockchain-based technologies is the immutable ledger. Put another way, there's no clear way to implement an 'undo' button when it comes to blockchain. In more traditional situations, passwords can be reset. Financial institutions can issue a stop payment order. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw260

Feb 11, 202233 min

AR vs. VR, Hacking Mazdas, Risqué Latte Art, Crypto Wormholes, & Carding Forum Seized - PSW #727

In the Security News for this week: Microsoft to block VBA macros by default (in some Office applications), Russia arrests it's 3rd hacking group, The 'Metaverse' of security challenges, $323 Million in crypto stolen from the "Wormhole", & a rapping influencer allegedly launders $4.5 billion worth of stolen crypto, & more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw727

Feb 11, 20221h 6m

Cybersecurity Is Not Just a Technical Problem - Brian Honan - PSW #727

We have spent decades tackling security threats with technology, and we are failing badly. We need to look and learn from other industries and see how they have improved their industry. In particular the airline safety and automobile safety industries have a lot that we can learn from. Things such as breach disclosures, accountability, root cause analysis with openly shared results, focused training, industry norms for checklists, certification of products, and regulations have all improved these industries. Segment Resources: Security Industry Failing to Establish Trust https://threatpost.com/security-industry-failing-to-establish-trust/128321/ Treat infosec fails like plane crashes' – but hopefully with less death and twisted metal https://www.theregister.com/2017/11/24/infosec_disasters_learning_op/ IoT security: Lessons we can learn from the evolution of road safety https://www.helpnetsecurity.com/2018/08/09/iot-security-lessons/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw727

Feb 11, 20221h 19m

Cybersecurity Policy Creation, Champions Program, & the War for Talent - BSW #249

In the leadership and communications section, Cybersecurity Policy Creation: Priority One, 5 steps to run a successful cybersecurity champions program, The war for cloud and cybersecurity talent is on! , and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw249

Feb 9, 202234 min

Effective Communications During & After a Cyber Attack - Ann Marie van den Hurk - BSW #249

A cyber attack is a catastrophic event for any organization. Therefore, effective cyber crisis communication is crucial but often overlooked and an internal concern. In this conversation, we will talk about critical communications and why it is essential to recover quickly and with their reputation intact. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw249

Feb 8, 202230 min

HTTP/3 Streams, Argo CD Paths, Log4j Devs, Cyber Safety Review Board, OSSF Projects - ASW #183

Vulns in an HTTP/3 server, path traversal in Argo CD, Log4Shell from the perspective of Log4j devs, DHS launches Cyber Safety Review Board, OSSF launches Alpha and Omega projects, resources for learning reverse engineering and appsec Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw183

Feb 8, 202236 min

Policy Momentum in Coordinated Vulnerability Disclosure - Amit Elazari - ASW #183

Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. Segment Resources: - Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html - Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/ - Intel's 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw183

Feb 7, 202240 min

Securing Olympians, Hiding in UEFI, 'Fingerprinting GPUs', & P4x vs. North Korea - PSW #726

This week in the Security News: Temporary phones, webcam hacks that are so much more, bags of cash, patch Wordpress plugins and patch them some more, crowd-sourced-government-funded vulnerability scanning, hiding deep in UEFI and bouncing off the moon, even more UEFI vulnerabilities, if Samaba were a fruit it would be....well vulnerable for one thing, charming kittens, fingerprinting you right in the GPU, Let's not Encrypt, your S3 bucket is showing again, and can you hack the latest wearable sex toys intended to delay things? Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw726

Feb 5, 20221h 43m

A Look at Microsoft's Cloud-Native SIEM - Darwin Salazar - ESW #259

In late 2019, Microsoft released their cloud-native SIEM, Sentinel. A lot in the world has changed since then so we'll be looking at Sentinel's progression, talking about it's features and what may make it attractive to enterprises in 2022 and beyond. To register for Darwin's upcoming workshop with Security Weekly, please visit: https://attendee.gotowebinar.com/register/2393226017093033995?source=esw Microsoft Sentinel Ninja Training - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310# Forrester MSFT Sentinel reports indicating 201% ROI over 3 years - https://www.microsoft.com/security/blog/2020/11/16/forrester-tei-study-azure-sentinel-delivers-201-percent-roi-over-3-years-and-a-payback-of-less-than-6-months/ If you want to get started with Kusto Query Language (KQL) without having to bootstrap your own environment, MSFT has a live log analytics workspace with tons of log data. You must have an Azure subscription to use. Link : https://aka.ms/lademo Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw259

Feb 5, 202231 min

How Zapier's Attila Török Manages Security for a 100% Remote Organization - Attila Török - ESW #259

Imagine having 500+ employees across the world — all working remotely. Now imagine making sure they can all do their work securely. This is exactly what Zapier's Head of Security, Attila Török does. In this chat, you'll hear from Attila regarding his experience and best practices for defending a cloud-based tech company with a remote workforce and infrastructure (including what systems to implement). Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw259

Feb 4, 202228 min

Linux Post Exploitation - PSW #726

In this Technical Segment, Paul walks through Linux Post Exploitation! Github: https://github.com/SecurityWeekly/vulhub-lab Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw726

Feb 4, 202231 min

The 1000th Unicorn, Island Browser, Optiv For Sale, & Polar Bear Takeover - ESW #259

Finally, in the Enterprise Security News, Island raises $100M to introduce a new Chromium-based web browser, designed for the enterprise, Plextrac rasies a $70M Series B, HackerOne raises a $49M Series E, Tenable acquires BAS vendor Cymptom, Orca swallows up RapidSec (sorry, had to), Cybereason confidentially files for IPO, KKR looks to offload Optiv, Cybersecurity startup trends of 2022, 1000 Unicorns, Infosec Startup Buzzword Bingo, We've got fundings, IPOs, acquisitions, take privates, a $3B seed round, legislation that makes sense - all kinds of exciting stuff today, on this episode of Enterprise Security Weekly! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw259

Feb 4, 202251 min

Covert EDC & Physical Pen Tests - Brent White - PSW #726

Discussing every-day-carry items that are utilized during covert entry assessments. Also discussing the concealment of these tools, and which tools we use for various assessment types. Segment Resources: # Blog website : www.wehackpeople.com # Employer's website : www.darkwolfsolutions.com # Link for EDC - Covert Entry Wallet : https://wehackpeople.wordpress.com/2019/10/10/lock-pick-concealment-edc-wallet/ # Link for other EDC items I use : https://wehackpeople.wordpress.com/2020/09/14/covert-entry-specialist-edc/ Physical Pentest Tools: https://www.sparrowslockpicks.com/product_p/hp.html https://www.redteamtools.com/espkey https://www.redteamtools.com/under-door-level-lock-tool Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw726

Feb 4, 20221h 7m

Cybersecurity & Audit, CIO Involvement Grows, & Poor Security Culture - BSW #248

In the leadership and communications section, Cybersecurity increasingly on audit committee agendas, CIO involvement in security grows as CEOs target risk reduction, How Poor Security Culture Leads to Insider Risk, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw248

Feb 2, 202227 min

Digital Risk Protection - Dan Mathews - BSW #248

Your information is everywhere. Executive, employee, and corporate data are contained in breach data, social media, and the dark web. How do you protect your organization from impersonation and account takeover attacks? Dan Matthews, Director, Worldwide Sale Engineering from Constella Intelligence, will discuss the challenges with digital risk protection and how to protect your executives, employees, and corporate brand. This segment is sponsored by Constella Intelligence . Visit https://securityweekly.com/constella to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw248

Feb 1, 202229 min

PwnKit, Qubit Hack, Multichain Hack, Safari Bounty, & Python NaN - ASW #182

PwnKit LPE in Linux, two different smart contract logic flaws in two different hacks, a $100K bounty for Safari, Python NaN coercion, appsec games Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw182

Feb 1, 202236 min

Shift Left, NOT S#!T LEFT - Larry Maccherone - ASW #182

If you attempt to shift security left without adaptation, it'll feel a lot more like S#!T LEFT to the development teams but most security groups lack the mindset and skills to do it in a way that works well with modern development approaches and tools but directly focuses on gradual methodical practice and culture change. Larry Maccherone led the Dev(Sec)Ops transformation program in the highly diverse environment at Comcast using Agile and Digital Transformation approaches. Teams that onboarded to the program had 1/7th as many vulnerabilities and incidents in production -- a result so compelling that security leadership allowed it to scale to all 600 development teams. Along the way, Larry learned some critical lessons on how to provide a gradual onramp to empowering teams to be worthy of being trusted with the security of the products they were developing. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw182

Jan 31, 202239 min

Continuous Red Teaming Trends - Bikash Barai - ESW #258

Why is continuous security here to stay? How is Red Teaming getting automated and moving towards continuous? Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw258

Jan 29, 202237 min

12 Year Linux Bug, Recovering Bitcoin, Lulzsec's Impact, & Pimp My Cubicle - PSW #725

This week in the Security News: More QR codes you shouldn't trust, race conditions in Rust, encrypting railways, Pwnkit - the latest Linux exploit, tricking researchers into crashing, cybersecurity is broken?, the best cybersecurity research paper, evil Favicons, escaping Kubernetes, pimping your cubicle and someone who actually recovered their crypto wallet! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw725

Jan 29, 20221h 12m

New Startups From Stealth, It's Not Matt Damon's Fault, Merck Wins, & Pearson Fined - ESW #258

This week, in the Enterprise Security News, Hunters raises a series C to continue building XDR, Anitian raises a $55M Series B, Four new startups emerge from stealth with seed funding, BugAlert is a new tool for notifying the public of new vulnerabilities, Turns out, Crypto.com WAS hacked, but it wasn't Matt Damon's fault, Who is at fault if a hacked car kills someone?, Merck wins - it was NOT an act of war, according to one court...Pearson is fined $1M for misleading investors about their 2018 data breach, Secrets of Successful Security Programs, & Why employees don't care about your security policies! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw258

Jan 29, 202253 min

Log4Shell: Impact & Lessons Learned - Jamie Moles - ESW #258

If 2021 taught us anything, it's that our supply chain–especially our technical supply chain–hangs in the balance of a very fragile system. In this interview, ExtraHop's Jamie Moles examines the impact of the Log4Shell zero day and how enterprises can be assured that they're in the clear with the help of a live demo of the vulnerability in a lab environment. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw258

Jan 28, 202241 min

Securing Ubiquiti WiFi Systems - PSW #725

Ubiquiti has become a crown favorite for WiFi (and many other solutions). Learn how to do some basic security, update the software, change passwords and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw725

Jan 28, 202249 min

Cracks in the Castle - Jimmy Sanders - PSW #725

Enterprises today has an ever expanding attack surface. Jimmy Sanders, Head of Security for DVD.com, joins to discuss how Organizations are constantly trying to stay ahead of the latest known and unknown risks! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw725

Jan 28, 202254 min

Mastering Art and Science, Stakeholder Trust, and Trustworthy Computing - BSW #247

In the leadership and communications section, Mastering Art and Science Is Imperative for CISOs to Be Successful, Seven Ways to Ensure Successful Cross-Team Security Initiatives, 2 Key Cybersecurity Lawmakers Will Not Seek Reelection, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw247

Jan 26, 202233 min

Securing the Digital Value Chain - Mark Fernandes - BSW #247

Enabling the business requires a nuanced view of verticalization and what it means to an enterprise. Why is this important as CISO's think about how to apply cyber to enterprise resiliency? Mark Fernandes, Global Chief Technology Officer, Security, Risk, and Governance Solutions from MicroFocus, joins us to provide an overview of their Galaxy platform that aligns threats to prioritized risk activities. If you want learn more or sign-up and try Galaxy for free, please visit https://securityweekly.com/galaxy. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw247

Jan 25, 202227 min

IndexedDB Leak, Linux Kernel Bug, Zoom Security, SSRF & Allow Lists, Security Courses - ASW #181

In the AppSec News, Safari fixes a privacy leak in IndexedDB, integer arithmetic flaw leads to Linux kernel bug, a look back on Zoom security, SSRF from an URL allow list bypass, a security engineering course and lectures, 25 years of HTTP/1.1 Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw181

Jan 25, 202234 min

API Security (Shadow APIs) - Himanshu Dwivedi - ASW #181

It is hard, if not impossible, to secure something you don't know exists. While security professionals spend countless hours on complex yet interesting issues that *may* be exploitable in the future, basic attacks are occurring every day against flaws in code that receives little review. For example, a "dated trend" by effective yet lazy hackers is to search for APIs unknown by security teams, coined "Shadow APIs", then connect to these APIs and extract data. SQL Injection used to be the hack of choice, as a few simple SQL commands would either mean pay dirt or "move on to the next target". Now the same can be said for Shadow API: Find, Connect, Extract. Himanshu will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button or a few lines of code in Python. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw181

Jan 24, 202235 min

McAfee MVISION XDR, Microsoft Acquires Activision Blizzard, & Tom Brady NFTs - ESW #257

In the Enterprise Security News: 1Password plans to do some shopping with their massive Series C, Devo announces a $250M round, Permiso Security and Tromzo emerge backed by both traditional VCs and industry execs, STG spins out McAfee's MVISION XDR product as Trellix - the first of many spinouts, they say, Microsoft reminds us that, in addition to being the industry's largest security vendor, they can also drop $70B on video games if they feel like it, More reminders that open source is essential, but orgs with massive budgets will still treat it as worthless and disposable, Real-world stories of CI/CD pipeline compromises, Is Uber's former CSO going to jail?, and Tom Brady NFTs! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw257

Jan 22, 20221h 4m

Architecture & Security from the Trenches - Will Clark - ESW #257

An open discussion of challenges facing software and system architects in small and medium sized businesses. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw257

Jan 22, 202221 min

REvil Gang Arrested, 5G & Airplanes, Zoom Zero-Click, & Stolen Brownies - PSW #724

In the Security News: Malware targets Ukraine, I wonder where that's coming from?, evil Google Docs comments, Russia grabs REvil, funding a dictatorship, Zoom zero clicks, When 9-year old's launch DDoS attacks, 5G interference, and when your Mom steals your brownies! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw724

Jan 22, 20221h 39m

Vulnerability Management is Dead! - Rickard Carlsson - ESW #257

Modern tech stacks are becoming increasingly complex puzzles of components built in-house and sourced from third-party vendors. With DNS at the center of the infrastructure, and staging and production being sometimes just minutes apart, scanning for CVEs is not enough to stay on top of web threats. There are lots of critical things traditional app scanners won't catch, like dangling DNS records, subdomain takeover and open S3 buckets. To keep their growing attack surface secure, companies need to combine crowdsourced vulnerability detection with solutions that detect outliers and anomalies in their software - before these become an attack vector. In this episode we'll discuss: - Why hunting for vulnerabilities is no longer enough to stay on top of threats - Vulnerability Management vs Attack Surface Management - How security teams can adapt their vulnerability management process to modern dev cycles. Segment Resources: More insights on how to secure your external attack surface: https://detectify.com/resources Free trial of Detectify's attack surface management solutions: https://detectify.com/product/surface-monitoring https://detectify.com/product/application-scanning This segment is sponsored by Detectify. Visit https://securityweekly.com/detectify to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw257

Jan 21, 202236 min

Using WPScan To Find WordPress Vulnerabilities - PSW #724

wpscan is a free tool for scanning WordPress, and let's face it, there are many vulnerabilities to be found in Wordpress! This segment will walk you through installing, configuring and using wpscan. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw724

Jan 21, 202219 min

Cyber Resilience - Cybersecurity Mental Health - Neal O'Farrell - PSW #724

What can we do to raise awareness on issues of mental health for cybersecurity professionals? Neal walks us through some of the issues and ways to deal with them. Neil has also put together training and awareness materials around the subject. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw724

Jan 21, 202257 min

Scams and Security in Web3*, URL Parsing Problems, AWS Glue, CI/CD Compromises - ASW #180

Scams and security flaws in (so-called) web3 and when decentralization looks centralized, SSRF from a URL parsing problem, vuln in AWS Glue, 10 vulns used for CI/CD compromises Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw180

Jan 19, 202227 min

Investing in Open Source Security - ASW #180

This isn't a story about NPM even though it's inspired by NPM. Twice. The maintainer of the "colors" NPM library intentionally changed the library's behavior from its expected functionality to printing garbage messages. The library was exhibiting the type of malicious activity that typically comes from a compromised package. Only this time users of the library, which easily number in the thousands, discovered this was sabotage by the package maintainer himself. This opens up a broader discussion on supply chain security than just provenance. How do we ensure open source tools receive the investments they need -- security or otherwise? For that matter, how do we ensure internal tools receive the investments they need? Log4j was just one recent example of seeing old code appear in surprising places. Segment resources - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/ - https://www.zdnet.com/article/when-open-source-developers-go-bad/ - https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/ - https://www.theregister.com/2022/01/17/open_source_closed_wallets_big/ - https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/ - https://docs.linuxfoundation.org/lfx/security/onboarding-your-project - https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw180

Jan 18, 202236 min

Arming CISOs, The 'Great Resignation', & Deciding Your Next Career Move - BSW #246

In the leadership and communications segment, Arming CISOs With the Skills to Combat Disinformation, Is the 'Great Resignation' Impacting Cybersecurity?, Ask These 5 Questions to Decide Your Next Career Move, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw246

Jan 16, 202226 min

Israeli CyberSec Drama, Microsoft's Security Chip, Best Job of 2022, & "YAU"s - ESW #256

In the Enterprise Security News for this week: Pentera announces a $150m Series C - YAU (Yet Another Unicorn), Herjavec Group merges with Fishtech, Google acquires SOAR vendor SIEMplify, A European grocery store buys BAS vendor XM Cyber, Flashpoint acquires vuln intel vendor Risk Based Security, Recorded Future acquires SecurityTrails, Drama in the Israeli cybersecurity news, Security, Analyst is the #1 best job of 2022, Microsoft to start rolling out its own hardware security chip, & Some annoying words get banned! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw256

Jan 15, 202238 min

Security Money - The Index Has Cooled Off - BSW #246

The Security Weekly 25 index has finally cooled off, closing at 2226.93 on January 13th, 2022, which is an increase of 122.69% (down from last Q) since inception. The NASDAQ Index closed at 14,806.81 on January 13th, 2022, which is an increase of 123.15% (down from last Q) during the same period. It hit another all-time high of 16,057.44 during the quarter. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw246

Jan 15, 202230 min