Security Weekly Podcast Network (Video)

What are the key security challenges that customers faced this year? What did attackers do differently in 2021, and why are they succeeding more often? What can we expect in 2022? Shailesh will discuss the latest defense strategies and how security teams can plan for the year ahead. Segment Resources: https://www.qualys.com/cloud-platform/ This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw720

Passwordless is everywhere these days, but like most new security markets, it's shrouded in confusion. There are already dozens of vendors promising to kill the password, but they don't all seem to be coming at the challenge the same way. In this "First Look" segment, our goal is to define Passwordless, discuss some of the companies doing it, and how they're doing it. We'll even go through a few live passwordless demos. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw252

Sven will present common vulnerabilities and issues that arise when implementing authentication and authorization in web applications. This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw720

In this interview, we discuss defenders sharing information, how Edna deals with Azure's supply chain challenges, ransomware trends, and some future predictions. Edna has been in security as long as most other folks we interview, but was a lawyer for 20 years before that! She's smart, dangerous, and has some great takes we can't wait to dive into. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw252

In the Security News for this week: Stop hiding your secrets in plain sight, Detecting Wildcard DNS Abuse, $5 setup that hacks biometrics, Managing passwords with pen and paper, Windows 10 Zero Days, & why The Matrix (might be) the best hacker movie! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw720

There's something happening here – and what it is ain't exactly clear to O.G hackers like John Threat or our own Mr. Jeff Man. We're going to devote an episode talking about how things used to be back in the day from a hacker/penetration perspective and discuss how things are today. Are things better? Worse? Depends on your attack vector, perhaps? Join us on Discord and participate in the discussion of what's right and what's wrong in our industry today and what can we do about it. All from a hacker's perspective. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw97

There's something happening here – and what it is ain't exactly clear to O.G hackers like John Threat or our own Mr. Jeff Man. We're going to devote an episode talking about how things used to be back in the day from a hacker/penetration perspective and discuss how things are today. Are things better? Worse? Depends on your attack vector, perhaps? Join us on Discord and participate in the discussion of what's right and what's wrong in our industry today and what can we do about it. All from a hacker's perspective. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw97

This week in the Leadership & Communications section, 'They Said a CISO Does What?', 5 Tips to be an awesome CISO, 9 tips for an effective ransomware negotiation, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw242

We cover a lot of articles about CISO leadership, communications, skills, and yes, transition. This week we discuss the CISO transition from a CISO's perspective. I will interview my co-hosts on why they made moves in 2021, what criteria did they use to analyze their next role, and what are their strategies for a successful transition. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw242

This week in the AppSec News: Bug bounty payout practices, Edge goes super duper secure mode, WebKit CSP flaw has consequences for OAuth, GoDaddy breach, vuln in MediaTek audio DSP, & more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw176

In today's session Chris Wysopal will address a number of topics with Mike, including systemic risk in software development and how developers and security teams can work together to meet common goals and solve the speed vs. security dilemma. Specifically, they'll discuss processes for fixing more vulnerabilities faster and tools for ensuring developer success. And they'll talk about improving the overall maturity of DevOps teams through good development practices, good testing, remediation, and training. Segment Resources: - Veracode State of Sofware Security v11 https://www.veracode.com/state-of-software-security-report Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw176

In the early days of PCI there was an online column called StorefrontBacktalk which focused on retail and technology issues. The column provided valuable insights from various specialists on the interpretation and application of many of the more challenging security requirements found in PCI DSS which was reflected in its tag line, "Techniques, Tools and Tirade about Retail Technology and E-Commerce. The founder of the column, Evan Schuman, is a veteran journalist who has covered a wide range of technology, privacy and legal issues over the past three decades. Evan will give us his take on many of the issues facing the connected world -past, present, and future. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw96

In the early days of PCI there was an online column called StorefrontBacktalk which focused on retail and technology issues. The column provided valuable insights from various specialists on the interpretation and application of many of the more challenging security requirements found in PCI DSS which was reflected in its tag line, "Techniques, Tools and Tirade about Retail Technology and E-Commerce. The founder of the column, Evan Schuman, is a veteran journalist who has covered a wide range of technology, privacy and legal issues over the past three decades. Evan will give us his take on many of the issues facing the connected world -past, present, and future. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw96

In the Leadership & Communications section for this week: Four Things Your CISO Wants Your Board to Know, 4 in 10 Organizations Do Not Employ a CISO, Creating a Culture of Cybersecurity, & more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw241

As a CISO tasked to present to the Board or other executives, communicating cybersecurity in business context is critical to success. Hear from Kevin Powers, who has taught hundreds of CISOs in his executive education courses how to level-up their presentation skills, metrics, and executive approach. Learn also from Padriac O'Rielly, CPO & Co-Founder of CyberSaint, about how some of the most cutting-edge security leaders are providing actionable, risk-based insights in Boardrooms and beyond to better build resiliency in the digital age. This segment is sponsored by CyberSaint. Visit https://securityweekly.com/cybersaint to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw241

This week in the AppSec News: What would CVEs for CSPs look like, clever C2 in malicious Python packages, diversity in bounty programs, shared responsibility and secure defaults, breach costs to influence AppSec programs! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw175

CNCF wasmCloud helps developers to build distributed microservices in WebAssembly that they can run across clouds, browsers, and everywhere securely. Segment Resources: - https://webassembly.org/ - https://wasmcloud.com/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw175

This week in the Enterprise Security News: NDR startup Netography raises a $45m Series A with Martin Roesch at the helm! Data Security startup Laminar comes out of stealth with a $32m Series A Threat Intel divestment SnapAttack spins out of Booz Allen Cloud Security startup Lacework raises $1.3bn in a single round, Lacework acquires Soluble, You can make some cash if you're willing to delete the NPM modules you manage, Congress goes Cyber Crazy - 18 new cybersecurity-related bills introduced, Emotet returns, but there are tracking tools, All that and more, on this episode of Enterprise Security Weekly! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw251

This week in the Security News: The FBI is spamming you, hacking exists in the mind, Beg Bounties, nasty top-level domains, MosesStaff, why own one npm package when you can own them all, how much is your 0day worth, upnp strikes again, when patches break exploits in weird ways, records exposed in stripchat leak, can we just block ICMP?, trojans in your IDA, suing Satoshi Nakamoto, paying to be in the mile high club, it was cilantro, and sexy VR furniture! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw719

Derek and the hosts will discuss technologies to build CTFs as well as what types of things to consider while doing so. They will also talk about the computer fundamentals that are often undervalued when entering security. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw719

Jeffrey joins us today to guide us through the rapidly changing world of Cyber Insurance! We solicited some questions from our audience and look forward to picking his brain in this segment. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw251

Ransomware: the problem that everyone is talking about, yet somehow continues to get worse with each passing year. In 2021, the cost of ransomware to global businesses is estimated to reach a whopping $20B. The problem has reached such a critical mass that it can no longer be cast away as some unknowable IT problem––everyone from cyber insurance providers to the federal government have taken note. ExtraHop VP, GM of International and Global Security Programs Mike Campfield joins Security Weekly for a retrospective on ransomware in 2021, shares his predictions on how it will evolve in 2022 and beyond, and what controls enterprises can put into place to build their resilience to the growing threat. This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw251

I needed to create some vulnerable targets for testing exploits and my default password finder I wrote in Python (featured in previous episodes). I found a few useful projects, including Vulhub, that made the task of building an insecure lab environment pretty easy. I've made several additions and improvements to the available code, which I will run through in this segment. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw719

CISA recently published guidance for how managed service providers (MSPs) should approach security for their operations based on the premise that cyber threat actors are known to target MSPs to reach their customers. MSPs provide remote management of customer IT and end-user systems and generally have direct access to their customers' networks and data. By exploiting trust relationships in MSP networks, cyber threat actors can gain access to a large number of the victim MSP customers. The CISA Insights publication provides mitigation and hardening guidance for MSPs and their small- and mid-size business customers. By applying this guidance, organizations can protect MSP customer network assets and reduce the risk of successful cyberattacks. Our conversation today will focus on the problems that MSPs and SMBs face in achieving the right level of security for their organizations, satisfy compliance and regulatory requirements, while trying to stay in business. Segment Resources: https://www.cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw95

CISA recently published guidance for how managed service providers (MSPs) should approach security for their operations based on the premise that cyber threat actors are known to target MSPs to reach their customers. MSPs provide remote management of customer IT and end-user systems and generally have direct access to their customers' networks and data. By exploiting trust relationships in MSP networks, cyber threat actors can gain access to a large number of the victim MSP customers. The CISA Insights publication provides mitigation and hardening guidance for MSPs and their small- and mid-size business customers. By applying this guidance, organizations can protect MSP customer network assets and reduce the risk of successful cyberattacks. Our conversation today will focus on the problems that MSPs and SMBs face in achieving the right level of security for their organizations, satisfy compliance and regulatory requirements, while trying to stay in business. Segment Resources: https://www.cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw95

In the Leadership and Communications section, The Gardener: Four Attributes Of A Great Leader, Unpacking 5 Myths About Management, 5 Cybersecurity Myths That Make You More Vulnerable to Attacks, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw240

Identity Services such as Active Directory is an area that is almost always utilized by the attacker after the initial endpoint is compromised. This is an area lacking critical focus by defenders for a myriad of reasons. Discussion will entail how this attitude can and should change. This segment is sponsored by Attivo Networks. Visit https://securityweekly.com/attivonetworks to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw240

In the AppSec news: Disclosure decisions and CVE-2021-3064, technical details behind ChaosDB in Azure, fuzzing BusyBox, Prossimo and Rust, vulns in Nucleus RTOS, & HTML smuggling! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw174

Mobile applications have a unique attack surface. The tools and techniques being used to compromise these environments are constantly evolving. We'll talk about how to harden mobile apps against modern threats. This segment is sponsored by Guardsquare. Visit https://securityweekly.com/quardsquare to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw174

In the Enterprise Security News for this week: Drata reaches unicorn status in record time with a $100m Series B, SCYTHE announces a $10m Series A, McAfee Consumer business acquired for $14b, WPScan acquired by Automattic (the company behind WordPress), QOMPLX SPAC is called off, HashiCorp IPO is not called off, open source CSPM and firmware emulation tools, Ghost kitchens and more. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw250

Risk based security programs are all the rage, from managers looking to "trim" the security budget to regulatory bodies looking for excuses to fine your company. Nick is a security pro who has seen it all -- programs done well, programs done poorly, and implemented one or two of them himself, and would love to share the lessons learned from those experiences. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw250

I once told my college advisor that I wanted to double major in computer science and jazz performance. She laughed at me. Instead, I jumped into a career in IT and played jazz - without a degree in either. Turns out, that was fine - the industry valued experience and results over academic achievement. Today's guest *has* two degrees, one in fine arts, one in pre-law, and that's also fine. If there's anything I've learned in InfoSec, it's the mind that matters most, less so the degrees or certs on your wall. Angela Marafino gets cybersecurity and understands what makes it tick. Using this knowledge, she has built a personal brand, network, and career in an impressively short time. She is simultaneously mentor and mentee. Today, we'll explore Angela's path into the industry as well as some of her views on challenges, like imposter syndrome. https://hbr.org/2021/02/stop-telling-women-they-have-imposter-syndrome https://www.itspmagazine.com/focal-point-podcast https://twitter.com/hackerbookclub1 Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw250

Over the course of 2020 and 2021 new UAV regulations and restrictions, such as Remote Identification, have threatened UAV hobbyist's ability to fly freely. These new regulations did leave hobbyists with one loophole: building a sub 250g quad. After this realization, I set out to build a sub250g quad which can be flown for fun, or as one of the first remotely accessible war-flying devices. Segment Resources: http://mav.sh/ https://github.com/0xkayn/Valkyrie https://www.youtube.com/watch?v=CJZ2gCLopyU Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw718

This week in the Security News: NPM hijacked again, hardcoding your keys, PAN-ODay, more Nmap in your python or python in your nmap, put your Docker API to rest, Busybox will own your box, Microsoft says its a feature not a vulnerability, SBDCs, TIPC Linux kernel vulnerability, patches that don't fix everything, truckloads of GPUs and testing if your high! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw718

Can using technology risk your personal safety? Tracking information can be shared with attackers and facilitate cyberstalking in multiple ways including key logging and screen sharing. Exploration of recent court cases and investigations will be shared and attendees will learn what resources can help individuals experiencing digital abuse at the hands of a technical adversary. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw718

Join us on this episode of SCW for a general discussion about how to do this whole security/compliance thing better; how compliance really needs to come first; how it's all risk-based or should be RGC not GRC; legal and privacy issues/focus - and how they help or hinder the cause; other factors like burnout/gatekeeping/etc. that all contribute to our industry being overly focused/reliant on technology and don't handle the people/process part very well. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw94

Join us on this episode of SCW for a general discussion about how to do this whole security/compliance thing better; how compliance really needs to come first; how it's all risk-based or should be RGC not GRC; legal and privacy issues/focus - and how they help or hinder the cause; other factors like burnout/gatekeeping/etc. that all contribute to our industry being overly focused/reliant on technology and don't handle the people/process part very well. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw94

In the Leadership and Communications section, The First 100 Days in A CISO's Life — Biggest Mistakes and Best Quick Wins, Hybrid work woes: FOMO is real, employees feel disconnected, Breaking Down Cybersecurity's Hiring Problem, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw239

The rise in cyberattacks and the switch to remote work has kept security teams busy, but it has also left them isolated by halting their ability to meet with peers and network with industry friends. Suresh Balasubramanian Qualys CMO and Sara Griffith CISO at Euronet Worldwide will discuss the value of in-person cybersecurity events, how attending can reinvigorate teams, the benefits to sharing best practices with peers, and getting up to speed on the latest innovations in cybersecurity through conference presentations. Segment Resources: https://www.qualys.com/qsc/2021/las-vegas/ This segment is sponsored by Qualys. Visit https://securityweekly.com/qualys to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw239

This week in the AppSec News, Mike and John talk: Excel gains support for JavaScript data types and functions, arbitrary code execution in Linux kernel TIPC, more malware in npm packages, threat models and OTP/2FA bots, NIST Security Labels! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw173

In this segment, Mike and Dan McKinney from Cloudsmith will be discussing SBOM and what that looks like for your applications. Other topics include: cloud-native tooling for your software supply chain, the history of provenance, GPG Keys & signing commits, package consumption, understanding threat modeling, and knowing the roles and responsibilities when it comes to security of your assets. This segment is sponsored by Cloudsmith. Visit https://securityweekly.com/cloudsmith to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw173

In the Enterprise Security News for this week: Laika raises $35m in the growing compliance-as-a-service segment, IBM launches XDR, CrowdStrike acquires SecureCircle and moves into the data layer, HelpSystems acquires endpoint DLP vendor Digital Guardian, Crazy valuations, Questionable statistics, Analysts shine a doubtful light on Darktrace's value, Facebook gets all Meta on us, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw249

This week in the Security News: LOLbins that make you LOL, over exposing your medical records, Shrootless gets past SIP, 73.6% of statistics are made up and other such lies, we love Signal, if an 0day drops on the Internet how many people have it?, fake Harvard students, uses for an Apple cleaning cloth, Bidi override characters, who owns my house?, who owns your printer?, and the return of Clippy! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw717

Traditionally, the red team has been seen as "fun and interesting", with blue team characterized as "all work, no play" in terms of cybersecurity career paths. Today we talk with Frank McGovern to explore the current state of blue teams and the importance of security policy. Not only has Frank been a practitioner his entire career, but he also built Blue Team Con, a labor of love designed to fill a significant gap in both the Chicago security events scene and across the wider cybersecurity events industry. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw249

When it comes to detecting the next cyber breach, would your organization pass the test? Of course, in real life, you not only need to ace the practice exam – you need to test against the real threats. So when SE Labs recently conducted the industry's first network detection and response (NDR) test against NSX NDR, they used a range of advanced persistent threats designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks. And the result? VMware NSX Network Detection and Response (NDR) was able to detect every targeted attack and tracked each of the hostile activities that occurred during the attacks. Every. One. Segment Resources: https://blogs.vmware.com/networkvirtualization/2021/10/vmware-achieves-industry-first-aaa-rating-for-network-detection-response-from-se-labs.html/ https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/NDR-Solution.pdf https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-nsx-ndr-breach-response-test-report.pdf This segment is sponsored by VMware. Visit https://securityweekly.com/vmware to learn more about them! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw249

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. We've got a new container-based platform that is more flexible, more powerful, and more scalable than ever before. Join us to see how you can peel back the layers of your enterprise and make your adversaries cry! Segment Resources: https://securityonion.net https://github.com/Security-Onion-Solutions/securityonion https://securityonion.net/discuss Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw717

We've updated our script with all sorts of new features. The latest version uses the TOML configuration file format to store the vendor information and the credentials to test with. We'll focus on how to implement that as it's handy for all sorts of projects. We'll also cover some of the other updates, including testing protocols on different ports and better reporting. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw717

With cybersecurity skills already in short supply, the prospect of losing what little workforce there is to pull from to resignations (especially in the context of the 'Great Resignation'), is a disturbing one. Rick McElroy will speak to the causes of security burnout and the steps organizations need to take to prevent the loss of the precious resource that is security talent. He will share supporting research findings from VMware's latest Global Incident Response Threat Report: Manipulating Reality. Segment Resources: https://www.vmware.com/resources/security/global-incident-response-threat-report-manipulating-reality.html Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw93

With cybersecurity skills already in short supply, the prospect of losing what little workforce there is to pull from to resignations (especially in the context of the 'Great Resignation'), is a disturbing one. Rick McElroy will speak to the causes of security burnout and the steps organizations need to take to prevent the loss of the precious resource that is security talent. He will share supporting research findings from VMware's latest Global Incident Response Threat Report: Manipulating Reality. Segment Resources: https://www.vmware.com/resources/security/global-incident-response-threat-report-manipulating-reality.html Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw93

More and more, start-ups and small companies have to consider cybersecurity earlier in their growth cycle. Whether for a VC investment or revolutionary customer, cybersecurity can make or break a deal. Kyle will break down key strategies to secure your small company with limited time and resources. Segment Resources: https://podcasts.apple.com/us/podcast/secure-ventures-with-kyle-mcnulty/id1545294976 Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw238