Security Weekly Podcast Network (Video)

At Carnegie Mellon University we are designing a usable security and privacy label for smart devices to help consumers make informed choices about Internet of Things device purchases and encourage manufacturers to disclose their privacy and security practices. The label includes information on privacy and security practices of the smart device, such as the type of data the device collects and whether or not the device gets automatic security updates. Based on research with both consumers and experts, we have designed a two-layer label that includes a simple, understandable primary layer for consumers and a more detailed secondary layer that includes information important to experts. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode645

Matt and the Security Weekly crew will discuss how the interaction between network engineers and security operations has changed over the years, as well as the value of the network when identifying security threats and performing remediation. For more information on VIAVI Solutions, visit: https://securityweekly.com/viavi Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode645

Tod Beardsley, research director, will discuss some of the trends in Internet scanning and attacker behavior given there are new Windows vulnerabilities and the workforce working from home. Should you re-train your User Behavior Analytics (UBA) and/or rely on other technologies? To learn more about Rapid7 or to get a free trial, visit: https://securityweekly.com/rapid7 Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode177

The cybersecurity challenges created by remote workforces and what it takes to deliver security to remote workers while avoiding impacting business operations. How do you continue vulnerability and patch management across endpoints and servers when everyone is working from home? To learn more about Qualys, visit: https://securityweekly.com/qualys Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode177

How to Write an Automated Test Framework in a Million Little Steps, Qualys remote endpoint protection solution helps enterprises secure remote workforces, Sysdig Provides the First Cloud-Scale Prometheus Monitoring Offering, Kaspersky Security for Microsoft Office 365 adds protection for SharePoint Online and Microsoft Teams and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode177

Customer perspective on the three topics discussed with RSA in first segment Also: -What is your view of security vs. compliance vs. risk? -What drives your security program initiatives? -What are the biggest challenges in administering a security program? To learn more about RSA Security, visit: https://securityweekly.com/RSAsecurity Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode22

David Walter from RSA will join us to discuss the following: -The shift in the enterprise from compliance-based focused initiatives to risk-based ones -Regulatory changes that are impacting organizations security program/management efforts -Challenges/Successes associated with automating compliance monitoring efforts/continuous compliance monitoring To learn more about RSA Security, visit: https://securityweekly.com/RSAsecurity Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode22

In the leadership and communications section, Real Leaders: Abraham Lincoln and the Power of Emotional Discipline, Social Distancing: 15 Ideas for How to Stay Sane, Rethink Your Relationship with Your Vendors, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode167

How do you protect your assets commensurate with their value if you lack situational awareness of everything communicating on your network thanks to IoT, rogue cloud instances, and shadow IT? If we can agree that EDR doesn't give the full picture, what can the security industry do to combat this challenge both from a technological and a process/culture perspective? Jeff will discuss how asset and risk management is changing and open up a conversation around how the CIA Triad has and is evolving. For more information, visit: https://securityweekly.com.extrahop Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode167

Static application security testing (SAST) is critical for uncovering and eliminating issues in proprietary code. However, over 60% of the code in an average application today is composed of open source components. SAST isn't designed to find open source vulnerabilities (CVEs) or identify open source licenses. And manually maintaining a repository of approved open source components for developers is inefficient and time-consuming. That's where software composition analysis (SCA) comes in. Introducing a new functionality within the Code Sight IDE plugin that combines SAST and SCA in one place to enable secure development. For more information, visit: https://securityweekly.com/synopsys Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode101

Singularity is a container runtime that was built from the ground up to live in multi-user environments where POSIX permissions must be respected. In addition to a novel runtime approach, the Singularity Image Format (SIF) differs significantly from other container image formats, with built-in support for full image encryption as well as digital signatures. For more information, visit: http://sylabs.io/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode101

SANS Penetration Testing | Microsoft SMBv3.11 Vulnerability and Patch CVE-20200796 Explained, Drobo 5N2 4.1.1 - Remote Command Injection, $100K Paid Out for Google Cloud Shell Root Compromise, WordPress, Apache Struts Attract the Most Bug Exploits, Run Docker nginx as Non-Root-User. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode644

Acunetix: Automation as a Solution for Web Application Security - Mark Ralls - RSAC 2020 Mark Ralls, President and Chief Operating Officer at Acunetix, discusses web security challenges in small and medium enterprises and how automation can help fill the skills gap. To schedule a demo with Acunetix, visit: https://securityweekly.com/acunetix Netsparker: How to Scale Web Application Security - Kevin Gallagher - RSAC 2020 Kevin Gallagher, Chief Revenue Officer at Netsparker, discusses how to scale web application security including asset discovery, application scanning, prioritization of results, and more! To get a demo of NetSparker, please visit: https://securityweekly.com/netsparker Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode176

Struggling with how to get your logs from the cloud? Have no fear, Corey and the Security Weekly crew talk about how to configure your logs in the cloud, use cloud-native services to handle the shuffling of logs in and out of the cloud, and control your costs! We conclude by talking a bit about Windows Event logs and overcoming some gotchas. Visit https://www.securityweekly.com/psw for all the latest episodes! To learn more about Gravwell, visit: https://securityweekly.com/gravwell Show Notes: https://wiki.securityweekly.com/PSWEpisode644

SaltStack: Managing Configuration & Patches with SaltStack - Mehul Revankar - RSAC 2020 Offering open-source and commercial solutions for configuration, patch, and vulnerability management, SaltStack is a must-have! Mehul Ravankar provides us with details about the various products and new features including the ability to import vulnerability scan data and remediate! To request a demo with SaltStack, visit: https://securityweekly.com/saltstack Synopsys: Enabling Developers Without Negatively Impacting Their Velocity - Utsav Sanghani - RSAC 2020 Utsav Sanghani, Senior Product Manager from Synopsys, discusses the latest efforts to enable developers in ensuring that software security is accounted for in their work without negatively impacting their velocity. To get a demo of Synopsys, please visit: https://securityweekly.com/synopsys Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode176

The challenges and differentiated values of desktop and laptop protection and administrative tool control (e.g., Powershell, SSH) for remote users and administrators to work securely. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode644

Fortinet Introduces Self-Learning AI Appliance for Sub-Second Threat Detection Enterprise IT World, GreatHorn Offers Free Email Protection for 60 Days, ZeroNorth raises $10M to further expand engineering, customer support and sales, WordPress to get automatic updates for plugins and themes, and more!! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode176

Compliance requirements and SecOps frameworks like NIST - checking boxes rather than a 'holistic' view? The vendor eco-system feeding on checking boxes (of which we are one, we HAVE to be.) RSA's theme this year: 'the human factor'. Are CFOs driving technical decisions that put SecOps teams underwater? Investing in Protect vs. Detect vs. Responding tools/resources Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode21

Compliance requirements and SecOps frameworks like NIST - checking boxes rather than a 'holistic' view? The vendor eco-system feeding on checking boxes (of which we are one, we HAVE to be.) RSA's theme this year: 'the human factor'. Are CFOs driving technical decisions that put SecOps teams underwater? Investing in Protect vs. Detect vs. Responding tools/resources Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode21

What data compliance regulations apply to a Las Vegas hospital with California patients? One major compliance fine can lead to a big financial hit and a complete loss of customer trust, so understanding 'where your data lives' and how the law shifts based on the location of data collection, storage and transfer is paramount. With no overarching federal data law, each state can (and does) require different duties from organizations that collect and keep data. A big challenge for compliance teams is figuring out which state (or states) claim your data. Unfortunately, the legal world of intangible data property is complicated and sometimes even contradictory. I will also preview my InfoSec World 2020 session - Cyberlaw Year in Review. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode166

Data of millions of eBay and Amazon shoppers exposed as another supply chain casualty, Announcing Bottlerocket, a new open source Linux-based operating system purpose-built to run containers, and The DevOps Sweet Spot: Inserting Security at Pull Requests (Part 1). Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode100

Due to a combination of a) development teams embracing Agile and DevOps and b) that security teams are often outnumbered by developers 100:1 or more in many companies, there's been a fundamental shift in how security teams need to operate. I've spent a significant amount of time studying how security teams at companies, large and small, have attempted to adapt to this new reality. There are a number of interesting trends in how work is prioritized, continuous code scanning (static and dynamic), scaling threat modeling and detection & response, investing in secure defaults, asset inventory, self-healing cloud environments, and more. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode100

In the leadership and communications segment, Drowning in a Sea of Alerts, Boeing taps Qantas exec Susan Doniz as CIO, CIO interview: Ian Cohen, chief product and technology officer, at Addison Lee, and more. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode166

COVID-19, among other things, has deemed it necessary for many to work from home. There are several security concerns that need to be raised, such as those who work from home still require access to data and services. How many will store sensitive information on their personal computers? How will attackers change their strategy to target those working from home? Tune in to this segment for the full discussion! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode643

Hacks performed on connected & IoT devices, such as routers, security cameras, smart meters, etc. are increasingly common, and revealing major vulnerabilities in existing security measure. This vicious cycle of hack & patch can be broken by adopting a new approach that introduces the role of flash memory in securing devices. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode643

Girls Who Hack teaches classes primarily to middle school girls on hacking and making. Secure Open Vote is an end to end, open source election system that is in the design stages. www.BiaSciLab.com www.GirlsWhoHack.com www.SecureOpenVote.com Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode643

ExtraHop - Agents and logs don't play well in an IoT environment, however the network doesn't lie. Looking at the behaviors of IoT devices through the lens of the network traffic can help build an asset inventory help detect attacks. Corey Bodzin is the VP of Product Management for ExtraHop and discusses how network visibility can help with IoT security. To try RevealX Cloud for Free visit: https://securityweekly.com/extrahop Bandura - Todd Weller, Chief Strategy Officer at Bandura Cyber, provides an update on Bandura Cyber and discusses the latest trends and dynamics in threat intelligence. To find out more about Bandura Cyber, please email [email protected] Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode175

The pain caused by bad pricing models in cybersecurity and analytics tools Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode175

Neustar's enhanced UltraDNS capabilities boast greater capacity, global reach and security, WatchGuard acquires Panda Security to expand endpoint capabilities, Ping Identity launches two hybrid IT focused solution packages, and Fortinet updates FortiOS & launches next-gen firewall product! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode175

How we breakdown the categories in information security. We look at the major areas of infosec and how they relate to your security programs and the vendors/technologies in each category. Our category breakdown will be used to label each segment we produce and allow subscribers to select categories of interest! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode165

The goal of the show is to explore all the attitudes and impressions between security and compliance regardless of where you stand. for security folks - how to navigate compliance to promote security; for compliance folks - to expose them to the depth of research/knowledge/capabilities of the hacker community. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode20

The goal of the show is to explore all the attitudes and impressions between security and compliance regardless of where you stand. for security folks - how to navigate compliance to promote security; for compliance folks - to expose them to the depth of research/knowledge/capabilities of the hacker community. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode20

CVE-2020-0688 Losing the keys to your kingdom, which is why Multiple nation-state groups are hacking Microsoft Exchange servers, Revoking certain certificates on March 4 and Why 3 million Let's Encrypt certificates are being killed off today, Gandalf: An Intelligent, End-To-End Analytics Service for Safe Deployment in Large-Scale Cloud Infrastructure and slides, CISOs Who Want a Seat at the DevOps Table Better Bring Value. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode99

In the leadership and communications section, CISOs who leave after 2 years may not finish what they start, Most CISOs ready to move jobs if something better comes along, A New Framework for Executive Compensation, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode165

Guy Podjarny (@guypod) is Snyk's Founder and President, focusing on using open source and staying secure. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io, and worked on the first web app firewall & security code analyzer. Guy is a frequent conference speaker & the author of O'Reilly "Securing Open Source Libraries", "Responsive & Fast" and "High Performance Images". Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode99

Apache Tomcat AJP exploit, malware in AWS, hacker movies and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode642

How SHAKEN/STIR and PKI will end the global robocall problem Link to an article Mark wrote for Dark Reading: https://www.darkreading.com/endpoint/shaken-stir-finally!-a-solution-to-caller-id-spoofing/a/d-id/1336285 Link to landing page with more info: https://www.pkisolutions.com/shakenstir/ Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode642

Active Directory & Microsoft Cloud (Azure AD & Office 365) Security, including a breakdown of Microsoft's security offerings and recommendations for cloud migrations for Active Directory. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode642

Dashboards are a great way to enable junior security analysts to be more effective when trying to discover security events. Cory Thuen is the Founder and CEO of Gravwell, and they want to your logs, all of your logs. Gravwell's solution allows you to run queries and create dashboards that lead to actionable events. Cory explains how this works and even how customers are using Gravwell to collect logs on-premise and in the cloud. Vulnerabilities and exposures come from many different sources. Plextrac allows you to bring in data from anywhere and track those findings across your entire organization. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode174

It is no secret that elections are under constant attack. Attacks take many shapes and forms, from dis-information to malware to denial of service, its all in play as adversaries look to disrupt enemy infrastructure. Tod Beardsley, Director of Research at Rapid 7 brings unique and insightful perspectives on this topic as he is analyzing data from scans of the entire Internet and monitoring over 250 honeypots.Mike Nichols, Head of Product at Elastic, discusses election security and their partnership with the DDC to offer 2020 campaigns free security. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode174

News from Nozomi Networks, Code42, CrowdStrike, SCYTHE, Palo Alto Networks, Gurucul, SentinelOne and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode174

Health compliance measures to improve pandemic recovery and reduce issues, World Bank pandemic awareness, Is coronavirus not a flu?, Dear passwords: Forget you. Here's what is going to protect us instead, Cyber insurance coverage reflects a changing threat landscape, and the greatest contest ever – privacy versus security. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode19

Reflections on RSAC! Let's talk about the grand festival of infosec consumerism that is RSA Conference! Was it worth catching the Coronavirus? And if so, did you use a lime!? Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/SCWEpisode19

Dan discusses his upcoming 2-day workshop at InfoSec World. The workshop is a "deep survey" into all things DevSecOps. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode98

CVE-2020-1938: Ghostcat vulnerability in the Tomcat Apache JServ Protocol. IMP4GT: IMPersonation Attacks in 4G NeTworks demonstrates a proven insecurity on a layer above provably secure protocol, Boeing implementing more rigorous testing of Starliner after software problems shows how problems in cloud computing will be just the same in star systems, APIs are becoming a major target for credential stuffing attacks and don't have to target the login workflow, SSL/TLS certificate validity chopped down to one year by Apple's Safari and how this can drive secure DevOps behaviors, and 5 key areas for tech leaders to watch in 2020. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode98

We found some cool stuff at RSAC 2020! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode641

Gabriel Gumbs and the Security Weekly crew discuss strategies for protecting your data. We will explore practical use-cases for needing to manage access and protect your data as it pertains to security and compliance. Protect what matters most. Visit https://securityweekly.com/spirion for more information. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode641

There are many myths, legends and fables in hacker history. One of the themes of these legends surrounds some of the first red team hackers working for the US Government out of NSA. The building where they worked was called "The Pit". Jeff Man sits with us for this segment to talk about, where he can, the history and events that transpired during his tenure with the NSA. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/PSWEpisode641

This interview will cover the idea of Shadow Risk and why it's something your organization can't ignore. Specifically, we'll talk about why your security efforts have to start with mapping and managing your attack surface, how that's gotten harder with digital transformation, and how legacy approaches to addressing the problem -- including vulnerability management and penetration testing -- and even more recent approaches like Security Ratings Services, are out of touch with your IT infrastructure and, worse still, lag behind the way attackers operate. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode164

Jinan Budge, Principal Analyst at Forrester, discusses CISO Leadership, Security Culture, and the Evolving Role of the CISO. Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/BSWEpisode164