Resources we mentioned:

* The Hardware Hackers Handbook is a great start
* Do a badge challenge: https://www.cyberark.com/resources/threat-research-blog/an-introduction-to-hardware-hacking 
* Take some classes
* Do some Arduino stuff: https://www.arduino.cc/ 
* Take free courses on electrical engineering: https://ocw.mit.edu/courses/6-01sc-introduction-to-electrical-engineering-and-computer-science-i-spring-2011/  (And here: https://www.tinkerforge.com/en/doc/  and here: https://www.youtube.com/watch?v=LSQf3iuluYo&list=PLoFdAHrZtKkhcd9k8ZcR4th8Q8PNOx7iU )

Building a lab - The list:

* Soldering iron (and tools and parts such as Solder, Flux, Tweezer, Soldering wick, Cutter, Wire stripper)
* Hot air rework station (can be bundled with soldering iron)
* Multi-meter (and lots of associated cables)
* Jumper and pinout wires
* Breadboard
* USB microscope
* Bench power supply
* Specific lighting (e.g. my document camera has an LED light that works great)
* Magnification - magnifying lenses and a headset (esp. if you are old, like us)
* USB serial devices (or Bus Pirate if you fancy)

Show Notes: https://securityweekly.com/psw-802

Anticipating Curl's upcoming patch for a high severity flaw, the Looney Tunables flaw in Glibc, ShellTorch flaw hits PyTorch and lots of AI, lessons from some X.Org security patches, eBPF security, and more!

Show Notes: https://securityweekly.com/asw-258

This week Aaran Leyland rants: about Google, 23andMe, Facebook, GitHub's Secret Scanning, MGM Resorts, Grindr, More News, and is joined by the notorious Jason Wood on the Security Weekly News!

Show Notes: https://securityweekly.com/swn-332

What if all these recommendations to shift left were more about shifting focus? It's all too easy to become preoccupied with vulns, whether figuring out how to find them earlier in the SDLC or spending time fixing them within specific number of days. Successful DevSecOps approaches can be so much more than just vulns and so much more than just tools. Sure, tools are useful for identifying known vulns in dependencies and new vulns in code, but teams that emphasize people and culture will find it easier to shift their attention to the security of their product and creating secure designs.

Segment Resources: Shift Everywhere is the bullet-train to secure software: https://www.forrester.com/blogs/shift-everywhere-is-the-bullet-train-to-secure-software/?refsearch=35020611696872306356 Forrester Software Composition Analysis (SCA) Wave: https://www.forrester.com/report/the-forrester-wave-tm-software-composition-analysis-q2-2023/RES178483?refsearch=35020611696863504716 Forrester Static Analysis Security Testing (SAST) Wave: https://www.forrester.com/report/the-forrester-wave-tm-static-application-security-testing-q3-2023/RES178489?scrollTo=FHqjnkXmzX

Show Notes: https://securityweekly.com/asw-258

In the leadership and communications section, The Data Your Board Actually Wants to Hear About When Valuing Cybersecurity Investments, Cybersecurity is a CFO issue, Must-know insights when navigating the CISO career path, and more!

Show Notes: https://securityweekly.com/bsw-323

CEOs and boards struggle with their digital transformation process. Does their operations hinder or align with business initiatives? Has their security operations scaled to meet the data and digital demands to protect against business risk? In today’s episode, we’re talking to Chris Morales, CISO at Netenrich, who’ll provide compelling insights towards security transformation. Security organizations all face similar security challenges of too much data, siloed teams, underperforming legacy tools, and time-consuming and laborious threat investigation work. We’ll discuss the approach enterprises need to consider in advancing their security maturity. It’s one that’s data-driven, adaptive, and predictive.

Show Notes: https://securityweekly.com/bsw-323

Each employee serves as a potential gateway to their organization, and the personal information of your workforce is readily accessible and exposed on the internet, making the organization susceptible to threats. DeleteMe is the solution that locates and eliminates personal data from the open web, safeguarding your organization.

This segment is sponsored by DeleteMe. Visit https://www.securityweekly.com/deletemeisw to learn more about them!

With all of the fancy tools, equipment, and logos most organizations are unable to understand where their data is and how it can be accessed. In the world of work from wherever and whenever orgs need a better handle on what this means. Ridge has worked to curate a set of solutions to meet and implement this need!

This segment is sponsored by Ridge IT Cyber. Visit https://www.securityweekly.com/ridgeitisw to learn more about them!

Why are we seeing a re-emergence of the demand for packet and flow-based forensic data in cloud environments? In this session, we’ll discuss three reasons why IT leaders still need the same if not even better visibility in the cloud than they have in their data centers.

We’ll also discuss the growing demand for Threat Exposure Management (TEM). Why does a leading analyst describe this as a transformation technology and how can you quickly visualize your environment the way the attackers do?

Segment Resources: https://www.viavisolutions.com/en-us/ptv/solutions/threat-exposure-management https://www.viavisolutions.com/en-us/ptv/solutions/high-fidelity-threat-forensics-remediation

This segment is sponsored by VIAVI Solutions. Visit https://www.securityweekly.com/viaviisw to learn more about them!

Show Notes: https://securityweekly.com/esw-334

This week Dr. Doug talks: Feet, Google, Apple, Predator vs. Lemurs, r77, Qualcomm, qakbot, deepfakes, More News and with the exotic Aaran Leyland!

Show Notes: https://securityweekly.com/swn-331

On this week's news segment, we go down a bit of a rabbit hole on data lakes and have a GREAT conversation about where security data wrangling might or might not go in the future. We also discuss Nord Security's funding and $3B valuation, try to figure out what Synqly is doing, and discuss IronNet's demise.

We also find out which email solution is more secure (at least, according to insurance claim data), Google or Microsoft!

We wrap up, learning that forms of CAPTCHAs are apparently broken now, $3800 gets you a gaming PC in the shape of a sneaker, and someone has created the DevOps equivalent of dieselgate!

Show Notes: https://securityweekly.com/esw-334

In this segment, we'll explore some of the most useful lessons and interesting insights to come out of the last year's worth of breaches and data leaks! We'll explain why we will NOT be covering MGM in this segment. The breaches we will be covering include:

• Microsoft AI Research Data Leak
• Microsoft/Storm-0558
• CommutAir
• Riot Games
• Lastpass
• CircleCI
• RackSpace
• Drizly (yes, this breach is older, but the full story just wrapped a year ago!)

Show Notes: https://securityweekly.com/esw-334

In the Security News: No Flipper Zero for you!, your glibc is hanging out and other Looney Tunables, and it vulnerable, for no reasons, other than the obvious ones, a Russian firm will pay $20m for Android or iPhone 0days, you do what you do and other Exim vulnerability stories, yet another way to become root on Linux, if you ever wanted to read the source code for Sub7, well, now you can, more people want to trash bug bounties (and they are wrong), Curl has something coming, and its not good, tricking AI with your dead grandma’s locket, GPU driver vulnerabilities could lead to something, and the path to the cloud is filled with holes. All that and more on this episode of Paul’s Security Weekly!

Show Notes: https://securityweekly.com/psw-801

Anuj joins us to discuss recent trends in malware. What are the malware authors up to lately? What are the latest techniques for reverse engineering malware? Learn about the latest tools and techniques from Anuj! Anuj is a Principal Threat Researcher at Blackberry, where he performs malware research and reverse engineering. He has more than 15 years of experience in malware analysis and incident response. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor and author, which gives him the opportunity to impart his deep technical knowledge and practical skills to students.

Segment Resources: https://www.youtube.com/@sonianuj

Show Notes: https://securityweekly.com/psw-801

Attackers impersonate Dependabot commits, an alg of "none" plagues a JWT, CISA calls for hardware bills of materials, OpenSSF lists its critical projects, Exim (finally! maybe?) has some patches, bug bounties and open source projects, and more!

Show Notes: https://securityweekly.com/asw-257

Minority Report, NSA, WS_FTP, Exim, Sextortion, BunnyLoader, CISA, More News, and Jason Wood.

Show Notes: https://securityweekly.com/swn-330

Communication is a skill that doesn't appear on top 10 lists, rarely appears as a conference topic, and doesn't appear enough on job requirements. Yet communication is one of the critical ways that security teams influence developers, convey risk, and share knowledge with others. Even our own Security Weekly site falls a little short with only a podcast category for "Training" instead of more options around communication and collaboration.

Lina shares her experience presenting to executives and boards in high-stress situations, as well as training incident responders on real-world scenarios.

Segment resources

• https://training.xintra.org
• https://www.scmagazine.com/podcast-episode/2839-pointers-and-perils-for-presentations-josh-goldberg-asw-251

Show Notes: https://securityweekly.com/asw-257

In the leadership and communications section, The CISO Carousel and its Effect on Enterprise Cybersecurity, CISOs are struggling to get cybersecurity budgets, Respectfully, I Disagree, and more!

Show Notes: https://securityweekly.com/bsw-322

As we move more infrastructure into the cloud, the traditional concepts of risk start to change. It's no longer just about networks and servers, but also needs to address identities and not just human identities. Cloud infrastructure introduces additional identity types that need to be addressed as part of your risk management program. Eric Kedrosky, CISO at Sonrai Security, joins us to discuss how to think differently about risk in the cloud.

Show Notes: https://securityweekly.com/bsw-322

This week, we changed things up a bit for the news segment and Allie Mellen joins us as a surprise guest host! We discuss Cisco's Splunk acquisition and what it means for Splunk customers, and "The Blob" - Allie's term describing the negative forces responsible for much of the overhyped marketing, silly trends, and substandard products we see in the industry.

Segment Resources:

Allie's blog on Cisco/Splunk:  https://www.forrester.com/blogs/splunk-is-good-for-cisco-but-cisco-needs-to-convince-splunk-customers-that-cisco-is-good-for-them/

Allie's blog on The Blob:  https://www.forrester.com/blogs/the-blob-is-poisoning-the-security-industry/

Show Notes: https://securityweekly.com/esw-333

This week Dr. Doug talks: NarcBots, Blacktech, ZenRat, Chrome, CISO Churn, lots of privacy issues, Aaran Leyland, will Dr. Doug drink the Y3K Special Edition Coke? And more on this edition of the Security Weekly News!

Show Notes: https://securityweekly.com/swn-329

The concept of Edge computing has evolved over the years and now has a distinct role alongside public cloud. Theresa Lanowitz, from AT&T Cybersecurity, and Chris Goettl from Ivanti join us to discuss what edge computing means for the market and for cybersecurity. Specifically, we'll discuss how:

• Strong use cases in the market today for edge computing
• Security's role in edge computing, as a relative newcomer to part of the broader planning process
• Edge computing requires new thinking about security because of its distributed nature

This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them!

Show Notes: https://securityweekly.com/esw-333

We ALL use SaaS. It has become ubiquitous in both our personal and professional lives. Somehow, the SaaS Security market has only recently began to emerge. Today's interview with Yoni Shohet, co-founder and CEO of Valence Security, aims to understand why it has taken so long for SaaS Security products to come to market, what that market currently looks like, and what a SaaS Security product actually does.

Show Notes: https://securityweekly.com/esw-333

Just what are the right skills to have or acquire to work in cybersecurity today? Kayla and the Security Weekly crew talk about it in this segment. We also touch on why we get burnt out and how to avoid it, all in anticipation for SOC Analyst Appreciation Day!

This segment is sponsored by Devo . Visit https://securityweekly.com/devo to learn more about them!

Show Notes: https://securityweekly.com/psw-800

This week, First up its the Security News: libwebp or die: we unravel some of the details behind the webp vulnerability first fixed by Apple and Google, then, hopefully by everyone else, attackers can steal your pixels using your GPU, someone cough China cough has been hacking Cisco routers, Kia boys are still a problem, How the Cult of the Dead Cow plans to save the internet, how iOS updates could break glucose monitors, spamming the CVE database, and when a medium is really a high!

Show Notes: https://securityweekly.com/psw-800

A stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security).

Show Notes: https://securityweekly.com/asw-256

The Year 3000, Sandman, ShadowSyndicate, National Student Clearing House, Apple, Predator, Xenomorph, Mixin, More News, and Jason Wood on the Security Weekly News.

Show Notes: https://securityweekly.com/swn-328