This week in the Security News: Anonymous hacks Epik (with a K), Fuzzing Close-Source Javascript Engines, ForcedEntry, 8 Websites that can replace computer software, REvil decryptor key released, Microsoft fixes Critical vulnerability in Linux App, Drone accidentally delivers drug paraphernalia to high schoolers, & more!

Show Notes: https://securityweekly.com/psw710

Visit https://www.securityweekly.com/psw for all the latest episodes!

Brakeman is a free static analysis security tool specifically designed for Ruby on Rails applications. It analyzes Rails application code to find security issues at any stage of development. Justin first released Brakeman in 2010. In 2018, the commercial version, "Brakeman Pro", was acquired by Synopsys. Brakeman continues to be a very popular security tool for Rails, with tens of thousands of downloads per day.

Show Notes: https://securityweekly.com/psw710

https://github.com/presidentbeef/brakeman

Visit https://www.securityweekly.com/psw for all the latest episodes! 

Network breaches, ransomware attacks, and remote-work challenges highlight the need for cloud-native Secure Access Service Edge (SASE) deployments.

Show Notes: https://securityweekly.com/psw710

This segment is sponsored by Barracuda Networks.

Visit https://securityweekly.com/barracuda to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes! 

This week in the Enterprise News: Adrian's first Enterprise News in the Captain's Seat, BitSight raises $250m on a $2.4bn valuation, Palo Alto Networks enters the consumer IoT market, Martin Roesch Joins Netography as CEO, the special "Squirrel of the Week" story, & more!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw242

Organizations are divided. Some will be able to lean into mitigations against catastrophic and cascading failures. Others will not. In this discussion, we will explore the risk tradeoffs in firmware security. This includes risks inherent in devices, supply chain, physical access, and malicious software. We will also explore various mitigation strategies throughout the lifecycle, which separate those leaning in from those that don't.

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw242

Large organizations develop hundreds of new web applications every year. Some of those deployments are lost in time, and others go wild with high severity vulnerabilities. Forgotten and outdated web applications are a common culprit of successful hack attacks. What can you do to protect your organization? Let's talk about the first step to securing web applications - continuous web asset discovery.

Segment Resources: https://www.acunetix.com/blog/docs/benefits-of-web-asset-discovery/

https://www.netsparker.com/features/continous-web-asset-discovery-engine/

This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw242

Defining Insider Threats / Going Beyond Traditional Definitions (What Is Really Happening Behind Firewalls) How Damaging And Costly An Insider Threat Incident Can Be? (Eye Opening Examples From 10+ Years Of Research) Creating An Insider Threat Mitigation Framework

Segment Resources:

INSIDER THREAT INCIDENTS E-MAGAZINE 2014 To Present The Insider Threat Incidents E-Magazine contains the largest publicly available source of Insider Threat incidents (2,700+ Incidents). View On This Link. Or Download The Flipboard App To View On Your Mobile Device https://flipboard.com/@cybercops911/insider-threat-incidents-magazine-resource-guide-tkh6a9b1z 

INSIDER THREAT INCIDENT POSTINGS WITH DETAILS (500+ Incidents) https://www.insiderthreatdefense.us/category/insider-threat-incidents/ 

Incident Posting Notifications

Enter your e-mail address in the Subscriptions box on the right of this page. https://www.insiderthreatdefense.us/news/ 

INSIDER THREAT INCIDENTS COSTING $1 MILLION TO $1 BILLION + https://www.linkedin.com/post/edit/6696456113925230592/

INSIDER THREAT INCIDENT POSTINGS ON TWITTER https://twitter.com/InsiderThreatDG 

DG CRITICAL INFRASTRUCTURE INSIDER THREAT INCIDENTS https://www.nationalinsiderthreatsig.org/crticial-infrastructure-insider-threats.html 

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw86

Defining Insider Threats / Going Beyond Traditional Definitions (What Is Really Happening Behind Firewalls) How Damaging And Costly An Insider Threat Incident Can Be? (Eye Opening Examples From 10+ Years Of Research) Creating An Insider Threat Mitigation Framework

Segment Resources:

INSIDER THREAT INCIDENTS E-MAGAZINE 2014 To Present The Insider Threat Incidents E-Magazine contains the largest publicly available source of Insider Threat incidents (2,700+ Incidents). View On This Link. Or Download The Flipboard App To View On Your Mobile Device https://flipboard.com/@cybercops911/insider-threat-incidents-magazine-resource-guide-tkh6a9b1z

INSIDER THREAT INCIDENT POSTINGS WITH DETAILS (500+ Incidents) https://www.insiderthreatdefense.us/category/insider-threat-incidents/

Incident Posting Notifications

Enter your e-mail address in the Subscriptions box on the right of this page. https://www.insiderthreatdefense.us/news/

INSIDER THREAT INCIDENTS COSTING $1 MILLION TO $1 BILLION + https://www.linkedin.com/post/edit/6696456113925230592/

INSIDER THREAT INCIDENT POSTINGS ON TWITTER https://twitter.com/InsiderThreatDG

DG CRITICAL INFRASTRUCTURE INSIDER THREAT INCIDENTS https://www.nationalinsiderthreatsig.org/crticial-infrastructure-insider-threats.html

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw86

This Week, in the Leadership and Communications section, The SEC Is Serious About Cybersecurity. Is Your Company?, CISA Urges Organizations to Avoid Bad Security Practices, IT leaders facing backlash from remote workers over cybersecurity measures, and more! 

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw231

Kevin Nolten, Director of Academic Outreach from Cyber.org, joins Business Security Weekly to discuss how cyber education is the key to solving the skills gap and developing the next generation of cybersecurity professionals. Kevin will share examples of how we, the cybersecurity community, can get involved in K-12 and higher education programs, strategies for developing young talent, and how Cyber.org's curriculum can be used to train your employees! 

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw231

This week in the AppSec News, Mike and John talk: OWASP Top 10 draft for 2021, bad practices noted by CISA, Azurescape cross-account takeover, Confluence RCE, WhatsApp image handling, API security tokens survey, & more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw165

Data from the ShiftLeft customer report shows that companies that have rebuilt their core testing processes around faster and more accurate static analysis are able to release more secure code at scale, scan more frequently, fixes earlier in the software development life cycle, have less security debt, and maintain more security fixes overall.

Segment Resources:

http://shiftleft.io/resources/appsec-shift-left-progress-report-2021?utm_source=cyber_risk_alliance&utm_medium=podcast

This segment is sponsored by ShiftLeft. Visit https://securityweekly.com/shiftleft to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw165

Benjamin will discuss securing iframes with the sandbox attribute. This segment is sponsored by Acunetix.

Visit https://securityweekly.com/acunetix to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw709

This week in the Security News: Hacking Honda, a fact about single-factor, disarming your home and alarming vulnerability disclosure response, btw, you have a Sudo vulnerability, NSO under investigation, Loki and 0days, Linux turns 30, SANS appoints a new president of the college, how much does your USB thumb drive weigh?, and When "Florida Woman" attacks!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw709

Paul presents a Technical Segment that walks through Nmap, Vulners scripts, & Flan Scan!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw709

This week in the Enterprise News, "inertia in cybersecurity strategy", Check Point acquires Avanan, Absolute DataExplorer, BreachQuest Launches with $4.4m in seed funding, Acronym Bingo, & More!!!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw241

It's time to think more broadly about the R in NDR. Incident responders need a full spectrum of response–from hunting and investigations to remediation–not just another alert cannon. While blocking and containment are important steps, complete incident response is about gathering forensic evidence, sharing it across teams to establish root cause, pulling together an actionable plan, and eradicating the risk or vulnerability from the organization’s environment. ExtraHop's Principal Engineer John Smith joins Security Weekly to discuss.

Segment Resources:

- ExtraHop Extends Response and Forensics Capabilities with Deep Threat Insights for Hybrid Cloud https://www.extrahop.com/company/press-releases/2021/revealx-360-innovations/?uniqueid=FJ07532845&utm_source=security-weekly&utm_medium=podcast&utm_campaign=2021-q3-security-weekly-pr-resource&utm_content=press-release&utm_term=no-term&utm_region=global&utm_product=security&utm_funnelstage=top&utm_version=no-version

- ExtraHop free and interactive demo https://www.extrahop.com/demo/?uniqueid=AN07532846&utm_source=security-weekly&utm_medium=podcast&utm_campaign=2021-q3-security-weekly-demo&utm_content=demo&utm_term=no-term&utm_region=global&utm_product=security&utm_funnelstage=top&utm_version=no-version

This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw241

GitLab is unique in many ways, but our transparency value is pushing us to mature our Security posture faster than attackers. Discover how GitLab iterates quickly to adapt to a world where everyone can contribute.

Segment Resources: https://about.gitlab.com/handbook/values/#transparency

This segment is sponsored by GitLab. Visit https://securityweekly.com/gitlab to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw241

SMB needs to understand the importance of being PCI compliant and that just because the verbiage on a website says the vendor is compliant, doesn't make the merchant compliant. Just because it says it from a service provider standpoint, asking for a copy of their AOC is critical. If your merchant service provider is guiding you through the SAQ, or telling you to just check yes or no, they are coercing you into falsifying documents which is a breach of your agreement.

Segment Resources:

https://www.linkedin.com/pulse/what-matters-moreyour-vendor-relationship-your-client-bulin/?published=t

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw85

SMB needs to understand the importance of being PCI compliant and that just because the verbiage on a website says the vendor is compliant, doesn't make the merchant compliant. Just because it says it from a service provider standpoint, asking for a copy of their AOC is critical. If your merchant service provider is guiding you through the SAQ, or telling you to just check yes or no, they are coercing you into falsifying documents which is a breach of your agreement.

Segment Resources:

https://www.linkedin.com/pulse/what-matters-moreyour-vendor-relationship-your-client-bulin/?published=t

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw85

Looking into the first half of 2021, there are important indicators of what cyber adversaries are planning next. This will be a conversation about cyberthreat trends and looking into takeaways from big name attacks so far this year.

Show Notes: https://securityweekly.com/bsw230

Segment Resources: https://www.fortinet.com/fortiguard/labs https://www.fortinet.com/blog/threat-research

This segment is sponsored by Fortinet. Visit https://securityweekly.com/fortinet to learn more about them!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

In the Leadership and Communications section, Executives in tech say staff attrition is rising, 7 in 10 Facility Managers Consider OT Cybersecurity a Major Concern, Consumers Concerned About Personal Data Collection, and more!

Show Notes: https://securityweekly.com/bsw230

Visit https://www.securityweekly.com/bsw for all the latest episodes! 

This week in the Application Security News, Mike and John talk: Flaws in Azure's CosmosDB, OpenSSL vulns in string handling, dating app location security, cloud security orienteering, detailed S3 threat model, & more!

Show Notes: https://securityweekly.com/asw164

Visit https://www.securityweekly.com/asw for all the latest episodes! 

In the segment Mike and Caroline will discuss Risk Tolerance and Risk Transfer. They'll touch on the following: risk ranking, risk transfer in supply chain, how to diversify security controls, time vs risk reduction vs vulnerability exposure all from a DevOps perspective. While also touching upon how security is not (and should not) be a gate.

Show Notes: https://securityweekly.com/asw164

Visit https://www.securityweekly.com/asw for all the latest episodes!

This week in the Security News: Some describe T-Mobile security as not good, if kids steal bitcoin just sue the parents, newsflash: unpatched vulnerabilities are exploited, insiders planting malware, LEDs can spy on you, hacking infusion pumps, PRISM variants, 1Password vulnerabilities, plugging in a mouse gives you admin, & yard sales!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw708