We’re getting closer to the Q1 2022 release of PCI DSS 4.0, which is expected to differ from the current PCI DSS 3.2.1 version in a few key ways. This includes giving organizations more options in how they become compliant, along with customized implementation. In this podcast, Chris Pin, VP of Privacy and Compliance at PKWARE, will discuss what customized implementation means for organizations, additional changes to 4.0, and why they’re important. And, while PCI 3.2.1 won’t be retired until 2024, it’s a good idea for companies to get started now with their 4.0 compliance strategy. After all, the road to compliance could be a long one, and 2025 will be here before we know it! 

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw91

Zero Trust has quickly become a cybersecurity mandate and also the most abused term in the industry. The core tenants of Zero Trust are rooted in the ability to deliver secure access, which is arguably the foundation and fundamentals of any Zero Trust architecture. Hence the rise of Zero Trust Network Access and demise of legacy access solutions like VPNs. In this episode, we discuss the role of Zero Trust Network Access in strengthening and simplifying access controls for today’s hybrid workforce as they connect from anywhere to multi-cloud, on-premises and even legacy applications. This includes how to reduce the attack surface due to digital sprawl and even reduce complexity for improved user-experience and operational efficiency.

This segment is sponsored by Appgate. Visit https://securityweekly.com/appgate to learn more about them!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw236

The Security Weekly 25 Index hits an all-time high for the third straight quarter! In this segment, Matt, Jason, and Ben break down the cybersecurity market winners and losers, in both the public and private markets!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw236

This Week in the AppSec News: View source good / vuln bad, IoT bad / rick-roll good, analyzing the iOS 15.0.2 patch to develop an exploit, bypassing reviews with GitHub Actions, & more NIST DevSecOps guidance!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw170

There's a plenitude of ways to do Dev(Sec)Ops, and each organization or even each team uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important to understand how to integrate a security scanner in your DevSecOps processes. It all comes down to speed, how fast can I scan the new deployment? Discussion around the challenges on how to integrate a DAST scanner in DevSecOps and some tips to make it easier.

This segment is sponsored by Probely. Visit https://securityweekly.com/probely to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw170

This week in the Security News: Following the ransomware money, the Mystery Snail, school cybersecurity is the law, sue anyone, just not security researchers, "hacking" a flight school, refusing bug bounties in favor of disclosure, Apple still treats researchers like dog poo, prosecuting people for reading HTML, giving up on security and a high school hacking prank that never wants to give you up and won't let you down!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw714

Sven will talk about GraphQL APIs. He is going to show common issues that arise from its usage and how to attack GraphQL applications.

This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw714

The world's top tech organizations are pursuing an open-source endpoint security strategy using osquery. We will dig into how osquery and Fleet can enable observation, collection, and investigation on endpoints. This open-source strategy eases deployment, reduces cost, improves trust, and provides flexibility to meaningfully improve security on the endpoint.

Segment Resources:

https://osquery.io

https://fleetdm.com

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw714

In the Enterprise Security News: Wiz raises $250 million at a staggering $6 billion valuation, Gretel.ai, another privacy engineering startup, raises $50 million, Forcepoint acquires Bitglass, Yubico releases a new line of biometric security keys, Facebook releases an open source tool for analyzing mobile app code, Venture capital needs to clear its, plate, or it can't have any pudding, Maritime security has a lot of security work to do, & don't forget to stick around for the weekly squirrel!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw246

Seeking to capitalize on the full potential of digital transformation, organizations are turning to serverless applications to accelerate development cycles, reduce operational complexities, and improve efficiencies. But as organizations embrace serverless applications, a majority are encountering security roadblocks that impede release cycles and/or ratchet up risk. This podcast explores findings and insights from a recent serverless application security report and plots actionable recommendations on how organizations can realize the comprehensive benefits of serverless applications without sacrificing security!

Segment Resources:

Whitepaper: Contrast Scan Is Faster, More Accurate, and More Efficient - https://www.contrastsecurity.com/white-paper-modern-application-security-scanning

eBook: Pipeline-Native Static Analysis Why It Is the Future of SAST - https://www.contrastsecurity.com/ebook-static-analysis-security-testing

Solution Brief: Contrast Scan: Modern Application Security Scanning - https://www.contrastsecurity.com/hubfs/DocumentsPDF/Contrast-Scan-Modern-Application-Security-Scanning_Solution%20Brief_Final.pdf

This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrast to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw246

A big part of preparing for Security Weekly news segments is reading press releases. Most of us also get emails whenever a cybersecurity vendor sends out a press release. Too many are frivolous, full of hyperbole, or just plain unreadable. We talk about why so many press releases are like this (there are legit reasons!) and how they could be improved.

What's wrong with press releases?

1. Frivolous Press Releases

2. Unintelligible Press Releases

3. Bending the Truth

4. Excessive hyperbole; death by adjective

5. FUD

Why are they like this?

1. Feeding the SEO beast

2. Written by committee

3. Need to appear successful

4. Need to show growth/progress

5. Need to differentiate from the competition

6. "if it bleeds it leads"

Fixing Press Releases

- When should you put out a press release?

- What should go into a press release?

- How should you write a press release?

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw246

Tune in for this discussion on social engineering and its merits on being recognized as a legitimate component of cyber security. We'll also dive into the whole notion of motive and intent as it pertains to deliberately misrepresenting yourself, or simply lying to your customer in order to get them to be more secure.

Segment Resources:

The Aspies Guide to Social Engineering: from DEF CON 27 Social Engineering Village: https://www.youtube.com/watch?v=5IraysvK38A

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw90

Tune in for this discussion on social engineering and its merits on being recognized as a legitimate component of cyber security. We'll also dive into the whole notion of motive and intent as it pertains to deliberately misrepresenting yourself, or simply lying to your customer in order to get them to be more secure.

Segment Resources:

The Aspies Guide to Social Engineering: from DEF CON 27 Social Engineering Village: https://www.youtube.com/watch?v=5IraysvK38A

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw90

In the Leadership and Communications section for this week: How to strive and thrive [in a meeting], 5 steps toward real zero trust security, Seven strategies for building a great security team, & more!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw235

It is Cybersecurity Awareness Month, but security awareness is a lot tougher than just dedicating a month to awareness activities. Security awareness is a journey, requiring motivation along the way. Brian Reed, Cybersecurity Evangelist from Proofpoint, joins Business Security Weekly to discuss the security awareness journey and how the human elements can help motivate us. Brian will discuss how personalized content and gamification can help achieve better outcomes for organizations and the individual.

This segment is sponsored by Proofpoint. Visit https://securityweekly.com/proofpoint to learn more about them!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw235

This week in the AppSec News, Mike and John talk: The Twitch breach, a path traversal in Apache httpd, Microsoft disables macros by default after almost 30 years, factors in a great cybersecurity program, & more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw169

SBOM: What does it really tell you and the importance of having one for your organization.

- Finding and fixing known vulnerabilities in dependencies and container images

- Building a source of truth for packages to avoid malicious packages getting through

- Combining continuous packaging and security into a CI/CD pipeline

- Establishing Trust & Provenance in your Software Supply Chain

- Visibility in your Software Supply Chain with upstreams and signatures

This segment is sponsored by Cloudsmith. Visit https://securityweekly.com/cloudsmith to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw169

This week in the Security Weekly News: Brushing that data breach under the rug? Get sued by the US Government!, all your text messages belong to someone else, beware of the Python in your ESXi, Twitch leaks, when LANtennas attack, zero-trust fixes everything, recalled insulin pumps, Apache 0-day, you iPhone is always turned on, Apple pay hacked, & more!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw713

There are many options to choose from when setting up The Security Onion. The use cases are vast, including a NIDS (Zeek, Suricata), HIDS (Beats, Wazuh, osquery) and standalone instances for a SOC workstation and static analysis. I really like SO as a platform to collect all kinds of data from the network and from your systems (some even use the word XDR).

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw713

Today Dan DeCloss, CEO of PlexTrac, joins the panel to share results from a CyberRisk Alliance survey of 315 security practitioners in the U.S. and Canada. This research, sponsored by PlexTrac, shows a correlation between purple teaming and program maturity, which emphasizes the importance of adversary emulation in today’s security landscape. Tune in to get the scoop on the survey results and MUCH more!

This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw713

In the Enterprise Security News for this week: Orca Security raises all the money, Privacy engineering firms hit their funding stride, McAfee and FireEye merge, but where's RSA's dance partner? Akamai acquires Guardicore, NetApp picks up CloudCheckr, SPDX becomes the ISO standard for SBOMs, & Facebook shares details on how they accidentally Thanos snapped themselves! All that, our weekly Squirrel, and more, on this episode of the Enterprise Security Weekly News!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw245

Once again, it is Cybersecurity awareness month and we'll be talking with Ryan Kalember about the latest threats and other activities he and Proofpoint have going on this month. When it comes to threats, some tactics aren't changing, though they're still effective. There are some notable shifts though:

- Crews using Office 365 for lateral movement

- FIN7 reborn

- A sudden interest in exploits

- Increased patience and increased focus on the individual as the key to an attack

- SMB attacks look very different from large enterprise campaigns

This segment is sponsored by Proofpoint. Visit https://securityweekly.com/proofpoint to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw245

Sales teams are under more pressure than ever to locate and bring in new customers. The methods they use can range from clever to questionable. While some of the more ethically questionable methods can produce results, we wonder: do vendors realize what these methods could be potentially costing them? Richard Reinders joins us today to discuss how he handles one of the toughest challenges any security leader will have to face: interacting with vendors.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw245

This week we're talking all things ISO27001 with Wim Remes! We're starting with what it is, the who, what, where, when, why etc. then we'll talk about the bad and the good. Tune in for this special listener requested topic!

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw89

This week we're talking all things ISO27001 with Wim Remes! We're starting with what it is, the who, what, where, when, why etc. then we'll talk about the bad and the good. Tune in for this special listener requested topic!

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw89