DevOps teams have often been underserved by security tools. Modern appsec solutions need to fit within the existing workflows related to how software is built and deployed. But just dropping a tool into that pipeline isn't sufficient -- there are apps that haven't migrated to modern build processes or framework and many cloud-native apps demand different approaches to deployment. We'll cover the different approaches to adapting security tools to the needs of the developers.
This segment is sponsored by Contrast Security. Visit https://securityweekly.com/contrast to learn more about them!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw186
This discussion will provide a brief overview of the Incident Command System for Industrial Control Systems processes and describe how ICS4ICS will help companies better manage industrial cyber incidents. We will discuss how ICS4ICS will enable companies to work with government agencies and mutual aid partners when a cyber incident impacts an entire industrial sector or multiple sectors.
Segment Resources:
General info and to sign up for more information in our newsletter: https://gca.isa.org/ics4ics
Learn more about our call to volunteers: https://gca.isa.org/blog/ics4ics-will-improve-management-of-ics-cybersecurity-incidents
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw262
This week in the Enterprise News: eSentire raises $325M as it expands into services Beyond Identity raises $100M to build out MFA, Secureframe raises $56M to help folks with SOC 2 and HIPAA compliance, Nashville-based Phosphorus Cybersecurity raises $38M to secure IoT devices (curious about the name - what kind of Phosphorus? Could be dangerous!), anecdotes raises a $25M Series A to compete in the same space as Secureframe (lots of money for folks that ease compliance pains!), Cloudflare acquires, Area 1 Security for $162M, Darktrace acquires ASM vendor Cybersprint, Snyk acquires Fugue, Andy Ellis drops an SBOM in his latest opinion piece, the latest of several thought-provoking hot takes from him, CISA publishes a list of free tools and services, & more!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw262
Josh Corman joins to describe, in vivid detail, some of his experiences working for CISA, as a fed, & from the frontlines.
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw729
Cloud, DevOps, Kubernetes - the world has gone crazy. We don't have servers anymore - we have workloads, instances, and serverless. We have CI/CD pipelines. These workloads are distributed, immutable, and ephemeral (aka 'DIE' - hi Sounil!) in many cases. Today, we chat with Jimmy Vo about what it was like, as a detection engineer, to come from a traditional banking environment and suddenly get thrown into a world full of 'cloud-first' startups. "DevOps folks are nuts." --Jimmy Vo
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw262
Chris will tell the tale on how an electrical engineer got sucked backwards into the infosec abyss. Also, Chris will share some war stories about what he's seen...and be open to questions from Paul that his viewers will enjoy. Beware of dad jokes.
Segment Resources:
Presentations: https://www.slideshare.net/chrissistrunk
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw729
In the Security News for this week: Unskilled hacker linked to years of attacks on aviation, transport sectors, The Elite Hackers of the FSB, Bionic Eyes Go Dark, Herpaderping, & more!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw729
In the Leadership & Communications section for this week: What Is Security?, How to Team Up with IT for Cybersecurity, Executive Cybersecurity Leadership Program launches, and more!
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw251
The Business Information Security Officer, or BISO, is relatively new and somewhat controversial role. Does this role act as the CISO's non-technical liaison to the business units or as the CISO's deputy to oversee strategy implementation at a granular level? Is this new role a necessary career path for future CISOs or an entry point into security? The BSW hosts debate!
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw251
Lots of web hacking can be done directly from the browser. Throw in a proxy like Burp plus the browser's developer tools window and you've got a nearly complete toolkit. But nearly complete means there's still room for improvement. We'll talk about the tools to keep on hand, setting up practice targets, participating in bug bounties, and more resources to help you learn along the way. For tips on labs beyond just appsec, be sure to check out the Security Weekly webcast on "Do It Yourself: Building a Security Lab At Home" at https://securityweekly.com/webcasts/do-it-yourself-building-a-security-lab-at-home/
Segment resources:
- https://www.darkreading.com/careers-and-people/want-to-be-an-ethical-hacker-here-s-where-to-begin
- https://github.com/AdminTurnedDevOps/DevOps-The-Hard-Way-AWS
- https://owasp.org/www-project-juice-shop/
- https://owasp.org/www-project-vulnerable-web-applications-directory/
- https://portswigger.net/web-security
- https://azeria-labs.com/writing-arm-assembly-part-1/
- https://twitter.com/0xAs1F/status/1480604655952433155
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw185
Finally, in the Enterprise Security News, Securonix raises $1B in Vista-led round (it’s like they ate a unicorn!), Salt Security becomes a Unicorn, has not been eaten (yet), Legit Security raises a totally legit $26.5M Series A, Vicarius and Calamu raise Series As ,Permit.io, KSOC, Titaniam, Canonic Security, Allure Security, and SecureThings all pick up seed funding! We look at Big Tech’s cybersecurity funding and acquisitions, The rumor mill goes nuts over a Cisco/Splunk deal that’s probably not happening (maybe?) Why are cybersecurity asset management startups so hot right now? New products, unhelpful legislation, a major acquisition, & of course a few squirrel stories!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw261
This week in the Security News: To steal or collect a bug bounty, print bombing an NFL team, Webkit strikes again, hackers be framing, TIPC Linux kernels, is that an Airtag in your pocket or?, It was Russia unless it wasn't Russia, Cassandra and Magento, how not to redact, & more!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw728
This week in the Application Security News: RCE in Cassandra, why pixelization isn't good redaction, Rust's compiler is friendly, Edge adds arbitrary code guard to its WASM interpreter, & the difference between secure code and a secure product (as demonstrated by a DAO)
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw185
0patch is a simple but powerful service that provides tiny targeted security patches to Windows computers, eliminating the most critical vulnerabilities without restarting the computer or relaunching applications. A different approach to patching allows us to both create and deploy 0day patches much quicker than original vendors can with their traditional update processes.
Segment Resources:
0patch Blog with many posts on vulnerabilities and patches we make
0patch FAQ
https://0patch.zendesk.com/hc/en-us/categories/200441471
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw261
Yes, this is possible! We have incoporated into our vulhub-lab project a way to run Windows inside a Docker Container that is running on Linux. We didn't invent this technique but we will show you how to do it!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw728
Definitions of the word intelligence include a collection of information of military or political value as well as the ability to acquire and apply knowledge or skills. In cybersecurity, when we possess intelligence, we feed that data in our Security Operations Center (SOC) to further analyze the risk present. In this case, the risk is based on the probability of threats materializing and the impact they would have on the organization. We’re calling the output of that SOC Cyber Risk Intelligence. Cyber Risk Intelligence is the ability to think holistically about risk and provide information that decision makers can act on...not just analyze. Traditional Vendor Risk Management (VRM) processes focus on the gap, which is essentially information that needs to be further analyzed against the risk to the business. This is an additional step that takes time and effort, especially when different compliance frameworks and threats are constantly emerging.
Segment Resources: https://www.cybergrx.com/resources/research-and-insights/blog/beyond-risk-management-how-cyber-risk-intelligence-tools-are-changing-the-tpcrm-game
This segment is sponsored by CyberGRX. Visit https://securityweekly.com/cybergrx to learn more about them!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw261
Michael joins us to discuss the importance of information sharing, how to convey cybersecurity practice and topics to senior leaders, cybersecurity regulation, myths surrounding militarizing cyberspace, and more!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw728
In the Leadership and Communications section, 5 Leadership Lessons General Marshall can Teach Us, Cybersecurity incident response: The 6 steps to success, 6 Effective Tips to Politely Say No (that actually work!), and more!
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw250
How to move from legacy GRC processes and systems to a more automated approach that promotes visibility, agility, and alignment from assessment to Boardroom.
This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them!
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw250
In the AppSec News: Docker and security boundaries, Google's year in vuln awards, 2021's year in web hacks, Apple AirTags and privacy, turning AIs onto RFCs for security, & facial recognition research!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw184
In light of the far-reaching Log4j vulnerability, it’s become increasingly clear that the modern developer can’t operate without a solid level of security expertise. Vulnerability management is not just about responding quickly but should be top-of-mind during all stages of software development from inception to delivery. Modern threats mean developers can’t assume security isn’t part of their job and push the burden of responsibility to their infrastructure teams. Doug Kersten, CISO of Appfire, will discuss how the nature of vulnerabilities today makes it critical for developers to make sure they’re building projects in a secure manner in order to quickly mitigate vulnerabilities – or they risk being left scrambling to respond when a threat hits.
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw184
Finally, in the Enterprise Security News, Security automation startup Cerby raises $12M, Virtual CISO startup Cynomi raises 3.5M to help SMBs automate cybersecurity, Keeper Security acquires Glyptodon (I’m 90% certain Keeper hasn’t just purchased the remains of an ancient, long-extinct armadillo), SecurityScorecard acquires LIFARS, a DFIR consulting firm, There’s a rumor that Microsoft is considering picking up Mandiant with all the extra cash still laying around after the Activision/Blizzard buy, & DHS launches the first-ever cyber safety review board!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw260
We discuss the current state of identity challenges in the enterprise with Branden Williams.
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw260
Qualys researcher, Wheel, will discuss the discovery of the 12 year old Linux vulnerability in PolicyKit - which Qualys had dubbed, PwnKit. Wheel will provide an overview of the vulnerability and then dive into a technical discussion of the research.
Segment Resources:
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw727
One of the key features of cryptocurrency, NFTs, and other blockchain-based technologies is the immutable ledger. Put another way, there's no clear way to implement an 'undo' button when it comes to blockchain. In more traditional situations, passwords can be reset. Financial institutions can issue a stop payment order.
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw260