A takeover of the MOBI TLD for $20, configuring an LLM for a CTF, firmware flaw in an SSD, Microsoft talks kernel resilience, six truths of cyber risk quantification, and more!
Show Notes: https://securityweekly.com/asw-299
When a conference positioned as a day of security for developers has to be canceled due to lack of interest from developers, it's important to understand why there was so little interest and why appsec should reconsider its approach to awareness. Dustin Lehr discusses how appsec can better engage and better deliver security concepts in a way that makes developers not only feel like their time is well used, but that the content appeals to them.
Segment Resources: - The Security Champion Program Success Guide -- A free guide that includes all steps necessary to build a successful security champion program, with real-world recommendations and examples: https://securitychampionsuccessguide.org/ - Let's Talk Software Security -- A free global virtual community where we host monthly open discussions on appsec topics: https://www.meetup.com/lets-talk-software-security/
Show Notes: https://securityweekly.com/asw-299
In the leadership and communications segment, Why Companies Should Consolidate Tech Roles in the C-Suite, End of an era: Security budget growth slows down, Global cybersecurity workforce growth flatlines, stalling at 5.5M pros, and more!
Show Notes: https://securityweekly.com/bsw-364
Cybersecurity is complex. We have threats, vulnerabilities, incidents, controls, risks, etc. But how do they all connect together to drive a cyber risk program? As an industry, we've struggled for 20+ years trying to boil this ocean. Maybe we've been going about it the wrong way.
Padraic O'Reilly, Founder and Chief Innovation Officer at CyberSaint, joins Business Security Weekly to discuss how AI can help us solve the cybersecurity data problem. Starting with simple mappings from risks to controls, CyberSaint is flipping the cyber risk management problem on it's head. Instead of working from the bottom up, CyberSaint is tackling the problem from the top down. Padraic will discuss how CyberSaint is using AI, practical AI, to address the complexities of cybersecurity data, including:
This segment is sponsored by CyberSaint . Visit https://securityweekly.com/cybersaint to learn more about them!
Show Notes: https://securityweekly.com/bsw-364
Ever wondered what it's like to be responsible for the cybersecurity of a sports team? How about when that sports team is one of the world's most successful Formula One teams? I can't describe how excited we are to share this interview. This interview is basically two huge F1 nerds who happen to also be cybersecurity veterans asking everything they've always wanted to know about what it takes to secure an F1 team.
For the folks out there that aren't familiar with this sport, Formula One is arguably the fastest, most watched, and most international automotive racing sport today. In the 2024 season, the racing series will feature ten teams traveling to 24 race tracks located in 21 different countries. Also, did you know that only two countries get more than one race? Italy gets to host two Grand Prix, and the United States gets to host three.
A HUGE thanks to Keeper Security and Darren Guccione for making this interview possible. This isn't a sponsored interview, but it was Keeper's PR team that pitched the idea for this interview to us, and as F1 fans, we're super grateful they did!
Segment Resources:
Show Notes: https://securityweekly.com/esw-375
We are a month away from Oktane -- the biggest identity event of the year. Okta is bringing thousands of identity industry thought leaders, IT and security executives, and other tech leaders together on October 15-17 to discuss the changing landscape for security and identity, how organizations are putting identity first, new Okta products, and more. Harish Peri, Senior Vice President of Product Marketing, joins Enterprise Security Weekly to discuss what people should expect from Oktane this year, the conversations that will take place at the event and why it’s important for security professionals to attend/tune in.
This segment is sponsored by Oktane. Visit https://securityweekly.com/oktane2024 and use discount code OKTNSC24 to pay only $100 for your full conference pass!
Show Notes: https://securityweekly.com/esw-375
Through the Fire and Li-On Flames, Lazarus, Whatsup, Scattered Spider, Hadooken, Dead People, Aaran Leyland, and More on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-413
This week, in the enterprise security news,
Show Notes: https://securityweekly.com/esw-375
Don't tell the FCC there is a new Flipper firmware release, unpatchable?, argv[0] and sneaking past defenses, protect your registries, someone solved my UART RX problem, PKFail update, legal threats against security researchers documented, EDR bypass whack-a-mole continues, emulating PIs, VScode moonlights as a spy, Want to clone a YubiKey? All you need is $11,000, some fancy gear, and awkwardly close proximity to your victim, and Telegram’s encryption: it’s kinda like putting a 'Keep Out' sign but leaving the door unlocked.
Show Notes: https://securityweekly.com/psw-842
Lee comes on the show to discuss:
Show Notes: https://securityweekly.com/psw-842
AI Trucks, Solid Concrete, Sonicwall, Progress, Rust, Apple, and more, on this Edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-412
Considerations in paying down tech debt, make Rust work on bare metal, ECDSA side-channel in Yubikeys, trade-offs in deploying SSO quickly, and more!
Show Notes: https://securityweekly.com/asw-298
In the leadership and communications segment, Blind Spots in the C-Suite & Boardroom, Evolving Cybersecurity: Aligning Strategy with Business Growth, How to Lead Like a Coach, and more!
Show Notes: https://securityweekly.com/bsw-363
Cybersecurity resilience, different from cyber resilience, is critical as threats grow in frequency and complexity. With digital innovation driving business, cybersecurity resilience is essential for maintaining stakeholder trust and compliance. But where do you start?
Theresa Lanowitz, Chief Evangelist at LevelBlue, joins Business Security Weekly to discuss how to align cybersecurity and the business, including the need to:
This segment is sponsored by LevelBlue. Visit https://securityweekly.com/levelblue to learn more about them!
Show Notes: https://securityweekly.com/bsw-363
Check out this episode from the SWN Vault, hand picked by main host Doug White! This SDL episode was initially published on August 9, 2017.
Doug explains the basics of how IP Addresses work, with help from Doug in an alternate dimension. Beware of the terminator!
Show Notes: https://securityweekly.com/vault-swn-20
Check out this episode from the ESW Vault, hand picked by main host Adrian Sanabria! This episode was initially published on April 21 2023.
Quantum computers are scaling rapidly. Soon, they will be powerful enough to solve previously unsolvable problems. But they come with a global challenge: fully-realized quantum computers will be able to break some of the most widely-used security protocols in the world. Dr. Vadim Lyubashevsky will discuss how quantum-safe cryptography protects against this potential future.
Segment Resources:
IBM Quantum Safe: https://www.ibm.com/quantum/quantum-safe IBM scientists help develop NIST’s quantum-safe standards: https://research.ibm.com/blog/nist-quantum-safe-protocols Government and industry experts recommend moving to quantum-safe cryptography: https://research.ibm.com/blog/economist-quantum-safe-replay
Show Notes: https://securityweekly.com/vault-esw-16
Exploring the Hacking Landscape with Mark Loveless, AKA SimpleNomad
Dive into the intricate world of cybersecurity with our featured guest, Mark Loveless, widely known by his handle SimpleNomad. With a rich history in the realm of information security, Mark is a seasoned professional, researcher, and thought leader.
Mark's journey spans decades, marked by a commitment to uncovering vulnerabilities and understanding the ever-changing threat landscape. As a prominent figure in the cybersecurity community, he has contributed significantly to the field, sharing insights, research findings, and expertise.
Join us in this podcast interview as Mark reflects on his experiences, discusses the evolution of cybersecurity challenges, and shares his perspectives on emerging trends. With a deep understanding of both offensive and defensive security, Mark brings a unique perspective to the conversation, offering valuable insights into the strategies and tactics employed by cybersecurity professionals.
As a respected voice in the industry, Mark Loveless has not only witnessed the evolution of cybersecurity but has actively shaped its trajectory through his contributions to research, writing, and speaking engagements. This episode provides a rare opportunity to gain knowledge from a cybersecurity veteran and explore the nuances of an ever-expanding digital landscape.
Tune in to discover the wisdom and experiences that have defined Mark Loveless's career and gain a deeper understanding of the complexities and challenges inherent in the world of cybersecurity.
Show Notes: https://securityweekly.com/vault-psw-12
Check out this episode from the SWN Vault, hand picked by main host Doug White! This SDL episode was initially published on November 8, 2017.
What is encryption anyway? Doug and Russel explain symmetric encryption, asymmetric encryption, and how crypto gets broken!
Show Notes: https://securityweekly.com/vault-swn-19
Check out this episode from the BSW Vault, hand picked by main host Matt Alderman! This episode was initially published on November 29, 2022.
Todd Fitzgerald, author of CISO Compass and host of CISO Stories, joins BSW to share his top leadership lessons from the first 100 episodes of CISO Stories. Todd interviews CISOs and gains insights into their challenges and how they are solving them. Don't miss this recap!
View CISO Stories podcast episodes here: https://www.scmagazine.com/podcast-show/the-ciso-stories-podcast
Show Notes: https://securityweekly.com/vault-bsw-13
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on May 9, 2023.
What does software resilience mean? Why is status quo application security unfit for the modern era of software? How can we move from security theater to security chaos engineering? This segment answers these questions and more.
Segment Resources:
Book -- https://securitychaoseng.com
Blog -- https://kellyshortridge.com/blog/posts/
Show Notes: https://securityweekly.com/vault-asw-13
In this interview, Maor Bin, CEO and Co-Founder of Adaptive Shield, discusses the evolving landscape of SaaS Security. He highlights the challenges posed by the security gap resulting from the rapid adoption of SaaS applications and why SaaS security is beyond just misconfiguration management.
Segment Resources: https://www.adaptive-shield.com/landing-page/the-annual-saas-security-survey-report-2025-ciso-plans-and-priorities/
This segment is sponsored by Adaptive Shield. Visit https://securityweekly.com/adaptiveshieldbh to download the Annual SaaS Security Survey Report!
Cybersecurity professionals are often confronted with ethical dilemmas that need to be carefully navigated. In 25 years of teaching incident handling and penetration testing, Ed has often been asked by his students for help in ethical decision-making. Ed will share some of their questions and his recommended approaches for addressing them. Ed also has a new book out, The Code of Honor, about cybersecurity ethics. All proceeds go to scholarships for college students.
Segment Resources: 1) Ed's book, published June 18, 2024: https://www.amazon.com/Code-Honor-Embracing-Ethics-Cybersecurity/dp/1394275862/ref=sr11?crid=1DSHPCXDIQ1VT&dib=eyJ2IjoiMSJ9.rmZX2-3mj1nI74iKkjbKkQSNKCuRjjn-QQ8qrzVy21tMRAXuKu5Qr5rPgtszkVd7zJMV7oVTuImUZIxMQfecnaRlNRfAVI5G7azyWi8lY.WHOujvlsQXPTJaHuEafwRC2WVKZe474eVXHn46kLiEY&dib_tag=se&keywords=skoudis&qid=1722767581&sprefix=skoudis%2Caps%2C90&sr=8-1
2) Holiday Hack Challenge - sans.org/holidayhack
Show Notes: https://securityweekly.com/esw-374
I often say that it isn't the concepts or ideas in cybersecurity that are bad, but the implementations of them. Sometimes the market timing is just wrong and the industry isn't ready for a particular technology (e.g. enterprise browsers). Other times, the technology just isn't ready yet (e.g. SIEMs needed better database technology and faster storage). Since the ideas are solid, we see these concepts return after a few years.
Application allowlisting is one of these product categories. Threatlocker has been around since 2017 and is now a late stage startup that has achieved market fit. We chat with the company's CEO and founder, Danny Jenkins to find out how they learned from the mistakes made before them, and differentiate from the technology some of us remember from the late 2000s and early 2010s.
Segment Resources:
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Show Notes: https://securityweekly.com/esw-374
Daleks, AVTECH, Palo Alto, VMWARE, Travel, California AI Dreamin', Aaran Leyland, and More on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-411
The top priority on the CIS Critical Security Controls list has never changed: inventory and control of enterprise assets. Yet it remains one of the most challenging controls to implement, much less master. The refrain, "you can't secure what you don't know about" is as old as information security itself.
Complicating this task is the fact that improving asset management isn't an aspiration unique to the security team. IT, finance, facilities, and other groups within large enterprises are concerned with this as well. This often leads to challenges: should all these groups attempt to standardize on one common asset database or CMDB? Or should security go their own way, and purchase their own asset management tool?
Answering these questions would be a lot easier if we had someone with an IT asset management (ITAM) perspective, and fortunately, we do! Jeremy Boerger of Boerger Consulting joins us to help us understand the IT perspective, so we can understand if there are opportunities for security and IT to help each other out, or at least find some common ground!
Boerger Consulting Resources:
Show Notes: https://securityweekly.com/esw-374
This week: I want all the firmware, its not just TP-Link, CVEs for malware, BLE and your health, faking your own death, serial ports, stealthy Linux malware, call this number, finding all the Wordpress plugin vulnerabilities!
Show Notes: https://securityweekly.com/psw-841