In the leadership and communications section, CISO, The Board, and Cybersecurity, How CISOs Can Work With the CFO to Get the Best Security Budget, Building Effective and Skilled Teams Through Networking, Connectivity, and Communication, and more!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw299

Ferrari refuses ransomware, OpenAI deals with security issues from cacheing, video killed a crypto ATM, GitHub rotates their RSA SSH key, bypassing CloudTrail, terms and techniques for measuring AI security and safety

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw234

We often see security as a thing that has definitive check boxes, end states and deliverables. Audits "end" and then start again, but if you are looking at security as a noun -- as in, a thing that gets done, you are falling short. Security must be a verb. You DO security, you do not HAVE security. Security weaves through every layer and goes beyond the IT assets or codebase.

This includes:

• Guerrilla marketing of gaining end-user buy-in for initiatives
• Iterative tuning of your data sources 
• Active engagement with real-time feedback from the user base and technical teams

Threat- and risk-informed decisions need to be capable of adapting when things get turned upside down. You need to create a culture and the associated processes to look at security like you do. Security teams and roadmaps are designed to look (often myopically) at specific "deliverables" and not so much at the vital signs of the security ecosystem in any given moment (and what that looks like OVER TIME, not at a moment IN time).

This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw299

Twitter, Tax Scams, Microsoft, Executive Orders, Pwn2Own, French Bans, and more on this edition of the Security Weekly News.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn284

With the increased interest and use of AI such as GTP 3/4, ChatGPT, GitHub Copilot, and internal modeling, there comes an array of use cases and examples for increased efficiency, but also inherent security risks that organizations should consider. In this talk, Invicti’s CTO & Head of Security Research Frank Catucci discusses potential use cases and talks through real-life examples of using AI in production environments. Frank delves into benefits, as well as security implications, touching on a number of security aspects to consider, including security from the supply chain perspective, SBOMs, licensing, as well as risk mitigation, and risk assessment. Frank also covers some of the types of attacks that might happen as a result of utilizing AI-generated code, like intellectual property leaking via a prompt injection attack, data poisoning, etc. And lastly, Frank shares the Invicti security team's real-life experience of utilizing AI, including early successes and failures.

Segment Resources:

• On-demand webinar on the topic of generative AI - https://www.scmagazine.com/cybercast/generative-ai-understanding-the-appsec-risks-and-how-dast-can-mitigate-them
• Invicti Research - https://www.invicti.com/blog/web-security/analyzing-security-github-copilot-suggestions/ - https://github.com/svenmorgenrothio/Prompt-Injection-Playground

This segment is sponsored by Invicti. Visit https://securityweekly.com/invicti to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw234

In this episode, Neatsun Ziv, co-founder and CEO of OX Security, takes a deep dive into software supply chain security. He focuses on the new Open Software Supply Chain Attack Reference (OSC&R), a first-of-its-kind framework for understanding techniques, tactics, and procedures (TTPs) used by attackers to compromise supply chains. OSC&R was forged by a group led by OX Security with cybersecurity pros from a number of companies, including Google, GitLab, FICO, Check Point, VISA and Fortinet.

Segment Resources:

• https://pbom.dev/
• https://github.com/pbom-dev/OSCAR

Visit https://www.securityweekly.com/asw for all the latest episodes! 

Show Notes: https://securityweekly.com/asw231

This week in the Enterprise News: Dope Security nabs $16M led by GV to build out secure web gateways designed to work on endpoints, not in the cloud. We take the mystery out of some recent funding. Microsoft 365's Copilot tries to do your job for you. Mapping failures with decision trees. An AI hires a human to solve a CAPCHA, because it needed help, and lies to the human about the reason why. You know what's different between AI and you? Those goosebumps on your arms right now and the ice water in your veins. AI can't do that. New drone designs that change everything & Cyber Startup Buzzword Bingo: 2023 Edition.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw310

This week Dr. Doug talks: TikTok, Github, CISA and More CISA, Netgear, Do Kwon and More on this episode of the Security Weekly News.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn283

The ioXt Alliance is a group of manufacturers, industry alliances, labs, and government organizations, dedicated to harmonizing best security practices and establishing testable standards. Our goal is to bring security, upgradability and transparency to the market and directly into the hands of consumers. Come learn about Smart Product security and what consumers should be asking for.

Segment Resources:

https://www.ioxtalliance.org/

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw310

SafeLiShare delivers tamperproof security from inside out across clouds and eliminate algorithmic complexity attacks and reverse never-ending cycles of defense using policy controlled Confidential Computing with secure enclave technology.

Segment Resources:

Presentation - https://1drv.ms/p/s!AqqNWej5CK8uhEoIZW5MUxMTQLJU

Blog - https://safelishare.com/blog/defining-confidential-computing/

Video - https://safelishare.com/data-privacy-resources/

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw310

In the Security News: Windows MSI tomfoolery, curl turns 8...point owe, who doesn't need a 7" laptop, glitching the ESP, your image really isn't redacted or cropped, brute forcing pins, SSRF and Lightsail, reversing D-Link firmware for the win, ICMP RCE OMG (but not really), update your Pixel and Samsung, hacking ATMs in 2023, breaking down Fortinet vulnerabilities, Jamming with an Arduino, it 315 Mega hurts, analyzing trojans in your chips, and the 4, er 1, er 3, okay well how to suck at math and the 4 Cs of Cybersecurity! All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw777

We sit down with Nico Waisman to discuss vulnerability research and other security-related topics!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw777

In the leadership and communications section, CISO: A Job in Search of a Description, The Rise of the BISO in Contemporary Cybersecurity, When More is Less: The Dangers of Over-Communication in Teams, and more!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw298

Outlook can leak NTLM hashes, potential RCE in a chipset for Wi-Fi calling in phones (and autos!?), the design of OpenSSH's sandboxes, more on the direction of OWASP, celebrating 25 years of Curl.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw233

When CISOs report into CEOs it gives them more autonomy, empowers them with more decision making authority, and eliminates the inherent conflict of interest present when CISOs report into IT leaders like the CIO.

Segment Resources:

https://www.forrester.com/blogs/five-reasons-why-cisos-should-report-to-ceos

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw298

Dr. Doug talks: The Tang Dynasty, ZippyShare, NuGet, PinDuoDuo, Ernie, Lantern, HDD hard drives, and more on this edition of the Security Weekly News!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn282

Static analysis is the art of scrutinizing your code without building or running it. Common static analysis tools are formatters (which change whitespace and other trivia), linters (which detect likely best practice and style issues), and type checkers (which detect likely bugs). Each of these can aid in improving application security by detecting real issues at development-time.

Segment Resources:

• https://typescript-eslint.io 
• https://eslint.org
• https://blog.joshuakgoldberg.com

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw233

AI! Then, produce text that can’t be detected as written by an AI! The K-Shaped recovery of the cybersecurity industry, Software Security is More than Vulnerabilities, Microsoft Outlook hacks itself, Robert Downey Jr. gets into teh cyberz, & Reversing intoxication!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw309

Financial Scams, Microsoft, BianLian, Leihigh Medical, CISA, Vile, and More on this episode of the Security Weekly News!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn281

Tap, tap - is this thing on? Why do defenders still struggle to detect attacks and attacker activities? Why do so many tools struggle to detect attacks? Today, we've got an expert on detection engineering to help us answer these questions. Thinkst's Canary and Canarytokens make in catching penetration testers and attackers stupidly simple. Thinkst Labs aims to push these tools even further. Casey will share some of the latest research coming out of labs, and we'll ponder why using deception for detection isn't yet a de facto best practice.

Segment Resources:

 https://canary.tools

https://canarytokens.org

 https://blog.thinkst.com

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw309

The CI/CD pipeline is the backbone of the software development process, so it's critical to ensure you are meeting and exceeding the most critical security measures. Throughout this podcast, Tal Morgenstern, Co-founder and CSO of Vulcan Cyber, will break down the process of how organizations can properly secure a CI/CD pipeline into a checklist of four key steps, as well as offer a handful of tools and tactics security leadership can use to bake risk-based vulnerability management into their CI/CD pipelines. He will explain how securing your CI/CD pipelines alone is not enough to reduce the chances of cyber attacks and the importance for organizations to not only maintain security at speed and scale, but quality at speed and scale. Finally, Tal will dive into how Vulcan Cyber helps organizations to streamline security tasks in every stage of the cyber-risk management process, integrating with their existing tools for true end-to-end risk management.

Segment Resources:

https://vulcan.io/

https://vulcan.io/platform/

https://vulcan.io/blog/ci-cd-security-5-best-practices/

 https://www.youtube.com/watch?v=nosAxWc-4dc

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw309

In the security news: AI on your PI, no flipper for you, stealing Tesla's by accident, firmware at scale, the future of the Linux desktop, protect your attributes, SOCKS5 for your Burp, TPM 2.0 vulnerabilities, the world's most vulnerable door device and hiding from "Real" hackers, sandwiches, robot lawyers, poisonis epipens, and profanity in your code! All that, and more, on this episode of Paul’s Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw776

Software supply chain attacks, those in which hackers target the "water supply" of software are on the rise. This makes software developers everywhere valid targets. We will discuss the developer perspective on software supply chain attacks.

Segment Resources:

https://in-toto.io

https://sigstore.dev

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw776

In this week's leadership and communications segment, we discuss overemphasizing metrics, delegation drawbacks, security culture starts at the top, and succeeding in security with economic insecurity.

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw297

Loom provides transparency on mishandling cookies, GitHub moves to require 2FA, TPM reference implementation includes a buffer overflow, Dropbox shares their security engineer ladder, multiple flaws in a smart intercom

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw232