Recorded December 16, 2019 at G-Unit Studios in Rhode Island!
- Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
- OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
- We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relevant to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
- Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.
Interview: Dave Ferguson, Qualys
Dave Ferguson is Director of Product Management for Web Application Security at Qualys. After writing code and developing applications for over a decade, Dave transitioned to focus on application security. Prior to Qualys, he led the global application security program at Sabre Corporation and worked as a Principal Consultant at FishNet Security (now Optiv). Dave is the author of the OWASP Forgot Password Cheat Sheet and holds CISSP and CSSLP certifications.
API Security – finding flaws, fixing them, and creating effective solutions
Dave will discuss the issue of latent vulnerabilities and how they may linger in your custom-coded web applications and APIs, presenting an enticing target for attackers.
- QSC19 - Las Vegas, session videos: https://www.qualys.com/qsc/2019/las-vegas/
- Video: Web Application Security https://vimeo.com/140103157
- Web Application Scanning Data Sheet: https://www.qualys.com/docs/web-application-scanning-datasheet.pdf
Bugs, Breaches, and More!
- Firecracker v0.18.0 and v0.19.0 vsock buffer overflow and the fix details.
- Binary Planting with the npm CLI is another way to describe one of our favorite attacks -- path traversal. Check out more details in the blog post as well.
If you build it, they will come
Learning & Tools
- Speculation & leakage: Timing side channels & multi-tenant computing from AWS re:invent. A great talk from the perspective of a threat model in which such attacks are a critical component.
- How can we integrate security into the DevOps pipelines? By picking from many of the great resources in this article.
- Using CI/CD to turn ideas into software – quickly
Food for Thought
- Go passwordless to strengthen security and reduce costs -- and design your app to support these types of workflows, including account recovery.
- Why Is Security Missing in Many DevOps Implementations?