From Paul's Security Weekly
Recorded January 6, 202 at G-Unit Studios in Rhode Island!
- Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
- OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
- We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relative to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
- Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.
Interview: Hillel Solow, Check Point
The Evolution of DevSecOps and AppSec Trends in 20/20
Much has evolved in a few short years with DevSecOps and application development and security. But just when we think we see everything clearly and have it all figured out, something new changes. Here we will discuss the unique ways organizations are leveraging serverless for their applications and how DevSecOps teams are working together to build out these architectures at a rapid pace in 2020.
Featured Flaws & Big Breaches
- Policy and Disclosure: 2020 Edition -- Positive changes to drive consistency, implementation of effective patches, and adoption of patched software.
- A look back & forward for bug bounties over the past decade, a thread from Katie Moussouris.
Cloud, Code & Controls
- 4 Ring Employees Fired For Spying on Customers reminds us that insider threats must be part of our product security threat models. It's also a callback to the "end-to-end security -- lifecycle protection" principle of privacy by design; enforce access controls and monitor and audit access to collected data.
Learning & Tools
- Exploit Fully Breaks SHA-1, Lowers the Attack Bar because SHA-1 is a Shambles. Not that you shouldn't have already moved on from SHA-1 before these attacks became more practical and cheaper.
- The open source licence debate: comprehension consternations & stipulation frustrations
Food for Thought
- Synopsys Buys Tinfoil
- Rotate Your Amazon RDS, Aurora, and Amazon DocumentDB (with MongoDB compatibility) Certificates and then review how you manage the cert rotation process for your own systems. And here's a tip: schedule your cert expirations for a Tuesday during business hours to minimize the scramble needed to deal with forgotten expirations.