Application Security Weekly Episode #116 - July 27, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Fixing Vulnerabilities Effectively & Efficiently - 12:30 PM-01:00 PM
Join the Security Weekly Mailing List for webcast/virtual training announcements and to receive your personal invite to our Discord server by visiting https://securityweekly.com/subscribe and clicking the button to join the list!
Security Weekly is an official media partner for Virtual BlackHat 2020! To register and save $200, visit https://securityweekly.com/summercamp2020 and click the register button. Discount code: "20SecWeekbh". Alongside Virtual BlackHat, we will be running our conference micro-interviews, you guessed it, virtually, in an event called Security Weekly Virtual Hacker Summer Camp, August 3 – August 6, 2020. Options, pricing and availability are all listed on the same page! Reserve your slot now to get your message out to BlackHat attendees!
What does it take to fix vulns effectively and efficiently? There’s no lack of vulns identified from bug bounties and vuln reporting programs, but not every vuln needs the same attention and not every vuln gets the attention it deserves.
Guest: John Matherly, Founder at Shodan
John Matherly is an Internet cartographer, engineer and founder of Shodan, the world's first search engine for Internet-connected devices. He has been at the forefront of the Internet of Things for the past 10 years and his research has been covered on CNN, Bloomberg, the Washington Post and many other outlets. Prior to Shodan, John received a bachelor's degree in bioengineering and worked as a software engineer on bioinformatics applications.
Hosts:
- John Kinsella - Vice President of Container Security at Qualys
- Matt Alderman - CEO at Security Weekly
- Mike Shema - Product Security Lead at Square
2. TaskRouter JS SDK, EL1/EL3 Vulnerability, & 234 Alexa Skills Store Violations - 01:00 PM-01:30 PM
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Learn how to keep your "internet self" safe in our next webcast on August 13th! Register for our upcoming webcasts or virtual trainings by visiting https://securityweekly.com/webcasts. Or visit http://securityweekly.com/ondemand to view our previously recorded webcasts!
TaskRouter JS SDK Security Incident, Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability, An EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices, Towards native security defenses for the web ecosystem, Academics smuggle 234 policy-violating skills on the Alexa Skills Store, Apple Security Research Device Program, and What is DevSecOps? Why it’s hard to do well!
John Kinsella's Content:
Matt Alderman's Content:
Mike Shema's Content:
- TaskRouter JS SDK Security Incident shows once again the dangerous combination of misconfigured cloud resources and the reliance of apps on those resources.
- Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability shows once again the dangerous combination of server-side path manipulation from client-supplied values.
- An EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices shows how a secure OS needs an equally secure device ecosystem.
- Towards native security defenses for the web ecosystem shows how browser developers are improving and implementing web standards to defeat classes of vulns.
- Academics smuggle 234 policy-violating skills on the Alexa Skills Store shows how to subvert Alexa to tell far more than it should.
- Apple Security Research Device Program shows more details about participating, although Google's Project Zero team won't be applying for Apple's SRD program.
- What is DevSecOps? Why it's hard to do well shows the familiar suggestions on making security successful and how DevOps contributes to that.
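The Cisco ASA/FTD item above names the risk (a server-side path built from a client-supplied value) but not the check that prevents it. The following is an added example, written for these show notes and not code from Cisco, the show, or any product discussed here. It assumes a constructed document root (`/srv/app/public`) and contrasts the vulnerable concatenation pattern with a decode-normalise-confine check that a web service can apply before touching the filesystem.

```python
import posixpath
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed document root for the example; not a path taken from any real product.
PUBLIC_ROOT = "/srv/app/public"


def unsafe_path(root: str, user_value: str) -> str:
    """The vulnerable pattern: glue a client-supplied value onto a server-side
    directory with no normalisation and no containment check. A value such as
    '../../etc/passwd' walks straight out of the intended directory."""
    return root + "/" + unquote(user_value)


def safe_path(root: str, user_value: str) -> Optional[str]:
    """Decode, normalise and confine a client-supplied path to `root`.

    Returns the confined absolute path, or None when the request must be
    rejected. Doing the check on the decoded, normalised form defeats the
    usual evasions (%2e%2e, embedded NULs, mixed separators)."""
    decoded = unquote(user_value)

    # NUL bytes and backslashes are classic ways to confuse later path handling
    # (C string truncation, Windows separators); reject rather than clean.
    if "\x00" in decoded or "\\" in decoded:
        return None

    # Treat the value as relative to root even when the client sends a leading '/'.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

    # normpath has already collapsed every '..', so any escape now shows up as
    # a prefix mismatch. The trailing '/' in the prefix matters: without it,
    # '/srv/app/public2/x' would wrongly pass as being under '/srv/app/public'.
    root = root.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify(root: str, requests: list) -> Dict[str, str]:
    """Label each request 'allowed' or 'rejected' according to safe_path;
    handy for unit tests and for reviewing what a WAF rule should block."""
    return {r: ("allowed" if safe_path(root, r) is not None else "rejected")
            for r in requests}


if __name__ == "__main__":
    # Constructed sample requests mixing benign and traversal attempts.
    samples = [
        "css/site.css",
        "img/../index.html",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "../public2/secret.txt",
        "notes%00.txt",
    ]
    for req, verdict in classify(PUBLIC_ROOT, samples).items():
        print(f"{verdict:8} {req!r:40} unsafe -> {unsafe_path(PUBLIC_ROOT, req)}")
```

The point of `classify` is to make the containment decision a pure function that can be unit-tested against a corpus of known-bad inputs; the filesystem is touched only after the path has been confined. If the directory can contain symlinks, add a second check on the real (symlink-resolved) path at open time, since normalisation alone cannot see through links.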