Application Security Weekly Episode #118 - August 17, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Immutable Security For Immutable Infrastructure - 12:30 PM-01:00 PM
Announcements
- Join the Security Weekly Mailing List for webcast/virtual training announcements and to receive your personal invite to our Discord server by visiting https://securityweekly.com/subscribe and clicking the button to join the list!
- Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Description
Cesar will demonstrate breach path prediction as well as other features.
This segment is sponsored by Accurics.
Visit https://securityweekly.com/accurics to learn more about them!
Guest(s)
Cesar Rodriguez
Cesar is the Head of Developer Advocacy at Accurics and has spent the last 10+ years working in the cloud security space, securing both private cloud in the military industry and public cloud in the financial sector. He is passionate about contributing to the developer community through open source projects (Terrascan), blogs, and participating in local meetups.
Hosts
John Kinsella - Vice President of Container Security at Qualys
Matt Alderman - CEO at Security Weekly
Mike Shema - Product Security Lead at Square
2. AWS S3 Crypto SDK, ReVoLTE Attack, & Microsoft Bug Bounties - 01:00 PM-01:30 PM
Announcements
- Learn How to Create and Run a Conference, from some of the geniuses behind Layer8 Conference and Wild West Hackin Fest on August 19th!
- Our next technical training on August 27th will teach you about BootHole, SIGRed and SMBleed: Best Practices To Prioritize And Remediate Now!
- Learn How to Extend the Enterprise Network for Remote Workers and Protect Your Home Network on September 10th!
- Visit https://securityweekly.com/webcasts to see what we have coming up! Or visit securityweekly.com/ondemand to view our previously recorded webcasts!
Description
Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards, In-band key negotiation issue in AWS S3 Crypto SDK for golang, ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations, Hardware Security Is Hard: How Hardware Boundaries Define Platform Security, How to make your security team more business savvy, and more!
Hosts
John Kinsella's Content:
Articles
Matt Alderman's Content:
Articles
- Update your browser now! Chrome bug allows bypassing of CSP protection
- 3 Tips for Securing Open Source Software
- 4 best practices to avoid vulnerabilities in open-source code
- The state of application security: What the statistics tell us
Mike Shema's Content:
Articles
- Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards. However, the reward program's architect thinks the money could be better spent.
- In-band key negotiation issue in AWS S3 Crypto SDK for golang is one interesting result of crypto research that resulted in Updates to the Amazon S3 Encryption Client.
- The Devil’s in the Dependency returns to the state of software security to highlight the relation between programming language and dependency flaws, with additional discussion on the consideration of update chains.
- You Have No Idea Who Sent That Email, probably because you haven't reviewed the edge cases and ambiguity of email protocols. It's a lesson that holds for HTTP, web, and mobile apps as well.
- ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations, which ties together how the subtleties of encryption and the mismatches in implementation make systems vulnerable.
- Hardware Security Is Hard: How Hardware Boundaries Define Platform Security reminds us that mismatches in implementations don't just happen in email protocols, and that supply chain security has long-lasting implications in hardware.
- How to make your security team more business savvy, because dealing with flaws in dependencies, protocols, and hardware isn't done in a void that ignores the products that teams are building and the engineering choices they have to make.