Asw128
Application Security Weekly Episode #128 - November 02, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Azure App Service & Cloud-Native Signal Sciences Deployments - 12:30 PM-01:00 PM
Announcements
- Join Amit Bareket, Co-founder & CEO of Perimeter 81 & Paul Asadoorian for a technical deep-dive into the problems inherent in legacy VPN technology. Together they will explore solutions for the modern workforce & how momentum toward perimeter-less architecture is helping redefine the future of cybersecurity. Register Now by visiting https://securityweekly.com/perimeter81
- Would you like to have all of your favorite Security Weekly content at your fingertips? Do you want to hear from Sam & Andrea when we have upcoming webcasts & technical trainings? Have a question for one of our illustrious hosts, someone from the Security Weekly team, or wish you could “hang” out with the Security Weekly crew & community? Subscribe on your favorite podcast catcher, sign up for our mailing list, and join our Discord Server to stay in the loop on all things Security Weekly! Visit: https://securityweekly.com/subscribe
Description
A discussion of what enterprises have to do when adapting legacy apps to Azure, and how to do it in a secure, steady way without leaving any gaps. The Signal Sciences site extension makes sure your apps are covered across the board, and will protect any app in Azure.
This segment is sponsored by Signal Sciences.
Visit https://securityweekly.com/signalsciences to learn more about them!
Guest(s)
Alfred Chung
Alfred Chung is a senior product manager at Signal Sciences responsible for modules and the product deployment experience. Prior to Signal Sciences he worked on various enterprise security products in the endpoint security, vulnerability management, and application security spaces.
Hosts
- John Kinsella - Vice President of Container Security at Qualys
- Matt Alderman - CEO at Security Weekly
- Mike Shema - Product Security Lead at Square
2. Lax IoT, Adobe Flash Croaks, Link Preview Vulns, & Security Theatre! - 01:00 PM-01:30 PM
Announcements
- Security Weekly, in partnership with CyberRisk Alliance, is excited to present Security Weekly Unlocked on December 10, 2020. This 1-day virtual event wraps up with the 15th anniversary edition of Paul’s Security Weekly live on YouTube! Visit https://securityweekly.com/unlocked to view the agenda and register for free!
- In our webcast on November 5th, we’ll show you how to build proper metrics and KPIs! Learn why you should stop trying to discover and classify data in our webcast on November 12th! Learn how to thwart attackers using deception in our November 19th technical training! Visit https://securityweekly.com/webcasts to see what we have coming up! Or visit securityweekly.com/ondemand to view our previously recorded webcasts!
Description
Lax IoT security exposes smart-irrigation systems, Adobe Flash goes truly end of line in one last update, confidential computing gets a turbo boost with Nitro, link previews show security and privacy problems, and security theatre gets an encore!
Hosts
John Kinsella's Content:
Articles
Matt Alderman's Content:
Articles
Mike Shema's Content:
Articles
- Exit Stage Left: Eradicating Security Theater from processes and policies in how we build secure software. Check out the video as well. It's an important topic that we wanted to revisit from last episode.
- Lax Security Exposes Smart-Irrigation Systems to Attack Across the Globe also revisits consequence-driven engineering from last episode, and shows why passwordless defaults have different context based on what the device is meant to do. Industrial music on your IoT speakers is a little different than industrial systems on your IoT.
- Update for the removal of Adobe Flash Player: October 27, 2020 shows how to truly end-of-life an application -- you have to downgrade or restore your system to before this patch if you ever want to use Flash again (you don't).
- AWS Nitro Enclaves – Isolated EC2 Environments to Process Confidential Data is based on a system that can attest to the integrity of its boot process, and is similar to Asylo on GCP.
- Home Depot Confirms Data Breach in Order Confirmation SNAFU is a good reminder that data breaches don't always need an external compromise or a cloud misconfiguration -- system errors and software mistakes can be just as dangerous, and can be just as important to your threat modeling discussions.
- Link Previews: How a Simple Feature Can Have Privacy and Security Risks in all sorts of apps, from email to chat to web sites with user-generated content. Most apps that process links have to consider these implications, which means most DevOps teams should be adding them to threat modeling discussions.
- Getting started in macOS security has some useful resources for macOS security. And, of course, there's the Apple Platform Security documentation that gives an overview of security components.