From Paul's Security Weekly
Enterprise Security Weekly #98
Recorded July 11, 2018 at G-Unit Studios in Rhode Island!
- We just released our 2018 Listener Survey; Please go to securityweekly.com/survey to help us continue to provide you with quality content that doesn't break the build.
- Mike Thompson joins us to show you how the threat intelligence space is transforming and what techniques security professionals can apply to stay a step ahead of threat actors by mapping their infrastructure. Register now @ securityweekly.com/domaintools
- Come to our Pool Cabana @ Black Hat and DEF CON to pick up a free copy of "Cyber Hero Adventures". Here you will be able to get the comic book signed by Gary Berman.
Interview: Ferruh Mavituna, Netsparker
- coverage: today's web applications can have thousands of possible entry points, so it is impossible for a team of pen testers to know about every one of them, let alone check each of them for thousands of different vulnerability variants.
- more security checks (aka knowledge): when you hire a pen tester, or a team of pen testers, they will check the web application for the types of vulnerabilities they know of. When using a tool such as Netsparker, on the other hand, you have the knowledge of a team of security researchers. As a software development company, apart from having a full-time dedicated team of researchers, we have also learnt from all our customers and the edge cases they report. So a scanner's "checklist" is definitely far more extensive than that of a pentester.
- up to date: since we have our own team of researchers, users can rest assured that their web applications are being checked against the latest vulnerability variants and newly disclosed vulnerabilities, whereas a recruited pen tester may not be up to date with the latest "vulnerability / security trends".
- reduces human errors: web security is all about repetition. A pen tester checks every possible attack surface (that they know of) for a number of vulnerabilities. If such a process is done manually, the chances of human error, such as missing an input vector or forgetting about a certain type of attack, are very high. Scanners, on the other hand, do not get tired, do not make mistakes, and are very good at repetitive tasks.
- regression testing / integration into the SDLC and similar flows: a pen tester or team of pen testers is not always available to check the code that was just submitted. With an automated tool such as Netsparker it is easy to integrate scanning into the SDLC, so a scan can be launched as soon as a developer commits new code.
- ensuring issues are solved before the web app is used in live environments: Netsparker has a built-in "issue tracking system" and automatically re-tests the fixes that developers commit. If a commit does not address the security issue, the developers are notified straight away, ensuring all security issues are addressed on time.
- faster release cycle: since a team of pen testers is not always available, a release could be held up, slowing down production. With an automated tool the application can be scanned before it is published live, so production and the release of fixes and, most importantly, new features are not slowed down.
- costs: small teams cannot keep up with today's development methods such as agile development. Even for big teams, it is sometimes impossible to keep up with a "cycle" of multiple feature releases per day. An automated tool, though, can scan a new commit / update in just a few minutes, which means you do not need to recruit an army of personnel to ensure all the web applications are secure.
- practicality: similar to the above, in an agile development environment, if the pen testers cannot keep up with the development pace there is a chance that vulnerabilities make it to the live environment. With automated scanning you ensure that everything used in live environments has been scanned for thousands of vulnerability variants.
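The "scan on every commit" and "re-check the committed fix" points above come down to a build gate: the pipeline runs the scanner, compares the findings to what was already triaged, and fails the build on anything new above a severity threshold or on a previously fixed issue that has come back. The following is an added example of such a gate written for these notes; it is not Netsparker's code, and the findings JSON shape, the baseline format and the pass/fail policy are constructed assumptions, not the product's actual export schema or issue-tracking behaviour.

```python
"""CI build gate for automated web-application scan results.

Added example of the "scan on every commit" and "re-check the fixes" flow.
The findings format, baseline format and policy are constructed assumptions
for illustration; they are not Netsparker's actual export schema or
issue-tracking behaviour.
"""
import json
import sys

# Severity ordering used to compare findings against the build threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output (hypothetical JSON shape).
SCAN_JSON = json.dumps({
    "target": "https://app.example.test",
    "findings": [
        {"type": "reflected_xss", "url": "/search", "param": "q", "severity": "high"},
        {"type": "missing_csp", "url": "/", "param": None, "severity": "low"},
        {"type": "sql_injection", "url": "/items", "param": "id", "severity": "critical"},
    ],
})

# Constructed baseline from earlier scans: fingerprint -> triage state.
# "fixed" means a developer committed a fix, so a reappearance is a regression;
# "accepted" means the risk was formally accepted and must not block the build.
BASELINE = {
    "reflected_xss|/search|q": "fixed",
    "missing_csp|/|-": "accepted",
}


def fingerprint(finding):
    """Stable key for a finding so it can be matched across scan runs."""
    return f"{finding['type']}|{finding['url']}|{finding.get('param') or '-'}"


def evaluate_scan(scan_json, baseline, fail_at="high"):
    """Classify each finding and decide whether the build may proceed.

    The build fails on any regression (a previously fixed issue that is back)
    and on any new finding at or above the fail_at severity. Accepted findings
    are reported but never block.
    """
    scan = json.loads(scan_json)
    threshold = SEVERITY_RANK[fail_at]
    result = {"new": [], "regressions": [], "accepted": [], "passed": True}
    for finding in scan["findings"]:
        key = fingerprint(finding)
        state = baseline.get(key)
        if state == "accepted":
            result["accepted"].append(key)
            continue
        if state == "fixed":
            result["regressions"].append(key)
            result["passed"] = False  # the committed fix did not hold
            continue
        result["new"].append(key)
        if SEVERITY_RANK[finding["severity"]] >= threshold:
            result["passed"] = False
    return result


if __name__ == "__main__":
    outcome = evaluate_scan(SCAN_JSON, BASELINE)
    for bucket in ("regressions", "new", "accepted"):
        for key in outcome[bucket]:
            print(f"{bucket:<11} {key}")
    print("BUILD", "PASSED" if outcome["passed"] else "FAILED")
    sys.exit(0 if outcome["passed"] else 1)
```

Keying findings by type, URL and parameter rather than by a scanner-assigned id is what makes the regression check work across runs: the fixed reflected XSS on /search is recognised when it reappears, and the build fails regardless of its severity, while the accepted missing-CSP finding is listed but does not block.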
Tech Segment: Joe McManus, Automox
Joe is also a professor at the College of Engineering at the University of Colorado at Boulder, where he teaches graduate courses in information security and forensics. Joe earned an MS degree from Carnegie Mellon University and a BS degree from the University of Maryland. He is getting his PhD in distributed IoT monitoring using citizen scientists and machine learning at the University of Colorado at Boulder.
- Dome9 Security Enhances Platform with Automatic Remediation - “The dynamic nature of the public cloud and its fluid perimeters create a very small window within which any potential issues such as exposed storage buckets need to be found and fixed before they are exploited by malicious actors,” said Zohar Alon, co-founder and CEO of Dome9 Security. “The most effective way to secure public cloud environments is through end-to-end automation and continuous enforcement of a strict security posture.”
- Thoma Bravo to buy majority stake in cybersecurity firm Centrify:... - Centrify was founded by Tom Kemp, Adam Au and Paul Moore in 2004, and offers user-verification software to over 5,000 organizations. For the fiscal year ended June 30, 2017, it posted sales of more than $100 million. Thoma Bravo has already invested in other cyber security firms such as DigiCert Inc, Bomgar Corp and LogRhythm Inc.
- SolarWinds acquires real-time threat-monitoring service Trusted Metrics | TechCrunch - Today’s acquisition of Trusted Metrics is clearly part of the company’s strategy to build out its security portfolio, and SolarWinds is actually rolling Trusted Metrics into a new security product called SolarWinds Threat Monitor. Like Trusted Metrics, SolarWinds Threat Monitor helps businesses protect their networks by automatically detecting suspicious activity and malware. “When we look at the rapidly changing IT security landscape, the proliferation of mass-marketed malware and the non-discriminatory approach of cybercriminals, we believe that real-time threat monitoring and management shouldn’t be a luxury, but an affordable option for everyone,” said SolarWinds CEO Kevin Thompson in today’s announcement.
- Mimecast Acquires Ataata - Ataata is a cyber security training and awareness platform designed to reduce human error in the workplace and help enable organizations to become more secure by changing the security culture of their employees. The acquisition will allow customers to measure cyber risk training effectiveness by converting behavior observations into actionable risk metrics for security professionals.
- AT&T to Acquire AlienVault - The acquisition of AlienVault will enable AT&T to expand its enterprise-grade security solutions portfolio and offerings to millions of small and medium-sized businesses. AlienVault’s innovative technology and security talent will help accelerate AT&T’s vision of enabling organizations of all sizes with effective cybersecurity solutions. The acquisition will combine AlienVault’s expertise in threat intelligence with AT&T’s cybersecurity solutions portfolio that includes threat detection and prevention as well as response technologies and services.
- SecureAuth + Core Security provides new authentication controls for Windows and Mac - Adaptive authentication provides the highest level of identity security without negatively impacting the user as risk checks – such as device recognition, geo-location, and threat detection services – are done behind the scenes. Multi-factor authentication methods, including Push-to-Accept and SMS one-time-passcodes, are required only if risks are detected.
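The adaptive-authentication pattern in the last item is a risk engine sitting in front of the MFA prompt: device recognition, geo-location and threat-intelligence lookups run silently, and the user is only asked for a second factor when one of them raises a signal. The following is an added example of that decision flow written for these notes; it is not SecureAuth's or Core Security's code, and the signals, thresholds, policy and sample data (including the threat-feed entry and the user "alice") are constructed assumptions.

```python
"""Risk-based (adaptive) step-up authentication decision.

Added example of the pattern described above: background risk checks on
device, location and threat intelligence, with MFA demanded only when a risk
signal fires. Signals, thresholds, policy and data are constructed
assumptions for illustration, not SecureAuth's or Core Security's logic.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    timestamp: int  # Unix seconds


@dataclass
class UserHistory:
    known_devices: set
    last_lat: float
    last_lon: float
    last_timestamp: int


# Constructed threat-feed entry (documentation range 203.0.113.0/24).
THREAT_IPS = {"203.0.113.7"}

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def assess_risk(attempt, history, threat_ips=THREAT_IPS):
    """Return the list of risk signals raised by this attempt (empty = clean)."""
    reasons = []
    if attempt.device_id not in history.known_devices:
        reasons.append("unrecognised device")
    if attempt.ip in threat_ips:
        reasons.append("source ip on threat list")
    # Impossible-travel check: distance from the last login over elapsed time,
    # with the elapsed time floored at one minute to avoid division by zero.
    hours = max((attempt.timestamp - history.last_timestamp) / 3600.0, 1.0 / 60.0)
    km = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
    if km / hours > MAX_PLAUSIBLE_KMH:
        reasons.append("implausible travel")
    return reasons


def decide(attempt, history, threat_ips=THREAT_IPS):
    """Map risk signals to an action: allow, step_up_mfa or deny.

    Policy (assumed): no signals -> silent allow; a threat-listed source IP
    combined with any other signal -> deny outright; anything else -> step-up MFA.
    """
    reasons = assess_risk(attempt, history, threat_ips)
    if not reasons:
        return "allow", reasons
    if "source ip on threat list" in reasons and len(reasons) > 1:
        return "deny", reasons
    return "step_up_mfa", reasons


# Constructed history: "alice" last logged in from Boston on a known laptop.
ALICE = UserHistory(known_devices={"laptop-01"}, last_lat=42.36, last_lon=-71.06,
                    last_timestamp=1_531_300_000)

if __name__ == "__main__":
    attempts = [
        LoginAttempt("alice", "laptop-01", "198.51.100.4", 42.36, -71.06, 1_531_303_600),
        LoginAttempt("alice", "phone-02", "198.51.100.4", 42.36, -71.06, 1_531_303_600),
        LoginAttempt("alice", "laptop-01", "198.51.100.4", 51.51, -0.13, 1_531_303_600),
        LoginAttempt("alice", "phone-02", "203.0.113.7", 51.51, -0.13, 1_531_303_600),
    ]
    for a in attempts:
        action, why = decide(a, ALICE)
        print(f"{action:<12} {', '.join(why) or 'no risk signals'}")
```

The four constructed attempts exercise each branch: the known laptop from the usual location is allowed without a prompt, a new phone from the same place gets a step-up, a London login one hour after a Boston login trips the travel check, and a new device from a threat-listed address is denied outright. Whatever thresholds a deployment chooses, the reasons list should be logged with the decision so that the step-up and deny events are explainable during an investigation.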