ES Episode98

From Paul's Security Weekly

Enterprise Security Weekly #98

Recorded July 11, 2018 at G-Unit Studios in Rhode Island!

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Joff Thyer
    SANS Instructor, penetration tester, and Security Researcher at Black Hills Information Security.
  • Announcements:

    • We just released our 2018 Listener Survey. Please go to securityweekly.com/survey to help us continue to provide you with quality content that doesn't break the build.
    • Mike Thompson joins us to show you how the threat intelligence space is transforming and what techniques security professionals can apply to stay a step ahead of threat actors by mapping their infrastructure. Register now @ securityweekly.com/domaintools
    • Come to our Pool Cabana @ Black Hat and Def Con to pick up a free copy of "Cyber Hero Adventures". Here you will be able to get the comic book signed by Gary Berman.

    Interview: Ferruh Mavituna, Netsparker

    Ferruh Mavituna from Netsparker[1]
    Ferruh Mavituna is the Founder and Product Manager of Netsparker. He developed the first and only proof-based web security scanner with state-of-the-art, accurate vulnerability detection and exploitation features, used by thousands of companies around the world today. From 2002-2006, he worked for the Turkish Army and Police. Ferruh is a frequent speaker at several conferences about Web Application Security and has released several research papers and tools.


    Topics

    • coverage: today's web applications can have thousands of possible entry points, so it is impossible for a team of pen testers to know about every one of them, let alone check them for thousands of different vulnerability variants.
    • more security checks (aka knowledge): when you hire a pen tester, or a team of pen testers, he will check the web application for the types of vulnerabilities he knows of. On the other hand, when using a tool such as Netsparker, you have the knowledge of a team of security researchers. As a software development company, apart from having a full-time dedicated team of researchers, we have also learnt from all our customers and the edge cases they report. So a scanner's "checklist" is definitely way more extensive than that of a pentester.
    • up to date: since we have our own team of researchers, users can rest assured that their web applications are being checked against the latest vulnerability variants / new vulnerabilities. Whereas when you recruit a pen tester, it could be the case that he is not up to date with the latest "vulnerability / security trends".
    • reduces human errors: web security is all about repetition. A pen tester checks every possible attack surface (he knows of) for a number of vulnerabilities. If such a process is done manually, the chances of making human errors, such as missing an input vector or forgetting about a certain type of attack, are very high. Though scanners do not get tired and do not make any mistakes and are really good at doing repetitive tasks.
    • regression testing / integration into SDLC and similar flows: A pen tester / team of pen testers is not always available to check the code that was just submitted. Though with an automated tool such as Netsparker it is very easy to integrate it in the SDLC so a scan can be launched instantly when a developer commits new code.
    • ensuring issues are solved before the web app is used in live environments: Netsparker has a built-in "issue tracking system" and it automatically checks the fixes that developers commit. Therefore, if the commit does not address the security issue, they are advised straight away, thus ensuring all security issues are addressed on time.
    • faster release cycle: since the team of pen testers is not always available, a release could be stopped, thus slowing down production. If an automated tool is used, then it can be easily scanned before being published live, thus production and the release of fixes and, most importantly, new features is not slowed down.
    • costs: small teams cannot keep up with today's development methods such as agile development. Even for big teams, sometimes it is impossible to keep up with the "cycle" of multiple feature releases per day. Though an automated tool can scan a new commit / update in just a few minutes, which means you do not need to recruit an army of personnel to ensure all the web applications are secure.
    • practicality: Similar to the above, in an agile development environment, if the pen testers cannot keep up with the development pace, then there are chances that vulnerabilities make it to the live environment. Though with automated scanning you ensure that everything that is used in live environments has been scanned for thousands of vulnerability variants.

    Tech Segment: Joe McManus, Automox

    Joe McManus is the CISO at Automox.
    Joe McManus is an expert and industry advisor in the field of information security. He currently serves as the CISO of Automox, provider of cloud-based, cross-platform patching software. He is also a senior researcher at CERT, part of the Software Engineering Institute at Carnegie Mellon University, where he specializes in large scale network monitoring, network forensics and incident response. Working closely with federal law enforcement, he has helped create tools and techniques for investigation and incident response.

    Joe is also a professor at the College of Engineering at the University of Colorado at Boulder, where he teaches graduate courses in information security and forensics. Joe earned an MS degree from Carnegie Mellon University and a BS degree from the University of Maryland. He is getting his PhD in distributed IoT monitoring using citizen scientists and machine learning at the University of Colorado at Boulder.


    Enterprise News

    1. Dome9 Security Enhances Platform with Automatic Remediation - “The dynamic nature of the public cloud and its fluid perimeters create a very small window within which any potential issues such as exposed storage buckets need to be found and fixed before they are exploited by malicious actors,” said Zohar Alon, co-founder and CEO of Dome9 Security. “The most effective way to secure public cloud environments is through end-to-end automation and continuous enforcement of a strict security posture.”
    2. Thoma Bravo to buy majority stake in cybersecurity firm Centrify:... - Centrify was founded by Tom Kemp, Adam Au and Paul Moore in 2004, and offers user-verification software to over 5,000 organizations. For the fiscal year ended June 30, 2017, it posted sales of more than $100 million. Thoma Bravo has already invested in other cyber security firms such as DigiCert Inc, Bomgar Corp and LogRhythm Inc.
    3. SolarWinds acquires real-time threat-monitoring service Trusted Metrics | TechCrunch - Today’s acquisition of Trusted Metrics is clearly part of the company’s strategy to build out its security portfolio, and SolarWinds is actually rolling Trusted Metrics into a new security product called SolarWinds Threat Monitor. Like Trusted Metrics, SolarWinds Threat Monitor helps businesses protect their networks by automatically detecting suspicious activity and malware. “When we look at the rapidly changing IT security landscape, the proliferation of mass-marketed malware and the non-discriminatory approach of cybercriminals, we believe that real-time threat monitoring and management shouldn’t be a luxury, but an affordable option for everyone,” said SolarWinds CEO Kevin Thompson in today’s announcement.
    4. Mimecast Acquires Ataata - Ataata is a cyber security training and awareness platform designed to reduce human error in the workplace and help enable organizations to become more secure by changing the security culture of their employees. The acquisition will allow customers to measure cyber risk training effectiveness by converting behavior observations into actionable risk metrics for security professionals.
    5. AT&T to Acquire AlienVault - The acquisition of AlienVault will enable AT&T to expand its enterprise-grade security solutions portfolio and offerings to millions of small and medium-sized businesses. AlienVault’s innovative technology and security talent will help accelerate AT&T’s vision of enabling organizations of all sizes with effective cybersecurity solutions. The acquisition will combine AlienVault’s expertise in threat intelligence with AT&T’s cybersecurity solutions portfolio that includes threat detection and prevention as well as response technologies and services.
    6. SecureAuth + Core Security provides new authentication controls for Windows and Mac - Adaptive authentication provides the highest level of identity security without negatively impacting the user as risk checks – such as device recognition, geo-location, and threat detection services – are done behind the scenes. Multi-factor authentication methods, including Push-to-Accept and SMS one-time-passcodes, are required only if risks are detected.
