Episode557

From Paul's Security Weekly

Paul's Security Weekly #557

Recorded April 26, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Larry Pesce
    Senior Managing Consultant and Director of Research at InGuardians, SANS Instructor.

    Announcements

    • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
    • Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!

    Interview: Ferruh Mavituna, Netsparker - 6:00PM-6:45PM

    Ferruh Mavituna from Netsparker
    Ferruh Mavituna is the Founder and Product Manager of Netsparker. He developed the first and only proof-based web security scanner with state-of-the-art, accurate vulnerability detection and exploitation features, used by thousands of companies around the world today. From 2002-2006, he worked for the Turkish Army and Police. Ferruh is a frequent speaker at several conferences about Web Application Security and has released several research papers and tools.
    Netsparker Hawk: https://www.netsparker.com/blog/docs-and-faqs/netsparker-hawk-detects-ssrf-out-of-band-vulnerabilities/

    • Why does dynamic web application security testing in the SDLC matter?
      • Finding bugs early in the process is less expensive
      • The code is still fresh in the developer's mind
      • In DevOps, it is important to have a continuous feedback loop to support continuous release cycles
      • Developers are constantly learning how to write more secure code
    • What are the common problems associated with implementing DAST / SAST / IAST and similar solutions in the SDLC?
    • Why don't we see DAST in the SDLC in many organizations?
      • Perception of false positives
      • Potential impacts on performance
      • The lopsided ratio of application security team size to the number of apps, websites and enterprise security needs they must cover
    • Integrating DAST into the SDLC is the solution because:
      • The SDLC is the right place to tackle the problem
      • Automation is a requirement to keep pace with the speed and volume of development

    Tech Segment: Jeff Man, Recap of RSA - 6:45PM-7:45PM

  • Jeff Man
    Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist & certified security curmudgeon. Currently a Sr. InfoSec Consultant for Online Business Systems.
  • Some other people's opinions on RSA:

    1. RSA 2018: Not As Messy As Before? - Security Boulevard
    2. Is it time to kill the pen test? | Salted Hash Ep 22
    3. HackerOne CEO Talks Bug Bounty Programs at RSA Conference
    4. Is Cyber-Security Getting Better or Getting Worse?
    5. DevOps Connect: DevSecOps Day at RSA demonstrates how the thinking around secure software has evolved

    Security News - 7:45PM-8:30PM

    Paul's Stories

    1. Website down! DDoS-for-hire site Webstresser shut by crime agencies
    2. Western Digital My Cloud EX2 NAS Device Leaks Files
    3. Equifax has spent $242.7 million on its data breach so far | ZDNet
    4. Startup Offers $3 Million to Anyone Who Can Hack the iPhone
    5. Beyond CI/CD: How Continuous Hacking of Docker Containers and Pipeline Driven Security Keeps Ygrene Secure - The New Stack
    6. John McAfee-Backed Cryptocurrency's Thousands of Investors Exposed in Data Breach
    7. New Tool Detects Evil Maid Attacks on Mac Laptops | SecurityWeek.Com
    8. A Step-by-Step Guide to Making Your Penetration Test a Success
    9. New Skill Let Amazon Alexa Spy on Users
    10. It's Time to Take GitHub Threats Seriously
    11. Hijack of Amazon's internet domain service used to reroute web traffic for two hours unnoticed
    12. Hackers find devious way to break into hotel rooms
    13. OMG The Stupid It Burns
    14. Advanced Hackers Infect X-Ray Machines In Healthcare Espionage

    OT Story Of The Week

    1. Man Who Caught Super-Gonorrhea Bug Gets Cured, But Experts Fear More Cases Might Be Reported

    Larry's Stories

    1. Spoofing hotel keys, 10 years in the making
    2. Why we need to be concerned about SDR for enterprise: everything is now a transmitter
    3. Sirenjack rebuttal from AMT Systems
    4. Drupalgeddon continues
    5. Atlanta's lack of preparedness will cost them dearly
    6. A new Alexa skill to spy on you....with caveats

    Jeff's Stories

    1. Fight to Get SMBs PCI Compliant a Losing Battle
    2. Cost of cyber breaches to middle market businesses quadruples
    3. Ransomware, healthcare and incident response: Lessons from the Allscripts attack (Part 1)
    4. Customers describe the impact of the Allscripts ransomware attack (Part 2)
    5. SamSam explained: Everything you need to know about this opportunistic group of threat actors (Part 3)
    6. Yahoo’s Successor to Pay $35 Million in Settlement Over Cyberbreach
