From Paul's Security Weekly
Paul's Security Weekly #557
Recorded April 26, 2018 at G-Unit Studios in Rhode Island!
- Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
- Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!
Interview: Ferruh Mavituna, Netsparker - 6:00PM-6:45PM
https://www.netsparker.com/blog/docs-and-faqs/netsparker-hawk-detects-ssrf-out-of-band-vulnerabilities/
- Why does dynamic web application security testing in the SDLC matter?
  - Finding bugs early in the process is less expensive
  - The code is still fresh in the developer's mind
  - In DevOps, it is important to have a continuous feedback loop to support continuous release cycles
  - Developers are constantly learning how to write more secure code
- What are the common problems associated with implementing DAST / SAST / IAST and similar solutions in the SDLC?
- Why don't we see DAST in the SDLC in many organizations?
  - Perception of false positives
  - Potential impacts on performance
  - The lopsided nature of application security teams vs. the size of apps / websites / enterprise security needs
- Integrating DAST into the SDLC is the solution because:
  - The SDLC is the right place to tackle the problem
  - Automation is a requirement to keep pace with the speed and volume of development
Tech Segment: Jeff Man, Recap of RSA - 6:45PM-7:45PM
Some other people's opinions on RSA:
- RSA 2018: Not As Messy As Before? - Security Boulevard
- Is it time to kill the pen test? | Salted Hash Ep 22
- HackerOne CEO Talks Bug Bounty Programs at RSA Conference
- Is Cyber-Security Getting Better or Getting Worse?
- DevOps Connect: DevSecOps Day at RSA demonstrates how the thinking around secure software has evolved
Security News - 7:45PM-8:30PM
- Website down! DDoS-for-hire site Webstresser shut by crime agencies
- Western Digital My Cloud EX2 NAS Device Leaks Files
- Equifax has spent $242.7 million on its data breach so far | ZDNet
- Startup Offers $3 Million to Anyone Who Can Hack the iPhone
- Beyond CI/CD: How Continuous Hacking of Docker Containers and Pipeline Driven Security Keeps Ygrene Secure - The New Stack
- John McAfee-Backed Cryptocurrency's Thousands of Investors Exposed in Data Breach
- New Tool Detects Evil Maid Attacks on Mac Laptops | SecurityWeek.Com
- A Step-by-Step Guide to Making Your Penetration Test a Success
- New Skill Let Amazon Alexa Spy on Users
- It's Time to Take GitHub Threats Seriously
- Hijack of Amazon's internet domain service used to reroute web traffic for two hours unnoticed
- Hackers find devious way to break into hotel rooms
- OMG The Stupid It Burns
- Advanced Hackers Infect X-Ray Machines In Healthcare Espionage
OT Story Of The Week
- Spoofing hotel keys, 10 years in the making
- Why we need to be concerned about SDR for enterprise: everything is now a transmitter
- Sirenjack rebuttal from AMT Systems
- Drupalgeddon continues
- Atlanta's lack of preparedness will cost them dearly
- A new Alexa skill to spy on you... with caveats
- Fight to Get SMBs PCI Compliant a Losing Battle
- Cost of cyber breaches to middle market businesses quadruples
- Ransomware, healthcare and incident response: Lessons from the Allscripts attack (Part 1)
- Customers describe the impact of the Allscripts ransomware attack (Part 2)
- SamSam explained: Everything you need to know about this opportunistic group of threat actors (Part 3)
- Yahoo’s Successor to Pay $35 Million in Settlement Over Cyberbreach