Changes

From Security Weekly Wiki
== Episode Audio ==
<!--
<div align="center">
{{#widget:SoundCloud
|id=651835745729106618
|width=75%
|height=100
}}
</div>
-->
==Hosts==
{{Template:Matt}}
= Interview: Dave Ferguson, [https://securityweekly.com/qualys Qualys] =
[[File:DaveFerguson.jpg|right|220px|thumb|<center>'''[https://twitter.com/_sc0rn Dave Ferguson]'''<br> is the Director of Product Management, WAS at [https://securityweekly.com/qualys Qualys].</center>]] Dave Ferguson is Director of Product Management for Web Application Security at Qualys. After writing code and developing applications for over a decade, Dave transitioned to focus on application security. Prior to Qualys, he led the global application security program at Sabre Corporation and worked as a Principal Consultant at FishNet Security (now Optiv). Dave is the author of the OWASP Forgot Password Cheat Sheet and holds CISSP and CSSLP certifications.<br><br>'''Segment Topic:'''<br>Moving API Security up the Stack: the impact of lingering vulnerabilities; finding flaws, fixing them, and creating effective solutions<br><br>'''Segment Description:'''<br>Dave will discuss the issue of latent vulnerabilities and how they may linger in your custom-coded web applications and APIs, presenting an enticing target for cyber-attackers.<br><br>'''Segment Resources:'''<br>
* QSC19 - Las Vegas, session videos: https://www.qualys.com/qsc/2019/las-vegas/
* https://www.qualys.com/apps/web-app-scanning/
===== Bugs, Breaches, and More! =====
* [https://seclists.org/oss-sec/2019/q4/141 Firecracker v0.18.0 and v0.19.0 vsock buffer overflow] and the [https://github.com/firecracker-microvm/firecracker/issues/1462 fix details].
* [https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli Binary Planting with the npm CLI] is another way to describe one of our favorite attacks -- path traversal: a package's <code>bin</code> entries could make the CLI create or overwrite files outside the directories it was meant to write to. Check out more details in the [https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/ blog post] as well.
===== If you build it, they will come =====
* [https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/ GitLab Doles Out Half a Million Bucks to White Hats]
===== Learning & Tools =====
* [https://www.portal.reinvent.awsevents.com/connect/sessionDetail.ww?SESSION_ID=99692&csrftkn=4XP9-U8C5-0TGY-PJW6-G1VZ-DZPN-EZC3-HI1H Speculation & leakage: Timing side channels & multi-tenant computing] from AWS re:Invent. A great talk given from the perspective of a threat model in which such attacks are a critical concern.
* [https://medium.com/swlh/how-to-integrate-security-on-the-devops-pipeline-e36dea836d7b How can we integrate security into the DevOps pipelines?] By picking from many of the great resources in this article.
* [https://www.computerweekly.com/feature/Using-CI-CD-to-turn-ideas-into-software-quickly Using CI/CD to turn ideas into software – quickly]
===== Food for Thought =====
* [https://www.microsoft.com/security/blog/2019/12/11/go-passwordless-strengthen-security-reduce-costs/ Go passwordless to strengthen security and reduce costs] -- and design your app to support these types of workflows, including account recovery.
* [https://devops.com/why-is-security-missing-in-many-devops-implementations/ Why Is Security Missing in Many DevOps Implementations?]
{{SocialMedia}}