From Security Weekly Wiki
== Episode Audio ==
= Interview: Dave Ferguson, [ Qualys] =
[[File:DaveFerguson.jpg|right|220px|thumb|<center>'''[ Dave Ferguson]'''<br> is the Director of Product Management, WAS at [ Qualys].</center>]] Dave Ferguson is Director of Product Management for Web Application Security at Qualys. After writing code and developing applications for over a decade, Dave transitioned to focus on application security. Prior to Qualys, he led the global application security program at Sabre Corporation and worked as a Principal Consultant at FishNet Security (now Optiv). Dave is the author of the OWASP Forgot Password Cheat Sheet and holds CISSP and CSSLP certifications.<br><br>'''Segment Topic:'''<br>Moving API Security up the Stack: the impact of lingering vulnerabilities; finding flaws, fixing them, and creating effective solutions<br><br>'''Segment Description:'''<br>Dave will discuss the issue of latent vulnerabilities and how they may linger in your custom-coded web applications and APIs, presenting an enticing target for cyber-attackers.<br><br>'''Segment Resources:'''<br>
* QSC19 - Las Vegas, session videos:
===== Bugs, Breaches, and More! =====
* [ Firecracker v0.18.0 and v0.19.0 vsock buffer overflow] and the [ fix details].
* [ Binary Planting with the npm CLI] is another way to describe one of our favorite attacks -- path traversal. Check out more details in the [ blog post] as well.
===== If you build it, they will come =====
* [ GitLab Doles Out Half a Million Bucks to White Hats]
===== Learning & Tools =====
* [ Speculation & leakage: Timing side channels & multi-tenant computing] from AWS re:Invent. A great talk from the perspective of a multi-tenant threat model in which such attacks are a critical component.
* [ How can we integrate security into the DevOps pipelines?] By picking from many of the great resources in this article.
* [ Using CI/CD to turn ideas into software – quickly]
===== Food for Thought =====
* [ Go passwordless to strengthen security and reduce costs] -- and design your app to support these types of workflows, including account recovery.
* [ Why Is Security Missing in Many DevOps Implementations?]