From Paul's Security Weekly
Recorded January 6, 202 at G-Unit Studios in Rhode Island!
- Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
- Attend RSA Conference 2020, February 24-28 in San Francisco, CA! Visit securityweekly.com/rsac2020 to sponsor an interview with us on-site at the conference or register using our code to save $150!
- OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
Interview: Hillel Solow, Check Point
The Evolution of DevSecOps and AppSec Trends in 20/20
Much has evolved in a few short years with DevSecOps and application development and security. But just when we think we see everything clearly and have it all figured out, something new changes. Here we will discuss the unique ways organizations are leveraging serverless for their applications and how DevSecOps teams are working together to build out these architectures at a rapid pace in 2020.
Featured Flaws & Big Breaches
- Policy and Disclosure: 2020 Edition -- Positive changes to drive consistency, implementation of effective patches, and adoption of patched software.
- A look back & forward for bug bounties over the past decade, a thread from Katie Moussouris.
Cloud, Code & Controls
- 4 Ring Employees Fired For Spying on Customers reminds us that insider threats must be part of our product security threat models. It's also a callback to the "end-to-end security -- lifecycle protection" principle of privacy by design; enforce access controls and monitor and audit access to collected data.
Learning & Tools
- Exploit Fully Breaks SHA-1, Lowers the Attack Bar because SHA-1 is a Shambles. Not that you shouldn't have already moved on from SHA-1 before these attacks became more practical and cheaper.
- The open source licence debate: comprehension consternations & stipulation frustrations
Food for Thought
- Synopsys Buys Tinfoil
- Rotate Your Amazon RDS, Aurora, and Amazon DocumentDB (with MongoDB compatibility) Certificates and then review how you manage the cert rotation process for your own systems. And here's a tip: schedule your cert expirations for a Tuesday during business hours to minimize the scramble needed to deal with forgotten expirations.