Difference between revisions of "ASWEpisode93"

From Security Weekly Wiki
(Created page with "''Recorded January 27, 202 at G-Unit Studios in Rhode Island!'' == Episode Audio == <!-- <div align="center"> {{#widget:SoundCloud |id=651835745 |width=75% |height=100 |color...")
 
 
(10 intermediate revisions by 2 users not shown)
Line 2: Line 2:
  
 
== Episode Audio ==
 
== Episode Audio ==
<!--
+
 
 
<div align="center">
 
<div align="center">
 
{{#widget:SoundCloud
 
{{#widget:SoundCloud
|id=651835745
+
|id=750906187
 
|width=75%
 
|width=75%
 
|height=100
 
|height=100
Line 12: Line 12:
 
}}
 
}}
 
</div>
 
</div>
-->
+
 
 
==Hosts==
 
==Hosts==
 
{{Template:Shema}}
 
{{Template:Shema}}
Line 22: Line 22:
 
<br>
 
<br>
  
= Interview: Jack Butler, [https://securityweekly.com/guardsquare] =
+
= Interview: John Butler, [https://securityweekly.com/guardsquare Guardsquare] =
<!-- [[File:HillelSolow.jpg|right|250px|thumb|<center>'''[https://twitter.com/hsolow Hillel Solow]'''is the CTO of [https://www.checkpoint.com/ Check Point]</center>]] -->
+
[[File:JackButler.jpg|right|250px|thumb|<center>'''[https://twitter.com/johnjackbutler John Butler]'''is the Solutions Engineer of [https://securityweekly.com/guardsquare Guardsquare].</center>]] John Butler is a presales engineer at GuardSquare. Before joining GuardSquare, John worked as a security consultant, providing network and web application penetration testing. He holds several certifications in offensive security and is an active OWASP member.<br><br>'''Segment Topic:'''<br>Dynamically protecting mobile applications with RASP<br><br>'''Segment Description:'''<br>Mobile applications are a rapidly growing attack surface and the tools and techniques being used to compromise these environments are constantly evolving. As the provider in mobile application protection mapping to two out of 10 security risks found in the OWASP Mobile Top 10, Guardsquare is most effective in providing advanced detection for on-device and off-device attacks. Guardsquare’s RASP library adds resilience and prevents a vast array of dynamic attack vectors by providing detection for indicators of threat and compromise, including hooking, jailbreaking, rooting, code tampering - as well providing obstruction for debugger and emulator attachments of all types.
 
<br><br>
 
<br><br>
 +
 
==News==
 
==News==
  
 
===== Featured Flaws & Big Breaches =====
 
===== Featured Flaws & Big Breaches =====
 +
* [https://www.zerodayinitiative.com/blog/2020/1/21/pwn2own-miami-2020-schedule-and-live-results Pwn2Own Miami -- Schedule and Live Results] show just how profitable deserialization, information leaks, and out-of-bounds flaws are.
 +
* [https://www.csoonline.com/article/3516093/insecure-configurations-expose-ge-healthcare-devices-to-attacks.html Insecure configurations expose GE Healthcare devices to attacks] demonstrate more simple flaws with high impacts.
  
 
===== Cloud, Code & Controls =====
 
===== Cloud, Code & Controls =====
 +
* [https://www.zdnet.com/google-amp/article/iot-security-your-smart-devices-must-have-these-three-features-to-be-secure/ IoT security: Your smart devices must have these three features to be secure]
 +
* [https://www.darkreading.com/cloud/nsa-offers-guidance-on-mitigating-cloud-flaws/d/d-id/1336871 NSA Offers Guidance] on [https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF Mitigating Cloud Vulnerabilities] across four major classes of misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities that represent the majority of known vulns.
 +
* [https://www.microsoft.com/security/blog/2020/01/23/azure-security-benchmark-90-security-compliance-best-practices-azure-workloads/ Azure Security Benchmark—90 security and compliance best practices for your workloads in Azure]
  
 
===== Learning & Tools =====
 
===== Learning & Tools =====
 +
* [https://research.nccgroup.com/2020/01/24/tool-release-enumerating-docker-registries-with-go-pillage-registries/ Tool Release – Enumerating Docker Registries with go-pillage-registries] for pentesters searching for useful information.
 +
* [https://www.darkreading.com/deconstructing-web-cache-deception-attacks-theyre-bad-now-what/a/d-id/1336845 Deconstructing Web Cache Deception Attacks] is another class of problems like HTTP Response Smuggling that takes advantage of inconsistencies in systems that handle web traffic. Check out [https://seclab.ccs.neu.edu/static/publications/sec2020wcd.pdf their research] for even more details.
  
 
===== Food for Thought =====
 
===== Food for Thought =====
 +
* [https://www.freethesandbox.org/ It Is Time To Free The Sandbox!] or at least consider what impact that would have on the ecosystem.
  
 
{{SocialMedia}}
 
{{SocialMedia}}
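Review bot: In the added thumbnail caption for the interview, the closing bold markup runs straight into the next word (`John Butler]'''is the Solutions Engineer`), so the rendered page shows "John Butleris". Add a space after the closing `'''`. The same added line spells the company both "Guardsquare" and "GuardSquare", and gives the guest's role as "Solutions Engineer" in the caption but "presales engineer" in the bio; settle on one spelling and one title.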

Latest revision as of 16:57, 3 February 2020

Recorded January 27, 202 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Mike Shema
    is the Product Security Lead of Square.
  • John Kinsella
    is the Vice President of Container Security for Qualys.
  • Matt Alderman
    CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship
Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
    • We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relative to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
    • Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.


    Interview: John Butler, Guardsquare

    John Butler is the Solutions Engineer of Guardsquare.

    John Butler is a presales engineer at Guardsquare. Before joining Guardsquare, John worked as a security consultant, providing network and web application penetration testing. He holds several certifications in offensive security and is an active OWASP member.

    Segment Topic:
    Dynamically protecting mobile applications with RASP

    Segment Description:
    Mobile applications are a rapidly growing attack surface and the tools and techniques being used to compromise these environments are constantly evolving. As the provider in mobile application protection mapping to two out of 10 security risks found in the OWASP Mobile Top 10, Guardsquare is most effective in providing advanced detection for on-device and off-device attacks. Guardsquare’s RASP library adds resilience and prevents a vast array of dynamic attack vectors by providing detection for indicators of threat and compromise, including hooking, jailbreaking, rooting, and code tampering, as well as providing obstruction for debugger and emulator attachments of all types.



    News

    Featured Flaws & Big Breaches
    Cloud, Code & Controls
    Learning & Tools
    Food for Thought

