Difference between revisions of "ASWEpisode95"

From Security Weekly Wiki
===== Flaws, Breaches, & Threats =====
* [https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/ Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access]
* [https://blogs.dropbox.com/tech/2020/02/dropbox-bug-bounty-program-has-paid-out-over-1000000/ Dropbox bug bounty program has paid out over $1,000,000]. It's not exactly a goal of programs to reach payout milestones quickly, but it is good to see this kind of information sharing in addition to awarding researchers.
===== Cloud, Code & Controls =====
* [https://devops.com/report-pins-cloud-security-woes-on-flawed-devops-processes/ Report Pins Cloud Security Woes on Flawed DevOps Processes]. This doesn't mean infrastructure as code is flawed, just that writing any code is prone to flaws, and DevOps teams must have automation and processes to minimize and find mistakes.
===== Learning & Tools =====
* [https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ Ghost in the shell: Investigating web shell attacks]. Appsec doesn't end once you've deployed your code; you need to monitor it and respond to events.
===== Food for Thought =====
* [https://privacy.twitter.com/en/blog/2020/an-incident-impacting-your-account-identity An Incident Impacting your Account Identity] from Twitter, which highlights yet another type of API abuse that must be addressed by more than just following top 10 lists.
* [https://ww.9to5google.com/2020/02/03/google-photos-video-strangers/ Some Google Photos videos in ‘Takeout’ backups were sent to strangers last November], which shows how data access controls must be in place throughout the lifetime of data.

Revision as of 05:47, 10 February 2020

Recorded February 10, 2020 at G-Unit Studios in Rhode Island!

Episode Audio


  • Mike Shema is the Product Security Lead of Square.
  • John Kinsella is the Vice President of Container Security for Qualys.
  • Matt Alderman is CEO at Security Weekly, Strategic Advisor, and Wizard of Entrepreneurship.
  • Announcements

    • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
    • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
    • We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relevant to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
    • Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.

    Interview: Shaun Lamb, Guardsquare

    Shaun Lamb is the Principal Application Security Architect of SAS Institute.

    Shaun Lamb works as a Principal Application Security Architect at SAS Institute, where he focuses on application, API, and container security. With a background in web application development, he strives to design solutions that make it easy for developers and administrators to apply security controls. Shaun holds a CSSLP and has presented at conferences such as:

    Segment Topic: Mitigating at Design Time

    Segment Description:

    • Discuss strategies for how best to design applications so they are "secure by default" and have fewer incidents and vulnerabilities.
    • How DevOps or DevSecOps positively changes the relationship between security and development/operations, including the application design process, security testing, and security education programs.
    • The security impact of applications moving to a microservices-based architecture running on Docker/Kubernetes, and the role of an API Gateway.
