Recorded February 10, 2020 at G-Unit Studios in Rhode Island!
- Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
- OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
- We have officially migrated our mailing list to a new platform! Sign up for the list to receive invites to our virtual trainings, webcasts, and other content relative to your interests by visiting securityweekly.com/subscribe and clicking the button to join the list! You can also submit your suggestions for guests by going to securityweekly.com/guests and submitting the form! We'll review them monthly and reach out if they are a good fit!
- Our first-ever virtual training is happening on March 19th @11:00am ET, with Adam Kehler & Rob Harvey from Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming trainings by visiting securityweekly.com, selecting the webcast/training drop-down from the top menu bar and clicking registration.
Interview: Shaun Lamb, SAS Institute, Guardsquare
Shaun Lamb works as a Principal Application Security Architect at SAS Institute where he focuses on application, API, and container security. With a background in web application development, he strives to design solutions that make it easy for developers and administrators to apply security controls. Shaun holds a CSSLP and has presented at conferences such as:
- Triangle InfoSeCon (https://www.triangleinfosecon.com/)
- All Things Open (https://allthingsopen.org/)
He will be presenting at InfoSec World (https://www.infosecworldusa.com/2020/conference-program) in March.
Mitigating at Design Time
- Discuss strategies for how best to design applications so they are "secure by default" and have fewer incidents and vulnerabilities.
- How DevOps or DevSecOps positively changes the relationship between security and development/operations, including: the application design process, security testing, and security education programs.
- The security impact of applications moving to a microservices based architecture running on Docker/Kubernetes and the role of an API Gateway.
Flaws, Breaches, & Threats
- Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals to Read From the File System
- Dropbox bug bounty program has paid out over $1,000,000. It's not exactly a goal of programs to reach payout milestones quickly, but it is good to see this kind of information sharing in addition to awarding researchers.
- Boeing's 2nd Starliner software glitch could have led to an in-space collision
- LINEAR EMERGE E3 ACCESS CONTROLLER ACTIVELY BEING EXPLOITED
Cloud, Code & Controls
- Report Pins Cloud Security Woes on Flawed DevOps Processes. This doesn't mean infrastructure as code is flawed, just that writing any code is prone to flaws and DevOps teams must have automation and processes to minimize and find mistakes.
Learning & Tools
- Ghost in the shell: Investigating web shell attacks. Appsec doesn't end once you've deployed your code; you need to monitor it and respond to events.
Food for Thought
- An Incident Impacting your Account Identity from Twitter, which highlights yet another type of API abuse that must be addressed by more than just following top 10 lists.
- Some Google Photos videos in ‘Takeout’ backups were sent to strangers last November, which shows how data access controls must be in place throughout the lifetime of data.