Episodi
-
With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single Sign-On (SSO). So the question becomes, “How do you enable the business while still providing security oversight and governance?”
This segment is sponsored by Savvy. Visit https://securityweekly.com/savvy to learn more about them!
CISOs encounter challenges in securing data amidst the rapid growth driven by Cloud and GenAI applications. In this segment, we will delve into how Bedrock Security powers frictionless data security, empowering CISOs to securely manage data sprawl, allowing their businesses to operate at optimal speed, without compromising security.
Segment Resources:
Bedrock Security: https://www.bedrock.security/
Bedrock Security X/Twitter: https://twitter.com/bedrocksec
Bedrock Security LinkedIn: https://www.linkedin.com/company/bedrocksec/
House Rx (customer) Case Study: https://tinyurl.com/35v48wx7
Introductory Whitepaper: https://tinyurl.com/5yjeu92b
Innovation Sandbox 2024: https://www.businesswire.com/news/home/20240402284910/en/Bedrock-Security-Named-RSA-Conference-2024-Innovation-Sandbox-Finalist
This segment is sponsored by Bedrock Security. Visit https://securityweekly.com/bedrockrsac to learn more about them!
Show Notes: https://securityweekly.com/vault-asw-10
-
Check out this interview from the ASW Vault, hand picked by main host Mike Shema! This segment was originally published on April 18, 2023.
We talk with Ben about the rewards, hazards, and fun of bug bounty programs. Then we find out different ways to build successful and welcoming communities.
Show Notes: https://securityweekly.com/vault-asw-9
-
Episodi mancanti?
-
The challenge of evaluating threat alerts in aggregate – what a collection and sequence of threat signals tell us about an attacker’s sophistication and motives – has bedeviled SOC teams since the dawn of the Iron Age. Vectra AI CTO Oliver Tavakoli will discuss how the design principles of our XDR platform deal with this challenge and how GenAI impacts this perspective.
Segment Resources:
Vectra AI Platform Video: https://vimeo.com/916801622
Blog: https://www.vectra.ai/blog/what-is-xdr-the-promise-of-xdr-capabilities-explained
Blog: https://www.vectra.ai/blog/xdr-explored-the-evolution-and-impact-of-extended-detection-and-response
MXDR Calculator: https://www.vectra.ai/calculators/mxdr-value-calculator
This segment is sponsored by Vectra AI. Visit https://securityweekly.com/vectrarsac to learn more about them!
In this interview, we will discuss the network security challenges of business applications and how they can also be the solution. AlgoSec has spent over two decades tackling tough security issues in some of the world’s most complex networks. Now, they’re applying their expertise to hybrid networks—where customers are combining their on-premise resources along with multiple cloud providers.
Segment Resources: https://www.algosec.com/resources/
This segment is sponsored by AlgoSec. Visit https://securityweekly.com/algosecrsac to learn more about them!
Show Notes: https://securityweekly.com/asw-286
-
Secure coding education should be more than a list of issues or repeating generic advice. Liran Tal explains his approach to teaching developers through examples that start with exploiting known vulns and end with discussions on possible fixes. Not only does this create a more engaging experience, but it also relies on code that looks familiar to developers rather than contrived or overly simplistic examples.
Segment resources:
https://github.com/lirantal https://cheatsheetseries.owasp.org/cheatsheets/NPMSecurityCheat_Sheet.html https://lirantal.com/blog/poor-express-authentication-patterns-nodejsShow Notes: https://securityweekly.com/asw-286
-
How companies are benefiting from the enterprise browser. It's not just security when talking about the enterprise browser. It's the marriage between security AND productivity. In this interview, Mike will provide real live case studies on how different enterprises are benefitting.
Segment Resources:
https://www.island.io/resources https://www.island.io/pressThis segment is sponsored by Island. Visit https://www.securityweekly.com/islandrsac to learn more about them!
The cybersecurity landscape continues to transform, with a growing focus on mitigating supply chain vulnerabilities, enforcing data governance, and incorporating AI into security measures. This transformation promises to steer DevSecOps teams toward software development processes with efficiency and security at the forefront. Josh Lemos, Chief Information Security Officer at GitLab will discuss the role of AI in securing software and data supply chains and helping developers work more efficiently while creating more secure code.
This segment is sponsored by GitLab. Visit https://securityweekly.com/gitlabrsac to learn more about them!
Show Notes: https://securityweekly.com/asw-285
-
Everyone is interested in generative AIs and LLMs, and everyone is looking for use cases and apps to apply them to. Just as the early days of the web inspired the original OWASP Top 10 over 20 years ago, the experimentation and adoption of LLMs has inspired a Top 10 list of their own. Sandy Dunn talks about why the list looks so familiar in many ways -- after all, LLMs are still software. But the list captures some new concepts that anyone looking to use LLMs or generative AIs should be aware of.
https://llmtop10.com/ https://github.com/OWASP/www-project-top-10-for-large-language-model-applications/wiki/Educational-Resources https://owasp.org/www-project-ai-security-and-privacy-guide/ https://gandalf.lakera.ai/ https://quarkiq.com/blogShow Notes: https://securityweekly.com/asw-285
-
We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss how organizations should approach the very different concepts of AI security and AI safety.
Segment Resources:
https://securing.dev/posts/hacking-ai-bias/ https://www.defense.gov/News/Releases/Release/Article/3659519/cdao-launches-first-dod-ai-bias-bounty-focused-on-unknown-risks-in-llms/Show Notes: https://securityweekly.com/asw-284
-
A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explains why it's important to understand the different types of AI and the practical tasks necessary to secure how it's used.
Segment resources:
https://calebsima.com/2023/08/16/demystifing-llms-and-threats/ https://www.youtube.com/watch?v=qgDtOu17E&t=1sShow Notes: https://securityweekly.com/asw-284
-
Companies deploy tools (usually lots of tools) to address different threats to supply chain security. Melinda Marks shares some of the chaos those companies still face when trying to prioritize investments, measure risk, and scale their solutions to keep pace with their development. Not only are companies still figuring out supply chain, but now they're bracing for the coming of genAI and how that will just further highlight the current struggles they're having with data security and data privacy.
Segment Resources:
Complete Survey Results: The Growing Complexity of Securing the Software Supply Chain
https://research.esg-global.com/reportaction/515201781/TocShow Notes: https://securityweekly.com/asw-283
-
How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve.
Segment resources:
https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship https://www.zaproxy.org https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-effortsShow Notes: https://securityweekly.com/asw-282
-
There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future to security taking on engineering roles and creating solutions to problems that orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career.
Segment resources:
https://kickstartseceng.comShow Notes: https://securityweekly.com/asw-281
-
We look into the supply chain saga of the XZ Utils backdoor. It's a wild story of a carefully planned long con to add malicious code to a commonly used package that many SSH connections rely on. It hits themes from social engineering and abuse of trust to obscuring the changes and suppressing warnings. It also has a few lessons about software development, the social and economic dynamics of open source, and strategies for patching software.
It's an exciting topic partially because so much other appsec is boring. And that boring stuff is important to get right first. We also talk about what parts of this that orgs should be worried about and what types of threats they should be prioritizing instead.
Segment Resources:
https://tukaani.org/xz-backdoor/ https://news.risky.biz/risky-biz-news-supply-chain-attack-in-linuxland/ https://www.zdnet.com/article/this-backdoor-almost-infected-linux-everywhere-the-xz-utils-close-call/#ftag=RSSbaffb68 https://therecord.media/malicious-backdoor-code-linux-red-hat-cisa https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 https://duo.com/decipher/carefully-crafted-campaign-led-to-xz-utils-backdoor https://boehs.org/node/everything-i-know-about-the-xz-backdoorShow Notes: https://securityweekly.com/asw-280
-
Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure.
Segment resources:
https://www.oreilly.com/library/view/cybersecurity-myths-and/9780137929214/Show Notes: https://securityweekly.com/asw-279
-
One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place.
Segment resources:
https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50Show Notes: https://securityweekly.com/asw-278
- Mostra di più