Controversy within the OWASP Top 10 RC (S02E02) – Application Security PodCast

On this episode of the application security podcast, Robert and I jump over a wall. Just kidding. This isn’t Top Gear. This is our second episode of season two of the #AppSec PodCast. Robert and I talk about the OWASP Top 10 2017 release candidate. We walk through what is the OWASP Top 10, and what [...]

The post Controversy within the OWASP Top 10 RC (S02E02) – Application Security PodCast appeared first on Security Journey Podcasts.

Cyber Work
Infosec
Protecting sensitive information: Growing data, regulations and risks
The amount of data organizations hold has exploded — along with the risk it poses. Today’s guest is Very Good Security CEO and co-founder Mahmoud Abdelkader, who wants to solve the problem of sensitive data by removing it from the equation (by replacing it with decoy data). It’s an intriguing idea as having less worry about data security frees resources up to focus on other areas of cybersecurity. Mahmoud talks about the future of data security, how these new solutions do and don’t help with privacy regulations, and what cybersecurity professionals can do to prepare for a future where the amount of data continues to grow every year. – Get your free security awareness toolkit: http://infosecinstitute.com/ncsam2020  – Enter code “cyberwork” to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/ – View transcripts and additional episodes: https://www.infosecinstitute.com/podcast Mahmoud Abdelkader is the CEO and co-founder of Very Good Security. He was previously CTO and co-founder of Balanced Payments (exited to Stripe). Prior to that, Mahmoud designed automated product matching systems at Milo.com (acquired by eBay) and built high-frequency trading systems for Wachovia Securities, now a part of Wells Fargo. With experience ranging from Wall Street to early-stage startups, Mahmoud is passionate about democratizing data security. He started Very Good Security to make best-in-class security and compliance attainable for businesses of all sizes. *About Infosec* At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. 
It’s what we do every day — equipping everyone with the latest security skills and confidence to be safe online. Learn more at infosecinstitute.com.
35 min
Defense in Depth
Allan Alford and David Spark
Measuring the Success of Your Security Program
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-measuring-the-success-of-your-security-program/). How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing? Check out this post for the basis of our conversation on this week’s episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP. TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs. On this episode of Defense in Depth, you’ll learn:
* The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put in place to manage them. Simple to say, hard to do.
* Security risk is just one of a multitude of risks a business faces.
* Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk.
* Constantly be asking who has access to the data and what communication processes you are using to share that information between humans and machines.
* Discuss with leadership how you will judge success and what metrics you will use. The C-suite will need to lead the discussion, with security providing guidance on what they can and can't measure.
* If you're measuring security's performance, this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others.
* An informal metric for success could be how often security is getting invited to informal meetings.
* Overall positive sentiment toward security from non-security employees.
* How well are you able to build (are people eager to work with you?) and maintain your staff?
* Another "out of the box" metric to consider is opportunity cost. How many contracts are you losing because you were incapable of meeting a potential customer's security standards?
* Strong debate as to what the goal of a security program is: risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.
27 min
David Bombal
#204: David Bombal: Never Use TFTP Or FTP!
Both TFTP and FTP are insecure protocols. Everything is sent in clear text, including all usernames and passwords. Don't use them. Get the full Wireshark course for $9: bit.ly/wireshark9 Need help? Join my Discord: discord.com/invite/usKSyzb Free Wireshark and Ethical Hacking Course: Video #7. Watch the entire series here: bit.ly/wiresharkhacking
Menu
- Overview: 0:00
- Start Capture: 0:48
- Ping test: 1:00
- Copy files using TFTP: 1:40
- Filter for TFTP: 2:27
- Follow UDP stream: 2:45
- FTP intro: 3:53
- Upload a file using FTP: 4:16
- Filter for FTP: 4:35
- Follow TCP stream: 4:47
Download TFTP pcapng file here: bit.ly/311IjXc Download FTP pcapng file here: bit.ly/3iUlz1A Don't use TFTP or FTP! They send everything in clear text. That means that someone can capture everything you send on the network, including usernames and passwords. In this course I'm going to show you how to capture packets from a network, how to capture passwords, replay voice conversations, view routing protocol updates and many more options. Do you know network protocols? Do you know how to hack? Want to learn Wireshark and have some fun with ethical hacking? This is the course for you: learn Wireshark practically. Wireshark pcapng files provided so you can practice while you learn! There is so much to learn in this course:
- Capture Telnet, FTP, TFTP, HTTP passwords.
- Replay VoIP conversations.
- Capture routing protocol (OSPF) authentication passwords.
- Troubleshoot network issues.
- Free software.
- Free downloadable pcapng files.
- Answer quiz questions.
The course is very practical. You can practice while you learn! Learn how to analyze and interpret network protocols and leverage Wireshark for what it was originally intended: deep packet inspection and network analysis. Protocols we capture and discuss in this course include:
- Telnet
- FTP
- TFTP
- HTTP
- VoIP
- OSPF
- EIGRP
- DNS
- ICMP
7 min
Microsoft Cloud IT Pro Podcast
Ben Stegink, Scott Hoag
Episode 199 – Azure AD, SDP, and Outages, Oh My!
In Episode 199, Ben and Scott talk through the latest outage for Azure and the RCA that was released for the event, Microsoft 365 Lighthouse, and some of the latest premium connectors released for Power Automate.
Sponsors
- Sperry Software – Powerful Outlook Add-ins developed to make your email life easy even if you’re too busy to manage your inbox
- ShareGate – ShareGate's industry-leading products help IT professionals worldwide migrate their business to Office 365 or SharePoint, automate their Office 365 governance, and understand their Azure usage & costs
- Office365AdminPortal.com – Providing admins the knowledge and tools to run Office 365 successfully
- Intelligink – We focus on the Microsoft Cloud so you can focus on your business
Show Notes
- RCA – Authentication errors across multiple Microsoft services and Azure Active Directory integrated applications (Tracking ID SM79-F88)
- Microsoft posts root cause analysis for this week’s big Microsoft 365 login issues
- Network connectivity in the Microsoft 365 Admin Center preview available
- Announcing Microsoft 365 Lighthouse for Managed Service Providers serving small & medium customers (aka.ms/LighthouseNextStep)
- Nine New Connectors Released in September 2020 – Now 400 Connectors! Azure AD Identity Protection (Preview), Microsoft 365 compliance (Preview)
- SharePoint Syntex Pricing
About the sponsors
Every business will eventually have to move to the cloud and adapt to it. That’s a fact. ShareGate helps with that. Our industry-leading products help IT professionals worldwide migrate their business to Office 365 or SharePoint, automate their Office 365 governance, and understand their Azure usage & costs. Visit https://sharegate.com/ to learn more.
Sperry Software, Inc focuses primarily on Microsoft Outlook and more recently Microsoft Office 365, where a plethora of tools and plugins that work with email have been developed. These tools can be extended for almost any situation where email is involved, including automating workflows (e.g., automatically save emails as PDF or automatically archive emails that are over 30 days old), modifying potentially bad user behaviors (e.g., alert the user to suspected phishing emails or prompt the user if they are going to inadvertently reply to all), and increased email security (e.g., prompt the user with a customizable warning if they are about to send an email outside the organization). Get started today by visiting www.SperrySoftware.com/CloudIT
Intelligink utilizes their skill and passion for the Microsoft cloud to empower their customers with the freedom to focus on their core business. They partner with them to implement and administer their cloud technology deployments and solutions. Visit Intelligink.com for more info.
32 min
The Social-Engineer Podcast
Social-Engineer, LLC
Ep. 134 – Altered Memories and Alternate Realities with Dr. Elizabeth Loftus
In this episode, Chris Hadnagy and Ryan MacDougall are joined by distinguished professor Elizabeth Loftus. Listen in to understand the vulnerabilities in human memories and how they are sometimes exploited. Learn to defend against attacks on your memory and how this info can be applied in the information security industry.
- 00:01 – Introduction to Elizabeth Loftus and her research on the malleability of human memory.
- 01:41 – Elizabeth's reasoning for researching human memory.
- 03:12 – What our faulty memory means for eyewitness testimonies.
- 04:20 – How the phrasing of a question can distort someone's memory.
- 06:27 – Is it possible to verify the accuracy of a memory?
- 10:34 – Trying hard to remember something can sometimes lead to the creation of a false memory.
- 11:22 – Elizabeth's experience with the trial of George Franklin.
- 14:13 – How can we protect ourselves from having our memories modified?
- 14:21 – The similarities between preventing false memories and preventing scams.
- 20:40 – “What the heck is going on in the world of Social-Engineer: COVID Style.”
  - Practical Open Source Intelligence For Everyday Social Engineers: 11-12 November 2020 - VIRTUAL
  - Advanced Practical Social Engineering Training: 17-20 November, 2020 - VIRTUAL
  - The Human Hacking Conference - Orlando, FL, March 11-13, 2021
  - 2021 Training Schedule
  - Book: Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You
  - Website: social-engineer.com
  - Website: social-engineer.org
- 25:43 – How hypnosis therapy often generates false memories.
- 30:21 – How to protect yourself from having your memories altered.
- 32:58 – The prevalence and impact of misinformation on social media.
- 38:30 – Elizabeth’s website, Ted Talk and books.
  - Elizabeth F. Loftus’ UCI School of Social Ecology Website
  - Ted Talk at TedGlobal 2013
  - Books by Elizabeth
- 39:44 – Elizabeth’s book recommendations.
  - Mistakes Were Made (but Not by Me)
- 41:50 – Outro
Links: Social-Engineer.org Newsletter, Framework, Blog, Social-Engineer.com, The Innocent Lives Foundation, The Innocent Lives Foundation on Twitter, The Human Hacking Conference, The Human Hacking Conference on Twitter, Human Hacking Book, Chris on Twitter, Social-Engineer on Twitter, Social-Engineer on Facebook, Social-Engineer on LinkedIn, Social-Engineer on Instagram, Social-Engineer on Slack
46 min
The Cloudcast
Cloudcast Media
Confidential Computing
Vikas Bhatia (@vikascb, Head of Product, Azure Confidential Computing) and Ron Perez (@ronprz, Intel Fellow, Security Architecture) talk about the technologies and architecture behind Azure Confidential Computing.
SHOW: 472
SHOW SPONSOR LINKS:
- CloudAcademy - Build hands-on technical skills. Get measurable results.
- Get 50% off the monthly price of CloudAcademy by using code CLOUDCAST
- Datadog Security Monitoring Homepage - Modern Monitoring and Analytics
- Try Datadog yourself by starting a free, 14-day trial today. Listeners of this podcast will also receive a free Datadog T-shirt.
- BMC Wants to Know if your business is on its A-Game
- BMC Autonomous Digital Enterprise
CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw
PodCTL Podcast is Back (Enterprise Kubernetes) - http://podctl.com
SHOW NOTES:
- Azure Confidential Computing
- Intel and Microsoft Azure partnership page
- Intel® SGX: Moving Beyond Encrypted Data to Encrypted Computing
- Confidential Computing Consortium (website)
Topic 1 - Welcome to the show. Before we dig into today’s discussion, can you give us a little bit about your background?
Topic 2 - Defense in Depth is a strategy that has long been in place in Enterprise computing. We’ve seen previous approaches that connected the OS or Application with the Hardware (e.g. Intel TXT). How has this space evolved over the last few years, and what are some of the reasons why we need another level of depth?
Topic 3 - Let’s talk about the technology basics of Confidential Computing. What are the software elements (Application, OS, SDK) and what are the hardware elements?
Topic 4 - What is the normal migration path for a company to move workloads into Confidential Computing environments? Is this primarily for new workloads, or does it apply to existing applications too?
Topic 5 - Azure has the ability to deliver either Confidential VMs or, recently added, Confidential containers along with AKS. When does it make sense to be confidential in one part of the stack vs. another?
Topic 6 - What are some areas where you’re seeing the broader ecosystem (e.g. technology partners or end-user customers) beginning to expand out the functionality of Confidential Computing?
FEEDBACK?
- Email: show at thecloudcast dot net
- Twitter: @thecloudcastnet
40 min
The Engineering Leadership Podcast
ELC
"The Imperfect Path" with Erica Lockheimer VPE, LinkedIn Learning @ LinkedIn #28
Erica Lockheimer shares with us her imperfect path to engineering leadership, why the unconventional path matters, and what you can do as an individual leader & organization to empower engineering leaders with unconventional backgrounds. Plus you’ll also hear how to overcome self-doubt and launch an apprenticeship program!
“Whether you're a manager or whether you're an individual contributor, you are a leader in your role. Use the voice that you've earned in the seat that you own. What can you personally do to create a different outcome? And all of us have that power in a role that we have.” - Erica Lockheimer
ERICA LOCKHEIMER, VP OF ENGINEERING, LINKEDIN LEARNING @ LINKEDIN
Prior to LinkedIn Learning, Erica served as the VP of Engineering heading the Growth Engineering team, where her focus was on increasing growth in new members and deepening engagement with members across LinkedIn's products. She started the Growth Team from the ground up into what is now a high-performing 120-person team. She is also responsible for LinkedIn's Women In Tech (WIT) initiative that is focused on empowering women in technical roles within the company. Prior to LinkedIn, she worked at Good Technology as Director of Server Engineering. In 2014 and 2015, Erica was also voted amongst the top 22 women engineers in the world by Business Insider. Erica is a San Francisco Bay Area native, has 2 kids, loves to run and is a graduate of San Jose State University with a B.S. in Computer Engineering.
RESOURCES
- About REACH: https://careers.linkedin.com/reach/AboutReach
- Shalini Agarwal, LinkedIn REACH Lead & Eng Leader: https://www.linkedin.com/in/shalini-agarwal-5b735b2/
SHOWNOTES
* Erica’s first experience on a hiring committee (2:28)
* Erica’s imperfect path to engineering leadership (6:51)
* Erica’s career decision-making criteria (12:01)
* How to overcome self-doubt (13:32)
* Jerry’s personal story of the “imperfect path” (16:25)
* Other "unconventional paths" to engineering leadership (17:27)
* How Erica evaluates potential in people (25:03)
* What type of support to provide when you’re pushing people outside their comfort zone (27:44)
* How to create more opportunities for unconventional candidates in the hiring funnel through LinkedIn REACH (30:20)
* About apprenticeship programs (35:41)
* How to start launching your apprenticeship program (39:25)
* How diverse teams impact product and change outcomes (41:12)
* How to have a conversation about bias in your algorithm (43:44)
* Final words of wisdom for those with “unconventional” backgrounds (45:07)
ELC SUMMIT 2020
Accelerate your growth as an engineering leader at the ELC Summit! Learn from 100+ incredible speakers. Talks cover tons of well-rounded curated topics. There will be opportunities for hands-on practice through workshops (+ other programs), and speed networking with other eng leaders through our own custom-built platform! Details & tickets @ http://elcsummit.com
Join our community of software engineering leaders @ https://sfelc.com/
--- Send in a voice message: https://anchor.fm/engineeringleadership/message
52 min
Talk Python To Me [Full History]
Michael Kennedy (@mkennedy)
#287 Testing without dependencies, mocking in Python
We know our unit tests should be relatively independent from other parts of the system. For example, running a test shouldn't generally call a credit card processing API and talk to a database when your goal is just to test the argument validation. And yet, your method does all three of those and more. What do you do? Some languages use elaborate dependency-passing frameworks that go under the banner of inversion of control (IoC) and dependency injection (DI). In Python, the most common fix is to temporarily redefine what those two functions do using patching and mocking. On this episode, we welcome back Anna-Lena Popkes to talk us through the whole spectrum of test doubles, dummies, mocks, and more.
Links from the show
- Anna-Lena's personal site: alpopkes.com
- 100 Days of Code episode: talkpython.fm/186
- Anna-Lena on GitHub: github.com
- PyCon talk from Lisa Roach (2018) - “Demystifying the patch function”: youtube.com
- PyCon talk from Edwin Jung (2019) - Mocking and Patching Pitfalls: youtube.com
- Keynote talk “Finding Magic in Python” (about the magical universe project): youtube.com
- Blog post about mocking in Python: alpopkes.com
- Stack Overflow post on the difference between stubs and mocks: stackoverflow.com
- Freezegun project: github.com
- KI Macht Schule (AI goes to school): ki-macht-schule.de
- Code Combat: codecombat.com
- PDB++: github.com
Sponsors: Linode, Monday.com, Talk Python Training
1 hr 3 min