ModSecurity and #AppSec (S02E19) – Application Security PodCast

On this week's episode of the #AppSec Podcast, Robert and Chris are joined by Tin Zaw, an advocate for ModSecurity. He dives into its background, the use of rules, and its many advantages. Rate us on iTunes and provide a positive comment, please!

The post ModSecurity and #AppSec (S02E19) – Application Security PodCast appeared first on Security Journey Podcasts.

Defense in Depth
Allan Alford and David Spark
Leaked Secrets in Code Repositories
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-leaked-secrets-in-code-repositories/).

Secrets, such as passwords and credentials, are out in the open, just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Jérémy Thomas, CEO, GitGuardian.

Thanks to this week's podcast sponsor, GitGuardian. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.

On this episode of Defense in Depth, you'll learn:

* Putting passwords and other credential information inside of code simply happens. Developers do it for efficiency, out of laziness, or because they simply forgot to take it out.
* Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub.
* Exposed credentials can appear in SIEMs as they are exported from the developers' code.
* There is a shared responsibility model, and cloud providers do have some ability to scan code, but ultimately the code you put in your programs is your responsibility.
* Scanning public code repositories should be your first step. You don't want to be adding code that has known issues.
* The next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) to their code. If you alert in real time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills.
* Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.
29 min
Cyber Work
Infosec
Protecting sensitive information: Growing data, regulations and risks
The amount of data organizations hold has exploded — along with the risk it poses. Today's guest is Very Good Security CEO and co-founder Mahmoud Abdelkader, who wants to solve the problem of sensitive data by removing it from the equation (by replacing it with decoy data). It's an intriguing idea, as having less worry about data security frees resources up to focus on other areas of cybersecurity. Mahmoud talks about the future of data security, how these new solutions do and don't help with privacy regulations, and what cybersecurity professionals can do to prepare for a future where the amount of data continues to grow every year.

– Get your free security awareness toolkit: http://infosecinstitute.com/ncsam2020
– Enter code "cyberwork" to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/
– View transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Mahmoud Abdelkader is the CEO and co-founder of Very Good Security. He was previously CTO and co-founder of Balanced Payments (exited to Stripe). Prior to that, Mahmoud designed automated product matching systems at Milo.com (acquired by eBay) and built high-frequency trading systems for Wachovia Securities, now a part of Wells Fargo. With experience ranging from Wall Street to early-stage startups, Mahmoud is passionate about democratizing data security. He started Very Good Security to make best-in-class security and compliance attainable for businesses of all sizes.

*About Infosec*
At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. It's what we do every day — equipping everyone with the latest security skills and confidence to be safe online. Learn more at infosecinstitute.com.
35 min
The Artists of Data Science
Harpreet Sahota
Fighting Churn with Data Science | Carl Gold, PhD
Carl is a former Wall Street quant turned data scientist who is leading the battle against churn, using data as his weapon. A data scientist, he uses a variety of tools and techniques to analyze data around online systems, and his expertise has led to the creation of the Subscription Economy Index. Currently, he's the Chief Data Scientist at Zuora - a comprehensive subscription management platform and newly public Silicon Valley "unicorn" with more than 1,000 customers worldwide.

FIND CARL ONLINE
Website: https://fightchurnwithdata.com/
LinkedIn: https://www.linkedin.com/in/carlgold/
Twitter: https://twitter.com/carl24k
GitHub: https://github.com/carl24k

WHAT YOU'LL LEARN
[00:16:01] What is churn?
[00:21:48] Metrics for understanding churn
[00:24:01] Feature engineering for churn
[00:27:22] Why ratio metrics are the best bet in your battle against churn
[00:33:09] Dealing with outliers
[00:39:34] More feature engineering tips

QUOTES
[09:06] "When I started out, of course, people thought machine learning was trash...No one was that interested in machine learning back in the early 2000s. It wasn't until after Google essentially had showed how much they could do with machine learning in a production environment with big data."
[12:22] "It should enable better decisions, too. Not just faster decisions by getting the right data to the right people and giving them the right tools. We really should see companies making more optimal decisions."
[13:30] "There should be like a Hippocratic Oath for Data scientists, which means that goes beyond just you don't want to make mistakes. It means that you shouldn't be working on those, you know, on those dangerous applications."
[22:04] "the features that you choose in my mind are really the main part of solving any data science problem and not the algorithm. I show actually in my book that if you do a good job on your feature engineering, the algorithm that you choose is not that important for your accuracy. So feature engineering always has number one importance in Data science"

SHOW NOTES
[00:01:31] Introduction for our guest
[00:02:54] Carl's path into data science
[00:04:30] The fascination with churn
[00:08:04] How much more hyped do you think the field has become since you first broke into it?
[00:09:41] Where do you see the field headed in the next two to five years?
[00:11:20] What do you think would be the biggest positive impact that data science will have on society in the next two to five years?
[00:12:36] What do you think would be the scariest application of machine learning and data science in the next two to five years?
[00:13:17] As practitioners of machine learning, what do you think would be some of our biggest concerns when we're out there doing our work?
[00:16:01] What is churn? Is that what we do, we make butter?
[00:17:27] So why is churn so hard to fight?
[00:21:48] The importance of metrics in our battle against churn
[00:24:01] How do we go from raw event data to metrics?
[00:24:45] How do cohorts help us analyze, predict, and understand churn?
[00:27:22] What are ratio metrics and why are they so powerful?
[00:33:09] Why are outliers so problematic to deal with? model and get information from them, but without them ruining your numbers.
[00:34:57] What are some common mistakes that you've seen data scientists make when it comes to dealing with outliers?
[00:39:14] How to be more thoughtful when it comes to feature engineering?
[00:42:31] Debunking the common misconception that the choice of algorithm is the most important thing that contributes to model performance.
[00:43:56] Your features don't need to be the most creative
[00:45:28] Your job isn't over once you deploy the model
[00:49:05] What are some things that we need to monitor and track - in the context of churn - to make sure that our model is doing what it should be, that is, performing as we've designed it?
[00:50:26] How COVID is messing up everyone's churn models
[00:53:14] Is data science an art or a science?
[00:55:24] What are some soft skills that data scientists are missing that are really going to help them take their careers to the next level?
[00:56:51] How could a data scientist develop their business acumen and their product sense?
[00:57:44] What to do with these crazy job descriptions
[00:59:27] What's the one thing you want people to learn from your story?
[01:00:39] The lightning round

Special Guest: Carl Gold, PhD.
1 hr 9 min
David Bombal
#204: David Bombal: Never Use TFTP Or FTP!
Both TFTP and FTP are insecure protocols. Everything is sent in clear text - including all usernames and passwords. Don't use them.

Get the full Wireshark course for $9: bit.ly/wireshark9
Need help? Join my Discord: discord.com/invite/usKSyzb
Free Wireshark and Ethical Hacking Course: Video #7. Watch the entire series here: bit.ly/wiresharkhacking

Menu
Overview: 0:00
Start Capture: 0:48
Ping test: 1:00
Copy files using TFTP: 1:40
Filter for TFTP: 2:27
Follow UDP stream: 2:45
FTP intro: 3:53
Upload a file using FTP: 4:16
Filter for FTP: 4:35
Follow TCP stream: 4:47

Download TFTP pcapng file here: bit.ly/311IjXc
Download FTP pcapng file here: bit.ly/3iUlz1A

Don't use TFTP or FTP! They send everything in clear text. That means that someone can capture everything you send on the network - including usernames and passwords.

In this course I'm going to show you how to capture packets from a network, how to capture passwords, replay voice conversations, view routing protocol updates and many more options. Do you know network protocols? Do you know how to hack? Want to learn Wireshark and have some fun with ethical hacking? This is the course for you: Learn Wireshark practically. Wireshark pcapng files provided so you can practice while you learn!

There is so much to learn in this course:
- Capture Telnet, FTP, TFTP, HTTP passwords.
- Replay VoIP conversations.
- Capture routing protocol (OSPF) authentication passwords.
- Troubleshoot network issues.
- Free software.
- Free downloadable pcapng files.
- Answer quiz questions.

The course is very practical. You can practice while you learn! Learn how to analyze and interpret network protocols and leverage Wireshark for what it was originally intended: deep packet inspection and network analysis.

Protocols we capture and discuss in this course include:
- Telnet
- FTP
- TFTP
- HTTP
- VoIP
- OSPF
- EIGRP
- DNS
- ICMP
7 min