Erez Yalon — The OWASP API Security Project
37 min

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy [...]

The post Erez Yalon — The OWASP API Security Project appeared first on Security Journey Podcasts.

Defense in Depth
Allan Alford and David Spark
Measuring the Success of Your Security Program
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-measuring-the-success-of-your-security-program/)

How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing? Check out this post for the basis for our conversation on this week’s episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP.

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you’ll learn:
* The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put in place to manage them. Simple to say, hard to do.
* Security risk is just one of a multitude of risks a business faces.
* Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk.
* Constantly be asking who has access to the data and what communication processes you are using to share that information between humans and machines.
* Discuss with leadership how you will judge success and what metrics you will use. The C-suite will need to lead the discussion, with security providing guidance as to what they can and can't measure.
* If you're measuring security's performance, this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others.
* An informal metric for success could be how often security is getting invited to informal meetings.
* Overall positive sentiment toward security from non-security employees.
* How well are you able to build (are people eager to work with you?) and maintain your staff?
* Another "out of the box" metric to consider is opportunity cost. How many contracts are you losing because you were incapable of meeting a potential customer's security standards?
* Strong debate as to what the goal of a security program is: risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.
27 min
David Bombal
David Bombal
#204: David Bombal: Never Use TFTP Or FTP!
Both TFTP and FTP are insecure protocols. Everything is sent in clear text, including all usernames and passwords. Don't use them.

Get the full Wireshark course for $9: bit.ly/wireshark9
Need help? Join my Discord: discord.com/invite/usKSyzb

Free Wireshark and Ethical Hacking Course: Video #7. Watch the entire series here: bit.ly/wiresharkhacking

Menu:
- Overview: 0:00
- Start Capture: 0:48
- Ping test: 1:00
- Copy files using TFTP: 1:40
- Filter for TFTP: 2:27
- Follow UDP stream: 2:45
- FTP intro: 3:53
- Upload a file using FTP: 4:16
- Filter for FTP: 4:35
- Follow TCP stream: 4:47

Download TFTP pcapng file here: bit.ly/311IjXc
Download FTP pcapng file here: bit.ly/3iUlz1A

Don't use TFTP or FTP! They send everything in clear text. That means that someone can capture everything you send on the network, including usernames and passwords.

In this course I'm going to show you how to capture packets from a network, how to capture passwords, replay voice conversations, view routing protocol updates and many more options. Do you know network protocols? Do you know how to hack? Want to learn Wireshark and have some fun with ethical hacking? This is the course for you: learn Wireshark practically. Wireshark pcapng files are provided so you can practice while you learn!

There is so much to learn in this course:
- Capture Telnet, FTP, TFTP, HTTP passwords.
- Replay VoIP conversations.
- Capture routing protocol (OSPF) authentication passwords.
- Troubleshoot network issues.
- Free software.
- Free downloadable pcapng files.
- Answer quiz questions.

The course is very practical. You can practice while you learn! Learn how to analyze and interpret network protocols and leverage Wireshark for what it was originally intended: deep packet inspection and network analysis.

Protocols we capture and discuss in this course include:
- Telnet
- FTP
- TFTP
- HTTP
- VoIP
- OSPF
- EIGRP
- DNS
- ICMP
7 min
The Azure Podcast
Sujit D'Mello
Episode 350 - Azure Time Series Insights
The data IoT devices provide is now considered a valuable resource for companies to make decisions and predictions. Diego Viso, a Principal PM Manager, discusses with us how Time Series Insights can be leveraged for real-time insights and large-scale data analytics to drive operational improvements.

Media File: https://azpodcast.blob.core.windows.net/episodes/Episode350.mp3

Resources:
* Official launch announcement on Azure.com
* Our refreshed ACOM page with a fresh new video
* Landing page
* Pricing page
* Our documentation
* Azure Time Series Gen2 documentation
* Walk through our tutorial
* Azure Architecture Center - IIoT architecture guidance
* Our videos
* Build 2020 - Make your IoT data useful with an end-to-end analytics platform, Azure Time Series Insights
* Channel 9 IoT Show - Deep Dive: Analyzing IoT data using Time Series Insights
* Channel 9 IoT Show - Using Azure Time Series Insights to create an industrial IoT analytics platform

Other Updates:
* Zone Redundancy for Azure Cache for Redis now in preview: https://azure.microsoft.com/en-us/blog/zone-redundancy-for-azure-cache-for-redis-now-in-preview/
* Azure and Intel commit to delivering next generation confidential computing: https://azure.microsoft.com/en-us/blog/azure-and-intel-commit-to-delivering-next-generation-confidential-computing/
* Announcing advanced Azure Machine Learning nanodegree program with Udacity: https://azure.microsoft.com/en-us/blog/announcing-advanced-azure-machine-learning-nanodegree-program-with-udacity/
* Azure DevTest Labs - Create a network isolated lab: https://azure.microsoft.com/en-us/updates/azure-devtest-labs-create-a-network-isolated-lab/
Hacker Public Radio
Hacker Public Radio
HPR3186: A light bulb moment, part 2
_A very brief history of lighting_

Natural light first came from fire, then from oil and fat with a wick. Early candles used animal fat; this smelled awful and tended to spit. Some parts of the world used whole animals as candles. These early candles gave so little light that people generally just went to bed at sunset.

Electric lighting was started by Humphry Davy in the early 1800s using an arc; this was developed into commercial lighting in the 1840s. Arc lighting needed a complex mechanism to gradually push the contacts together as they burnt away.

Gas lighting started around the 1850s and was improved in the 1870s with the advent of the gas mantle.

Thomas Edison developed the electric light bulb in 1879 using a carbon filament. It took a great deal of effort to convince people to use it because gas lighting was so well established and worked well. Many houses in Britain didn't install electric lighting until the 1930s. Finally electricity won, as it could be used for so many other things.

_The tungsten filament bulb_

The filament within the bulb is made up of a tungsten coiled-coil wire. This is done because the more compactly a filament can be wound, the less heat is lost to the surroundings and the brighter the bulb will glow.

_The tungsten halogen bulb_

The next progression was the tungsten halogen bulb. These bulbs are more efficient, give out twice as much light as ordinary bulbs and usually last twice as long. All filament lights waste a lot of energy producing heat. An ordinary light bulb only gives out 10% of its energy as light; the rest is wasted as heat.

_Fluorescent neon lights_

Fluorescent neon lights were invented in 1905 by a Frenchman called Georges Claude. These were used for advertising, mainly in America.

_Fluorescent strip light_

The first fluorescent light was introduced in 1939. It uses the same principle as the neon light but incorporates a filament at both ends. It is filled with argon and mercury vapour. It mainly gives off ultraviolet light; the tube is coated on the inside with chemicals to convert the output to mostly visible light using a property called fluorescence. Fluorescent tubes are four times as efficient as normal incandescent light bulbs and run cool. The first energy efficient light bulbs were just fluorescent lights folded into a compact bulb shape.

_Sodium lights_

Sodium lights, used mainly in street lighting, are twice as efficient again as fluorescent bulbs; they give off a rather horrible orange colour. The first commercial high-pressure sodium lamps were available in 1965 from companies in the United States, the United Kingdom, and the Netherlands; at introduction a 400 watt lamp would produce around 100 lumens per watt (https://en.wikipedia.org/wiki/Sodium-vapor_lamp).

The next big development was LED lighting, which I'll cover in my next episode.
Cloud Security Podcast
Kaizenteq Team
CONTINUOUS MONITORING FOR CONTROLS & VULNERABILITIES - DANIEL MIESSLER
In this episode of the Virtual Coffee with Ashish edition, we spoke with Daniel Miessler.
* Host: Ashish Rajan - Twitter @hashishrajan
* Guest: Daniel Miessler - LinkedIn @danielmiessler

In this episode, Daniel & Ashish spoke about:
* What was your path into cybersecurity?
* Continuous Monitoring (CM) or Continuous Auditing: is that the same thing for you?
* With CI/CD, one would assume CM is obvious, or is CM more of a mature-organisation thing?
* At what point should an organisation consider Continuous Monitoring? Do smaller organisations need to think about it as well?
* What is Bug Bounty?
* How do we find out more about Bug Bounty resources for continuous monitoring?
* Are you using Python for automation?
* How do you manage risk around a Bounty program?
* What suggestions do you have for continuous monitoring in a multi-cloud environment?
* Have you added any machine learning algorithms to your methodology or KO moves?
* How can one start with automation when looking for vulnerabilities continuously?
* How do you scale inventory for resources?
* Can you use it to find fake phishing websites?
* Custom code vs product for continuous monitoring?
* Is there alert fatigue in continuous monitoring?
* Why is it important to do continuous monitoring?
* Does everyone in tech, or in general, need to have a personal brand? Tips for personal branding for an audience that enjoys blogging or podcasting?

Show notes and episode transcript on www.cloudsecuritypodcast.tv
Twitter - @kaizenteq @hashishrajan

If you want to watch videos of this and previous episodes:
- Twitch Channel: https://lnkd.in/gxhFrqw
- YouTube Channel: https://lnkd.in/gUHqSai
49 min
Brakeing Down Security Podcast
Bryan Brake, Amanda Berlin, Brian Boettcher
2020-037-Katie Moussouris, Implementing VCMM, diversity in job descriptions - Part 2
Introduce Katie (bio) (@k8em0), CEO and Owner, Luta Security

The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model: https://www.lutasecurity.com/vcmm

- Does it just cover the internal process? Is it to ready an org for a bug bounty program or to accept vulns from security researchers?
- You mentioned not playing whack-a-mole when it comes to responding at the beginning of a vuln disclosure program. Is the directing of different categories of bugs one of the things that goes into not having to just wait for the bugs to roll in?
- Will this work for internal security or red teams as well, or is this more suited to bug bounties?
- What’s the timeline for this process? “We need something for a product launch next week…”
- Stakeholders involved? CISO? Security team? IT? Devs?
- What precipitates the need for this? Maturity? Vuln disclosure?
- Are the ISO docs required for this to work, or will they assist in an easier outcome?

Links:
- https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
- https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac
- 10 worst jobs (popsci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
- https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961

- How does an org use this to communicate vulnerabilities in their own products?
- What’s the bare minimum you need on this chart for a successful program? Are any facets more important than the others?
- Does anyone hit all 3s, or is that a pipedream?
- Incentive: “no legal action will be taken”. People want money… not tours, not 10-point font. How do you convince ‘good’ bug writers to want to help you for a ‘thank you’? Should incentive be a ‘Level 3’, or would you consider it not ready for prime-time?
- https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/

Vuln reporting:
- Lots of Twitter fodder of companies that handle vuln disclosure poorly; some folks even say that you shouldn’t bother and should just deal with a 3rd party.
- If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier? Security.txt? Clearly stated bugs@ or security@ (and not buried in 3-point font in the privacy policy or ToS)? SLA to reply to all bugs? Standardized disclosure form for discoveries?

Slide presentation overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf

- ISO 29147:2018 - $150 USD: https://www.iso.org/standard/72311.html
- ISO 30111:2019 - $95 USD: https://www.iso.org/standard/69725.html
- ISO 27034-7:2018 - $150 USD: https://www.iso.org/standard/66229.html

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

- #AmazonMusic: https://brakesec.com/amazonmusic
- #Brakesec Store!: https://brakesec.com/teepub
- #Spotify: https://brakesec.com/spotifyBDS
- #Pandora: https://brakesec.com/pandora
- #RSS: https://brakesec.com/BrakesecRSS
- #Youtube Channel: http://www.youtube.com/c/BDSPodcast
- #iTunes Store Link: https://brakesec.com/BDSiTunes
- #Google Play Store: https://brakesec.com/BDS-GooglePlay
- Our main site: https://brakesec.com/bdswebsite
- #iHeartRadio App: https://brakesec.com/iHeartBrakesec
- #SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon: https://brakesec.com/BDSPatreon

- #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
- #Player.FM: https://brakesec.com/BDS-PlayerFM
- #Stitcher Network: https://brakesec.com/BrakeSecStitcher
- #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
39 min
Cyber Work
Infosec
Protecting sensitive information: Growing data, regulations and risks
The amount of data organizations hold has exploded — along with the risk it poses. Today’s guest is Very Good Security CEO and co-founder Mahmoud Abdelkader, who wants to solve the problem of sensitive data by removing it from the equation (by replacing it with decoy data). It’s an intriguing idea, as having less worry about data security frees resources up to focus on other areas of cybersecurity. Mahmoud talks about the future of data security, how these new solutions do and don’t help with privacy regulations, and what cybersecurity professionals can do to prepare for a future where the amount of data continues to grow every year.

– Get your free security awareness toolkit: http://infosecinstitute.com/ncsam2020
– Enter code “cyberwork” to get 30 days of free training with Infosec Skills: https://www.infosecinstitute.com/skills/
– View transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Mahmoud Abdelkader is the CEO and co-founder of Very Good Security. He was previously CTO and co-founder of Balanced Payments (exited to Stripe). Prior to that, Mahmoud designed automated product matching systems at Milo.com (acquired by eBay) and built high-frequency trading systems for Wachovia Securities, now a part of Wells Fargo. With experience ranging from Wall Street to early-stage startups, Mahmoud is passionate about democratizing data security. He started Very Good Security to make best-in-class security and compliance attainable for businesses of all sizes.

*About Infosec*
At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. It’s what we do every day — equipping everyone with the latest security skills and confidence to be safe online. Learn more at infosecinstitute.com.
35 min