Zsolt Imre — Fuzz testing is easy
38 min

Zsolt is the founder and CTO of GUARDARA with more than 15 years of experience in cybersecurity, both on the offensive and defensive side. Zsolt explains fuzz testing, who does it, and why. He also helps us to understand how to deal with fuzz testing results, and how to get started doing fuzz testing on [...]

The post Zsolt Imre — Fuzz testing is easy appeared first on Security Journey Podcasts.

Brakeing Down Security Podcast
Bryan Brake, Amanda Berlin, Brian Boettcher
2020-037-Katie Moussouris, Implementing VCMM, diversity in job descriptions - Part 2
Introduce Katie (bio) (@k8em0), CEO and Owner, LutaSecurity

The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model: https://www.lutasecurity.com/vcmm
* Does it just cover the internal process? Is it meant to ready an org for a bug bounty program, or to accept vulns from security researchers?
* You mentioned not playing whack-a-mole when it comes to responding at the beginning of a vuln disclosure program. Is directing different categories of bugs one of the things that keeps you from just waiting for the bugs to roll in?
* Will this work for internal security or red teams as well, or is it more suited to bug bounties?
* What's the timeline for this process? "We need something for a product launch next week..."
* Stakeholders involved? CISO? Security team? IT? Devs?
* What precipitates the need for this? Maturity? Vuln disclosure?
* Are the ISO docs required for this to work, or will they assist in an easier outcome?
  https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
  https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac
* 10 worst jobs (PopSci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
* https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961
* How does an org use this to communicate vulnerabilities in their own products?
* What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others? Does anyone hit all 3s, or is that a pipe dream?
* Incentive: "no legal action will be taken". People want money... not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'? Should incentive be a 'Level 3', or would you consider it not ready for prime time?
  https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
* Vuln reporting: there is lots of Twitter fodder about companies that handle vuln disclosure poorly; some folks even say you shouldn't bother and should deal with a 3rd party instead. If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier? security.txt? A clearly stated bugs@ or security@ address (and not buried in 3-point font in the privacy policy or ToS)? An SLA to reply to all bugs? A standardized disclosure form for discoveries?
* Slide presentation overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf
* ISO 29147:2018 - $150 USD: https://www.iso.org/standard/72311.html
* ISO 30111:2019 - $95 USD: https://www.iso.org/standard/69725.html
* ISO 27034-7:2018 - $150 USD: https://www.iso.org/standard/66229.html

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonMusic: https://brakesec.com/amazonmusic #Brakesec Store!: https://brakesec.com/teepub #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
39 min
CISO-Security Vendor Relationship Podcast
Mike Johnson and David Spark
Can a Robot Be Concerned About Your Privacy?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/can-a-robot-be-concerned-about-your-privacy/)

I want AI to be efficient, but I also want my space.

This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest is Rebecca Weekly (@rebeccalipon), senior director of hyperscale strategy and execution, senior principal engineer, Intel.

Thanks to this week's podcast sponsor, Intel. Intel's new suite of security features in the upcoming Xeon Scalable platform improves data confidentiality and integrity in a world that increasingly relies on it. Features like Intel SGX further enable confidential computing scenarios — crucial for organizations in regulated industries to meet growing security requirements and protect sensitive data.

On this week's episode

Why is everybody talking about this now?
"The lack of women in cybersecurity leaves the online world at greater risk," stated Naomi Schalit of The Conversation. Mollie Chard of Capgemini shared the article, which generated a lot of conversation. Naomi hit many issues we've discussed before, like diversity offering different viewpoints, which is critical for building a cybersecurity program. I would like to focus on the dynamic of the security team. I've been in testosterone-fueled environments, and things change dramatically when just one woman enters the room. They change even more when there are more women. What is that dynamic, why is it valuable, and what's the danger of the all-male environment?

Well, that didn't work out the way we expected
At the end of every show I ask our guests, "Are you hiring?" Prior to COVID, almost everyone said desperately, "YES, we're hiring." That has changed dramatically for the worse since COVID started. Emma Brighton has a story on InfoSecurity Magazine about the real shortage that's happening. Problems she points to are the need to secure more communications channels, security people being offloaded to do IT support, and the competition for skilled talent. What is COVID doing to our security environment and our staff?

What's Worse?!
Everyone in the loop or out of the loop?

Please, Enough. No, More.
Today's topic is security on the chipset. We have never talked about this on the show, but now that we've got someone from Intel, it seemed like the right time to do just that. What have we heard enough about regarding chip-level security, and what would we like to hear a lot more about?

Are we having communication issues?
Will the fight to maintain privacy always be in conflict? The people who collect data always want more information so they can get greater insights. Outside of regulations, they have no incentive to maintain privacy. As we collect more and more information automatically, and artificial intelligence systems make decisions for us, can AI systems be made privacy aware while still being effective at gaining insights? What would that even look like?
34 min
7 Minute Security
Brian Johnson
7MS #437: Homecoming and Home IoT Security - Part 3
Hello! This episode is a true homecoming in that I actually recorded it from home. Yay!

WARNING!!! WARNING!!! This episode contains a ton of singing. If you don't like singing, do not listen!!!

With that said, I wanted to follow up on parts 1 and 2 of this series and share some additional cool tools that others have told me about for securing and monitoring all your IoTs!

* Home Assistant is described on its Wikipedia page as "a free and open-source home automation software designed to be the central control system in a smart home or smart house." You can quickly grab the HA image, dump it on an SD card with Balena Etcher, and be up and running in minutes. I found HA a bit overkill/complicated for my needs, but my pal Hackernovice (on 7MS Slack) says this video demonstrates why he really loves it.

* Prometheus, recommended by our pal Mojodojo101, is "a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true." I found a great RPi install guide that will help you get it up and running in a snap. I love the capabilities and possibilities of Prometheus, but much like Home Assistant, it quickly got into "more than I need" territory.

The final thing we talk about today is trying to answer this question: with so many of my IoTs tied to some cloud app/service, how do I keep these accounts themselves as secure as possible?

Songs sung in this episode include:
* Follow Through by Gavin DeGraw
* Livin' on a Prayer
* The Look that Says You Love Me (Brian Johnson)
* Goodness of God
40 min
Defense in Depth
Allan Alford and David Spark
Measuring the Success of Your Security Program
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-measuring-the-success-of-your-security-program/)

How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP.

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you're going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you'll learn:
* The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put in place to manage them. Simple to say, hard to do.
* Security risk is just one of a multitude of risks a business faces.
* Data's whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk.
* Constantly ask who has access to the data and what communications processes you are using to share that information between humans and machines.
* Discuss with leadership how you will judge success and what metrics you will use. The C-suite will need to lead the discussion, with security providing guidance as to what they can and can't measure.
* If you're measuring security's performance, this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others.
* An informal metric for success could be how often security is getting invited to informal meetings.
* Overall positive sentiment toward security from non-security employees.
* How well are you able to build (are people eager to work with you?) and maintain your staff?
* Another "out of the box" metric to consider is opportunity cost. How many contracts are you losing because you were incapable of meeting a potential customer's security standards?
* There is strong debate as to what the goal of a security program is: risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.
27 min
AWS TechChat
Episode 75 - Amazon EventBridge & Amazon AppFlow Special
In this themed episode of AWS TechChat, I am joined by Gabe Hollombe and we look at two relatively new AWS services: Amazon EventBridge and Amazon AppFlow. We start the show by revisiting messaging foundations and what gaps Amazon EventBridge fills in our product portfolio. We discuss how Amazon EventBridge is a serverless event bus that makes it easy to connect applications together using data from your own applications, SaaS applications, and AWS services, before contrasting Amazon EventBridge with Amazon CloudWatch Events. Then we pivot to the Amazon EventBridge Schema Registry, which allows you to discover, create, and manage OpenAPI schemas for events on Amazon EventBridge. You can find schemas for existing AWS services, create and upload custom schemas, or generate a schema based on events on an event bus. Lastly, we talk about Amazon AppFlow, an even newer AWS service. Amazon AppFlow allows you to securely transfer data between SaaS applications like Salesforce, Marketo, and Slack and AWS services like Amazon Simple Storage Service (S3) and Amazon Redshift in just a few clicks.

Speakers:
Shane Baldacchino - Edge Specialist Solutions Architect, ANZ, AWS
Gabe Hollombe - Principal Developer Advocate, AWS

Resources:
Amazon EventBridge: https://aws.amazon.com/eventbridge/
Amazon CloudWatch Events: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html
Amazon EventBridge Schema Registry: https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-schemas.html
Amazon AppFlow: https://aws.amazon.com/appflow/

AWS Events:
AWS Modern Applications Online Series: https://aws.amazon.com/events/application/modern-applications/
AWSome Day Online Conference: https://aws.amazon.com/events/awsome-day/awsome-day-online/
AWS Data, Databases, and Analytics Online Series: https://aws.amazon.com/events/data-analytics-series/
AWS Builders Online Series on-demand: http://aws.amazon.com/events/builders-online-series/
AWS Summit Online on-demand: http://aws.amazon.com/events/summits/online
AWS Events and Webinars: http://aws.amazon.com/events/
45 min