Everything Looks Crazy – ASW #156
Full Audio
View Show IndexSegments
1. Scaling Your Application Security Program – Clint Gibler – ASW #156
In this segment with Clint Gibler, learn: * Why secure defaults are higher ROI than finding vulnerabilities * How modern AppSec teams are working with their engineering counterparts * Targeting vulnerability classes, avoiding bug whack-a-mole * The latest innovations in lightweight static analysis
Segment Resources:
https://semgrep.dev/ https://github.com/returntocorp/semgrep https://github.com/returntocorp/semgrep-rules 2020 GlobalAppSec SF https://docs.google.com/presentation/d/14PjOViz2dE6iToOyoFkBQRUfkEHGX-celIiybDQZA/edit https://tldrsec.com/
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!
Guest
Clint Gibler is the Head of Security Research for r2c, a startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU/Cali, BSidesSF, and many DevSecCons. Clint holds a Ph.D. in Computer Science from the University of California, Davis. Want to keep up with security research? Check out *tl;dr sec*, Clint’s newsletter that contains summaries of artisanally curated, top talks and useful security links and resources from around the web. https://tldrsec.com/
Hosts
2. Semgrep, Microsoft Signs With Rootkits, ATT&CK/D3FEND, & Injured Android – ASW #156
This week in the AppSec News: Visual Studio Code's Workplace Trust, Injured Android an insecure mobile app, Microsoft accidentally signed driver with rootkits, The NSA funds a new sister Matrix to ATT&CK: D3FEND, & "Ransomware: maybe it's you, not them?", and more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Hosts
- 1. Visual Studio Code’s Workplace TrustThe May release of Visual Studio Code added something called Workspace Trust - what looks like a significant improvement in the safety for browsing code from within VSCode. Functionality includes being able to prevent code execution from running Tasks, debugging, workplace settings, or extensions. Looks like they have these features for either workplace or folder granularity.
- 2. Microsoft accidentally signed driver with rootkitsMicrosoft signed a signature request from a vendor that contained malicious software, without either the vendors or Microsoft's awareness. While Microsoft as since signed a clean version, the question is how did this get signed in the first place?
- 3. Ransomware isn’t out of control – security teams areHere's a think piece for us to...think about what we want and expect our security teams to do. While in any environment we need everybody to work on security together, security teams and management must set the direction and goals for us. With that guidance - how can we better prevent security issues, whether they're ransomware or others?
- 4. What are the odds someone will find and exploit this?Up to 80% of developers are releasing software with some known vulnerability. How can we improve that stat?