Application security, DevOps, Vulnerability management

A Cesspool of Images – ASW #133

This week, we welcome Mike Manrod, CISO of Grand Canyon University, joined by John Delaroderie, Security Solutions Architect at Qualys, to discuss his approach to web application security with an emphasis on improving knowledge of web application vulnerabilities and the external attack surface, and his approach to reducing the number of opportunities an attacker has to compromise our information and infrastructure! In the Application Security News, An old security bug in the Play library still affects 8% of apps in Google Play, Project Zero researcher spends six months to reboot an iPhone (in an epic manner), GitHub looks at the security of repos within its Octoverse, the OWASP Web Security Testing Guide gets a minor bump, and XS-Leaks get more attention.

Visit https://securityweekly.com/qualys to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

Segments

1. Securing Web Applications Against Modern Threats – John Delaroderie, Mike Manrod – ASW #133

Mike Manrod, CISO of Grand Canyon University, joined by John Delaroderie, Security Solutions Architect at Qualys, will discuss his approach to web application security with an emphasis on improving knowledge of web application vulnerabilities and the external attack surface, and his approach to reducing the number of opportunities an attacker has to compromise our information and infrastructure.

This segment is sponsored by Qualys.

Visit https://securityweekly.com/qualys to learn more about them!

Sponsored By

Qualys

Announcements

  • SCYTHE is offering a FREE purple team workshop where attendees get hands-on in an isolated enterprise environment for three hours! It is scheduled for December 9th (the day before Security Weekly Unlocked!) Register for this free workshop now: https://securityweekly.com/purpleteamsw

  • Tomorrow is the big day! The virtual doors open for the first-ever Security Weekly Unlocked virtual event at 10:30am and the last round table should end around 9:30pm! We have an outstanding line-up of presenters, who will be answering questions LIVE in our Discord server during their presentations! Make sure you register for this FREE event before it's too late! Visit https://securityweekly.com/unlocked to view the line-up and register!

Guests

John Delaroderie
Security Solutions Architect at Qualys

John Delaroderie is a Security Solution Architect and Subject Matter Expert for Web Application Scanning. He has been with Qualys since early 2018, and prior to that he worked for a variety of government agencies and private organizations in the fields of cyber security, incident response, digital forensics, and systems integrations.

Mike Manrod
CISO at Grand Canyon Education

Mike Manrod presently serves as the Chief Information Security Officer for Grand Canyon Education, responsible for leading the security team and formulating the vision and strategy for protecting students, staff and information assets across the enterprise. Previous experiences include serving as a threat prevention expert for Check Point and working as a consultant and analyst for other large enterprise customers.

He is also a co-author/contributor for the joint book project, Understanding New Security Threats published by Routledge in 2019.

Hosts

Mike Shema
Security Partner at Square
John Kinsella
Co-founder & CTO at Cysense
Matt Alderman
VP, Product at Living Security

2. Google Play Bug, GitHub, iPhone Radio Reboots, & Docker Hub Vulns – ASW #133

An old security bug in the Play library still affects 8% of apps in Google Play, Project Zero researcher spends six months to reboot an iPhone (in an epic manner), GitHub looks at the security of repos within its Octoverse, the OWASP Web Security Testing Guide gets a minor bump, and XS-Leaks get more attention.

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Mike Shema
Security Partner at Square
  1. 8% of all Google Play apps vulnerable to old security bug - that demonstrates once again the software supply chain challenge of applying updates that software vendors supply.
  2. Project Zero: An iOS zero-click radio proximity exploit odyssey - is an epic read about the saga of radio, protocols, buffers, and surprising swarms of susceptible software that didn't see it coming.
  3. OWASP Web Security Testing Guide – v4.2 - this version must be the answer to life, the universe, and everything you wanted to know about web security testing!
  4. Cross-site leaks wiki - describes a vuln that's truly cross-site and truly sneaky. And, if you'd like to dive deeper into configuring effective site policies to protect your web app, check out "Reining in the Web's Inconsistencies with Site Policy" at https://publications.cispa.saarland/3214/7/calzavara2021reining.pdf
  5. The State of the Octoverse - supplies a perspective on open source and security as seen by GitHub and shared with all of us.
  6. Open source software security vulnerabilities exist for over four years before detection - which is the other headline you could give to GitHub's State of the Octoverse.
  7. Antipatterns That Hurt DevOps Implementations - might sound familiar and, fortunately, also sound like they can be turned into constructive collaboration.
John Kinsella
Co-founder & CTO at Cysense