Everything Looks Crazy – ASW #156

Announcements

• Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

• Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

Guest

Clint Gibler

Head of Security Research at r2c

Clint Gibler is the Head of Security Research for r2c, a startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU/Cali, BSidesSF, and many DevSecCons. Clint holds a Ph.D. in Computer Science from the University of California, Davis. Want to keep up with security research? Check out *tl;dr sec*, Clint’s newsletter that contains summaries of artisanally curated, top talks and useful security links and resources from around the web. https://tldrsec.com/

Hosts

Adrian Sanabria

Principal Researcher at The Defenders Initiative

@sawaba

https://adriansanabria.com

John Kinsella

Senior Engineering Leader at AWS

@jlk_

Announcements

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Adrian Sanabria

Principal Researcher at The Defenders Initiative

@sawaba

https://adriansanabria.com

1. 1. D3FEND Matrix
2. 2. Semgrep: The Surgical Static Analysis Tool
3. 3. InjuredAndroid – CTF
4. 4. I know what I didn’t do last summer!
5. 5. Lightning Components: A treatise on Apex Security from an External Perspective – AppOmni %
6. 6. The Fault in Our Stars

John Kinsella

Senior Engineering Leader at AWS

@jlk_

1. 1. Visual Studio Code’s Workplace Trust
   The May release of Visual Studio Code added something called Workspace Trust - what looks like a significant improvement in the safety for browsing code from within VSCode. Functionality includes being able to prevent code execution from running Tasks, debugging, workplace settings, or extensions. Looks like they have these features for either workplace or folder granularity.
2. 2. Microsoft accidentally signed driver with rootkits
   Microsoft signed a signature request from a vendor that contained malicious software, without either the vendors or Microsoft's awareness. While Microsoft as since signed a clean version, the question is how did this get signed in the first place?
3. 3. Ransomware isn’t out of control – security teams are
   Here's a think piece for us to...think about what we want and expect our security teams to do. While in any environment we need everybody to work on security together, security teams and management must set the direction and goals for us. With that guidance - how can we better prevent security issues, whether they're ransomware or others?
4. 4. What are the odds someone will find and exploit this?
   Up to 80% of developers are releasing software with some known vulnerability. How can we improve that stat?