Happy Holidays! – ESW #255
1. Bringing Autonomy to AppSec – Dr. David Brumley – ESW #255
Log4j, SolarWinds, Tesla hacks, and the wave of high-profile appsec problems aren’t going to go away with current approaches like SAST and SCA. Why? They are:
- 40 years old, with little innovation
- Haven’t solved the problem
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Dr. Brumley is the CEO and co-founder of ForAllSecure, a company with the mission to secure the world’s software. He is also an Associate Professor at Carnegie Mellon University (currently on leave) with a primary appointment in the Electrical and Computer Engineering Department and a courtesy appointment in the Computer Science Department. He is also the previous Director of CyLab, the CMU Security and Privacy Institute. His research focuses on software security.
Prof. Brumley received his Ph.D. in Computer Science from Carnegie Mellon University, an MS in Computer Science from Stanford University, and a BA in Mathematics from the University of Northern Colorado. He served as a Computer Security Officer for Stanford University from 1998-2002 and handled thousands of computer security incidents in that capacity. He is the faculty mentor for the CMU hacking team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world according to ctftime.org. The team was ranked #1 in 2011, #2 in 2012, and #1 in 2013, and won DefCon 2013. He received the USENIX Security best paper awards in 2003 and 2007, and an ICSE distinguished paper award in 2014.
Prof. Brumley's honors include being selected for the 2010 DARPA CSSP program and the 2013 DARPA Information Science and Technology Advisory Board, a 2010 NSF CAREER award, a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama (the highest award in the US for early career scientists according to Wikipedia), and a 2013 Sloan Foundation award.
2. Dragons & Unicorns, Phishing Training, GreyNoise, & Becoming Domain Admin – ESW #255
In the Enterprise Security News for this week: ZeroFox has a $1.4 billion blank check, Corellium raises a $25M Series A, GreyNoise makes its data free to help out Log4j sufferers, AWS suffers its third outage in a month (coincidentally hindering GreyNoise’s efforts), ditching unicorns for dragons, yet another easy way to become domain admin (thanks, Microsoft), a new report finds that current phishing training isn’t effective and is even potentially harmful, & more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We had an absolute blast putting together this year's SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!
- 1. FUNDING: Corellium Secures $25M Series A Round, Led by Paladin Capital Group with Participation from Cisco Investments
- 2. TRENDS: Why the startup world needs to ditch “unicorns” for “dragons”
- 3. GOING PUBLIC: Cybersecurity SaaS company ZeroFox to go public via merger with SPAC in deal valued at about $1.4 billion
- 4. REPORTS: Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. Security awareness training might be less valuable than we had thought. Potentially harmful, even?
- 5. SUPPLY CHAIN: AWS suffers third outage of the month: https://arstechnica.com/information-technology/2021/12/aws-suffers-third-outage-of-the-month/
- 6. VULNERABILITIES: Microsoft warns of easy Windows domain takeover via Active Directory bugs. This title is evergreen - both historically and into the future.
- 7. LOG4J: As Log4j sent defenders scrambling, this startup made its threat data free
- 8. RUMORS: SentinelOne’s $2.5 billion takeover of Orca Security falls through after shares plummet
- 9. SQUIRREL: Tardigrade is first multicellular organism to be quantum entangled
- 10. SQUIRREL: RadioShack Returns as a Crypto Company
3. ESW End-of-Year Wrap Up – ESW #255
In our final Security Weekly segment of the year, we're wrapping up by reminiscing about 2021's biggest, craziest, and most interesting stories. We'll chat about our favorite interviews of the year. Finally, we're sharing our hopes for 2022. What could make it better? Will it be the year we break free from ransomware? Will cyber insurance providers drop all their policyholders? All this, and cryptic hints from Adrian and Tyler!
It has been a crazy year and we're looking forward to keeping you informed throughout 2022 as well!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.