Pokémon & Synthwave & Hair & Hats – ASW #135
A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams.
In the AppSec News, Microsoft purges the malicious SolarWinds presence from its environment and highlights a threat model around its source code, the tl;dr sec crew provides a hardening guide for Kubernetes, Apple provides a user guide for hardening accounts, and Firefox provides a new storage system to defeat side channel abuse!
Segments
1. Security By Design – ASW #135
A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams.
2. Kubernetes Clusters, Microsoft Solorigate, & Apple’s Security DIY – ASW #135
Microsoft purges the malicious SolarWinds presence from its environment and highlights a threat model around its source code, the tl;dr sec crew provides a hardening guide for Kubernetes, Apple provides a user guide for hardening accounts, and Firefox provides a new storage system to defeat side channel abuse.
- 1. Microsoft Internal Solorigate Investigation Update
  Microsoft searches for supply chain fallout from SolarWinds, cleans out malicious binaries, and finds that a compromised account accessed source code, but their threat models already considered an attacker's knowledge of source. Plus, with the ability to reverse engineer binary security patches, how important is source code anyway?
- 2. Risk8s Business: Risk Analysis of Kubernetes Clusters
  Even if you're not maintaining your own Kubernetes clusters, this is a good example of building up a threat model to assess the risk of a system and take steps towards hardening it against attacks and misconfigurations.
- 3. Apple: Here’s how to secure an iPhone or Apple ID ‘when personal safety is at risk’
  Apple describes threats to iPhones and Apple IDs for different populations of users in a way that sets aside security jargon and focuses on helping users make informed decisions. You can download the manual directly from https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf
- 4. Firefox to ship ‘network partitioning’ as a new anti-tracking defense
  Firefox takes a security-by-design approach to address the abuse of side channels in browsers, from timing attacks to cache hits. You can read more about Client-Side Storage Partitioning at https://github.com/privacycg/storage-partitioning
- 5. 3 Metrics That Will Indicate We’re Taking Security Seriously
  While these aren't intended to be prescriptive metrics, the underlying discussion is a step towards the distinction between "What are the consequences of insecure software?" and "What ought to be the consequences?"
- 6. Python is dead. Long live Python!
  We covered this one year ago on episode 90. So... is Python 2 still part of your CI/CD pipeline? Is it in use in production systems? Did you migrate off it using a process that you'll be able to repeat for the next end-of-life software component?
- 7. 6 Security Team Goals for DevSecOps in 2020
  We covered this one year ago on episode 90. So... did you make any progress towards these goals? What's left to do? What do you still want to improve on?