Total Recall – ASW #139
This week, we welcome Alissa Knight, Partner at Knight Ink, to discuss Being a Serial Entrepreneur, Business Leader, & Hacker! Alissa Knight has spent her career going against industry and social norms as both a transgender and lesbian business leader and hacker. Learn more about her, her achievements as a published author, her recent vulnerability research in hacking law enforcement vehicles, mHealth apps and APIs, her life as a hacker, and the barriers she's broken down in business. In the AppSec News: funding bounties or finding bugs, how should we invest? Talks from the Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020!
1. Being a Serial Entrepreneur, Business Leader, & Hacker – Alissa Knight – ASW #139
Alissa Knight has spent her career going against industry and social norms as both a transgender and lesbian business leader and hacker. Learn more about her, her achievements as a published author, her recent vulnerability research in hacking law enforcement vehicles, mHealth apps and APIs, her recent screenplay for her new TV series, her life as a hacker, and the barriers she's broken down in business.
Alissa Knight is a partner at Knight Group where she’s the Director and Executive Producer at Knight Studios, and partner at Knight Ink, Knight Events, and Knight Publishing. She’s a recovering hacker of 22 years after being arrested for hacking into a government network at 17. Over the last two decades, Alissa has sold numerous cybersecurity startups to public companies as a serial entrepreneur and is a published author. Alissa is now an award-winning filmmaker at Knight Studios where she produces scripted narrative short and feature films in cybersecurity crime dramas for vendors as a form of disruptive content marketing.
2. BBPLR, API Security Trends, Memory Unsafety, & Patching 0-Days – ASW #139
Funding bounties or finding bugs: how should we invest? Talks from the Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020.
- 1. Bug Bounty Program of Last Resort: This paper estimates what it might cost to fund bounties for critical open-source projects, which also raises the question of what it might cost to fund code refactoring and hardening for those same projects. It also references a paper from WEIS 2019 (https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_36.pdf). We talked about this conference and a few of its papers back in episode 136.
- 2. Google’s Payout to Bug Hunters Hits New High: As a bug bounty of first resort, Google pays quite a bit for software flaws in Android, Chrome, and its other properties. But it's nowhere near the scale suggested in this week's other article about a bounty of last resort.
- 3. API Security Trends: Another vendor state-of-security report, this time focused on the incidents that have been hitting APIs. Read it alongside their take on "OpenAPI Specification: Perception vs. Reality" (https://devops.com/openapi-specification-perception-vs-reality/) and how the industry might improve API security.
- 4. NCC Group’s 2020 Annual Research Report: A wealth of reading on research, tools, and presentations from 2020. Each item comes with helpful context so you can choose what appeals to your interests or what might be relevant to your organization.
- 5. Establishing a Scalable Collaboration Between Security and DevOps: A discussion of research on DevOps skillsets, what organizations are worried about, where containers fit within a DevOps strategy, and where Security sits among all this. For bonus reading, check out their other article on keeping Availability on the Security radar (https://capsule8.com/blog/bringing-your-a-game-availability-for-security-people-2/).
- 6. Quantifying Memory Unsafety and Reactions to It: A talk from Enigma 2021 that brings data to the discussion of what writing in C and C++ means for security. How much does programming language choice affect software security? How much _has_ programming language choice shaped the population of vulns?
- 7. The State of 0-Day in-the-Wild Exploitation: A talk from Enigma 2021 that brings data to the discussion of finding vulns and patching them. Check out the companion article on the Project Zero blog at https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
- 8. Privacy and Security Nutrition Labels to Inform IoT Consumers: A talk from Enigma 2021 on visualizing and communicating the security and privacy properties of IoT devices to consumers. Find out more about the labels on the project site at https://www.iotsecurityprivacy.org.
- 1. Apple patches 28 code execution vulnerabilities: Apple released updated information about what was patched in last week's iOS/watchOS/tvOS/macOS updates. Quite a few bugs...