wordpress_ASW_News-0.png

Security Weekly

Application Security Weekly

North America

Application Security

Container security

Cloud Security

Threat modeling

Privacy

Podcast

AirTags & Threat Models, Qualcomm Modem Vuln, Exim RCE(s), & Binary Hardening – ASW #150

Related Events

Capsule8-Mar2021-PromoBlue.png

Risk Management

Cybersecurity Asset Management

Architecture

DevOps

Cloud

Endpoint security

Hardware Security

Strategy

Vulnerability management

Patch Management

Cybercast

Preparing Linux Hosts for Unexpected Threats

(Aired on June 22, 2021) Earn up to 3 CPE&#8217;s Here’s the challenge: Web applications are progressively extending the range of critical business operations they support. But software development for cloud-native environments requires continuous security oversight. Against this backdrop, cybersecurity leaders and strategists must strike a balance between accelerating a business’s go-to-market and safeguarding the applications that fuel its growth and productivity. Producing quality code quickly and securely is always the goal. But efforts to integrate security into the software development cycle is more often perceived as a roadblock than a catalyst. Hear from top experts in a series of discussions and presentations focused on application security, topics include: • How to map application security requirements to compliance frameworks • Embracing and extending DevSecOps principles • Standardizing application security policies within business lines Discover how modern application security programs can operate at the speed and scale that’s required to empower, not deter, the business. 



AGENDA 11:00 AM ET KEYNOTE | Preventing the exhaust ports: How not to build a Death Star with your&nbsp;SDLC Kevin Johnson,&nbsp;CEO, Secure Ideas Millions of stormtroopers and galactic empire citizens were lost because engineers didn&#8217;t understand their design flaws.&nbsp;While this is a great movie reference, the reality is that organizations are deploying applications with their version of this fatal flaw every day.&nbsp;In this presentation, Kevin Johnson of Secure Ideas will walk attendees through various examples of application flaws, using real applications he and his team have tested.&nbsp;He will then discuss how the flaws happened and methods for improving your SDLC and security integration to prevent them in the future.&nbsp;



<div class="wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-block-group"><div class="wp-block-group__inner-container">
11:55&nbsp;AM ET Beyond DAST: A DAST-first tool with IAST depth&nbsp; Mark Schembri,&nbsp;Technical Solutions Engineer, Invicti The versatility of modern dynamic tools brings advantages that extend far beyond the typical vulnerability scanning functionality. The inclusion of&nbsp;True IAST functionality maintains the advantages of a DAST solution while going deeper than ever to identify and verify more vulnerabilities with access to the application code. You will learn how&nbsp;Netsparker’s&nbsp;IAST capabilities will help you:



<ul id="block-b68249d0-2801-474a-9579-3e43be3ede32" class="has-vivid-red-color has-text-color"><li>Find more&nbsp;vulnerabilities&nbsp;</li><li>Further reduce false positives&nbsp;</li><li>Simplify&nbsp;remediation</li></ul>
</div></div>
</div></div>
</div></div>



<div class="wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-block-group has-text-color" style="color:#444444"><div class="wp-block-group__inner-container">
<div class="wp-block-group"><div class="wp-block-group__inner-container">
12:35 PM ET Embed&nbsp;sophisticated&nbsp;bot&nbsp;detection into your CI/CD&nbsp;pipeline with a&nbsp;single&nbsp;line of&nbsp;code. Peter Craig,&nbsp;Director of Product Marketing, Human Security Enterprises find it increasingly difficult to defend web applications from automated attacks.&nbsp;Even when apps function as intended, they are vulnerable to criminals using sophisticated bots that mimic human behavior using mouse movements, keystrokes, and fake browser behaviors.&nbsp;Solution: By embedding effective, multilayered, bot detection and mitigation, you can protect your application from automated attacks while providing insight to development on the tactics your adversaries used and the resources they targeted.&nbsp;Learn how you can:&nbsp;



<div class="wp-block-group"><div class="wp-block-group__inner-container">
<ul class="has-vivid-red-color has-text-color"><li>Detect even the most sophisticated, dynamic bots and gain full transparency into each&nbsp;detection&nbsp;</li><li>Mitigate malicious bots and nonstandard traffic in&nbsp;real-time&nbsp;</li><li>Enhance your application user experience with minimal performance&nbsp;impact</li></ul>



1:15 PM ET KEYNOTE | Scorched earth: Empirical research in hacking and securing&nbsp;APIs&nbsp; Alissa Knight,&nbsp;Partner,&nbsp;Knight Ink Application programming interfaces (APIs) are now everywhere, powering the way we live, work and play. But when authentication and authorization is broken, it opens everything up from the data these APIs are serving to remote control of connected passenger vehicles. Unfortunately, many organizations are using the wrong security control to secure their APIs, akin to using a hammer to nail in a screw. Cybersecurity professionals must ensure that APIs are secured correctly, so every request is authenticated and authorized. Solutions should interdict the traffic and ensure the traffic destined for the API is not synthetically generated by malicious tools. In this keynote session, Alissa Knight will share:



<ul id="block-822071bb-1a89-4e27-a30c-b01348f9155b" class="has-vivid-red-color has-text-color"><li>Several years of empirical data gleaned from her hacking of banks, automobile manufacturers, and healthcare providers and payers through their&nbsp;APIs</li><li>What her research produced when the wrong security control was used to secure these&nbsp;APIs</li><li>What you should be looking for in your API threat management solution</li><li>Most importantly, what the indicators of compromise are to the specific tactics and techniques used to breach&nbsp;APIs</li></ul>



1:55 PM ET Between the&nbsp;chair and&nbsp;keyboard J. Wolfgang Goerlich,&nbsp;Advisory CISO, Duo Security&nbsp;at Cisco People ultimately decide our security posture. The dreaded end-users.&nbsp;People performing conscientiously&nbsp;and consistently is a lofty goal. Risk management gives us the process to follow.&nbsp;Control&nbsp;frameworks&nbsp;give&nbsp;us the standards to set and meet. Yet it is people who ultimately decide our security posture.&nbsp;In this presentation, we look at the psychology and behavior science of individuals making risk decisions and leaders affecting culture change, and how it affects the security of organizations and the applications on which they rely.&nbsp;Attendees will leave with insights and pragmatic tactics for improving the human element in risk and compliance.



2:35 PM ET How to determine what your open-source risks look like&nbsp; David Lindner,&nbsp;CISO, Contrast Security&nbsp; Studies show that upwards of 80% of software code is comprised of open-source libraries. But the reality is that less than 10% of classes within active libraries are ever invoked by the application. Yet, open-source libraries contain significant vulnerability and licensing risks with 34 CVEs per application on average and 35% of applications containing a copyleft license. Attend this session to learn what open-source risks matter and how to focus on fixing them quickly and easily.



3:15 PM ET Best practices for developers for master security&nbsp; Anna Rozin,&nbsp;Director of R&amp;D,&nbsp;WhiteSource Shiri Arad&nbsp;Ivtsan,&nbsp;Director of Product,&nbsp;WhiteSource When you ask developers what they think of security, they will likely go into the situation without much enthusiasm as in their mind – security is slowing them down and holding them back from doing their “actual” job. But – it doesn’t necessarily have to be that way. The friction between developers and security teams can be&nbsp;reduced if the right tools and processes are in place. Want to learn how handling security can be quick, efficient and integrate into daily workflows?&nbsp;Join Anna Rozin, director of R&amp;D at&nbsp;WhiteSource, and Shiri Arad&nbsp;Ivtsan, director of product at&nbsp;WhiteSource, who will share their hands-on experience in managing&nbsp;open source&nbsp;components with WhiteSource tools. In this session you&#8217;ll learn:



<ul class="has-vivid-red-color has-text-color"><li>Practical advice on testing, managing and fixing vulnerabilities in&nbsp;open source&nbsp;code&nbsp;packages&nbsp;</li><li>The tools and processes to handle security in a fast and effective&nbsp;way&nbsp;</li><li>How to empower developers with security data through prioritization and remediation tips&nbsp;</li></ul>



<div class="wp-block-group"><div class="wp-block-group__inner-container">
3:55 PM ET KEYNOTE | Preventing the next&nbsp;SolarWinds: A look at the evolving app security&nbsp;landscape Keith&nbsp;Hoodlet,&nbsp;Director, Application Experience, Thermo Fisher Scientific Attackers targeting vulnerabilities in applications are growing more sophisticated – looking beyond the low hanging fruit of consumer apps to enterprise software that provides an avenue in for widespread network compromise across an expansive supply chain. Keith&nbsp;Hoodlet,&nbsp;director of application experience at Thermo Fisher Scientific, speaks about the evolving tactics for infiltrating the network via gaps in software security, and must-do-defensive strategies to prevent the next SolarWinds or Accellion hack.&nbsp; 
</div></div>
</div></div>
</div></div>
</div></div>
</div></div>

Generic_215x132_bannerNEW4

eSummit

Integrating Application Security: Reengineering AppSec as a business catalyst

Scale and speed are two words that aren’t typically synonymous with cybersecurity, but that’s all changing. As organizations continue to expand their digital capabilities and reach — harnessing cloud technology’s power along the way — they’re increasingly embracing DevSecOps — an approach in which development, security and operations work together, in a fully integrated process from kick-off to delivery.



At the heart of DevSecOps is an assumption that optimal security is built in, rather than applied as a ring fence around applications and data. Reaching an ideal state of fast, efficient, and&nbsp;secure&nbsp;development, requires shifting security left and out of its customary position at the end of a waterfall process.



To bring you up to speed, SC Media is hosting a new virtual conference focused on DevSecOps for the Cloud. Scheduled from March 23-24, it will provide instruction and insights on key topics, including:&nbsp;



<ul><li>How to establish a comprehensive DevSecOps program</li><li>Integrating your security team within a DevSecOps framework</li><li>Understanding DevSecOps implications for application security implications, asset management and more</li></ul>



Featuring keynotes by: Paul Asadoorian, Chief Innovation Officer,&nbsp;CyberRisk&nbsp;Alliance Larry&nbsp;Maccherone, Distinguished Engineer,&nbsp;DevSecOps&nbsp;Transformation, Comcast&nbsp; Ted Harrington, Executive Partner, Independent Security Evaluators&nbsp; Alan Hohn, Chief Engineer, Lockheed Martin Software Factory&nbsp; Webcasts with: Shift Identity Left: Enable Secure Velocity at Scale&nbsp; Ivan Dwyer, Group Product Marketing Manager, Okta



The Future of Network Security&nbsp; Lisa, Sales Engineer,&nbsp;FireMon



Maintaining security posture in high velocity environments&nbsp; Cameron Smith, Director of Product Management at Gigamon



How Twilio Scaled through Dev-First Security and&nbsp;DevSecOps&nbsp; Yashvier&nbsp;Kosaraju, Head of Product Security, Twilio&nbsp; Simon Maple, VP of Community and Developer Relations,&nbsp;Snyk



DevSecOps&nbsp;&amp; Cloud Security: 5 Tips&nbsp;From&nbsp;The&nbsp;Frontlines&nbsp; Alex Jones, Information Security, Cobalt



Design Thinking for Securing DevOps&nbsp; J. Wolfgang Goerlich, Advisory CISO, Duo Security&nbsp;



Nukes in the Cloud, Exploring Next-Generation Critical Infrastructure Vulnerabilities&nbsp; Alexander Heid serves, Chief Research &amp; Development Officer,&nbsp;SecurityScorecard&nbsp;



Improving Collaboration between IT &amp; Security Teams with Next Generation Antivirus&nbsp; Elizabeth&nbsp;Schultheisz, Product Line Marketing Manager, VMware Carbon Black Cloud Business Unit Bob&nbsp;Plankers,&nbsp;Senior Technical Marketing Architect, VMware&nbsp; Katherine&nbsp;Chipdey,&nbsp;Specialist Solutions Engineer, VMware’s Security Business Unit&nbsp;



A Practical Approach for Injecting Sec into DevOps&nbsp; Jon Jarboe,&nbsp;Accurics&nbsp;&nbsp;



Creating a feedback loop: How&nbsp;DevSecOps&nbsp;fosters collaboration&nbsp; Shannon Lietz, Leader &amp; Director,&nbsp;DevSecOps, Intuit&nbsp;



To keep your business on the cutting edge of development — and security — register now.

Training

Secure Cloud Series: DevSecOps in High-Velocity Environments

wordpress_ASW_161_Appsec-0.png

Router Auth Bypass, Weak IoT RNG, HTTP/2 Request Smuggling, & Kindle Fuzzing – ASW #161

wordpress_SWN_140_-_Wrap_Up-0.png

Security Weekly News

Encryption

Backup and recovery

Third-party risk

DDOS

Configuration management

Security awareness

OSINT

Security Research

Deception

Physical Security

Black Hat Recap, Cisco Patches, CISA Task Force, & LockBit 2.0 – Wrap Up – SWN #140

wordpress_SWN_138_-_News-0.png

Identity and Access

Intrusion detection

Pen testing

Bug bounties

Incident response

Forensics

Threat hunting

Insider threat

Compliance

PyPI Malware, PetitPotam Attack, NSA Device Guidance, & Meteor Wiper – Wrap Up – SWN #138

AirTags & Threat Models, Qualcomm Modem Vuln, Exim RCE(s), & Binary Hardening – ASW #150

AirTags & Threat Models, Qualcomm Modem Vuln, Exim RCE(s), & Binary Hardening

Hosts

Announcements

Related

Application Security Weekly Router Auth Bypass, Weak IoT RNG, HTTP/2 Request Smuggling, & Kindle Fuzzing – ASW #161

Security Weekly News Black Hat Recap, Cisco Patches, CISA Task Force, & LockBit 2.0 – Wrap Up – SWN #140

Security Weekly News PyPI Malware, PetitPotam Attack, NSA Device Guidance, & Meteor Wiper – Wrap Up – SWN #138