wordpress_ASW_149_-_News-0.png

Security Weekly

Identity and access

Application security

DevOps

Endpoint Security

Device Security

BadAlloc Vulns, Gatekeeper Bypass, & More Spectre in Micro-Op Caches – ASW #149

North America

Podcast

Related Events

Earn up to 6.5 CPE credits by attending this virtual event



Securing cloud-as-infrastructure must be a shared responsibility between IT/security professionals; DevOps teams; and cloud-based SaaS, PaaS and IaaS providers. As part of this effort, stakeholders must take steps to deter cloud leaks and misconfigurations, avoid careless API mismanagement, and ensure that cloud services clients and providers have clearly communicated security expectations to each other.&nbsp;



Join SC Media on May 17-18 as we convene industry leading practitioners and experts to learn how to secure cloud infrastructure and topics including:



<ul><li>Results from CyberRisk Alliance&#8217;s Cloud Security Research Survey</li><li>Developing a user-centered model for safely storing content in the cloud&nbsp;</li><li>Assessing cloud services providers, and how to enter a shared responsibility agreement&nbsp;</li><li>Tips for secure cloud-based app development&nbsp;</li><li>The cloud’s lingering privacy and data sovereignty issues&nbsp; </li></ul>



<h2>FEATURED SPEAKERS</h2>



<figure class="wp-block-image size-full is-resized"><img src="https://files.scmagazine.com/wp-content/uploads/2022/05/ContentBlock-01.png" alt="" class="wp-image-243296" width="605" height="519" srcset="https://files.scmagazine.com/wp-content/uploads/2022/05/ContentBlock-01.png 650w, https://files.scmagazine.com/wp-content/uploads/2022/05/ContentBlock-01-300x258.png 300w" sizes="(max-width: 605px) 100vw, 605px" /></figure>



<h2> Agenda</h2>



DAY 1 | May 17&nbsp;



10:45 AM ET&nbsp; Program Opens&nbsp;



11:00 AM ET&nbsp; Opening Keynote – A user-centric approach to securing content in the cloud Dan Meacham: VP, Global Security and Operations &amp; CSO/CISO, Legendary Entertainment



In April 2022, the Motion Picture Association reportedly revealed an expanded industry effort to secure creative content that’s developed and stored in the cloud. The initiative is a high-priority one, considering that insecure cloud access and misconfigurations can result in damaging leaks, piracy and even extortion if the content falls into the wrong hands. In this session, Dan Meacham, CISO at Legendary Entertainment, will discuss these latest developments in the media and entertainment space and how they are relevant to other industries that also must safeguard their highly sensitive assets and materials. Dan will also reveal how he developed a user-centric cloud architecture that has allowed Legendary to secure the remote editing of entertainment projects anywhere in the world.&nbsp;



11:30 AM ET&nbsp; Managing cloud security risks…IYKYK. Maristelle Bagis Hosaka: Director, Product Marketing – Cloud Security, Fortinet&nbsp;



Digital transformation has been a critical enabler for the rapid acceleration in cloud adoption.&nbsp; Despite the benefits, rapid adoption has also outpaced many organizations’ cloud security expertise, preventing them from properly securing their cloud environments and leaving them exposed to potential threats.&nbsp; With over 80% of organizations adopting the cloud, security risk often accumulates faster than it is resolved and mitigated.&nbsp; Understanding the risks in the cloud and how to best work as a team is essential for effectively mitigating risk and choosing the right tools.&nbsp; This session will highlight some of the most common cloud risks and explore the ways to mitigate them.&nbsp; &nbsp;



12:00 PM ET&nbsp; AppSec best practices for securing cloud-based web apps and APIs Sonali Shah: Chief Product Officer, Invicti Security&nbsp;



Web apps and APIs present a major risk for organizations of all sizes, according to the Verizon DBIR about two of every five breaches originate in a web app – and the problem is only growing. And in most organizations, innovation pressures still outweigh security priorities. So, what can AppSec professionals do to reduce their web attack surface? In this presentation, Invicti Security Chief Product Officer Sonali Shah dives into the top five AppSec risks that every organization should be aware of and provides best practices for securing cloud-based web apps and APIs.&nbsp;



12:30 PM ET Penetrating the cloud: uncovering&nbsp;unknown vulns Seth Art: Principal Security Consultant, Bishop Fox Nate Robb:&nbsp;Senior Operator with Bishop Fox&nbsp;



For an increasing number of organizations, the explosion in attack surfaces has reached unmanageable levels amid the widespread adoption of cloud services. In fact, 79% of companies have experienced at least one cloud data breach in the last 18 months, often due to unknown vulnerabilities. &nbsp;



One of the key challenges in the unprecedented growth in cloud infrastructure is understanding which vulnerabilities and misconfigurations are the most exploitable and impactful. While many organizations spend a lot of time fixing the issues they can easily identify with tools, tools have limitations and often do not operate in the same vein as a hacker. Uniquely, an offensive security approach offers the ability to identify the type of attack paths that a malicious attacker will actually take and, therefore, better prepare against. &nbsp;



1:00 PM ET &nbsp; BREAK | Visit Solutions Center&nbsp;



1:15 PM ET&nbsp; Research Session: Cloud security:&nbsp;findings&nbsp;from a CRA business intelligence research study&nbsp; &nbsp;&nbsp; Matt Alderman, EVP, Foresight, CyberRiskAlliance Bill Brenner, VP, Custom Content, CyberRiskAlliance 



What are the main challenges security teams face when it comes to securing their cloud implementations? In this session, CyberRisk Alliance Business Intelligence’s Matt Alderman and Bill Brenner review the findings of a research study Business Intelligence conducted last month among 303 IT cybersecurity decision makers. They will focus on the specific challenges organizations face, and how to overcome those challenges.



2:00 PM ET&nbsp; 10 Steps to cloud security success in 2022. Richard Beckett: Senior Product Manager, Sophos Public Cloud Security Team



With busy IT teams how do you make sure you’re making the right cloud security decisions in 2022? Join Sophos as we discuss how to operationalize your cloud security approach, adding the right security tools and expertise to help you reduce security risk, increase cloud security posture, and improve the efficiency of your security program and internal teams. &nbsp;



2:30 PM ET Planning and building a strategy for comprehensive cloud infrastructure security Lior Zatlavi: Sr. Cloud Security Architect, Ermetic



With so many different variables to consider when designing and implementing a security strategy for your AWS, Azure or GCP environment, it is difficult to organize everything or take the first step. You need a guide to help set priorities and build a plan of action.



Outlining best practices and compliance standards is a good place to start. But these alone don’t enable you to actually assess the maturity of your current cloud security practices and build a roadmap for continuous improvement.



To this end, we created the Cloud Security Maturity Model, a lightweight and easy to understand framework that defines the key guidelines for a comprehensive cloud security strategy. It serves as a guide for prioritizing and implementing security controls and procedures.



3:00 PM ET Enabling trust in cloud-as-infrastructure Seema Kathuria Senior Product Marketing Manager, Cisco/Duo



While there are numerous benefits of adopting cloud-as-infrastructure including cost savings, access and availability of compute resources and services, scalability, and resource optimization, security is not inherent and cannot be taken lightly. Organizations must plan and prepare for mitigating security risks to protect the business and assets hosted in a cloud environment.



In this session, we will discuss security implications of adopting cloud-as-infrastructure and best practices organizations should consider for risk management and enhancing trust in the cloud.



3:30 PM ET&nbsp; Closing Keynote,- Burning questions to ask when developing a shared responsibility agreement Jim Reavis: Co-founder &amp; CEO, Cloud Security Alliance&nbsp;&nbsp;



Cloud service providers and their clients must enter into a shared responsibility model, whereby the two parties divvy up control of all security-related matters and decide who is accountable when an incident occurs. To reach this understanding, organizations must first assess the security capabilities and histories of prospective cloud services providers. Then they must ask the right questions to these third-party providers to determine if they are the right fit, and to ensure that any shared responsibility model is mutually beneficial. This session will review the most important metrics to assess the efficacy of cloud services providers and the key questions you must ask as you negotiate a shared responsibility contract. DAY 2 | MAY 18 &nbsp; 10:45 AM ET&nbsp; Program Opens&nbsp;



11:00 AM ET&nbsp; Opening Keynote &#8211; Privacy shield reborn? the cloud’s lingering privacy and data sovereignty issues Sujit Raman: Partner, Sidley Austin LLP + former Associate Deputy Attorney General, DOJ&nbsp;



Privacy and data sovereignty concerns continue to swirl around companies that manage their assets in the cloud – especially whenever data crosses international boundaries. Just this past March, it was reported that the U.S. and European Union were close to finalizing a new data-sharing pact that would replace the old Privacy Shield agreement that was nullified in 2020 by the EU Court of Justice’s “Schrems II” decision. In this session, Sujit Raman, who coordinated the DOJ’s response to EU court’s decision while serving as an associate deputy attorney general, will share his views on this latest developments, including what needs to be in the latest data-sharing agreement for it to pass muster with the EU courts and privacy advocates. He will also weigh in on other lingering data privacy and jurisdiction concerns that must still be resolved.



11:30 AM ET Survivorship bias, growing attack surface and finding your weakest links when moving to the cloud Fredrik Nordberg Almroth: security researcher and Detectify co-founder&nbsp;



With more organizations moving to the cloud, new systems being exposed online and growing moving parts, security risks continue to change leading to increased complexity. Alongside, the lack of transparency leads to an expanding attack surface that is hard to defend from attackers. Companies &#8211; irrespective of the sector &#8211; must address the issue of the increasing web-facing attack surfaces and in this session, Fredrik will talk about why it is the most pressing issue facing CISOs today.&nbsp; 12:00 PM ET&nbsp; Developer-focused security from code to cloud, and back to code Jim Armstrong: Senior Director, Product Marketing, Synk&nbsp;



Cloud and DevOps practices blur the boundary between application development and the production cloud environment. Solutions that satisfy the needs of only the development team -or- the security &amp; operations teams, in isolation, don’t help where organizations need it the most: reducing security risk while ALSO increasing the speed of application delivery.&nbsp;



12:30 PM ET&nbsp; Silver linings: self-learning ai for cloud and Saas Maria Fung, Technical Manager, Darktrace Holdings 



Cloud and SaaS platforms have created digital environments where businesses can innovate, collaborate, and share more than ever before. However, this is often at the cost of visibility and control. In this session, Maria Fung, Darktrace’s Technical Manager will discuss the challenges of securing cloud and SaaS applications. Discover why Self-Learning AI is best-in-class in protecting organizations’ dynamic workforces and constantly changing digital infrastructure.



1:00 PM ET&nbsp; Break&nbsp;



1:15 PM ET Thought leadership panel: API apprehension: improving API security amidst rampant cloud-based services adoption Jack Hart: Vice President, Information Security Architect, City National Bank Sonya Moisset: Security Advisory Board Member &amp; Ambassador, OpenUK; Omar Shabir Peerzada: Cyber Security Architect, Neiman Marcus



As APIs grow exponentially in number across web and mobile app ecosystems, businesses are increasingly challenged to achieve the visibility, governance and standardization they need in order to prevent and detect code vulnerabilities that open the door to threat activity. Factors contributing to API sprawl include increased adoption of cloud-based services and microservices architectures, version control issues stemming from continuous software development, complex integration challenges, and siloed product and dev teams working on their own separate projects. This panel will examine why API sprawl has created a fertile breeding ground for cyber threats, and what developers and security professionals must do to institute more responsible API policies and practices.



2:00 PM ET&nbsp; Security blind spots in the era of cloud communication &amp; collaboration: are you protected? Shlomi Levin: Security Researcher &amp; Co-Founder, Perception Point &nbsp;



The need to communicate, collaborate and do business on a global level has created a proliferation of cloud-based applications and services. Email. Cloud Storage. Messaging platforms. CRM. Digital Apps and Services. Organizations continue to add new cloud channels to support their business needs. But with new channels come new security blind spots that must be addressed. &nbsp;



2:30 PM ET Hidden risks of using open source software Maciej Mensfeld: Director of Product, White Source Software



With each passing year, open source software use increases. But this trend does not come without a price. Modern software’s heavy reliance on open source components created space for exploitation by malicious actors. New threats are challenging to detect and to protect against. This session should arm you with knowledge about the risks and practical countermeasures you can take to avoid becoming a victim



3:00 PM ET&nbsp; Injection vulnerability: What do developer’s actually know? Amy Baker: Chief Marketing Officer, HackedEDU&nbsp;



In this session, we will discuss the application security landscape and what role secure development training plays in it. We will highlight data from over 100,000 training sessions on our Secure Coding Platform, focused on one of the most common vulnerabilities, injection. We will highlight what developers know today about injection and how you can use that data to build a plan for secure coding training inside your organization.&nbsp;



3:30 PM ET&nbsp; Closing Keynote: The most common visibility and compliance lapses in your cloud vendors&#8217; environments. Kayne McGladrey: Senior Member, IEEE &amp; Cybersecurity Strategist, Ascent Solutions&nbsp;



Whenever a key business function is hosted by a cloud-based vendor, your organization cedes a certain amount of control to the service provider. And that sometimes means that your security team lacks visibility into how this third party handles sensitive data and to what degree it successfully meets regulatory compliance standards around privacy and data security. This session will identify some of the most common gaps in visibility and compliance to develop between companies and their SaaS, PaaS and IaaS providers, and explain the root causes behind these lapses so that your own company hopefully can avoid some of these pitfalls.&nbsp;

eSummit_SecuringCloud_448x275-01

Cloud security

Asset Management

Cloud

eSummit

Securing Cloud-as-Infrastructure

Tanium-July-Promo-Image-7-2021-1920×1080-1

Architecture

Strategy

Incident response

Threat intelligence

Threat modeling

Uncategorized

Unsubcategorized

Blue team

Cybercast

How to Implement Cloud Security That Actually Works: Lessons From the Front Lines

(Aired on June 22, 2021) Earn up to 3 CPE&#8217;s Here’s the challenge: Web applications are progressively extending the range of critical business operations they support. But software development for cloud-native environments requires continuous security oversight. Against this backdrop, cybersecurity leaders and strategists must strike a balance between accelerating a business’s go-to-market and safeguarding the applications that fuel its growth and productivity. Producing quality code quickly and securely is always the goal. But efforts to integrate security into the software development cycle is more often perceived as a roadblock than a catalyst. Hear from top experts in a series of discussions and presentations focused on application security, topics include: • How to map application security requirements to compliance frameworks • Embracing and extending DevSecOps principles • Standardizing application security policies within business lines Discover how modern application security programs can operate at the speed and scale that’s required to empower, not deter, the business. 



AGENDA 11:00 AM ET KEYNOTE | Preventing the exhaust ports: How not to build a Death Star with your&nbsp;SDLC Kevin Johnson,&nbsp;CEO, Secure Ideas Millions of stormtroopers and galactic empire citizens were lost because engineers didn&#8217;t understand their design flaws.&nbsp;While this is a great movie reference, the reality is that organizations are deploying applications with their version of this fatal flaw every day.&nbsp;In this presentation, Kevin Johnson of Secure Ideas will walk attendees through various examples of application flaws, using real applications he and his team have tested.&nbsp;He will then discuss how the flaws happened and methods for improving your SDLC and security integration to prevent them in the future.&nbsp;



<div class="wp-container-628d08dd29c4a wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-container-628d08dd29a65 wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-container-628d08dd29863 wp-block-group"><div class="wp-block-group__inner-container">
11:55&nbsp;AM ET Beyond DAST: A DAST-first tool with IAST depth&nbsp; Mark Schembri,&nbsp;Technical Solutions Engineer, Invicti The versatility of modern dynamic tools brings advantages that extend far beyond the typical vulnerability scanning functionality. The inclusion of&nbsp;True IAST functionality maintains the advantages of a DAST solution while going deeper than ever to identify and verify more vulnerabilities with access to the application code. You will learn how&nbsp;Netsparker’s&nbsp;IAST capabilities will help you:



<ul id="block-b68249d0-2801-474a-9579-3e43be3ede32" class="has-vivid-red-color has-text-color"><li>Find more&nbsp;vulnerabilities&nbsp;</li><li>Further reduce false positives&nbsp;</li><li>Simplify&nbsp;remediation</li></ul>
</div></div>
</div></div>
</div></div>



<div class="wp-container-628d08dd2a633 wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-container-628d08dd2a45f wp-block-group has-text-color" style="color:#444444"><div class="wp-block-group__inner-container">
<div class="wp-container-628d08dd2a289 wp-block-group"><div class="wp-block-group__inner-container">
12:35 PM ET Embed&nbsp;sophisticated&nbsp;bot&nbsp;detection into your CI/CD&nbsp;pipeline with a&nbsp;single&nbsp;line of&nbsp;code. Peter Craig,&nbsp;Director of Product Marketing, Human Security Enterprises find it increasingly difficult to defend web applications from automated attacks.&nbsp;Even when apps function as intended, they are vulnerable to criminals using sophisticated bots that mimic human behavior using mouse movements, keystrokes, and fake browser behaviors.&nbsp;Solution: By embedding effective, multilayered, bot detection and mitigation, you can protect your application from automated attacks while providing insight to development on the tactics your adversaries used and the resources they targeted.&nbsp;Learn how you can:&nbsp;



<div class="wp-container-628d08dd2a0b5 wp-block-group"><div class="wp-block-group__inner-container">
<ul class="has-vivid-red-color has-text-color"><li>Detect even the most sophisticated, dynamic bots and gain full transparency into each&nbsp;detection&nbsp;</li><li>Mitigate malicious bots and nonstandard traffic in&nbsp;real-time&nbsp;</li><li>Enhance your application user experience with minimal performance&nbsp;impact</li></ul>



1:15 PM ET KEYNOTE | Scorched earth: Empirical research in hacking and securing&nbsp;APIs&nbsp; Alissa Knight,&nbsp;Partner,&nbsp;Knight Ink Application programming interfaces (APIs) are now everywhere, powering the way we live, work and play. But when authentication and authorization is broken, it opens everything up from the data these APIs are serving to remote control of connected passenger vehicles. Unfortunately, many organizations are using the wrong security control to secure their APIs, akin to using a hammer to nail in a screw. Cybersecurity professionals must ensure that APIs are secured correctly, so every request is authenticated and authorized. Solutions should interdict the traffic and ensure the traffic destined for the API is not synthetically generated by malicious tools. In this keynote session, Alissa Knight will share:



<ul id="block-822071bb-1a89-4e27-a30c-b01348f9155b" class="has-vivid-red-color has-text-color"><li>Several years of empirical data gleaned from her hacking of banks, automobile manufacturers, and healthcare providers and payers through their&nbsp;APIs</li><li>What her research produced when the wrong security control was used to secure these&nbsp;APIs</li><li>What you should be looking for in your API threat management solution</li><li>Most importantly, what the indicators of compromise are to the specific tactics and techniques used to breach&nbsp;APIs</li></ul>



1:55 PM ET Between the&nbsp;chair and&nbsp;keyboard J. Wolfgang Goerlich,&nbsp;Advisory CISO, Duo Security&nbsp;at Cisco People ultimately decide our security posture. The dreaded end-users.&nbsp;People performing conscientiously&nbsp;and consistently is a lofty goal. Risk management gives us the process to follow.&nbsp;Control&nbsp;frameworks&nbsp;give&nbsp;us the standards to set and meet. Yet it is people who ultimately decide our security posture.&nbsp;In this presentation, we look at the psychology and behavior science of individuals making risk decisions and leaders affecting culture change, and how it affects the security of organizations and the applications on which they rely.&nbsp;Attendees will leave with insights and pragmatic tactics for improving the human element in risk and compliance.



2:35 PM ET How to determine what your open-source risks look like&nbsp; David Lindner,&nbsp;CISO, Contrast Security&nbsp; Studies show that upwards of 80% of software code is comprised of open-source libraries. But the reality is that less than 10% of classes within active libraries are ever invoked by the application. Yet, open-source libraries contain significant vulnerability and licensing risks with 34 CVEs per application on average and 35% of applications containing a copyleft license. Attend this session to learn what open-source risks matter and how to focus on fixing them quickly and easily.



3:15 PM ET Best practices for developers for master security&nbsp; Anna Rozin,&nbsp;Director of R&amp;D,&nbsp;WhiteSource Shiri Arad&nbsp;Ivtsan,&nbsp;Director of Product,&nbsp;WhiteSource When you ask developers what they think of security, they will likely go into the situation without much enthusiasm as in their mind – security is slowing them down and holding them back from doing their “actual” job. But – it doesn’t necessarily have to be that way. The friction between developers and security teams can be&nbsp;reduced if the right tools and processes are in place. Want to learn how handling security can be quick, efficient and integrate into daily workflows?&nbsp;Join Anna Rozin, director of R&amp;D at&nbsp;WhiteSource, and Shiri Arad&nbsp;Ivtsan, director of product at&nbsp;WhiteSource, who will share their hands-on experience in managing&nbsp;open source&nbsp;components with WhiteSource tools. In this session you&#8217;ll learn:



<ul class="has-vivid-red-color has-text-color"><li>Practical advice on testing, managing and fixing vulnerabilities in&nbsp;open source&nbsp;code&nbsp;packages&nbsp;</li><li>The tools and processes to handle security in a fast and effective&nbsp;way&nbsp;</li><li>How to empower developers with security data through prioritization and remediation tips&nbsp;</li></ul>



<div class="wp-container-628d08dd29ed7 wp-block-group"><div class="wp-block-group__inner-container">
3:55 PM ET KEYNOTE | Preventing the next&nbsp;SolarWinds: A look at the evolving app security&nbsp;landscape Keith&nbsp;Hoodlet,&nbsp;Director, Application Experience, Thermo Fisher Scientific Attackers targeting vulnerabilities in applications are growing more sophisticated – looking beyond the low hanging fruit of consumer apps to enterprise software that provides an avenue in for widespread network compromise across an expansive supply chain. Keith&nbsp;Hoodlet,&nbsp;director of application experience at Thermo Fisher Scientific, speaks about the evolving tactics for infiltrating the network via gaps in software security, and must-do-defensive strategies to prevent the next SolarWinds or Accellion hack.&nbsp; 
</div></div>
</div></div>
</div></div>
</div></div>
</div></div>

Generic_215x132_bannerNEW4

Container security

Vulnerability management

Integrating Application Security: Reengineering AppSec as a business catalyst

SAP Corporate Headquarters

Perspective

Why security teams need to automate DevSecOps for SAP

Latest Consumer Technology Products On Display At CES 2016

Zero trust

News

Few IT pros say they have ‘mastered’ security in cloud-native environments

DavidStewart

Analysis

CEO David Stewart talks about how Approov’s cloud-native technology protects API keys

Application Security Weekly

BadAlloc Vulns, Gatekeeper Bypass, & More Spectre in Micro-Op Caches – ASW #149

BadAlloc Vulns, Gatekeeper Bypass, & More Spectre in Micro-Op Caches

Hosts

Announcements

Related

Why security teams need to automate DevSecOps for SAP

Few IT pros say they have ‘mastered’ security in cloud-native environments

CEO David Stewart talks about how Approov’s cloud-native technology protects API keys