Log4j, SolarWinds, Tesla hacks, and the wave of high-profile appsec problems aren't going to go away with current approaches like SAST and SCA. Why? They are:
- 40 years old, with little innovation
- Haven't solved the problem.
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot and https://github.com/forallsecure/vulnerabilitieslab
Show Notes: https://securityweekly.com/vault-esw-12
David Brumley, a cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, sits down to talk about the AI Executive Order that was recently signed. Ben's story reviews the outlines of a new Executive Order on AI. Dave's got one organization's attempts to look at data provenance in AI. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Links to stories:
Biden signs AI executive order, the most expansive regulatory attempt yet
AI researchers uncover ethical, legal risks to using popular data sets
Caveat Briefing: A companion weekly newsletter is available to CyberWire Pro members on the CyberWire's website. If you are a member, make sure you subscribe to receive our weekly wrap-up of privacy, policy, and research news, focused on incidents, techniques, tips, compliance, rights, trends, threats, policy, and influence ops, delivered to your inbox each Thursday. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
The Hive ransomware gang may be back, and rebranded. Coinminers exploit AWS IAM credentials. LockBit claims to have obtained sensitive information from Boeing. Ukrainian auxiliaries disrupt Internet service in Russian-occupied territory, while internet and telecoms are down in Gaza. Deepfakes have an effect even when they're not used. Joe Carrigan explains executive impersonations on social media. Our guest is David Brumley, cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure, discussing spooky zero days and vulnerabilities. And President Biden releases a US Executive Order on artificial intelligence. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/207
Selected reading:
New Hunters International ransomware possible rebrand of Hive (BleepingComputer)
CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys (Palo Alto Networks Unit 42)
Boeing assessing Lockbit hacking gang threat of sensitive data leak (Reuters)
Ukrainian hackers disrupt internet providers in Russia-occupied territories (Record)
Israel steps up air and ground attacks in Gaza and cuts off the territory's communications (AP News)
The Destruction of Gaza's Internet Is Complete (WIRED)
Rocket Alert Apps Warn Israelis of Incoming Attacks While Gaza Is Left in the Dark (WIRED)
Elon Musk's Starlink to help Gaza amid internet blackout (Record)
Families of Hostages Kidnapped by Hamas Turn to Phone Pings for Proof of Life (WIRED)
Israel Taps Blacklisted Pegasus Maker to Track Hostages in Gaza (Bloomberg)
A.I. Muddies Israel-Hamas War in Unexpected Way (New York Times)
FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (The White House)
Administration Actions on AI (AI.gov)
The US Executive Order on artificial intelligence is out. (CyberWire)
There's cybersecurity, and then there's cyberwarfare. My next guest is both an academic and a practitioner of cyber wargames. He's here to update us on the types of exercises going on right now in federal agencies. David Brumley is CEO of ForAllSecure, and recently returned to Carnegie Mellon University as a computer science professor.
In today's episode of Category Visionaries, we speak with David Brumley, CEO of ForAllSecure, an automated security testing platform that's raised over $38 million in funding, about how a hacker mindset in defensive security can turn the tables on aggressors and give your cyberdefense the edge in the endless technology arms race. By deploying automated systems to construct a comprehensive map of an enterprise's existing security landscape, built on off-the-shelf code, ForAllSecure identifies exactly where action should be taken to tighten up any potential cracks in your defenses before a disastrous incursion ever occurs. We also spoke about David's colorful life before transitioning to a career in the tech startup space, what it was like setting out to disrupt Silicon Valley in the 1990s and how things have changed since then, and why hostility in public discourse is just par for the course when you challenge established industry dogma. Without paying too much attention to the category creation complex, David sees ForAllSecure as forging its own niche based exclusively on the efficacy of its software solutions.
Topics Discussed:
- How David decided to change his life, and how one crazy night led him to the world of technology solutions
- How Silicon Valley got its start in the University sphere, and how things have changed since the years of classified ads to become billion dollar investment opportunities
- Why disrupting industry dogma inevitably brings public backlash, and how David manages to move beyond it by focusing on solutions
- Why the hard part of building a business isn't having a vision, but holding onto your vision when things don't go your way
- How recognising the utility of research is the only way to really move an industry forward with cutting-edge technology
- Why ForAllSecure started with enterprise-led sales, but found new opportunities by developing PLG channels to build adoption from the ground up
Favorite book: The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers
David Brumley is the founder and CEO of ForAllSecure, a startup spun out of Carnegie Mellon University that has raised over $36 million. The company provides cutting-edge cybersecurity solutions to Fortune 500 companies and government agencies, including the Department of Defense. Straight out of college, David Brumley worked in IT at Stanford University, fixing and securing issues with the university's open network. His challenges motivated him to pursue a decade-long research quest to solve the problem of real-time, automated testing and security compliance. This research led to the founding of ForAllSecure and their first product, "MAYHEM", which scans software for bugs, generates exploits, and fixes vulnerabilities. In this episode, Aaron and David talk about selling security to the Department of Defense, how he raised millions of dollars from Tier 1 VCs, and how his startup is the culmination of more than a decade of academic research. David Brumley's Challenge: Look at what you're good at and pay it forward. If you liked this interview, check out the episode Naval Ravikant's Wisdom w/ Eric Jorgenson, where they talked about the power of leverage and how to use more of it.
This week, Dr. David Brumley from ForAllSecure is with us to discuss Bringing Autonomy to Appsec. Then, in the enterprise security news: ZeroFox has a $1.4 billion blank check, Corellium raises a $25M series A, GreyNoise makes its data free to help out Log4j sufferers, AWS suffers its third outage in a month (coincidentally hindering GreyNoise's efforts), Ditching Unicorns for Dragons, yet another easy way to become domain admin (thanks, Microsoft), and a new report finds that current phishing training isn't effective and is even potentially harmful. Finally, we'll take a look at some of the biggest stories and interviews we discussed this year on ESW and will wrap with our thoughts and hopes for 2022.
Show Notes: https://securityweekly.com/esw255
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot and https://github.com/forallsecure/vulnerabilitieslab
Visit https://www.securityweekly.com/esw for all the latest episodes!
Log4j, SolarWinds, Tesla hacks, and the wave of high-profile appsec problems aren't going to go away with current approaches like SAST and SCA. Why? They are:
- 40 years old, with little innovation
- Haven't solved the problem.
In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.
Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot and https://github.com/forallsecure/vulnerabilitieslab
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw255
David Brumley is the CEO of ForAllSecure, a cybersecurity company whose products are based on Mayhem, the amazing machine that David designed to autonomously apply patching and continuous penetration testing in real time. In this episode of Cybersecurity Unplugged, Brumley discusses:
- Software flaw detection and how Brumley developed Mayhem;
- Brumley's contract with the Pentagon to find coding flaws in operating systems and custom programs used by the US military;
- Legal barriers to autonomously fixing software bugs.
In this episode, Dr Simon McKenzie talks with Professor Ryan Ko about the prospects and risks of cyber autonomy. Programs and systems are being developed that automate cyber defence, allowing them to self-discover, prove and correct software vulnerabilities in real time. Some are capable of more than defending: they can also attack other systems in the computer network, all without direct human oversight.
Professor Ryan Ko is Chair and Director of Cyber Security at the University of Queensland and is also Deputy Head of School (External Engagement) at the School of Information Technology and Electrical Engineering. His research in cyber security focuses on returning control of data to cloud computing users and reducing users' reliance on trusting third parties, concentrating on (1) provenance logging and reconstruction and traceability, and (2) privacy-preserving data processing. Along with his academic research, he has advised companies and governments on managing cybersecurity risks.
Further reading:
Ryan Ko, 'Cyber Autonomy: Automating the Hacker', preprint of chapter in Reuben Steff, Joe Burton, Simona R. Soare, Emerging Technologies and International Security: Machines, the State, and War (Routledge, 2020).
David Brumley, 'The Cyber Grand Challenge and the Future of Cyber-Autonomy' (2018), USENIX ;login:, 43(2).
Team Shellphish, Cyber Grand Shellphish.
David Brumley, professor of electrical and computer engineering at Carnegie Mellon University and CEO of ForAllSecure, joins Dennis Fisher to talk about the importance of software security and the software supply chain as well as the need for better cooperation between developers and security teams.
A contractor for Russia's FSB security agency was apparently breached. NSO Group says its Pegasus software can now obtain access to private messages held in major cloud services. Iranian cyber operations are said to be spiking, and Tehran is paying particular attention to LinkedIn. Colleges and universities are experiencing ERP issues, and a minor wave of bogus student applications. Equifax receives its judgment. And there's a sentence in the case of the NSA hoarder. Joe Carrigan from JHU ISI on Android apps circumventing privacy permission settings. Guest is David Brumley from ForAllSecure on autonomous security and DevSecOps. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_22.html
Secure software depends on people finding vulnerabilities and deploying fixes before they are exploited in the wild. This has led to a world of security researchers and bug bounties directed at finding new vulnerabilities. As dedicated as security researchers are, there is a vast ocean of software in existence, waiting for someone to find and exploit the next security vulnerability for profit or nefarious uses. With autonomous vehicles on the horizon, is there an autonomous solution to finding and fixing software vulnerabilities? Enter DARPA Cyber Grand Challenge winner "Mayhem", created by a team of researchers from Carnegie Mellon University who spun out security startup ForAllSecure. And they have a BHAG (Big Hairy Audacious Goal): "Our vision is to check the world's software for exploitable bugs so they can be fixed before attackers use them to hack computers." Mayhem has moved on from capture-the-flag contests to observing and finding vulnerabilities in DoD software and is working its way to corporate systems. In this episode of DevOps Chats we talk with David Brumley, ForAllSecure co-founder and CEO and CMU professor, about the technology behind Mayhem, how it observes software as it executes, and how it injects changes to effect and observe new and potentially exploitable behaviors. More information about Mayhem is also available at www.forallsecure.com.
Josh and Kurt talk to David Brumley, the CEO of ForAllSecure and professor at CMU. We discuss when David's team won the Cyber Grand Challenge, what the future of automated security looks like, and what ForAllSecure is doing. It's a fascinating window into the future of the industry.
Hackers are in high demand by companies to help strengthen their security, but there's currently a shortage of talent. CyLab director David Brumley argues that the problem is that society at-large does not fully understand what hacking means. In this episode, we'll hear from four members of CMU's top internationally ranked hacking team, the Plaid Parliament of Pwning, about how they got into hacking, and why.
Some of the fastest-changing technology is occurring in cyberspace, often outpacing existing norms and ethics around the use of such technology. Autonomous weapons are already a reality, but defense departments and politicians are only now beginning to grapple with how to use them. Before long, can we expect to see a weapon system that has no human at all in the decision chain? Tim Maurer, co-director of Carnegie Endowment's Cyber Policy Initiative and David Brumley, director of Carnegie Mellon's Security & Privacy Institute, sat down with Tom Carver to discuss these important issues.
David Brumley, President & Director, Carnegie Mellon University's CyLab
Checking the World's Software for Exploitable Bugs
To Carnegie Mellon University's David Brumley, hacking is "not something just bad guys do." Brumley, a professor and director of the CyLab Institute at Carnegie Mellon University, will discuss the important science behind hacking at Carnegie Science Center's next Café Scientifique on Monday, Oct. 5, from 7 – 9 pm. Brumley and his team at Carnegie Mellon's CyLab (cyber security lab) envision a world in which software is automatically checked for exploitable bugs, giving people the ability to trust their computers. The demand for cybersecurity professionals is growing, and Carnegie Mellon University is working to train students interested in the field. Brumley is an associate professor who focuses on software security, with appointments in the Electrical and Computer Engineering Department and the Computer Science Department. He is the faculty mentor for the CMU Hacking Team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world. Brumley's honors include a 2010 NSF CAREER award, a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama, the highest award in the U.S. for early career scientists, and a 2013 Sloan Foundation award. Brumley is the 2015 winner of the Carnegie Science Award in the University/Post-Secondary Educator category. He was lauded for recognizing the need for novel approaches to STEM education, leading him to spearhead picoCTF, a national cyber security game and contest targeted at exciting young minds about computer security. Brumley attended the University of Northern Colorado for his bachelor's degree in mathematics, Stanford University for his master's degree in computer science, and, most recently, CMU for his PhD in computer science.
At Stanford, he worked as a computer security officer, solving thousands of computer security incidents in a four-year span. Recorded on Monday, October 5, 2015 at Carnegie Science Center in Pittsburgh, PA.