Podcasts about magecart

How prepared is your organization to tackle the growing threat of client-side attacks? In this episode of the Tech Talks Daily Podcast, I sit down with Lynn Marks, Senior Product Director at Imperva, a Thales company, to discuss the rise of Magecart attacks and the implications of the newly updated PCI DSS 4.0 standards. Client-side attacks, like Magecart, have been a looming threat since 2015, gaining significant traction as digital transformation accelerated during the global pandemic. As more businesses moved their operations online, the landscape for these attacks became increasingly fertile, putting sensitive customer data at risk. With the recent release of PCI DSS 4.0, the stakes have never been higher for organizations processing payments online. Lynn dives into the specifics of how these attacks operate, targeting vulnerable JavaScript to steal data directly from users, often without detection. We explore the key updates in PCI DSS 4.0, particularly the new requirements that demand businesses inventory, authorize, and monitor client-side scripts more rigorously. Lynn shares practical insights on how companies can navigate these requirements, mitigate risks, and enhance cross-team communication to protect against these sophisticated threats. What strategies should your business adopt to stay ahead of client-side attackers, and how can you ensure compliance with the evolving security standards? Tune in to this episode for an in-depth conversation on safeguarding your online transactions and staying resilient in the face of emerging cyber threats. After listening, I'd love to hear your thoughts—how is your organization adapting to the new PCI DSS 4.0 requirements?

Acuity downplays its recent breach. IcedID gives way to a new malware strain. Russia arrests alleged credit card thieves. Wiz uncovers security flaws in Hugging Face AI models. NERC and the E-ISAC review lessons learned from simulated attacks on the electrical grid. UK police track honey traps targeting MPs. Microsoft says China is actively trying to influence US elections. A major global lens maker suffers a cyber attack.  Guest Dick O'Brien from the Symantec Threat Hunter Team shares how ransomware operators adapt to disruption. And SEO under threat of legal action.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Guest Dick O'Brien from Symantec Threat Hunter Team by Broadcom shares how ransomware operators adapt to disruption. Get more details in the blog: Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption. Selected Reading Acuity Responds to US Government Data Theft Claims, Says Hackers Obtained Old Info (SecurityWeek) New Latrodectus malware replaces IcedID in network breaches (bleepingcomputer) Magecart-style hackers charged by Russia in theft of 160,000 credit cards (The Record) Wiz Discovers Flaws in GenAI Models Enabling Customer Data Theft (Infosecurity Magazine) Lessons learned from electrical grid security exercise (nerc) British police investigating ‘honey trap' WhatsApp messages sent to MPs (The Record) China is trying to influence US elections with AI, Microsoft claims (siliconrepublic) Lens Maker Hoya Scrambling to Restore Systems Following Cyberattack (SecurityWeek) A ‘Law Firm' of AI Generated Lawyers Is Sending Fake Threats as an SEO Scam (404 Media) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

In this episode of the Retail & Hospitality ISAC podcast, host Luke Vander Linden is joined by Target team members Ryan Miller, senior director of cyber security and cyber threat intelligence, and Leah Schwartzman, lead cyber security analyst, cyber threat intelligence, to discuss the ever-evolving threat landscape. They'll provide insight on how retailers can better prepare for the upcoming holiday season. Luke is then joined by Anthony Lauro, director of security technology and strategy at Akamai Technologies to discuss three Magecart-style attack campaigns that Akamai has been tracking since the beginning of 2023. To learn more about these attacks, visit Akamai's blog. Finally, Luke talks to our latest member spotlight feature Michael Francess, senior manager of cybersecurity advanced threat and response at Wyndham Hotels & Resorts. We were able to talk with Michael about his fascination with cybersecurity during his youth, his role at Wyndham, and how the RH-ISAC community has impacted him.

Disinformation and Hacktivism in the war between Hamas and Israel. KillNet and the IT Army of Ukraine say they'll follow ICRC guidelines. The current state of DPRK cyber operations. The Grayling cyberespionage group is active against Taiwan. A Magecart campaign abuses 404 pages. 23andMe suffers abreach. Voter records in Washington, DC, have been compromised. In our Solution Spotlight, Simone Petrella speaks with Raytheon's Jon Check about supporting and shaping the next generation of the cyber workforce. Grady Summers from SailPoint outlines the importance of organizations managing and protecting access to critical data. And a look at CISOs willingness to pay ransom.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/193 Selected reading. The Israel-Hamas War Is Drowning X in Disinformation (WIRED)  As false war information spreads on X, Musk promotes unvetted accounts (Washington Post)  Elon Musk's X Cut Disinformation-Fighting Tool Ahead of Israel-Hamas Conflict (The Information)  US opinion divided amid battle for narrative over Hamas attack on Israel (the Guardian) Zelensky Compares Assault by Hamas on Israel to Moscow's Invasion of Ukraine (New York Times)  Russia cites ‘concern' but does not condemn Hamas attack on Israel (Washington Post)  The Israel–Hamas Conflict: Implications for the Cyber Threat Landscape (ReliaQuest)  Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App  Hacktivism erupts in Middle East as Israel declares war (Register)  The Israel-Hamas War Erupts in Digital Chaos (WIRED)  Hacktivists in Palestine and Israel after SCADA and other industrial control systems (Cybernews)  Hackers Join In on Israel-Hamas War With Disruptive Cyberattacks  (SecurityWeek) Israel's government, media websites hit with cyberattacks (Cybernews)  Website of Jerusalem Post crashes after multiple cyberattacks (OpIndia)  Ukraine cyber-conflict: Hacking gangs vow to de-escalate (BBC News)  North Korea Suspected in Massive Hack of DeFi Project Mixin (OODA Loop)  Assessed Cyber Structure and Alignments of North Korea in 2023 (Mandiant)  Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan (Symantec) The Art of Concealment: A New Magecart Campaign That's Abusing 404 Pages (Akamai)  Hacker Claims to Have Data of 7 Million 23andMe Users from DNA Service (Hack Read)  23andMe user data breached in credential-stuffing attack (Engadget)  ‘Your DNA is for sale on the black market': 23andMe data breach exposes customers (The Daily Dot)  23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews (WIRED)  23andMe data breach affects a million users with Jewish heritage (Dataconomy) D.C. voter records for sale in cybercrime forum (CyberScoop)  Hackers access voter information in DC Board of Elections data breach (WTOP News)  DC Board of Elections investigates voter data breach (NBC4 Washington)  The CISO Report (Splunk) October 2023 Patch Tuesday forecast: Operating system updates and zero-days aplenty (Help Net Security) Learn more about your ad choices. Visit megaphone.fm/adchoices

A New Magento campaign is discovered. Gootloader malware-as-a-service afflicts law firms. Researchers find security flaws affecting cryptowallets. Panasonic warns of increasing attacks against IoT. A Belarusian cyberespionage campaign outlined. The five cyber phases of Russia's hybrid war, and lessons in resilience from Ukraine's experience. In our Threat Vector segment, Kristopher Russo, Senior Threat Researcher for Unit 42 joins David Moulton to discuss Muddled Libra. Kayla Williams from Devo describes their work benefiting the community at BlackHat. And a new DARPA challenge seeks to bring artificial intelligence to cybersecurity. On this segment of Threat Vector, Kristopher Russo, Senior Threat Researcher for Unit 42, joins host David Moulton to discuss Muddled Libra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/152 Threat Vector links. Threat Group Assessment: Muddled Libra Selected reading. Xurum: New Magento Campaign Discovered (Akamai) Gootloader: Why your Legal Document Search May End in Misery (Trustwave) Fireblocks Researchers Uncover Vulnerabilities Impacting Dozens of Major Wallet Providers (Fireblocks) New BitForge cryptocurrency wallet flaws lets hackers steal crypto (BleepingCompute Panasonic Warns That IoT Malware Attack Cycles Are Accelerating (WIRED)  MoustachedBouncer: Espionage against foreign diplomats in Belarus (We Live Security)  Belarus hackers target foreign diplomats with help of local ISPs, researchers say (TechCrunch)  Pro-Russian hackers claim attacks on French, Dutch websites (Record)  Zhora: Russia's cyber 'war crimes' will outlast invasion (Register) The Power of Resilience (Cybersecurity and Infrastructure Security Agency CISA) Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America's Critical Software (The White House) AIxCC (AIxCC) The Biden administration wants to put AI to the test for cybersecurity (Washington Post)

Critical Vulnerability in MoveIT Transfer Actively Exploited https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft Atomic Wallet Compromise https://www.bleepingcomputer.com/news/security/atomic-wallet-hacks-lead-to-over-35-million-in-crypto-stolen/ Magecart Update https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains

Critical Vulnerability in MoveIT Transfer Actively Exploited https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft Atomic Wallet Compromise https://www.bleepingcomputer.com/news/security/atomic-wallet-hacks-lead-to-over-35-million-in-crypto-stolen/ Magecart Update https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains

LOBSHOT is a cryptowallet stealer abusing Google Ads. Coronation phishbait. A known CCTV vulnerability is currently being exploited. T-Mobile discloses another, smaller data breach. New Magecart exploits. Preliminary lessons from cyber operations during Russia's war. Rob Boyce from Accenture shares insights from RSA Conference. Our special guest is NSA Director of Cybersecurity Rob Joyce. And Europol announces a major dark web market takedown. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/84 Selected reading. New LOBSHOT malware gives hackers hidden VNC access to Windows devices (BleepingComputer) New 'Lobshot' hVNC Malware Used by Russian Cybercriminals (SecurityWeek) Elastic Security Labs discovers the LOBSHOT malware (Elastic Blog) Researchers see surge in scam websites linked to coronation (Computer Weekly)  TBK DVR Authentication Bypass Attack (FortiGuard)  T-Mobile discloses second data breach since the start of 2023 (BleepingComputer)  T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more (Ars Technica)  T-Mobile Announces Another Data Breach (CNET) Magecart threat actor rolls out convincing modal forms (Malwarebytes) Cyber lessons from Ukraine: Prepare for prolonged conflict, not a knockout blow (Breaking Defense) 288 dark web vendors arrested in major marketplace seizure (Europol)

Welcome to Cyber Briefing, a short newsletter that informs you about the latest cybersecurity advisories, alerts and incidents every weekday. First time seeing this? Please subscribe.

This week Dr. Doug tells us Where baby chips come from, PhilTel, AMI, Proot, Magecart, LockBit, scattered spider, Jason Wood, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn260

This week Dr. Doug tells us Where baby chips come from, PhilTel, AMI, Proot, Magecart, LockBit, scattered spider, Jason Wood, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn260

This week Dr. Doug tells us Where baby chips come from, PhilTel, AMI, Proot, Magecart, LockBit, scattered spider, Jason Wood, and more on the Security Weekly News!   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn260

All links and images for this episode can be found on CISO Series If you want to build a successful cybersecurity team, you need to be diverse, mostly in thought. But that diversity in thought usually is the result of people with diverse backgrounds who have had different experiences and have solved problems differently. It's actually really hard to hire a diverse team because what you want to do is simply hire people who look, talk, and sound like you. People who come from the same background as you. While that may work for building friends, it's not necessarily the best solution when building a team to secure your company. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of “Well Aware: The Nine Cybersecurity Habits to Protect Your Future” and "Project Zero Trust." Thanks to our podcast sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Our automated, client-side, data protection capabilities increase web application visibility, facilitate threat analysis, and detect and protect from client-side attacks, such as Magecart, XSS, e-skimming, and other threats focused on front-end web applications. In this episode: What are the personality types you need on your staff? Can you be a vCISO if you're not a CISO first. And if you're a vCISO without ever being a CISO, are you just a cybersecurity consultant? Also, what are some creative uses of honeypots most users don't consider?

Your host: Joseph Maxwell, Founder and CEO of SwiftOtter, Inc. Special Guest: Talesh Seeparsan, eCommerce Security Consultant and Strategist Security is one of those topics like taxes where we have to just do it. Talking to someone like Talesh Seeparsan about security on our Magento sites, however, totally changes the game! We say this every time, but this might be one of our favorite episodes to date! Talesh gives us some insight into some of the biggest hacks he has encountered, and some tips on how to prevent security breaches. Show Notes 0:00 Show Intro 1:46 Some of the big names in eCommerce Security 3:50 A typical day for Talesh 4:59 Some common examples of poorly-written code 6:23 The cost of a bug like a security breach 9:06 Quantifying an average breach 12:01 "The mind of an attacker" 14:37 The importance of keeping your extensions up to date 18:20 Humans tend to be the biggest security risk 19:51 Writing regular expressions with security in mind 22:41 Magecart attack 24:51 A security breach due to a reused password 27:56 The value in whitelisting specific IPs 29:56 Outro Connect with Talesh: LinkedIn Twitter Connect with Joseph: LinkedIn Twitter https://swiftotter.com https://twitter.com/Swift_Otter https://www.facebook.com/SwiftOtterInc Do YOU have an incredible debugging story to share? Send your story to brandym@swiftotter.com and you might be our next podcast guest! This podcast exists to inspire, educate and entertain eCommerce developers who are serious about improving their skills and advancing their careers! Have you joined the free SwiftOtter Slack community? It's exploding and we don't want you to miss out. You can join for free and get plugged into what might be the best group of collaborating developers around!

In today's podcast we cover four crucial cyber and technology topics, including: 1.Confluence hard-coded password flaw fixed 2.Magecart targets restaurant platforms to steal 50k transaction details 3.Lockbit claims Italian Revenue Agency as latest victim 4.Department of Justice seizes Bitcoin from North Korean attackers I'd love feedback, feel free to send your comments and feedback to  | cyberandtechwithmike@gmail.com

A daily look at the relevant information security news from overnight - 20 July, 2022Episode 269 - 20 July 2022Knauf Knocked Out- https://www.bleepingcomputer.com/news/security/building-materials-giant-knauf-hit-by-black-basta-ransomware-gang/Rusty Luna - https://thehackernews.com/2022/07/new-rust-based-ransomware-family.htmlGPS Over-Tracking - https://www.zdnet.com/article/flaws-in-a-popular-gps-tracker-could-allow-hackers-to-track-or-stop-vehicles-say-security-researchers/Oracle Patchfest- https://www.securityweek.com/oracle-releases-349-new-security-patches-july-2022-cpu Magicart Skim - https://docs.google.com/document/d/1Kse6lMi7hJEg1wDnVS_ZEND2pZOEMT4a9We3erCPsXE/editHi, I'm Paul Torgersen. It's Wednesday July 20th, 2022, and from Victoria, this is a look at the information security news from overnight. From BleepingComputer.com:The Knauf Group, a large Germany based building materials company, has announced it has been the target of a cyberattack that has disrupted its business operations. Their global IT team has shut down all systems to isolate the incident. Knauf has not confirmed it is a ransomware attack, but the Black Basta group has claimed responsibility for the attack on their extortion site. So far they claim to have released about 20% of the information they stole, which indicates they are likely still hopeful to receive a ransom from the victim. From TheHackerNews.com:Researchers have disclosed a brand-new ransomware family written in Rust, that Kaspersky Labs has named Luna. The ransomware is fairly simple and appears to be in its early development. It is designed to be used by Russian speaking threat actors, and can run on Windows, Linux, and ESXi systems. From ZDNet.com:Critical security vulnerabilities in the MiCODUS MV720 vehicle GPS tracker could be used to remotely track, stop or even take control of vehicles in which it is installed. These devices are popular with large companies and government entities, with approximately 1.5 million of them currently in use in 169 countries. Researchers at BitSight, who found the flaws, say these devices should not be used until patches are available. No word from MiCODUS on when that might be. From SecurityWeek.com:Oracle's quarterly Critical Patch Update has a total of 349 new security patches, including 230 for vulnerabilities that can be exploited by remote, unauthenticated attackers. 64 of the vulnerabilities are rated critical, with four of those scoring a ten out of ten. Financial Services Applications received the largest number of fixes, followed by Oracle Communications, then Fusion Middleware. Get your patch on kids. And last today, from ThreatPost.com:A Magecart campaign has been skimming payment-card credentials from customers using three online restaurant-ordering systems. The attack has affected over 300 restaurants and compromised at least 50,000 cards so far, which have already been offered up for sale on the dark web. The platforms impacted are MenuDrive, Harbortouch, and InTouchPOS. That's all for me today. Have a great rest of your day. Like and subscribe, and until next tomorrow, be safe out there.

Roaming Mantis, the FBI, Magecarts, CloudMensis, FreePBX, Russia, and liquid-cooled laptops, we also have a special guest, Rich Mogull from Firemon on this episode of the Security Weekly News.   This segment is sponsored by FireMon. Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn224

Microsoft 365 outage, Adobe shuns security, Magecart scale, Phishing & Biden Cybersecurity News CyberHub Podcast June 22nd, 2022 Today's Headlines and the latest #cybernews from the desk of the #CISO: Microsoft reveals cause behind this week's Microsoft 365 outage Adobe Acrobat Reader Shuns Security Products Due to Compatibility Issues Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign Europol Busts Phishing Gang Responsible for Millions in Losses Biden signs a pair of cybersecurity bills into law Story Links: https://www.bleepingcomputer.com/news/microsoft/microsoft-reveals-cause-behind-this-week-s-microsoft-365-outage/ https://www.securityweek.com/adobe-acrobat-reader-shuns-security-products-due-compatibility-issues https://thehackernews.com/2022/06/newly-discovered-magecart.html https://thehackernews.com/2022/06/europol-busts-phishing-gang-responsible.html https://therecord.media/biden-signs-a-pair-of-cybersecurity-bills-into-law/ “The Microsoft Doctrine” by James Azar now on Substack https://jamesazar.substack.com/p/the-microsoft-doctrine The Practitioner Brief is sponsored by: Your BRAND here - Contact us for opportunities today! ****** Find James Azar Host of CyberHub Podcast, CISO Talk, Goodbye Privacy, Digital Debate, and Other Side of Cyber James on Linkedin: https://www.linkedin.com/in/james-azar-a1655316/ Telegram: CyberHub Podcast ****** Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter ****** Website: https://www.cyberhubpodcast.com Youtube: https://www.youtube.com/c/TheCyberHubPodcast Rumble: https://rumble.com/c/c-1353861 s Facebook: https://www.facebook.com/CyberHubpodcast/ Linkedin: https://www.linkedin.com/company/cyberhubpodcast/ Twitter: https://twitter.com/cyberhubpodcast Instagram: https://www.instagram.com/cyberhubpodcast Listen here: https://linktr.ee/cyberhubpodcast The Hub of the Infosec Community. Our mission is to provide substantive and quality content that's more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure. Thank you for watching and Please Don't forget to Like this video and Subscribe to my Channel! #cybernews #infosec #cybersecurity #cyberhubpodcast #practitionerbrief #cisotalk #ciso #infosecnews #infosec #infosecurity #cybersecuritytips #podcast #technews #tinkertribe #givingback #securitytribe #securitygang #informationsecurity

Leaked Conti chats confirm gang's ability to conduct firmware-based attacks Critical UNISOC chip vulnerability affects millions of Android smartphones ExpressVPN removes servers in India after refusing to comply with government order Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com. For the stories behind the headlines, head to CISOseries.com.

Europol shuts down FluBot Hive ransomware kicks Costa Rica when its down CISA issues advisory on voting machine vulnerabilities Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com.

Follina vulnerability under active exploitation Tension inside Google over conduct of fired researcher IBM to pay $1.6 billion for poaching customer account Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com. For the stories behind the headlines, head to CISOseries.com

China censoring open-source code Follina zero-day hits Office EnemyBot botnet acts fast Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com.

Pro-Russian hacker group KillNet plans to attack Italy today Microsoft warns that hackers are using more advanced techniques to steal credit card data China makes offer to ten nations help to run their cyber-defenses Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com. For the stories behind the headlines, head to CISOseries.com.

Global security spending set to hit $198bn by 2025 New malware loader Bumblebee adopted by known ransomware access brokers Cloudflare thwarts record DDoS attack Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com. For the stories behind the headlines, head to CISOseries.com.

Russia experiences hacks at scale State Department puts a price on NetPetya's head Two-thirds of organizations hit with ransomware Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com.

Elon Musk's Twitter takeover could be bad for security and privacy Stormous Ransomware targets Coca Cola US offers $10 million reward for help locating Russian hackers Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com. For the stories behind the headlines, head to CISOseries.com.

Mandiant finds record zero-days in 2021 Bored Ape Yacht Club hacked Oracle patches critical Java vulnerability Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com.

Hackers find 122 vulnerabilities, 27 deemed critical, during first round of DHS bug bounty program Anonymous has leaked 5.8 TB of Russian data since declaring cyber war AWS's Log4j patches blew holes in its own security Thanks to today's episode sponsor, Feroot Feroot secures client-side web applications so that businesses can deliver a flawless and safe digital user experience to their customers. Inspector and Pageguard, Feroot's automated data protection solutions, increase code visibility, facilitate threat analysis, and detect and protect from dangerous client-side attacks, such as Magecart, cross-site scripting, e-skimming, and other threats focused on front-end JavaScript and web applications. Learn more at www.feroot.com. For the stories behind the headlines, head to CISOseries.com.

With all of your focus and investment on 3rd party risk management, there is likely still a blind-side that remains unaddressed. It is an area that should be moved to the top of your priority list - both for its potential to cause material losses in the form of response costs and fines and judgements, and for the ease in which it can be mitigated. It is a risk introduced by the 3rd party vendors you rely upon (and the nth parties they work with) to power and enhance your website. The threat of JavaScript based attacks - click-jacking, digital skimming, formjacking, defacement, "Magecart" - exists for any organization collecting sensitive data or conducting transactions through their web properties. Attacks of this type have done damage to some of the biggest brands in the world - costing household names like British Airways tens of millions - and they happen by the hundreds per month. Already in 2022, we've seen headlines of major client-side attacks like the one that hit Segway - potentially impacting nearly a million consumers. This is an area of exposure introduced through your own code, and by your partners, that can only be addressed at the client-side. It remains widely unaddressed, as focus in website security to this point has been on securing the server side. Join us for an exploration of the threat of these attacks, real-world examples of the material impact they have caused, and dialogue on the approaches to mitigating this risk with pros and cons of each.   Segment Resources: Our core whitepaper https://info.sourcedefense.com/event/client-side-white-paper-2022?leadsource=White%20Paper Blog on the blind side topic https://sourcedefense.com/resources/blog/wheres-the-blind-side-in-your-3rd-party-risk-its-on-the-client-side/ Free risk report on attendee's web properties https://sourcedefense.com/check-your-exposure/   This segment is sponsored by Source Defense. Visit https://securityweekly.com/sourcedefense to learn more about them!   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw733

With all of your focus and investment on 3rd party risk management, there is likely still a blind-side that remains unaddressed. It is an area that should be moved to the top of your priority list - both for its potential to cause material losses in the form of response costs and fines and judgements, and for the ease in which it can be mitigated. It is a risk introduced by the 3rd party vendors you rely upon (and the nth parties they work with) to power and enhance your website. The threat of JavaScript based attacks - click-jacking, digital skimming, formjacking, defacement, "Magecart" - exists for any organization collecting sensitive data or conducting transactions through their web properties. Attacks of this type have done damage to some of the biggest brands in the world - costing household names like British Airways tens of millions - and they happen by the hundreds per month. Already in 2022, we've seen headlines of major client-side attacks like the one that hit Segway - potentially impacting nearly a million consumers. This is an area of exposure introduced through your own code, and by your partners, that can only be addressed at the client-side. It remains widely unaddressed, as focus in website security to this point has been on securing the server side. Join us for an exploration of the threat of these attacks, real-world examples of the material impact they have caused, and dialogue on the approaches to mitigating this risk with pros and cons of each.   Segment Resources: Our core whitepaper https://info.sourcedefense.com/event/client-side-white-paper-2022?leadsource=White%20Paper Blog on the blind side topic https://sourcedefense.com/resources/blog/wheres-the-blind-side-in-your-3rd-party-risk-its-on-the-client-side/ Free risk report on attendee's web properties https://sourcedefense.com/check-your-exposure/   This segment is sponsored by Source Defense. Visit https://securityweekly.com/sourcedefense to learn more about them!   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw733

Canada's foreign ministry hacked Hactivists target Belarus rail system to stop Russian military buildup Segway victimized by Magecart attack Thanks to our episode sponsor, deepwatch Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together. For the stories behind the headlines, head to CISOseries.com

Conti continues, undeterred. Magecart skimmers are infesting WooCommerce instances. Users are finding url redirection attacks difficult to detect. A quick look at the workings of the Hive ransomware gang. Russia blocks Tor. The US Senate holds hearings on social media and adolescent mental health. Dinah Davis from Arctic Wolf on assessing your security posture. Our guest Neal Dennis of Cyware discusses Automation And Unification. And Grinchbots are still prowling for presents.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/235

What does the bleeding edge of Magecart-style attacks look like? Why do sophisticated security professionals at large, respected retailers find themselves struggling to detect these attacks? How can merchants up their cyber security game and do better preventing these kinds of attacks? Idan Cohen, CEO of Reflectiz, shares years of cybersecurity experience to shed light on the true extent and potential damage of malicious code injections.

This week, Matt Mosley and Kash Izadseta cover Magecart with Source Defense's Solutions Architect Matthew McGurik! 1.What is Magecart and how to protect your environment! Links mentioned in this episode: https://events.pcisecuritystandards.org/global2021/speakers/ https://www.linkedin.com/in/matthew-mcguirk-2b930530/ https://www.linkedin.com/in/kashizadseta https://www.linkedin.com/in/mattmosley1 http://tevoratalks.com Instagram, Twitter, Facebook: @TevoraTalks

On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Ubiquiti insider blows whistle on breach Cyber insurer ransomwared Project Zero burned a Western counterterrorism operation Australian parliament, media, politicians all under attack Executive Order would require vendors to notify US government of incidents Much, much more… This week’s sponsor guest is a special one. Metasploit creator and Rumble.run founder HD Moore will join us to talk all about his new venture, the Rumble asset discovery tool. It’s an absolutely fantastic interview, as you’d expect from HD. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing. Show notes Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security SHAREHOLDER ALERT: Ubiquiti, Inc. Investigated for Possible Securities Laws Violations by Block & Leviton LLP; Investors Should Contact the Firm Ubiquiti tells customers to change passwords after security breach | ZDNet Top insurer CNA disconnects systems after cyberattack London's biggest school trust hit by ransomware | The Record by Recorded Future Industrial giant Honeywell says it has ‘returned to service’ after cyber intrusion Nine says it has isolated source of cyber attack Cyber attack on Channel Nine: Government assistance requested by network Nine Entertainment warns ransomware recovery 'will take time' - Security - iTnews AFP, NSW Police investigating cyber attack on Nine 'State actor' behind Nine Network cyber attack, , tech expert says Australia investigates reported hacks aimed at parliament, media Australian Minister’s Phone Hacked as Report Reveals Hong Kong Link Australian ministers are targets in Telegram phishing scam, Australia/NZ News & Top Stories - The Straits Times Hackers target German lawmakers in an election year Exclusive: Software vendors would have to disclose breaches to U.S. government users under new order: draft | Reuters Facebook disrupts Beijing's Uyghur hacking campaign | The Record by Recorded Future Google's unusual move to shut down an active counterterrorism operation being conducted by a Western democracy | MIT Technology Review Apple releases iPhone, iPad and Watch security patches for zero-day bug under active attack | TechCrunch US lacks visibility into digital espionage at home, NSA boss says The Dark Web Is Teeming With Vaccine Listings Right Now | WIRED Credit Card Hacking Forum Gets Hacked, Exposing 300,000 Hackers’ Accounts T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation New 5G protocol vulnerabilities allow location tracking | The Record by Recorded Future PHP's Git server hacked to add backdoors to PHP source code SSRF vulnerability in NPM package Netmask impacts up to 279k projects | The Daily Swig H2C smuggling proves effective against Azure, Cloudflare Access, and more | The Daily Swig Security researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure | The Daily Swig Cloudflare launches JavaScript dependency dashboard utility to warn against Magecart-style malfeasance | The Daily Swig Microsoft Teams is the first target for new app-focused bug bounty program | The Daily Swig Slack Says Letting Anyone Message Anyone With Few Limits Was ‘a Mistake’ No, I Did Not Hack Your MS Exchange Server — Krebs on Security

Turvakäräjät swag-kauppahttps://teespring.com/turvakarajatHelSec virtual meetup #5-tallenteethttps://www.youtube.com/playlist?list=PLJDd2aYn8T1CNLdxEdmv_asNyFZVijskAHakkeriradion rahoituskampanjahttps://mesenaatti.me/1916/tehdaan-yhdessa-hakkeriradio/Velikanin / H7 tekemä HelSec ANSI-taideteoshttps://twitter.com/velikani/status/1336394148006551555?s=20FireEyen julkaisu SolarWinds Orion-tuotteeseen ujutestusta takaovestahttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.htmlYdinaseet vaarassa SolarWinds-takaoven vuoksihttps://www.bleepingcomputer.com/news/security/solarwinds-hackers-breach-us-nuclear-weapons-agency/ZDNetin uutisoinnit SolarWinds-aiheestahttps://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/Volexityn analyysi hyökkäyksestähttps://www.helpnetsecurity.com/2020/12/16/solarwinds-hackers-capabilities/Helsingin Sanomien uutisointi SolarWinds-tapauksestahttps://www.hs.fi/ulkomaat/art-2000007687185.htmlVinoth Kumarin twiitti FTP-tunnuksistahttps://twitter.com/vinodsparrow/status/1338431183588188160?s=21Ghidran debugger-ominaisuus julkaistuhttps://github.com/NationalSecurityAgency/ghidra/tree/debuggerTutkijat onnistuivat lähettämään dataa käyttämällä muistia WiFi-korttinahttps://www.zdnet.com/google-amp/article/academics-turn-ram-into-wifi-cards-to-steal-data-from-air-gapped-systems/AIR-FI tieteellinen artikkelihttps://arxiv.org/pdf/2012.06884.pdf Magecart-kollektiivi on ollut aktiivinen luottokorttitietojen varastamisessahttps://www.bleepingcomputer.com/news/security/stealthy-magecart-malware-mistakenly-leaks-list-of-hacked-stores/https://www.bleepingcomputer.com/news/security/credit-card-stealer-hides-in-css-files-of-hacked-online-stores/https://www.bleepingcomputer.com/news/security/credit-card-stealing-malware-hides-in-social-media-sharing-icons/SanSecin tutkimus Magecartin käyttämästä remote access trojan (RAT)-haittaohjelmasta, joka vuotaa Magecartin uhrien tiedothttps://sansec.io/research/ecommerce-rat-leaks-victimsRevolut-virtuaalipankkihttps://www.revolut.com/Yritykset kärsivät verkkorikollisuudesta selvästi useammin Suomessa kuin muualla Euroopassahttps://yle.fi/uutiset/3-11695621DoppelPaymer-kiristyshaittaohjelmaryhmittymä häiriköi uhrejansa nykyään puhelimitsehttps://www.zdnet.com/article/fbi-says-doppelpaymer-ransomware-gang-is-harassing-victims-who-refuse-to-pay/F-Securen 2021 kyberakatemiahttps://emp.jobylon.com/jobs/70516-f-secure-cyber-security-academy-2021-finland/

WordPress 5.6 was released this week with a new feature called application passwords. In this episode we talk about how application passwords work, where to find them in your WordPress installation, and why Wordfence decided to turn these off by default in version 7.4.14. We also talk about a new Magecart attack that places card skimmers inside of CSS files, MailPoet joining WooCommerce and what this means for eCommerce on WordPress sites. FireEye, one of the largest security firms, reported they were hacked by a nation state APT group, and a wormable zero-click vulnerability was found in Microsoft Teams.

Howdy! On “giving Tuesday” we are “giving” you the best privacy and security stories yet. AI and privacy feature high on the list, from AI aimed at truck drivers to office 365 workers and sticking with the theme comes our AI generated title this week for the Privacy and Security update. Using the semrush(dot)com/title-generator/ and the two most coherent results for your delectation: “The Best It Privacy & Security tricks For Your First Date” “8 It Privacy & Security Things that Are Hiding under Your Bed” (It really had to be the second option for this week's update…) … from there we move into GDPR fines, DNA hacking, and Magecart attacks. We swap voice commands for laser to instruct your Alexa device and highlight some other privacy concerns from Amazon. We finish with a delightful interview where privacy and GDPR appear not to be foremost thoughts in the mind of psychic Uri Geller. This is the best collection yet, so let's get the road train rolling! --- Send in a voice message: https://anchor.fm/rps5/message

Building High Performing Security Teams - The Skills Gap vs The Talent Shortage: Cybrary CEO and Co-Founder Ryan Corey sits down with Security Weekly to chat about the trends they are seeing in Cybersecurity skill development among high performing teams. Ryan will share some highlights from Cybrary's recent Cybersecurity Skills Gap Survey Report.   This segment is sponsored by Cybrary. Visit https://cybrary.it/solved to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn85

Building High Performing Security Teams - The Skills Gap vs The Talent Shortage: Cybrary CEO and Co-Founder Ryan Corey sits down with Security Weekly to chat about the trends they are seeing in Cybersecurity skill development among high performing teams. Ryan will share some highlights from Cybrary's recent Cybersecurity Skills Gap Survey Report.   Show Notes: https://securityweekly.com/swn85 Visit https://cybrary.it/solved to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Building High Performing Security Teams - The Skills Gap vs The Talent Shortage: Cybrary CEO and Co-Founder Ryan Corey sits down with Security Weekly to chat about the trends they are seeing in Cybersecurity skill development among high performing teams. Ryan will share some highlights from Cybrary's recent Cybersecurity Skills Gap Survey Report.   Show Notes: https://securityweekly.com/swn85 Visit https://cybrary.it/solved to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

You will see Cybersecurity and Hacking related News from 7th October 2020 to 13th October 2020 which includes news as follows: 7th October 2020 ⦿ ALERT! Hackers targeting IoT devices with a new P2P botnet malware: 00:05 ⦿ OceanLotus hackers injecting malware in Windows error report: 00:28 ⦿ Brave Browser enters dark web with its own Tor Onion service: 01:00 8th October 2020 ⦿ Researchers Find Vulnerabilities in Microsoft Azure Cloud Service: 01:15 ⦿ Chowbus food delivery service suffers breach; trove of data stolen: 01:30 ⦿ Comcast voice remote control could be turned into spying tool: 01:42 9th October 2020 ⦿ 55 New Security Flaws Reported in Apple Software and Services: 02:02 ⦿ 100s of schools at risk after Magecart attack on Wisepay: 02:32 ⦿ Microsoft warns of new Android ransomware blackmailing victims: 03:02 10th October 2020 ⦿ Marketing firm Friendemic exposed 2.7 million customer records: 03:19 ⦿ Researcher uploaded spyware on official Fitbit store: 03:43 ⦿ Clop ransomware hits Software AG, demands $20 million+ ransom: 04:10 12th October 2020 ⦿ 3TB of clips from exposed home security cameras posted online: 04:20 13th October 2020 ⦿ Microsoft and Other Tech Companies Take Down TrickBot Botnet: 04:55 ⦿ Hackers exploit VPN, Windows flaws to influence US elections: 05:18 --- Send in a voice message: https://anchor.fm/quitehacker/message

In today's podcast we cover four crucial cyber and technology topics, including: 1. United Nations International Maritime Organization (IMO) disclose a cyber attack 2. Fullz House cyber group compromises Boom! Mobile phone carrier 3. Australia-based Snewpit exposes users data via misconfigured cloud storage 4. Criminals still over 100,000 USD for Swiss University employees via cyber attack I'd love feedback, feel free to send your comments and feedback to | cyberandtechwithmike@gmail.com

Cloudflare Warp + NordVPN on iOS Leads to Traffic in the Clear https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/ WhatsApp Bug https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/ MacOS Catalina and Safari Update Released https://www.macrumors.com/2019/10/07/apple-releases-macos-catalina/ https://support.apple.com/en-us/HT201222 (nothing new yet) Magecart Still Going Strong https://www.theregister.co.uk/2019/10/04/magecart/ (original RiskIQ report requires Registration)

You may not recognize the name Magecart, but you've seen its impact. A set of sophisticated hacking groups, Magecart has been behind some of the bigger hacks of the past few years, from British Airways to Ticketmaster, all with the singular goal of stealing credit card numbers. Think of them as the ATM skimmers of the web. And thanks to poor security hygiene, they've managed to hit 17,000 domains in the past few months alone.

Philippe De Ryck joins the show to talk all things security: the importance and why you should be taking active steps, how to do it in your codebase effectively, and what can happen during a breach. Philippe De Ryck: Pragmatic Web Security Resources: OWASP Top 10 OWASP Top 10 Proactive Controls Please join us in these conversations! If you or someone you know would be a perfect guest, please get in touch with us at contact@frontside.io. Our goal is to get people thinking on the platform level which includes tooling, internalization, state management, routing, upgrade, and the data layer. This show was produced by Mandy Moore, aka @therubyrep of DevReps, LLC. Transcript: CHARLES: Hello and welcome to The Frontside Podcast, a place where we talk about user interfaces and everything that you need to know to build them right. My name is Charles Lowell, a developer here at The Frontside. Joining me, also hosting today is Taras Mankovsky. Hello, Taras. TARAS: Hello, hello. CHARLES: And as always, we're going to be talking about web platforms, UI platforms, and the practices that go into them. And here to talk with us today about a pillar of the platform that I certainly don't know that much about, and so, I'm actually really happy to have this guest on to talk about it is Philippe De Ryck who owns his own company called Pragmatic Web Security. I understand you do trainings and are just generally involved in the small space. So, welcome, Philippe. PHILIPPE: Hi. Nice to meet you. CHARLES: Wow! I almost even don't even know where to start with this subject because I'm kind of like the hippie developer mindset where it's like, "LaÖlaÖlaÖlaÖlaÖ we're in this open land and nothing's ever bad going to happen and we're just going to put code out there," and nobody would ever take advantage of any holes or anything like that. And I think that a lot of developers share that mentality and that's how we end up with major, major security breaches. And so, like I said, this is something that I'm actually very eager to learn but I almost even don't know where to start. I need training, man. [Laughter] PHILIPPE: Well, that's good to hear. No, you're totally right about that. If you're not into security, it seems like this fast space for a lot is happening and you don't really know how or why and what really matters to you and should I even be worried about this. And let me start by addressing the very first thing. Yes, you should be worried because maybe you're not building something that somebody cares about but you always have something that somebody wants, even the simplest of attacks always targets a valuable resource. Just to give you a very simple idea today, cryptocurrency is all the hype and you have a taker that's just aiming to misuse your users' computers to mine crypto coins because it essentially saves them a bunch on electricity cost. So, there's always something to grab. Usually, it's data or services or worse. But even in the most minimal cases, you have hardware, you have devices, you have network capacity that somebody might want to abuse. So yes, security, I would say, always matters. CHARLES: What's the best way to get started? You said understanding that everything we do, we're holding onto resources that might be valuable, that someone might want to seize but I'm just getting started with my application. I don't know anything about security. Where do I get started on just understanding the space? And then before I even look at tools that I wantÖ PHILIPPE: You want the honest answer for that? [Laughter] PHILIPPE: The honest answer is probably hire someone who has security knowledge. I don't mean this in a bad way. I've come a very long way in my career doing what I do now. And if I look at that, if you are aiming as a developer with no knowledge about security to build a secure application, it's going to be very hard. There's a lot of things you need to know, intrinsic knowledge. These are not things you can simply read a small book in a week, you know all of these security things that you'll know what to do. So, if you have no previous experience at all, I suggest to find some help. CHARLES: Right. It's like saying, "Hey, you've never written a data layer before but you want to go out and you want to write a massively distributed system where you have all these notes talking to each other. You're not going to read the O'Reilly book 'How to Build Distributed Systems' in a week and go out and do the same thing." It's the same thing with security. You need to understand the entire context. And there's no substitute for experience. PHILIPPE: Sorry, I actually like that comparison because in a sense, you're right, it's like these other very complex topics you don't expect to learn that in a week or a month and right a functioning data layer. But the difference is if you fail at writing that data layer, your application is probably not going to work. While if you fail at securing the application or seeing potential vulnerabilities, it's still going to work just a bit more than you anticipated. It's going to result leaking all your data to an attacker or opening all doors so that they can gain access to your server, stuff like that. So, I would say that the consequences of not getting it right are, at least in the beginning, very invisible. It's only after things happened that it's like, "Oh, crap!" And you should pay attention to that. CHARLES: Yeah. And then you have these back doors and these leaks that are set in stone and may be very hard to change. PHILIPPE: Yeah, absolutely. And honestly, the worst part of the breach is for a company, it might be reputation damage. But what you really should be worried about is all that personal information that's being leaked to, most cases, publicly leaked to anyone but in other cases, it's sold on [inaudible] markets and actually abused by people looking for someone else's identity or credit card information or stuff like that. And the companies usually get away with some bad press, maybe a small dip in their stock price but eventually, they'll bounce back. But it's the users that suffer from these breaches for a very, very long time. TARAS: What do you see the kind of hot zones around concerns that companies have around security? Because I imagine it's hard to be concerned about everything, so they're probably thinking about specific things like this thing worries us. Like what kind of things do you see companies and teams need to worry about? PHILIPPE: That's an interesting question. You have all different kinds of companies and all different levels of security awareness and what they're worrying about. I would say if you have the companies that are not very good at or don't have very much security knowledge, they're probably not to worry about things because otherwise, they would have started investing in improving their practices. If you look at the companies that are at least very aware of the landscape, I'm not saying that anybody here is perfect, but some of the companies are actually doing quite a good job. One of the most interesting challenges today is dealing with dependencies. So, all of your packages, you depend on npm, Maven, Python packages, Ruby gems, and so on. All of them form a huge attack factor in most applications today. That's definitely a problem that a lot of companies struggle with and it's very hard to find good solutions. TARAS: GitHub recently, I saw their vulnerability alert service that I've been getting a lot of notifications from on some of the open source libraries that we use. They have a lot of dependencies. And a lot of projects have the same dependencies. So, the moment that one notification goes on, it like lights up on all of the GitHub repos that I have. So, I have been going through and like updating dependencies and all those libraries. PHILIPPE: Yeah, that's a very good example. Absolutely. A lot of the projects we build today usually start out by installing a bunch of dependencies. Even before you've written the first line of code, you already have a massive code base that you are relying upon. And a single vulnerability in a code base might be enough, it's not always the case, but it might be enough to compromise your application. And that leaves you, as a developer, in a very hard place because you haven't written any lines of code yet. You have built a vulnerable application and that starting point can be very terrifying. So, there's a lot of reports on this. And actually, if you want some numbers, 78% of the vulnerabilities discovered in existing applications like the ones you mentioned. If GitHub alerts you like, "Hey, there's a problem in one of your dependencies," it's often even an indirect dependency, meaning that you include a framework, if you include React or Express or whatever you're building, that one of your dependencies of one of those projects actually has a vulnerability. If you look at the trees of these packages, they get quite big that it's not dozens but it's thousands of packages that we're talking about. CHARLES: Yeah that's the other thing is how do you know how to interpret these security vulnerabilities because some of them, we get a lot of security vulnerabilities for node packages but we only use them for our development tools to build frontend. So, if we're building a React application and there's some security vulnerability in some node packages that we're using in our build tool, then that doesn't actually get deployed to the frontend. So, maybe it's not a concern but if we were actually using it to build a server, then it would be absolutely critical. And so, how do you evaluate because the same security vulnerability is not a vulnerability in one context, but might be in another or maybe I'm thinking about it wrong. You see what I mean? PHILIPPE: Yeah, sure. I totally get what you mean. Actually, I have observed the same things. I also get these security alerts on my projects, and sometimes it's devDependency, so it seems like we don't need to care about that. You're right in the sense that you have to assess the criticality of such a report. So, they will have a rating, a severity rating saying like, "This is a minor issue," or, "This is a major issue," that should be a first indication. And then a second thing to look at is, of course, how are these things used in practice. It's not because it's a devDependency that it's not exploitable because it all depends on what is the vulnerability. If there's an intentional malicious backdoor in the library and you're building that on your build server, it might give an attacker access to your build server. So, that might not be something you actually want to do. So in that case, it does matter. Of course, if it's only stuff you run locally, you can say like, "OK, this is less important." But usually, updating or fixing these vulnerabilities also requires less effort because there's no building and deploying to production servers either. So, it's a matter of staying up-to-date with these. And one of the things that people struggle with is handling this in a lot of different applications. You mentioned you had a lot of GitHub repos and the vulnerability starts popping up in all of them and you have to fix and update all of them. You can imagine that major companies struggle with that, as well, especially if you have quite a few different technologies. Managing all of that is insanely hard. CHARLES: Right, because you just usually look at it and you're like, "Oh, I've got to download this." And maybe, "I haven't used it this repo for a while. I've got to clone it up, I've got to update the dependency. I've got to make sure I run all my tests locally, then run all the tests in CI and make sure I didn't break anything by upgrading. I might have fixed closed security hole but broken my functionality." And so, make sure that that is all intact and then push it out to production. Even on the small, it's like I'm looking, "OK, maybe this is going to take me 30 to 45 minutes." But if you have four or five of those things, you're looking at half your day or maybe even the whole day being gone and that's if you have the processes in place to do those automated verification. If you have a very high confidence in your deployment pipeline which I don't think a lot of places have. So, it sounds like these are complementary, like you really need in order to keep a secure application, you have to keep it up-to-date because I think what I'm hearing is you should just evaluate all the threats. You should fix it if you can. The first part of my question is, am I kidding myself when I say, "Oh, I can ignore this one because it's just local or it's just a devDependency." PHILIPPE: The answer to that question is briefly, I would say they are less critical. CHARLES: That's cool. PHILIPPE: In general, the rule is update if you can. And actually some of the tools out there that monitor vulnerabilities, they will automatically create a pull request in your repo saying to upgrade to this version and then you can automatically run your tests if you have them, and you can very quickly see whether some conflicts are generated by updating that dependency - yes or no. And in most cases, if it's a minor version bump, it's going to work as expected and you can easily push out the new version without that vulnerability. So, I would say fix if you can. If it goes quickly, then definitely fix them. But I would focus on non-devDependencies first instead of devDependencies. CHARLES: Yeah. PHILIPPE: Second thing I wanted to add is you paint a very grim picture saying you have to spend a lot of time updating these issues and I can totally understand that happening the very first time you look into this. There's going to be some stuff in there, I can guarantee that. But if you do this regularly, the effort becomes less and less because once you have up-to-date libraries, the problem is bad but it's not like we have 50 new vulnerabilities every day, fortunately. CHARLES: Right. PHILIPPE: So, once you have done that, it's going to be a bit less intensive than you might anticipate at first glance. Of course, if you're using these projects, if you're reusing the same library, then you'll have to update them everywhere. That's the downside, of course. CHARLES: It's probably a little bit dangerous to be assessing the criticality of the security threats yourself if you're not an expert, and kind of in the same way, it's dangerous to be assessing an architecture if you don't have an expertise in our architecture, I guess is the thing, because you might not understand the threat. PHILIPPE: Yeah, that's, again, absolutely true. It again depends very much on how it's deployed and what it's used for. That's going to be one important aspect. Another thing that might be very useful is, how deep is the dependency that creates the vulnerability or has the vulnerability? Because for example, if you have your tree of dependencies, if you dependency is like five or six levels deep, the chances of malicious data are reaching that specific vulnerability, and that specific library is going to be fairly small. Because usually, libraries have a lot of features and you only use part of them in your application. So, the other one is address of the features is just sitting there and if it's never used and it's also not exploitable. So, that might play a role as well. I saw a presentation about a month or two months ago from how Uber manages these things and they struggled with a lot of those things as well. And they eventually decided that they really care about vulnerabilities going three levels deep. And something that goes deeper is considered to be less relevant or less urgent to update because chances of exploitability are going to be very small. CHARLES: That's actually really interesting. TARAS: One thing that got me thinking about something that is actually happening right now. A friend of mine has a WordPress site that was hacked. But what's interesting about WordPress, I think the fact that WordPress site was hacked is not really a surprise but I think what's interesting about that is that the frequency and the sophistication of these attacks has increased. The tooling has improved also in the WordPress ecosystem. But at the same time, I think there is actually more people that are aware of the kind of exploits that could be done. There are a lot of people going after WordPress sites, but it kind of makes me think that there's probably going to be a time when the vectors of attack for web applications are going to become pretty well known as well. Because of the architecture, there are a fewer of them. But as the awareness of the actual architecture becomes more common, I think the angles of attack are going to become more interesting. Like one of the things that I was reading about a couple days ago is that there are some researchers that found a way to attract users based on a combination of JavaScript APIs that are available in the browser. So, they are actually able to fingerprint users based on the kind of things that they're using, the application for [inaudible] extensions they have installed. I think people are going to get more creative. And that's kind of scary because we've seen this happen already in WordPress and people are greedy. So, there are going to be ways. I think there's going to be more people looking at how to get into and how to exploit these vulnerabilities. PHILIPPE: Yeah. That's actually a couple of very good examples that illustrate the underlying issue. So, this browser-based tracking of users, it's called browser fingerprinting and it's been going on for a while. Back when I did my PhD, I had colleagues working on those things and you have other people at universities doing research on this. And yes, you can use things like JavaScript APIs in the browser to identify a particular user with a very high probability. It's not perfect but it's usually enough to identify a user for ad tracking or those purposes. By the way, these things also have a legitimate purpose. So, they are also used to keep track of a particular user to prevent things like session hijacking or detect problem logins or stuff like that, so they can also have a legitimate use case next to tracking. But they very clearly show how security will always be a cat and mouse game. Tracking used to be easy. You just set a cookie in a browser and the cookie was there next time and you knew who the user was. And then, users became a bit more savvy. You had browser extensions trying to block listings because let's be honest, they're kind of shady. So, users probably don't want that. And then the attacker started moving towards other things and getting more advanced. And you see that in other areas of security, as well. So, I consider that a good thing because as we make things harder for attackers, they will have to get more creative and it will become more difficult to exploit or to take advantage of applications. That's the good side. The bad side or the dark side of that equation is that unfortunately, the vulnerabilities are not going away. It's not because we now have these somewhat more advanced attacks using advanced features or even CView-based vulnerabilities that the old things like SQL injection and [inaudible] have disappeared in applications. That's also not true and that means that it makes it just a bit more harder for everyone on the defensive side to build more secure applications. You're going to have to know about the old stuff and you have to learn about the new stuff. CHARLES: Again, we come back to that idea. It's all a bit overwhelming. Aside from the solution of like, "Hey, let's hire Phillippe. Let's hire some other security expert." We were actually in your training, and obviously, I don't want to divulge all the secrets or whatever. If we were to attend your training, what do you see is the most important thing for people to know? PHILIPPE: There's no secrets there. [Chuckles] What I teach is web security. I kind of like to think I teach that in a very structured and methodical way. But in the end, there's no secrets and I don't mind talking about this here on the podcast because I honestly believe that everyone should know as much as they can about security. What do I teach? I can talk about specifics but I can also talk about generic things. One of the general takeaways is that one of the best things in my opinion that a developer can do is realize when they don't know something and actually admit that they don't know something, instead of just doing something. Maybe having like a brief thought like, "Hmm, is this secure? Well, it's probably good. I'm going to deploy it anyway. We'll see what happens." That is not the right way of doing things. If you do something and you recognize like, "Hey, this might be security sensitive. We're dealing with customer information here. We're dealing with healthcare information. We might want to look at what plays a role here," and then you can go ask someone who does. You probably have a colleague with a bit more security knowledge, so you can ask him like, "Hey Jim, or whatever your name is, do you think that this is OK or should we do something special here?" Very much like you are doing, asking me questions right here. That's one important takeaway that I hope everyone leaves with after a training class because not knowing something and realizing that you don't know it allows you to find someone who actually does. That still leaves us with that point which you wanted to sidestep. CHARLES: [Chuckles] PHILIPPE: A second thing is to realize that security is not a target. It's not something you're going to hit. It's not a holy goal that after working really hard for two years, you're going to hit this security milestone and you're done. It's always going to be a cat and mouse game. It's always going to be a moving target but that's OK. That's how things are. And that's the same with all other things in the world essentially. It's an evolving topic and you'll need to be ready to evolve with that as well. TARAS: One of the challenges that I see into quite often in teams is that at the individual level, people really try to do their best, maybe the best of their abilities. But it's often, when it comes to being part of a group, it's often like they do best within the kind of cultural environment that exists. I'm curious if you've seen good or kind of environments or cultures for engineering teams that are conducive to good security. Are there kind of systems or processes the companies put in place that you've seen to be very effective in preventing problems? Have you encountered anything like this? PHILIPPE: Ideally, you have developers that are very well educated about security but honestly, it's going to be insanely hard to find these people because a developer not only has to be educated about security, they also need to know about UI design and JavaScript frameworks and other frameworks and all of these things. And it's virtually impossible to find someone up-to-date on all of these things. So, what most companies do today that seems to work quite well, even though it's very hard to judge whether it's working or not, is they work with security champions. So, you typically have a dev team and within a dev team, you would have a security champion, one or two or five, depends on how large your teams are, of course, that is knowledgeable about security. So, that developer has some knowledge. He's not an expert but he knows about common attacks and common dangers and how to potentially address them in the application. So, having that person embedded in the team allows the team to be security aware because when you have a team meeting like, "Hey, how are we going to solve this particular problem?" That person will be able to inject security knowledge like, "Hey, that seems like a good idea but if we're using SQL in the backend, we need to ensure that we don't suffer from SQL injection." Or if you're using a NoSQL database, it's going to be NoSQL injection and so on. And that already elevates the level of security in the team. And then, of course, security champions themselves are not going to be security experts. They're mainly developers just with a security focus. So, they should be able to escalate problems up to people with more knowledge, like a security team which can be a small security team within their organization that people can easily reach out to, to ask like, "Hey, we're doing something here and I know that this is security relevant and I'm not entirely sure what's happening here. So, can we get a review of this part of your application?" Or, "Can you guys sit on the meeting to see what's going on and what's happening there?" And I think that structure also makes sense. It's still going to be hard to build secure applications because there's still a lot of things to address, but at least, your teams get some awareness. And then of course, you can help your security champions to become better and they will get better over time. You can augment them with the security architects. You can train your security champions separately with more in-depth knowledge and so on. And that veteran or that setup seems to work quite well in many large organizations today. CHARLES: Yeah. I like that. It gets me to thinking, so having the having the security champions, having people who have this as part of, not their specialization, but at least part of their focus, being in the room, being part of the conversation because we try and do that and provide that service when it comes to UI but we also have a bunch of processes that kind of automate the awareness of quality. So, the classic one is your CI pipeline, your deployment pipeline. So, you're automating your advancement to production. You're automating your QA. It's still no substitute for having someone who's thinking about how to have that quality outcome but you still have some way of verifying that the outcome is quality. Are there tools out there that you can do to kind of keep your project on the security Rails. I'm thinking something that we we've done recently is having preview apps, so that we get a tight feedback loop of being able to deploy a preview version of your application that's on a branch but it's talking to a real backend. There's a lot of more software and services that are supporting this and it's kind of become an integral part of our workflow. So, testing automated deployment preview apps, there's this kind of suite of tools to make sure that the feedback loops are tight and that the quality is verified even though you have people, you also have people guiding that quality. It's just making sure that the standards are met. Is there a similar set of tools and processes in the security space so that we've got these champions out there, they're being part of the conversations. They're making suggestions but they can't be everywhere at once. And is there a way to make sure that the kind of the ways that they're guiding the application, just verifying that the application is going in that direction? Or an alarm bell has sounded. We mentioned one which is the automated pull request with the, "Hey, you got this dependency and there was a pull request." Are there more things like that, I guess, is what I'm saying. PHILIPPE: Yes, there are. But I would dare to say not enough. So yes, you have some security tools you can integrate in your pipeline that do some automated scanning and they tried to find certain issues and alert you of those issues. So, these things do exist but they have their limitations. A tool can scan an application. Some of the findings are going to be easy and fairly trivial, but it's good to have the check in place nonetheless. But some of the more advanced issues are very likely to be undetectable by those automated tools because they require a large amount of skill and expertise to actually craft and exploit to abuse that particular feature in an application. So, we do have some limitations but I like discretion because I do believe that we need to leverage these mechanisms to ensure that we can improve the security quality of our applications. A very simple thing you can do is you can run an automated dependency check when you build the application and you can use that to decide to halt deployment when it's a severe vulnerability or go ahead anyway when you consider this to be acceptable because if you automate all of those things, things can go wrong as well. We can talk about that in a second. So yeah, these things can be done. But what I strongly encourage people to do to ensure that they can kind of improve the code quality is to flag certain known bad code patterns. So if you're building an Angular or a React application, if you're using functions that output go directly into the template, that's going to be very dangerous. So, we know these functions in Angular, they're called bypassSecurityTrustHtml, bypass security should be kind of a trigger and this kind of security irrelevant. And in React, that property is called Dangerously Set innerHTML, also indicating like a 'developer watch out what you're doing'. So, what you could do is you could set up code scanning tools that actually flag these things whenever they appear in application because sometimes people make mistakes. You hire an intern and they don't really know the impact of using that property and they use it anyway which would cause cross-site scripting vulnerability. If you're code scanning to flag these things ensures that it doesn't get pushed to production unless it's a benign case which is actually approved to be in there, then you can definitely stop some of these attacks coming on for sure or some of these vulnerabilities happening. TARAS: I think the hardest thing to understand is when someone doesn't understand what they're doing that what they will create is so cryptic that I think any tool that tries to figure out what it is that person is doing I think will have a really hard time. The person making the thing doesn't understand what they're doing, then the system is not going to understand what they're doing which makes me think that one of the things that we think about a lot at Frontside is this idea of trying to understand the system from the outside as kind of looking at a system as a black box and wonder what kind of tools are available specifically for inspecting the application from the outside, like as if somehow understanding what the application is doing based on what's actually going on inside of the runtime and then notifying someone that there could be something off in the application, but through exercising the [inaudible] things like, for example, memory leaks is not something you can catch unless you have a test suite that has like a thousand tests and then you will see over time that your application is actually leaking memory. But if you run individual tests, you'll never see that. I wonder if there's anything like that for security where at runtime, there's actually a way to understand that there might be some kind of a pattern that's incorrect in the application. PHILIPPE: If only, if only. It depends on who you ask. There is such a concept that's called Dynamic Application Security Testing. Essentially, what you do there is you run the application, you feed it all kinds of inputs, and you monitor when something bad happens. And that means that you have detected vulnerability. So, these things do exist. But unfortunately, their efficiency is not always that good. It very much depends on what kind of security problems you're trying to detect. And they can, for example, detect some instances of things like cross-site scripting or SQL injection or things like that. But there will always be limitations. I've seen tools like that being run as an application where you actually know there's a vulnerability because it has been exploited. There is a manual written exploits and the tool still doesn't find any vulnerabilities which is not surprising, because these things are really hard to make an abstraction of to be able to find that in an automated way with a tool. If you would have such a tool that would be, I think, that [inaudible] would be a lot better. I think there's a lot of funders working on that. But at the moment, those tools are not going to be our savior to build more secure applications. CHARLES: Yes. I mean, it's kind of like linting, right? Or you can make tests. We've been through this kind of all the features or the aspects that we want our application to have, whether it be accessibility. There's certainly a very comprehensive suite of lint level checks that you can run to make sure that your application is accessible. You can run a suite of three thousand things and if it triggers any of these things, then yes, your application won't be accessible but it's not a substitute for thinking through the accessibility architecture. The same thing goes with code linting. You're not going to solve bugs with a linter that makes sure that it's formatted and that you're declaring your variables right and that you're not shadowing things. But you can definitely eliminate a whole classes of things that might be put in there just for maybe even you know what you're doing and you're just forgetful. PHILIPPE: Yes, these rules exist, as well. They're not extensive but there are linting rules for Angular used for security, for example. But the problem in linting is that they are very useful to find potential instances of security relevant features or security relevant functionality. But the linting rule alone cannot decide whether something is OK or not. Just to give you a very simple example, if you use the bypassSecurityTrustHtml function, if you give that function a static snippet of HTML, that's going to be fine unless you write your own attack essentially. But if you feed that function user inputs, you're going to be in a lot of trouble. And making that distinction with a linter is going to be difficult unless you have a static string in the arguments. But if once you start having that from variables to dynamically decide to have a different code path, then that's going to be very, very difficult to decide automatically. So, yes, you can use that to find the places in the application where you should be looking for, in this example, a cross-site scripting in Angular but the linting alone is not going to give you an answer whether this is OK or not. That still requires knowledge of how Angular handles this things, what happens, and how you can do things safely. TARAS: Sounds like we keep going back to nothing beats having knowledgeable developers. PHILIPPE: Yes. Unfortunately, that is true. However, with that said, I want to highlight that frameworks like Angular, well mainly Angular, make things a lot better for developers because yes, you still need knowledgeable developers but the ways to introduce a cross-site scripting vulnerability in an Angular application are actually very, very limited. It's not going to be one, but there's going to be maybe three or four things you need to be aware of, and then you should be set. While if you would have done the same for PHP, it's going to be 50,000 things you need to be aware of that are potentially dangerous. So, yes, frameworks and libraries and all of these abstractions make it a lot better and I really like that. That's why I always refer to abstract things away in a library so that you actually have the ability to look for this dangerous code patterns using linting rules in your code base and that you can, at least, inspect the go to see whether it's OK or not, even though you might not be able to make an automatic decision. You, at least, know where to look and what to approve or how to change in the code base. TARAS: I think that's one of the things that oftentimes is not taken into account that the frameworks are different. And I think of big differences in how much -- like right now, the most popular framework, I think, React. But it's such a thin layer, it's such a small part of the framework that you can hardly call it a framework. But it is something that companies rely on. But then when you consider how much of that code that you need to write, to make React into a complete framework for your company, the amount of code that your team has to write versus the amount of code that your team has to write when you use something like Angular or Ember, there's definitely a lot less parts of the framework that you need to write or a lot less parts of the framework you need to choose from what's available in the ecosystem. Like in Angler and Ember, and I'm not sure what the story is with the view, but the pieces, they come from kind of a trusted source and they've been kind of battle tested against a lot of applications. But I don't think that enters into consideration when companies are choosing between Angular or whatever that might be because they're thinking like what is going to be easiest for us. What is going be [inaudible] for developers? They're not thinking about how much of the framework are we going to need to put together to make this work. CHARLES: I can say it sounds, Taras, like almost what you're saying is by using the frameworks that have been battle tested, you actually get to avail yourself of code that actually has security champions kind of baked into it, right? Is that what you were saying? You keep coming back to 'you need developers who are knowledgeable about security', and if you're using kind of a larger framework that covers more use cases, you're going to get that. Do you think that that is generally true, Philippe? PHILIPPE: Yeah. I think it is and that's why I mentioned that I liked Angular before because Angular actually does offer a full framework. And because they do that, they made a lot of choices for developers and some of these choices have a very, very big and positive impact on security. On the other hand, if you make those decisions, you become an opinionated framework and some people don't like that. They actually want the freedom to follow their own paths and then a less full featured framework like React might be an easier way to go. CHARLES: But I think what happens is folks don't enter into that decision with their eyes open to the fact that they then now need to be their own security champion because they just don't even see it. We said the most dangerous thing is the things that you don't know. PHILIPPE: Yeah, absolutely. And I totally agree. That's something that's at least a couple of years and probably still today, many companies moving into this space struggle like, "Which framework do we choose and why do we choose one or the other and which one will still be there in three years because we don't want to switch to another thing in three years," which is risky to our developers. I like that you said that Angular has this security champion knowledge built in because in Angular 2 and every version behind it, but the new version of Angular essentially, they spent a lot of time on security and they learned from their mistakes in the first version because there were some and they took that and they built a more robust framework with security built in by design or by out-of-the-box. Angular offers, for example, very strong protection against cross-site scripting. It's just there, it's always on and unless you actively sidestep it, it's going to protect you. And that's one of the things I really like about Angular and how they did that. CHARLES: Yeah, that's one of the things that I really like too because I remember there was a blog post back, this is probably, I don't know, almost 10 years ago now, maybe seven or eight years, where someone was comparing why they were more interested in using, their servers were implemented in Ruby and why it was better to use Rails than just Sinatra which is just a very, very, very lightweight HTTP framework. And one of the things that he was pointing to was this new vulnerability was discovered and if you were using Rails, the middle way where the middle square stack is managed by the framework, you just upgrade a minor version of Rails. And now, by default, there's this middleware that prevents this entire class of attack. PHILIPPE: Was that a cross-site request forgery? CHARLES: I think it might have been. PHILIPPE: I think Rails was one of the first to offer built in automatically on support for that. So yeah, that was a very good early example of how that can work really well. CHARLES: And the advantage from the developers' standpoint, because the contrast that, if you'd been writing your application in Sinatra which is this is very, very low level based right on top of rack and you're managing the middleware stack yourself and there are no opinions, then not only do you have to like fix this security vulnerability, you have to understand it. You have to get to do a lot of research to really come up with what's going on, how is this going to affect my application and then I can deploy a fix. And that's like a huge amount of time, whereas you have the freedom to not even understand the attack. I mean, it's always better to understand but you can defer that understanding invariably knowing that you're kind of invulnerable to it. And I think for people who enjoy kind of pretending, not pretending, but that the security world doesn't exist and say, "Hey, I want to focus and specialize on these other areas and attain deep knowledge there." It's very reassuring to know that if a defense for a novel attack comes out, I can avail myself of it just by bumping a version number. PHILIPPE: Yeah, absolutely. If you have everything in place to actually upgrade to that version that fixes those, that's a preferable solution. Towards the future, I believe it's going to be crucial to ensure that we can actually keep things up-to-date because everything that's being built today is going to require continuous updates for the lifetime of the application. I definitely hope that the frameworks get better and more secure and start following these patterns of naming the potentially insecure functions with something that indicates that they are insecure. I think that's definitely a good way forward. CHARLES: Yeah. Can I ask one more question? Because this is something that is always something that I wonder about whenever you talk about any aspect of a system. And part of it is folks will not appreciate good architecture until they've experienced some sort of pain associated with not having that architecture in place. Their project fails because they couldn't implement a set of features without it taking months and years and they just ran out of runway, ran out of deadline. Those types of people who've been on those projects appreciate having a nimble system internally, good tooling. Folks who have experienced good tooling understand how much time they could save, and so, have a very low tolerance for bad tooling. A tool takes too long or is misbehaved or is not well put together, they just can't stand because they know how much time they're losing with security. Is there a way to get people to care about it without having some sort of breach, without having gotten smacked in the face? When you do your trainings, is it generally, "Hey, someone has experienced a breach here, and so they want to bring you in." Or is there some way to get people raise awareness of the problems they don't have to experience that pain but can just experience only the benefit? PHILIPPE: That's, again, a very good question and that's also a very good illustration of why security is so hard. Because if you get everything right, nothing happens. [Laughter] PHILIPPE: Or it might be if nothing happens, that nobody cares enough to actually try something against your application. So, there's no positive confirmation if you've done a good job. You can keep putting things off but eventually, there's going to be vulnerability and it's a matter of how you respond to it. We recently had a cross-site scripting in Google's homepage, one of the most visited pages on the web. And somebody figured out that there were some weird browser thing that could be abused and that resulted in a vulnerability on, let's say, such a simple page. So, even there, things can go wrong. So, what would be a good way to draw with some awareness about this is I would recommend following some simple new resources or some Twitter feeds. I have some security relevant articles there but plenty of other people in the industry have as well. And when you read such an article about security incidents, just think about whether this could happen to you or not. And that should probably scare the shit out of you. Simple examples like the Equifax breach, one of the biggest, most impactful breaches of the past few years happened because of an Apache library that was not updated. I think the Apache library, they had a known vulnerability in there. We knew about it. We had a patch, yet it took too long to install that patch and the attackers abused that vulnerability. This is something that probably can happen to each and every one of us because the attacks started, I think, 72 hours after the vulnerability and the patch had been published. So, ask yourself, "Would I have updated my servers in three days after I got that vulnerability report on GitHub?" Yes or no. And if the answer is no, then the same thing can happen to you. Other cases: Magecart is a very big problem, people injecting credit card skimming malware in the JavaScript library. Are you including third party JavaScript libraries? If yes, then chances are that this can happen to you. And there's nothing preventing someone from exploiting that. It's probably just because you got lucky that nobody tried to do that. And the same thing you see now with all these attacks npm packages where people actively try to get you to install a malicious package as one of your dependencies. And again, everybody can fall victim to these things. So, if you read the articles with that mindset, I probably guess that your security awareness will grow rapidly and you will start caring about that very fast. CHARLES: Yeah. TARAS: Lots to think about. CHARLES: Yeah, there's lots to think about because the next thing that occurs to me is how do you even know if you've been targeted. Because a good attacker is not even going to let you know. PHILIPPE: Yeah. CHARLES: It's just better to siphon off your blood, like you said, than to kill the -- you want to be a vampire bat and come to the same cow every night and just take a little bit of blood rather than the lion that kills the cow and then the cow's gone. PHILIPPE: I would say constant monitoring is going to be crucial and you need that data for all kinds of different purposes. You need to monitor everything that happens, first of all, for a post-mortem analysis. If something happens, you want to be able to see how bad it was. This user apparently got a full admin access and if you have decent monitoring, you will be able to retrace his steps to see what they did or did not get. So, that is one very good use case. A second use case is you can use that data to detect attacks. Usually when the attacks are noisy, it's an automated scanning tool but it might be an attacker trying to do things. Again, that may be something very useful for you to act on to see if there is a problem to prevent that user from connecting, or so on. And then, another very good use case of these things is actually inspecting the logs manually as an ops engineer or whatever, who is responsible for doing that, because that might again yield new insights. I've been talking to someone who said that they discovered an abuse of one of their APIs just by looking at the logs manually and detecting a strange pattern and looking and digging deeper into it. And the automated monitoring tools that they had installed that trigger on certain events like a mass amount of requests to the authentication and stuff like that, they did not catch this particular abuse. So, I would say monitoring there is absolutely crucial, for sure. TARAS: So, the takeaway is higher attentive knowledgeable developers who will learn about security. PHILIPPE: I would say the takeaway is security knowledge is essential for every developer. So, I encourage every developer to at least have a little bit of interest in security. I'm not saying that everyone should be a security expert. We should at least know about that the most common vulnerabilities in web applications, what they mean, what they might result in, and what to be on the lookout for. So yes, I think that's one of the crucial things to start with. And then within an organization, you should have someone to fall back on in case that there are security relevant things that you actually can talk to someone who does see a bigger picture or maybe the full security picture to decide whether these things are a problem or not. I think we're closing or nearing the end here, but one of the things we haven't talked about is how to actually get started in security. What if you are interested in security after hearing this podcast and you want to get started? I want to give you just a few pointers so that you actually know where to look. One of the first things to look at is OWASP. And OWASP is the Open Web Application Security Project. It's essentially a nonprofit that has the mission to improve the security posture or knowledge of developers, and they have a lot of resources on various different topics. They have a lot of tools available and things like that. What you want to start with as a developer is the OWASP Top 10, which is a list of the 10 most common vulnerabilities that exist in applications, just to open your eyes like these things exist in applications today and are definitely a problem. And then, there's a complementary Top 10 called the Proactive Controls and that's about how you, as a developer, can actually prevent these things. So, what should we know about implementing security, which guidelines should we follow. And these two documents are a very good place to start. And then there is a huge community that's actually mostly very eager to help people figure out the right way of doing things and solving these problems we have in our ecosystems. TARAS: Awesome. That's great. Thank you very much. CHARLES: Yeah. I'll take that in. That is really, really helpful. Well, thank you very much, Philippe, for coming on and talking about security. I actually feel a lot better rather than usually I'm thinking about securities kind of stresses me out. [Laughs] PHILIPPE: You can bury the problem but it's going to return in the future anyway, so you might as well get onboard and start learning. It's not that scary if you actually -- it's a lot of fun. So, you should learn about security. CHARLES: Well, I am looking forward to diving in. If anyone wants to get in touch with you, how would they do that on Twitter or Email? PHILIPPE: Yeah, sure. I'm on Twitter. I'm always happy to chat about security. You can reach me by Email as well. I'm very easy to reach. And I'll be happy to help out people with questions. Sure. CHARLES: All right. Thank you so much, Philippe. Thank you for listening. If you or someone you know has something to say about building user interfaces that simply must be heard, please get in touch with us. We can be found on Twitter at @TheFrontside or over just plain old Email at contact@frontside.io. Thanks and see you next time.

Forbes Website Infected by Magecart https://twitter.com/bad_packets/status/1128517905765683201 Malware Randomizes TLS Ciphers https://blogs.akamai.com/sitr/2019/05/bots-tampering-with-tls-to-avoid-detection.html Google Recalls Titan Security Keys https://security.googleblog.com/2019/05/titan-keys-update.html SAMBA Update https://www.samba.org/samba/security/CVE-2018-16860.html SAP Patches https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032

RCE Vulnerability in Dell Support Assist https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/ Creston Multiple Vulnerabilities https://www.crestron.com/en-US/Security/Security_Advisories Polymorphic Skimmer Targeting 57 different Payment Gateways https://labs.sansec.io/2019/04/29/polymorphic-skimmer-57-payment-gateways/ More Attacks Against S/Mime and PGP Signed Email https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf

Emotet Backend Analysis https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/ Kaspersky Vs. Chromecast https://www.bleepingcomputer.com/news/security/kaspersky-av-having-certificate-conflicts-with-google-chromecast/ MageCart Updates https://www.riskiq.com/research/inside-magecart/

Microsoft Patch Tuesday https://isc.sans.edu/forums/diary/October+2018+Microsoft+Patch+Tuesday/24186/ Adobe Updates https://helpx.adobe.com/security.html Magecart Infects "Shopper Approved" Plugin https://www.riskiq.com/blog/labs/magecart-shopper-approved/