Kubernetes Security, Region Cloud Disaster and other topics in the new Short #70 episode! Patoarchitekci analyse the Kubescape tool, which is graduating from the CNCF Sandbox and offers an alternative to expensive commercial solutions. Get ready for a discussion of destroyed cloud regions and the vector showdown OpenSearch vs Elastic. The new Grafana Loki 3.4 introduces support for Thanos Object Storage, and Promtail moves to Grafana Alloy. A report on Infrastructure as Code reveals that, despite its popularity, only 1/3 of organisations have 75% of their workloads automated. Funny management anti-patterns show why the best developer should not necessarily be managing people. Check whether your application is among the 52% that pass the OWASP Top Ten test! You will also be interested in the multi-node cluster feature in Docker Desktop, which lets you run up to 10 Kubernetes nodes on a single machine. Listen and find out whether your approach to optimisation is not, by any chance, premature. And now, no slacking off!
Join Chris Romeo and Robert Hurlbut as they sit down with Andrew van der Stock, a leading web application security specialist and executive director at OWASP. In this episode, Andrew discusses the latest with the OWASP Top 10 Project, the importance of data collection, and the need for developer engagement. Learn about the methodology behind building the OWASP Top 10, the significance of framework security, and much more. Tune in to get vital insights that could shape the future of web application security. Don't miss this informative discussion!

Previous episodes with Andrew van der Stock:
Andrew van der Stock: Taking Application Security to the Masses
Andrew van der Stock and Brian Glas: The Future of the OWASP Top 10

Books mentioned in the episode:
The Crow Road by Iain Banks
Edward Tufte

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!
Steve Wilson and Gavin Klondike are part of the core team for the OWASP Top 10 for Large Language Model Applications project. They join Robert and Chris to discuss the implementation and potential challenges of AI, and present the OWASP Top Ten for LLM version 1.0. Steve and Gavin provide insights into the issues of prompt injection, insecure output handling, training data poisoning, and others. Specifically, they emphasize the significance of understanding the risk of allowing excessive agency to LLMs and the role of secure plugin designs in mitigating vulnerabilities.

The conversation dives deep into the importance of secure supply chains in AI development, looking at the potential risks associated with downloading anonymous models from community-sharing platforms like Huggingface. The discussion also highlights the potential threat implications of hallucinations, where AI produces results based on what it thinks it's expected to produce and tends to please people, rather than generating factually accurate results.

Wilson and Klondike also discuss how certain standard programming principles, such as 'least privilege', can be applied to AI development. They encourage developers to conscientiously manage the extent of privileges they give to their models to avert discrepancies and miscommunications from excessive agency. They conclude the discussion with a forward-looking perspective on how the OWASP Top Ten for LLM Applications will develop in the future.

Links:
OWASP Top Ten for LLM Applications project homepage: https://owasp.org/www-project-top-10-for-large-language-model-applications/
OWASP Top Ten for LLM Applications summary PDF: https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-slides-v1_1.pdf
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Jim Manico, Founder and CEO of Manicode Security, a secure coding education firm. They discuss the various challenges around certain items on the OWASP Top Ten list, including server-side request forgery and access control, and how security and developers can partner for better logging and alerting. They also talk about the courses Jim offers and why the biggest one in demand today is AI and security.

Topics discussed:
What are the biggest changes in the OWASP Top Ten, and the challenges that accompany two of the list's issues: server-side request forgery and access control.
What issue is Jim surprised to see on the OWASP Top Ten.
How developers and security can work more closely together to create a better approach to logging and alerting.
Why the best approach to DevOps is to have it as a service and a liaison team, not as a merger of individuals from across the organization.
Why training on AI and security is increasing in demand today.
How security professionals and developers are like professional wrestling superstars.
In episode 81 of the We Hack Purple Podcast host Tanya Janca spoke to Diana Kelley, Chief Information Security Officer (CISO) at Protect AI. Diana and Tanya worked together at Microsoft, and to say that Diana is a pillar of the information security industry is somewhat of an understatement. Together they discussed problems with Large Language Models (LLMs) ingesting crappy code and bad licenses, the OSSF (and its goodness), and that sometimes people don't even realize they are breaking software licenses when they use what an LLM has produced.

We discussed the fact that if a CVE comes out for a library an LLM gave you, but it didn't identify it with the correct name of the library, you wouldn't receive notifications about it. She clarified how ML pipelines are set up, how data scientists work, with insecure Jupyter laptops all over the place (perhaps a generalization on my part). We discussed how data science seems to be a topic a lot of CISOs are pretending isn't in their domain to protect, but both of us agreed that is not so. They have some of the most valuable data your organization can possess.

We also covered best practices for securing MLSec, the OWASP Top Ten for LLMs, and the new free community her company has started, MLSECOPS. She also released an updated version of her book, Practical Cybersecurity Architecture!

Diana Links:
Diana on LinkedIn
https://www.wicys.org/ (of course!)
https://mlsecops.com/
OSS Jupyter Notebook scanner here: https://nbdefense.ai/
https://protectai.com/
Her book: https://www.packtpub.com/product/practical-cybersecurity-architecture-second-edition/9781837637164

Bio: Diana Kelley is the Chief Information Security Officer (CISO) for Protect AI. She also serves on the boards of Cyber Future Foundation, WiCyS, and The Executive Women's Forum (EWF). Diana was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.

Very special thanks to our sponsor! Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable. Get Your Free Trial Here! Semgrep also makes a ludicrously fast static analysis tool. They have a free and paid version of this tool, which uses an open-source engine and offers additional community-created rulesets! Check out Semgrep Code HERE
How do we do security in the world of AI and LLMs? A great place to start is with an OWASP project tasked with creating a standardized guideline for building secure AI applications with large language models such as ChatGPT. Enter OWASP Top Ten for LLMs, and Steve Wilson, the project leader.

You'll experience Large Language Models (LLMs) and their implications in AI. Steve explains how the introduction of ChatGPT marked a significant shift in the AI landscape. He elaborates on the concept of LLMs, their functioning, and the unique properties that emerge when used at a large scale.

Traditional OWASP Top Ten issues like SQL injection and broken authorization are still applicable when dealing with AI applications, and the OWASP API Top Ten could be layered onto these considerations. Think about it -- AI applications have web frontends.

A new discipline of AI security engineering is on the horizon, focusing on the security of large language models and the applications that access them. A focus on both AI safety AND security must occur.

We look forward to the release of the 1.0 version of the OWASP Top Ten for LLMs. Join the discussion today on OWASP Slack, and help form the new list.
Patoarchitekci Short! More about AI and regulatory matters, OWASP Top Ten, open source in cloud services... and more! Our socials and links. Episode materials.
Show Notes: A FFP interview with Guy Podjarny. Guy is a renowned entrepreneur and technologist who currently serves as the co-founder and president at Snyk, a leading cloud-native security company. Guy also hosts The Secure Developer podcast, and is an O'Reilly author. Prior to Snyk, Guy Podjarny co-founded Blaze, a groundbreaking web security startup that was later acquired by Akamai Technologies. With over two decades of experience in the software industry, Guy is recognized as a thought leader in the field of application security and has contributed to several open-source projects, including OWASP Top Ten and the Node.js security project. He is also a frequent speaker at industry events and has authored the book "Securing Open Source Libraries" to help developers improve the security of their software. As a passionate advocate for secure software development, Guy is dedicated to empowering developers to write secure code from the start. His mission with Snyk is to democratize security and make it accessible to all developers, regardless of their level of expertise. Under his leadership, Snyk has grown rapidly and become a trusted partner for many of the world's leading companies. Guy's innovative thinking and commitment to building a better, more secure digital world have earned him numerous accolades.

Hear Guy Podjarny's perspective on: Invisible Security, Providing Value, Risk Reduction, ROI Calculator, Justifying Expenses, Aligning On Price, Messaging Is Definition, Power Statements, Product Problem, Understanding Value, Holding Complexity, Primary Bits, Core Messaging.

Links: Guy Podjarny on Twitter, Snyk, The Secure Developer Podcast, Guy Podjarny on GitHub.

We are currently hiring at Stellate. If you are interested in potentially working with us, please take a look at our hiring page.
Show Notes: A FFP interview with Guy Podjarny. Hear Guy Podjarny's perspective on: Heavybit Environment, High Standards, Functionality vs Security, Monetizing Security, Explosive Growth, Founder Image, Humility Culture, Unsolved Problems, Appreciating Success, Celebrating Teams, Hiring Leadership, Execution Ability, Vision & Hustle, Assessing Leadership, Replacing Executives, Retaining Leaders, Heads Of X, Inflated Titles.

Links: Guy Podjarny on Twitter, Snyk, The Secure Developer Podcast, Guy Podjarny on GitHub.
Show Notes: A FFP interview with Guy Podjarny. Hear Guy Podjarny's perspective on: Outside Perspective, Family Grounding, Adapting Scale, Managing Family Life, Disconnecting, Travel Rules, Importance Of Vacations, Inflection Points, Dev Tools Companies, Product User Fit, Embracing Security, Depth vs. Breadth, Narrow But Deep, Product Buyer Fit.

Links: Guy Podjarny on Twitter, Snyk, The Secure Developer Podcast, Guy Podjarny on GitHub.
Show Notes: A FFP interview with Guy Podjarny. Hear Guy Podjarny's perspective on: Guy Podjarny's Journey, Typical Week, Replacing Himself, Growing Quickly, Snyk & Blaze, Product Vision, Looking Ahead, Angel Investing, External Perspectives, Becoming A CTO, Holistic Big Picture, Quality Co-Founders, Israel Branch, Addictive Rollercoaster.

Links: Guy Podjarny on Twitter, Snyk, The Secure Developer Podcast, Guy Podjarny on GitHub.
In today's episode of Elixir Wizards, Michael Lubas, founder of Paraxial.io, joins hosts Owen Bickford and Bilal Hankins to discuss security in the Elixir and Phoenix ecosystem. Lubas shares his insights on the most common security risks developers face, recent threats, and how Elixir developers can prepare for the future.

Common security risks, including SQL injection and cross-site scripting, and how to mitigate these threats
The importance of rate limiting and bot detection to prevent spam SMS messages
Continuous security testing to maintain a secure application and avoid breaches
Tools and resources available in the Elixir and Phoenix ecosystem to enhance security
The Guardian library for authentication and authorization
Take a drink every time someone says "bot"
The difference between "bots" and AI language models
The potential for evolving authentication, such as Passkeys over WebSocket
How Elixir compares to other languages due to its immutability and the ability to trace user input
Potion Shop, a vulnerable Phoenix application designed to test security
Talking Tom, Sneaker Bots, and teenage hackers!
The importance of security awareness and early planning in application development
The impact of open-source software on application security
How to address vulnerabilities in third-party libraries
Conducting security audits and implementing security measures

Links in this episode:
Michael Lubas: Email - michael@paraxial.io; LinkedIn - https://www.linkedin.com/in/michaellubas/
Paraxial.io - https://paraxial.io/
Blog/Mailing List - https://paraxial.io/blog/index
Potion Shop - https://paraxial.io/blog/potion-shop
Elixir/Phoenix Security Live Coding: Preventing SQL Injection in Ecto
Twitter - https://twitter.com/paraxialio
LinkedIn - https://www.linkedin.com/company/paraxial-io/
GenServer Social - https://genserver.social/paraxial
YouTube - https://www.youtube.com/@paraxial5874
Griffin Byatt on Sobelow: ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application (https://www.youtube.com/watch?v=w3lKmFsmlvQ)
Erlang Ecosystem Foundation: Security Working Group - https://erlef.org/wg/security
Article by Bram - Client-Side Enforcement of LiveView Security (https://blog.voltone.net/post/31)
Special Guest: Michael Lubas.
Hi! Almost four months have passed since Łukasz Wołek last hosted the podcast, which does not mean the CEO of Grupa Eura7 was short of things to do: in that time he focused on organising webinars, which you can find HERE. This time he is joined at the microphone by Karol Teterycz, our long-time Technical Leader. The conversation rests on three pillars, between which the two of them move freely: warranty, software and security, all against the backdrop of our in-house content management system. They attempt to answer many questions concerning not only Grupa Eura7 but also industry standards, bugs, testing and the advantages of using your own software. Throughout the discussion many names and abbreviations that mean little to laypeople come up, including framework, cross-site scripting, MVC, IDE, Elasticsearch and Redis. Naturally, each topic gets enough time to be covered thoroughly, hence the nearly hour-long recording. All the more reason to invite you to listen, because the latest episode lets you not only learn how we work but also hear about the tools we use.

And what do you think: why exactly 7 years of warranty?

Grupa Eura7 is not just 23 years on the market but also collaborations with many large companies (including Śnieżka, Vistula, Malopolska.pl, Tato.Net, Nordweld, Sokołów, Colfarm), which have allowed us to gather proven information and put it to the most effective use in building the company's know-how.

In this episode you will learn:
Is adding a warranty to IT services standard in the industry?
What does the warranty we offer cover?
What are hidden defects and when can they surface?
How are digital products tested?
What is a peak?
Is it possible to eliminate all bugs during testing?
When does a warranty come in handy?
What is the OWASP Top Ten?
What new software have we rolled out at Grupa Eura7?
What is a framework?
What do we gain from using frameworks?
Why exactly 7 years of warranty?
What is cross-site scripting?
How is framework-based software tested?
What advantage does in-house software have over open-source software?
Which framework did we use to build the platform?
Which framework is currently the most popular on the market?
What do the abbreviations MVC and IDE mean?
What are the benefits of using Elasticsearch?
What is Redis?
What can we build on our proprietary platform?
Given that we work on a proprietary platform, is the client locked in with us?

Join the networking group of the Marketing Ludzkim Głosem podcast: https://www.facebook.com/groups/MarketingLudzkimGlosem/
Show Notes: A FFP interview with Guy Podjarny. Hear Guy Podjarny's perspective on: Puzzle Connoisseur, Guy Podjarny's Journey, Growing Quickly, Snyk & Blaze, Product Vision, Looking Ahead, Quality Co-Founders, External Perspectives, Becoming A CTO, Holistic Big Picture, Israel Branch, Co-Founder Trust, Addictive Rollercoaster, Family Grounding, Importance Of Vacations, Managing Family Life, Developer Tooling, Embracing Security, Narrow But Deep, Product Buyer Fit, Snyk's Inflection Point, Snyk's Culture, Hiring Leadership, Heads Of X, Failing Leaders, Selling Something Invisible, Aligning On Value, Total Addressable Market, Messaging Is Definition, Holding Complexity, Alleviating Complexity.

Links: Guy Podjarny on Twitter, Snyk, The Secure Developer Podcast, Guy Podjarny on GitHub.
In this episode, we talk about application security with guest Tanya Janca. Hear our discussion on the tension between authentication and authorization, the prevalence of API security flaws, the upcoming open comment period for the new version of the OWASP Top Ten, and the inadequacy of API security measures. We also discuss the importance of designing an effective security program for different industry companies, the differences between CSPM and CASB, the use of tools, and the importance of keeping up with updates.

Read the associated short blog on Application Security: https://www.horangi.com/blog/exploring-the-challenges-of-application-security

About Horangi Cybersecurity:
More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast
About Horangi Cyber Security: https://www.horangi.com

About the Guest:
Tanya's LinkedIn: https://www.linkedin.com/in/tanya-janca/
SheHacksPurple: https://shehackspurple.ca/
Get Tanya's book here: https://a.co/d/cY33RL0
Penetration testing is a vital part of a robust security program, but the traditional pentesting model is in a rut. Assessments happen infrequently, the scope is often very broad, and the report is usually overwhelming. What if you could increase the overall ROI of your pentesting program and avoid these limitations? Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is a great start, but a pentest could provide exponential value by applying a more strategic approach. In this episode of CyberWire-X, the CyberWire's Rick Howard and Dave Bittner discuss what it means to "shift left" with your penetration testing by working on a threat-informed test plan with guests and Hash Table members Bob Turner, the Field CSO of Fortinet, Etay Maor, the Senior Director for Security Strategy at Cato Networks, and Dan DeCloss, the Founder and CEO of our episode sponsor PlexTrac.
Michael Bargury is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure, focused on IoT, APIs and IaC. Michael is passionate about all things related to cloud, SaaS and low-code security and spends his time finding ways they could go wrong. He also leads the OWASP low-code security project and writes about it on DarkReading. Michael is a regular speaker at OWASP, BSides and DEFCON conferences.

Michael joins us to unpack Low Code / No Code and the new OWASP Top Ten that defines specific risks against Low/No Code. We hope you enjoy this conversation with Michael Bargury.

Visit our website: https://www.securityjourney.com/resources/application-security-podcast

The Application Security Podcast is brought to you by Security Journey. Security Journey delivers secure coding training to development teams and those who support them. They help enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC. TRY OUR TRAINING ➜ https://info.securityjourney.com/try-our-training
Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to "shift left" with your penetration testing by working on a threat-informed test plan. Using a threat-informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams.

Segment Resources:
Hack Your Pentesting Routine WP: https://plextrac.com/resources/white-papers/hack-your-pentesting-routine/
Effective Purple Teaming WP: https://plextrac.com/effective-purple-teaming/

This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!

In the Security News: submerged under blankets in a popcorn tin is where they found it, Indirect Branch Tracking, don't hack me bro, we're here from the government to scan your systems, Fizzling out security, static and dynamic analysis for the win, BYODC, Bring your own domain controller, application context matters, if you want an update better have an Intel CPU, one-time programs, urlscan is leaking, hacking load balancers, and it's all about the company you keep.

Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/psw763
How do you become a Cyber Security Expert? Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert. As always, please follow us on LinkedIn, and subscribe to our podcasts. As a security leader, part of your role is to develop your people. That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned that what differentiates true leaders from those who just accomplish a great deal is making the effort to develop your people. Now, you may have heard the phrase, "take care of your people," but I'll take issue with that. I take care of my dog. I take care of a family member who is sick, injured, or incapacitated. Why? Because they are not capable of performing all of life's requirements on their own. For the most part, your people can do this. If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome. People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them. I am NOT going to get political here, so don't worry about that. Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves. In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success. That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert?
If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having to seek out a mentor. Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!" But most of the time, career mastery involves learning from a number of others. Today on CISO Tradecraft we are going to analyze the question, "How do you become a Cyber Security Expert?" I'm going to address this topic as if I were addressing someone in search of an answer. Don't tune out early because you feel you've already accomplished this. Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have. Let's start at the beginning. Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?). You see someone who tells you they have a cool job where they get paid to ethically hack into computers. Later on, you meet a second person who says they make really good money stopping bad actors from breaking into banks. Somehow these ideas stick in your brain, and you start to say to yourself, you know, both of those jobs sound pretty cool. You begin to see yourself having a career in Cyber Security. You definitely prefer it to jobs that require a lot of manual labor and start at low pay. So, you start thinking, "how can I gain the skills necessary to land a dream job in cyber security that also pays well?" At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs. The four building blocks are: getting an education, getting certifications, getting relevant job experience, and building your personal brand. So, let's explore these in detail. Number 1: Getting an education.
When most people think about getting an education after high school, they usually talk about getting an associate's or a bachelor's degree. If you were to look at most Chief Information Security Officers, you will see the majority of them earned a bachelor's degree in Computer Science, an Information Systems or Technology degree from a college of business such as a BS in Management of Information Systems (MIS) or Computer Information Systems, or more recently a related discipline such as a degree in Cyber Security. An associate degree is a great start for many, particularly if you don't have the money to pay for a four-year university degree right out of high school. Tuition and debt can rack up pretty quickly, leaving some students deeply in debt, and for some, that huge bill is a non-starter. Fortunately, community colleges offer quality educational opportunities at very competitive rates relative to four-year degree institutions. For example, Baltimore County Community College charges $122 per credit hour for in-county residents. A couple of miles away, Johns Hopkins University charges $2,016 per credit hour. Now, that's a HUGE difference -- over 16 times if you do the math. Now, Hopkins does have some wonderful facilities and excellent faculty, but when it comes to first- and second-year undergraduate studies, is the quality and content of the education THAT different? Well, that's up to you to decide. The important take-away is, no one should decide NOT to pursue a cybersecurity education because of lack of money. You can get started at any age on an associate degree, and that may give you enough to go on to get your first job. However, if you want to continue on to a bachelor's degree, don't give up. Later I'll explain about a program that has been around since 2000 and has provided over 3,300 students with scholarships AND job placement after graduation. Back to those going directly for a bachelor's degree.
Now, the good news is that your chosen profession is likely to pay quite well, so not only are you likely to be able to pay off the investment you make in your education, but it will return dividends many times that which you paid, for the rest of your career. Think of financing a degree like financing a house. In exchange for your monthly mortgage payment, you get to enjoy a roof over your head and anything else you do with your home. As a cybersecurity professional, in exchange for your monthly student loan payment, you get to earn well-above average incomes relative to your non-security peers, and hopefully enjoy a rewarding career. And, like the right house, the value of your career should increase over time making your investment in your own education one of your best performing assets. Does this mean that you 100% need a bachelor's degree to get a job in cyber? No, it does not. There are plenty of cyber professionals that speak at Blackhat and DEF CON who have never obtained a college degree. However, if ten applicants are going for an extremely competitive job and only seven of the ten applicants have a college degree in IT or Cyber, you shouldn't be surprised when HR shortens the list of qualified applicants to only the top five applicants all having college degrees. It may not be fair, but it's common. Plus, a U.S. Census Bureau study showed that folks who have a bachelor's degree make half a million dollars more over a career than those with an associate degree, and 1.6 times what a high school diploma holder may earn over a lifetime. So, if you want more career opportunities and want to monetize your future, get past that HR checkbox that looks for a 4-year degree. Now, some people (usually those who don't want to do academic work) will say that a formal education isn't necessary for success. After all, Bill Gates and Mark Zuckerberg were college dropouts, and they're both worth billions. 
True, but it's a false argument to claim a cause-and-effect relationship there. Both were undergraduates at Harvard University when they developed their business ideas. So, if someone wants to assert a degree isn't necessary, counter that you'll agree once they are accepted into Harvard and produce a viable business plan as a teenager while attending classes. You see, completing four years of education in a field of study proves a few things. I've interviewed candidates who said they took all of the computer science and cybersecurity courses they wanted and didn't feel a need to "waste time" with fuzzy studies such as history and English composition. Okay, I'll accept that that person had a more focused education. But consider the precedent here. When a course looked uninteresting or difficult, that candidate just passed on the opportunity. In the world of jobs and careers, there are going to be tasks that are uninteresting or difficult, and no one wants to do them, but they have to get done. As a boss, do you want someone who has shown the persistence to take a difficult course and completed it with an A (or maybe even a B), or do you want someone who passed when the going got a little rough? The business world isn't academia where you're free to pick and choose whether to complete requirements. Stuff has to get done, and someone who has a modified form of learned helplessness will most likely not follow through when that boring task comes due. Remember I said I was going to tell you how to deal with the unfortunate situation where a prospective student doesn't have enough money to pay for college? There are a couple of ways to meet that challenge. It's time to talk to your rich uncle about paying for college. That uncle is Uncle Sam. Uncle Sam can easily finance your college so you can earn your degrees in Cyber Security. However, Uncle Sam will want you to work for the government in return for paying for your education.
Two example scholarships that you could look into are the Reserve Officer Training Corps (ROTC) and Scholarship for Service (SFS). ROTC is an officer accession program offered at more than 1,700 colleges and universities across the United States to prepare young adults to become officers in the U.S. Military. For scholarship students, ROTC pays 100% of tuition, fees, books, and a modest stipend for living expenses. A successful degree program can qualify an Army second lieutenant for a Military Occupation Specialty (or MOS) such as a 17A Cyber Operations Officer, a 17B Cyber and Electronic Warfare Officer, or a 17D Cyber Capabilities Development Officer, a great start to a cybersecurity career. For the Navy, a graduating Ensign may commission as an 1810 Cryptologic Warfare Officer, 1820 Information Professional Officer, 1830 Intelligence Officer, or an 1840 Cyber Warfare Engineer. The Navy uses designators rather than MOS's to delineate career patterns. These designators have changed significantly over the last dozen years and may continue to evolve. The Marine Corps has a 1702 cyberspace officer MOS. Note that the Navy and the Marine Corps share a commissioning source in NROTC (Navy ROTC), and unlike the Army that has over 1,000 schools that participate in AROTC and the Air Force that has 1,100 associated universities in 145 detachments, there are only 63 Navy ROTC units or consortiums, although cross-town affiliates include nearly one hundred more colleges and universities. There are a lot of details that pertain to ROTC, and if you're serious about entering upon a military officer career, it's well worth the time and effort to do your research. Not all ROTC students receive a scholarship; some receive military instruction throughout their four years and are offered a commission upon graduation. 
Three- and four-year scholarship students incur a military obligation at the beginning of sophomore year, two-year scholarship students at the beginning of junior year, and one-year scholarship students at the start of senior year. The military obligation today is eight years, usually the first four of which are on active duty; the rest may be completed in the reserves. If you flunk out of school, you are rewarded with an enlistment rather than a commission. These numbers were different when I was in ROTC, and they may have changed since this podcast was recorded, so make sure you get the latest information to make an informed decision. What if you want to serve your country but you're not inclined to serve in the military, or have some medical condition that may keep you from vigorous physical activity, or had engaged in recreational chemical use or other youthful indiscretions that may have disqualified you from further ROTC consideration? There is another program worth investigating. The National Science Foundation provides educational grants through the Scholarship For Service program or SFS for short. SFS is a government scholarship that will pay up to 3 years of costs for undergraduate and even graduate (MS or PhD) educational degree programs. It's understood that government agencies do not have the flexibility to match private sector salaries in cyber security. However, by offering scholarships up front, qualified professionals may choose to stay in government service; hence SFS continues as a sourcing engine for Federal employees. Unlike ROTC, a participant in SFS will incur an obligation to work in a non-DoD branch of the Federal government for a duration equal to the number of years of scholarship provided. In addition to tuition and education-related fees, undergraduate scholarship recipients receive $25,000 in annual academic stipends, while graduate students receive $34,000 per year. 
In addition, $6,000 is provided for certifications, and even travel to the SFS Job Fair in Washington DC. That job fair is an interesting affair. I was honored to be the keynote speaker at the SFS job fair back in 2008. I saw entities and agencies of the Federal government that I didn't even know existed, but they all had a cybersecurity requirement, and they all were actively hiring. SFS students qualify for "excepted service" appointments, which means they can be hired through an expedited process. These have been virtual the last couple of years due to COVID-19, but expect in-person events to resume in the future. I wrote a recommendation for a young lady whom I've known since she was born (her mom is a childhood friend of mine), and as an electrical engineering student in her sophomore year, she was selected for a two-year SFS scholarship. A good way to make mom and dad happy, knowing they're not going to be working until 80 to pay off their kid's education bills. In exchange for a two-year scholarship, SFS will usually require a student to complete a summer internship between the first and second years of school and then work two years in a government agency after graduation. The biggest benefit of the Scholarship for Service is you can work at a variety of places. So, if your dream is to be a nation-state hacker for the NSA, CIA, or the FBI, then this offers a great chance of getting in. These three-letter agencies heavily recruit from these programs. As I mentioned, there are a lot of other agencies as well. You could find work at the State Department, Department of Health and Human Services, the Department of Education, the Federal Reserve Board, and I think I remember the United States Agency for International Development (USAID). Federal executive agencies, Congress, interstate agencies, and even state, local, or tribal governments can satisfy the service requirement.
So, you can get paid to go to college and have a rewarding job in the government that builds a nice background for your career. How would you put all this together? I spent nine years as an advisor to the National CyberWatch Center. Founded as CyberWatch I in 2005, it started as a Washington D.C. and Mid-Atlantic regional effort to increase the quantity and quality of the information assurance workforce. In 2009, we received a National Science Foundation award and grants that allowed the program to go nationwide. Today, over 370 colleges and universities are in the program. So why the history lesson? What we did was align curriculum between two-year colleges and four-year universities, such that a student who took the designated courses in an associate degree program would have 100% of those credits transfer to the four-year university. That is HUGE. Without getting into the boring details, schools would certify to the Committee on National Security Systems (CNSS) (formerly known as the National Security Telecommunications and Information Systems Security Committee or NSTISSC) national training standard for INFOSEC professionals known as NSTISSI 4011. Now with the help of an SFS scholarship, a student with little to no financial resources can earn an associate degree locally, proceed to a bachelor's degree from a respected university, have a guaranteed job coming out of school, and HAVE NO STUDENT DEBT. Parents, are you listening carefully? Successfully following that advice can save $100,000 and place your child on course for success. OK, so let's fast forward 3 years and say that you are getting closer to finishing a degree in Cyber Security or Computer Science. Is there anything else that you can do while performing a summer internship? That brings us to our second building block. Getting certifications. Number Two: Getting a Certification. Earning certifications is another key step to demonstrate that you have technical skills in cyber security.
Technology changes rapidly. That means that universities typically don't provide specialized training in Windows 11, Oracle Databases, Amazon Web Services, or the latest programming language. Thus, while you may come out of a computer science degree with knowledge of how to write C++ and JavaScript, there are a lot of skills you often lack to be truly knowledgeable in the workforce. Additionally, most colleges teach only the free version of software. In class you don't expect to learn how to deploy antivirus software to thousands of endpoints from a vendor that would be in a Gartner Magic Quadrant, yet that is exactly what you might encounter in the workplace. So, let's look at some certifications that can help you establish your expertise as a cyber professional. We usually recommend entry-level certifications from CompTIA as a great starting point. CompTIA has some good certifications that can teach you the basics in technology. For example: CompTIA A+ can teach you how to work an IT Help Desk. CompTIA Network+ can teach you about troubleshooting, configuring, and managing networks. CompTIA Linux+ can help you learn how to perform as a system administrator supporting Linux systems. CompTIA Server+ ensures you have the skills to work in data centers as well as on-premises or hybrid environments. Remember, it's really hard to protect a technology that you know nothing about, so these are easy ways to get great experience in a technology. If you want a certification such as these from CompTIA, we recommend going to a bookstore such as Amazon, buying the official study guidebook, and setting a goal to read every day. Once you have read the official study guide, go and buy a set of practice exam questions from a site like Whizlabs or Udemy. Note this usually retails for about $10. So far this represents a total cost of about $50 ($40 to buy a book and $10 to buy practice exams).
For that small investment, you can gain the knowledge base to pass a certification. You just need to pay for the exam and meet eligibility requirements. Now, after you get a good grasp of important technologies such as servers, networks, and operating systems, we recommend adding several types of certifications to your resume. The first is a certification in the Cloud. One notable example of that is AWS Certified Solutions Architect - Associate. Note you can find solution architect certifications from Azure and GCP, but AWS is the most popular cloud provider, so we recommend starting there. Learning how the cloud works is extremely important. Chances are you will be asked to defend it, and you need to understand what an EC2 server is, the types of storage used to make backups, and how to provide proper access control. So, spend the time and get certified. One course author who provides a great course is Adrian Cantrill. You can find his course link for AWS Solutions Architect in our show notes or by visiting learn.cantrill.io. The course costs $40 and has some of the best diagrams you will ever see in IT. Once again, go through a course like this and supplement it with practice exam questions before going for the official certification. The last type of certification we will mention is an entry-level cyber security certification. We usually see college students pick up a Security+ or Certified Ethical Hacker as a foundation to establish their knowledge in cyber security. Now, the one thing that you really gain out of Security+ is a list of technical terms and concepts in cyber security. You need to be able to understand the difference between Access Control, Authentication, and Authorization if you are to consult with a developer on what is needed before allowing access to a site. These types of certifications will help you to speak fluently as a cyber professional. That means you get more job offers, better opportunities, and interesting work.
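The authentication / authorization / access-control distinction mentioned above, as an added example that is not from the episode or its show notes: a toy resource handler that authenticates a caller (who are you?), then applies an access-control rule (may this identity read this record?), shown beside the broken version that stops after authentication. All user names, secrets, document IDs and the handler names are constructed for the illustration; nothing here is a real system or credential.

```python
"""Authentication vs. authorization on a toy document-read handler.

Added illustration; all users, secrets and documents are constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed per-user shared secrets (stand-ins for a password store;
# a real system would hold salted hashes or session tokens, never these).
_USERS = {
    "alice": "alice-secret-1",
    "bob": "bob-secret-2",
}

# Constructed documents. The owner field is what the access-control
# rule is evaluated against.
_DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's tax return"},
    2: {"owner": "bob", "body": "bob's medical record"},
}


@dataclass(frozen=True)
class Principal:
    """Outcome of authentication: the verified identity of the caller."""
    username: str


def authenticate(username: str, secret: str) -> Optional[Principal]:
    """Authentication: prove the caller is who they claim to be.

    compare_digest is constant-time, so a wrong secret does not leak
    how many leading bytes matched."""
    expected = _USERS.get(username)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return Principal(username)


def authorize(principal: Principal, doc_id: int) -> bool:
    """Authorization: evaluate the access-control rule for this identity
    and this resource. Rule assumed here: only the owner may read."""
    doc = _DOCUMENTS.get(doc_id)
    return doc is not None and doc["owner"] == principal.username


def get_document_vulnerable(username: str, secret: str,
                            doc_id: int) -> Tuple[int, Optional[str]]:
    """Broken handler: authenticates, then serves any document by ID.
    Any valid login can read every user's records (an insecure direct
    object reference)."""
    if authenticate(username, secret) is None:
        return 401, None
    doc = _DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc["body"]


def get_document(username: str, secret: str,
                 doc_id: int) -> Tuple[int, Optional[str]]:
    """Hardened handler: authenticate, then authorize, then serve."""
    principal = authenticate(username, secret)
    if principal is None:
        return 401, None
    if not authorize(principal, doc_id):
        # 404 rather than 403 so the response does not confirm that
        # a document the caller may not read exists.
        return 404, None
    return 200, _DOCUMENTS[doc_id]["body"]


if __name__ == "__main__":
    # bob logs in correctly, then asks for alice's document.
    print(get_document_vulnerable("bob", "bob-secret-2", 1))  # served
    print(get_document("bob", "bob-secret-2", 1))             # refused
```

The point to take to a developer conversation is that the two handlers are identical up to the login check; the difference is a single authorization call between "who is this?" and "return the record", and the access-control rule (owner-only here) is a policy decision that has to be written down before that call can be implemented.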
It's next to impossible to establish yourself as a cyber expert if you don't even understand the technical jargon correctly. Number Three: Getting Relevant Job Experience OK, so you have a college degree and an IT certification or two. What's next? At this point in time, you are eligible for most entry level jobs. So, let's find interesting work in Cyber Security. If you are looking for jobs in cyber security, there are two places we recommend. The first is LinkedIn. Almost all companies post there and there's a wealth of opportunities. Build out an interesting profile and look professional. Then apply, apply, apply. It will take a while to find the role you want. Also post that you are looking for opportunities and need help finding your first role. You will be surprised at how helpful the cyber community is. Here's a pro tip: add some hashtags with your post to increase its visibility. Another interesting place to consider is your local government. The government spends a lot of time investing in their employees. So go there, work a few years, and gain valuable experience. You can start by going to your local government webpage such as USAJobs.Gov and search for the Career Codes that map to cyber security. For example, search using the keyword “2210” to find the job family of Information Technology Management where most cyber security opportunities can be found. If you find that you get one of these government jobs, be sure to look into college repayment programs. Most government jobs will help you pay off student loans, finance master's degrees in Cyber Security, or pay for your certifications. It's a great win-win to learn the trade. Once you get into an organization and begin working your first job out of college, you then generally get one big opportunity to set the direction of your career. What type of cyber professional do you want to be? Usually, we see most Cyber Careerists fall into one of three basic paths. 
Those are Offensive Security, Defensive Security, and Security Auditing. The reason these three are the most common is they have the largest number of job opportunities. So, from a pure numbers game, it's likely where you are going to spend the bulk of your career, although we do recommend cross-training. Mike Miller, who is the vCISO for Appalachia Technologies, put out a great LinkedIn post on this where he goes into more detail. Note we have a link to it in our show notes. Here are some of our own thoughts on these three common cyber pathways: Offensive Security is for those who like to find vulnerabilities in things before the bad guys do. It's fun to learn how to hack and take jobs in penetration testing and the red team. Usually, if you choose this career, you will spend time learning offensive tools like Nmap, Kali Linux, Metasploit, Burp Suite, and others. You need to know how technology works, common flaws such as the OWASP Top Ten web application security risks, and how to find those vulnerabilities in technology. Once you do, there's a lot of interesting work awaiting. Note: if these roles interest you, then try to obtain the Offensive Security Certified Professional (OSCP) certification to gain relevant skill sets that you can use at work. Defensive Security is for the protectors. These are the people who work in the Security Operations Center (SOC) or Incident Response Teams. They look for anomalies, intrusions, and signals across the whole IT network. If something is wrong, they need to find it and identify how to fix it. Similar to Offensive Security professionals, they need to understand technology, but they differ in the types of tools they need to look at. You can find a defender looking at logs. Logs can come from an Intrusion Detection System, a Firewall, a SIEM, Antivirus, Data Loss Prevention tools, an EDR, and many other sources. Defenders will become an expert in one of these tools that needs to be constantly monitored.
Note if you are interested in these types of opportunities look for cyber certifications such as the MITRE ATT&CK Defender (MAD) or SANS GIAC Certified Incident Handler GCIH to gain relevant expertise. Security Auditing is a third common discipline. Usually reporting to the Governance, Risk, and Compliance organization, this role is usually the least technical. This discipline is about understanding a relevant standard or regulation and making sure the organization follows the intent of the standard/regulation. You will spend a lot of time learning the standards, policies, and best practices of an industry. You will perform risk assessments and third-party reviews to understand how we certify as an industry. If you would like to learn about the information systems auditing process, governance and management of IT systems, business processes such as Disaster Recovery and Business Continuity Management, and compliance activities, then we recommend obtaining the Certified Information Systems Auditor (CISA) certification from ISACA. Ok, so you have a degree, you have certifications, you are in a promising job role, WHAT's Next? If you want to really become an expert, we recommend you focus on… Number Four: Building your personal brand. Essentially find a way to give back to the industry by blogging, writing open-source software, creating a podcast, building cybersecurity tutorials, creating YouTube videos, or presenting a lecture topic to your local OWASP chapter on cyber security. Every time you do you will get smarter on a subject. Imagine spending three hours a week reading books in cyber security. If you did that for ten years, think of how many books you could read and how much smarter you would become. Now as you share that knowledge with others two things happen: People begin to recognize you as an industry expert. You will get invited to opportunities to connect with other smart people which allows you to become even smarter. 
If you spend your time listening to smart people and reading their works, it rubs off. You will absorb knowledge from them that will spark new ideas and increase your understanding. The second thing is when you present your ideas to others you often get feedback. Sometimes you learn that you are actually misunderstanding something. Other times you get different viewpoints, such as "Yes, this works in the financial sector, but it doesn't work in the government sector or in the university setting." This feedback also helps you become smarter as you understand more angles of approaching a problem. Trust us, the greatest minds in cyber spend a lot of time researching, learning, and teaching others. They all know G. Mark's law, which I wrote nearly twenty years ago: "Half of what you know about security will be obsolete in eighteen months." OK, so let's recap a bit. If you want to become an expert in something, then you should do four things. 1) Get a college education so that you have the greatest number of opportunities open to you, 2) get certifications to build up your technical knowledge base, 3) find relevant job experiences that allow you to grow your skill sets, and 4) finally share what you know and build your personal brand. All of these make you smarter and will help you become a cyber expert. Thanks again for listening to us at CISO Tradecraft. We wish you the best on your journey as you Learn to Earn. If you enjoyed the show, tell one person about it this week. It could be your child, a friend looking to get into cyber security, or even a coworker. We would love to help more people and we need your help to reach a larger audience. This is your host, G. Mark Hardy, and thanks again for listening and stay safe out there.
References:
https://www.todaysmilitary.com/education-training/rotc-programs
www.sfs.opm.gov
https://www.comptia.org/home
https://www.whizlabs.com/
https://www.udemy.com/
https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c03
https://www.linkedin.com/feed/update/urn:li:activity:6965305453987737600/
https://www.offensive-security.com/pwk-oscp/
https://mitre-engenuity.org/cybersecurity/mad/
https://www.giac.org/certifications/certified-incident-handler-gcih/
https://www.ccbcmd.edu/Costs-and-Paying-for-College/Tuition-and-fees/In-County-tuition-and-fees.aspx
https://www.educationcorner.com/value-of-a-college-degree.html
https://www.collegexpress.com/lists/list/us-colleges-with-army-rotc/2580/
https://www.af.mil/About-Us/Fact-Sheets/Display/Article/104478/air-force-reserve-officer-training-corps/
https://www.netc.navy.mil/Commands/Naval-Service-Training-Command/NROTC
https://armypubs.army.mil/pub/eforms/DR_a/NOCASE-DA_FORM_597-3-000-EFILE-2.pdf
https://niccs.cisa.gov/sites/default/files/documents/SFS%20Flyer%20FINAL.pdf
https://www.nationalcyberwatch.org/
How do you become a Cyber Security Expert? Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert. As always, please follow us on LinkedIn, and subscribe to our podcasts. As a security leader, part of your role is to develop your people. That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned what differentiates true leaders from those who just accomplish a great deal is the making of the effort to develop your people. Now, you may have heard the phrase, "take care of your people," but I'll take issue with that. I take care of my dog. I take care of a family member who is sick, injured, or incapacitated. Why? Because they are not capable of performing all of life's requirements on their own. For the most part, your people can do this. If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome. People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them. I am NOT going to get political here, so don't worry about that. Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves. In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success. That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert? 
If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having to seek out a mentor. Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!" But most of the time, career mastery involves learning from a number of others. Today on CISO Tradecraft we are going to analyze the question, "How do you become a Cyber Security Expert?" I'm going to address this topic as if I were addressing someone in search of an answer. Don't tune out early because you feel you've already accomplished this. Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have. Let's start at the beginning. Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?). You see someone who tells you they have a cool job where they get paid to ethically hack into computers. Later on, you meet a second person who says they make really good money stopping bad actors from breaking into banks. Somehow these ideas stick in your brain, and you start to say to yourself, "you know, both of those jobs sound pretty cool." You begin to see yourself having a career in Cyber Security. You definitely prefer it to jobs that require a lot of manual labor and start at low pay. So, you start thinking, "how can I gain the skills necessary to land a dream job in cyber security that also pays well?" At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs. The four building blocks are: getting an education, getting certifications, getting relevant job experience, and building your personal brand. So, let's explore these in detail. Number 1: Getting an education.
When most people think about getting an education after high school, they usually talk about getting an associate's or a bachelor's degree. If you were to look at most Chief Information Security Officers, you will see the majority of them earn a bachelor's degree in Computer Science, an Information Systems or Technology degree from a college of business such as a BS in Management of Information Systems (MIS) or Computer Information Systems, or more recently a related discipline such as a degree in Cyber Security. An associate degree is a great start for many, particularly if you don't have the money to pay for a four-year university degree right out of high school. Tuition and debt can rack up pretty quickly, leaving some students deeply in debt, and for some, that huge bill is a non-starter. Fortunately, community colleges offer quality educational opportunities at very competitive rates relative to four-year degree institutions. For example, Baltimore County Community College charges $122 per credit hour for in-county residents. A couple of miles away, Johns Hopkins University charges $2,016 per credit hour. Now, that's a HUGE difference -- over 16 times if you do the math. Now, Hopkins does have some wonderful facilities and excellent faculty, but when it comes to first- and second-year undergraduate studies, is the quality and content of the education THAT different? Well, that's up to you to decide. The important take-away is, no one should decide NOT to pursue a cybersecurity education because of lack of money. You can get started at any age on an associate degree, and that may give you enough to go on to get your first job. However, if you want to continue on to a bachelor's degree, don't give up. Later I'll explain about a program that has been around since 2000 and has provided over 3,300 students with scholarships AND job placement after graduation. Back to those going directly for a bachelor's degree.
Now, the good news is that your chosen profession is likely to pay quite well, so not only are you likely to be able to pay off the investment you make in your education, but it will return dividends many times that which you paid, for the rest of your career. Think of financing a degree like financing a house. In exchange for your monthly mortgage payment, you get to enjoy a roof over your head and anything else you do with your home. As a cybersecurity professional, in exchange for your monthly student loan payment, you get to earn well-above-average incomes relative to your non-security peers, and hopefully enjoy a rewarding career. And, like the right house, the value of your career should increase over time, making your investment in your own education one of your best performing assets. Does this mean that you 100% need a bachelor's degree to get a job in cyber? No, it does not. There are plenty of cyber professionals that speak at Black Hat and DEF CON who have never obtained a college degree. However, if ten applicants are going for an extremely competitive job and only seven of the ten applicants have a college degree in IT or Cyber, you shouldn't be surprised when HR shortens the list of qualified applicants to only the top five applicants, all having college degrees. It may not be fair, but it's common. Plus, a U.S. Census Bureau study showed that folks who have a bachelor's degree make half a million dollars more over a career than those with an associate degree, and 1.6 times what a high school diploma holder may earn over a lifetime. So, if you want more career opportunities and want to monetize your future, get past that HR checkbox that looks for a 4-year degree. Now, some people (usually those who don't want to do academic work) will say that a formal education isn't necessary for success. After all, Bill Gates and Mark Zuckerberg were college dropouts, and they're both worth billions.
True, but that's a false argument that there's a cause-and-effect relationship there. Both were undergraduates at Harvard University when they developed their business ideas. So, if someone wants to assert a degree isn't necessary, counter that you'll agree once they are accepted into Harvard and produce a viable business plan as a teenager while attending classes. You see, completing four years of education in a field of study proves a few things. I've interviewed candidates that said they took all of the computer science and cybersecurity courses they wanted and didn't feel a need to "waste time" with fuzzy studies such as history and English composition. Okay, I'll accept that that person had a more focused education. But consider the precedent here. When a course looked uninteresting or difficult, that candidate just passed on the opportunity. In the world of jobs and careers, there are going to be tasks that are uninteresting or difficult, and no one wants to do them, but they have to get done. As a boss, do you want someone who has shown the persistence to take on a difficult course and completed it with an A (or maybe even a B), or do you want someone who passed when the going got a little rough? The business world isn't academia, where you're free to pick and choose whether to complete requirements. Stuff has to get done, and someone who has a modified form of learned helplessness will most likely not follow through when that boring task comes due. Remember I said I was going to tell you how to deal with the unfortunate situation where a prospective student doesn't have enough money to pay for college? There are a couple of ways to meet that challenge. It's time to talk to your rich uncle about paying for college. That uncle is Uncle Sam. Uncle Sam can easily finance your college so you can earn your degrees in Cyber Security. However, Uncle Sam will want you to work for the government in return for paying for your education.
Two example scholarships that you could look into are the Reserve Officer Training Corps (ROTC) and Scholarship for Service (SFS). ROTC is an officer accession program offered at more than 1,700 colleges and universities across the United States to prepare young adults to become officers in the U.S. Military. For scholarship students, ROTC pays 100% of tuition, fees, books, and a modest stipend for living expenses. A successful degree program can qualify an Army second lieutenant for a Military Occupation Specialty (or MOS) such as a 17A Cyber Operations Officer, a 17B Cyber and Electronic Warfare Officer, or a 17D Cyber Capabilities Development Officer, a great start to a cybersecurity career. For the Navy, a graduating Ensign may commission as an 1810 Cryptologic Warfare Officer, 1820 Information Professional Officer, 1830 Intelligence Officer, or an 1840 Cyber Warfare Engineer. The Navy uses designators rather than MOS's to delineate career patterns. These designators have changed significantly over the last dozen years and may continue to evolve. The Marine Corps has a 1702 cyberspace officer MOS. Note that the Navy and the Marine Corps share a commissioning source in NROTC (Navy ROTC), and unlike the Army that has over 1,000 schools that participate in AROTC and the Air Force that has 1,100 associated universities in 145 detachments, there are only 63 Navy ROTC units or consortiums, although cross-town affiliates include nearly one hundred more colleges and universities. There are a lot of details that pertain to ROTC, and if you're serious about entering upon a military officer career, it's well worth the time and effort to do your research. Not all ROTC students receive a scholarship; some receive military instruction throughout their four years and are offered a commission upon graduation. 
Three- and four-year scholarship students incur a military obligation at the beginning of sophomore year, two-year scholarship students at the beginning of junior year, and one-year scholarship students at the start of senior year. The military obligation today is eight years, usually the first four of which are on active duty; the rest may be completed in the reserves. If you flunk out of school, you are rewarded with an enlistment rather than a commission. These numbers were different when I was in ROTC, and they may have changed since this podcast was recorded, so make sure you get the latest information to make an informed decision. What if you want to serve your country but you're not inclined to serve in the military, or have some medical condition that may keep you from vigorous physical activity, or had engaged in recreational chemical use or other youthful indiscretions that may have disqualified you from further ROTC consideration? There is another program worth investigating. The National Science Foundation provides educational grants through the Scholarship For Service program or SFS for short. SFS is a government scholarship that will pay up to 3 years of costs for undergraduate and even graduate (MS or PhD) educational degree programs. It's understood that government agencies do not have the flexibility to match private sector salaries in cyber security. However, by offering scholarships up front, qualified professionals may choose to stay in government service; hence SFS continues as a sourcing engine for Federal employees. Unlike ROTC, a participant in SFS will incur an obligation to work in a non-DoD branch of the Federal government for a duration equal to the number of years of scholarship provided. In addition to tuition and education-related fees, undergraduate scholarship recipients receive $25,000 in annual academic stipends, while graduate students receive $34,000 per year. 
An additional $6,000 is provided for certifications, and even travel to the SFS Job Fair in Washington DC. That job fair is an interesting affair. I was honored to be the keynote speaker at the SFS job fair back in 2008. I saw entities and agencies of the Federal government that I didn't even know existed, but they all had a cybersecurity requirement, and they all were actively hiring. SFS students qualify for "excepted service" appointments, which means they can be hired through an expedited process. The job fairs have been virtual the last couple of years due to COVID-19, but expect in-person events to resume in the future. I wrote a recommendation for a young lady whom I've known since she was born (her mom is a childhood friend of mine), and as an electrical engineering student in her sophomore year, she was selected for a two-year SFS scholarship. A good way to make mom and dad happy, knowing they're not going to be working until 80 to pay off their kid's education bills. In exchange for a two-year scholarship, SFS will usually require a student to complete a summer internship between the first and second years of school and then work two years in a government agency after graduation. The biggest benefit of the Scholarship for Service is that you can work at a variety of places. So, if your dream is to be a nation state hacker for the NSA, CIA, or the FBI, then this offers a great chance of getting in. These three-letter agencies heavily recruit from these programs. As I mentioned, there are a lot of other agencies as well. You could find work at the State Department, Department of Health and Human Services, the Department of Education, the Federal Reserve Board, and I think I remember the United States Agency for International Development (USAID). Federal executive agencies, Congress, interstate agencies, and even state, local, or tribal governments can satisfy the service requirement.
So, you can get paid to go to college and have a rewarding job in the government that builds a nice background for your career. How would you put all this together? I spent nine years as an advisor to the National CyberWatch Center. Founded as CyberWatch I in 2005, it started as a Washington D.C. and Mid-Atlantic regional effort to increase the quantity and quality of the information assurance workforce. In 2009, we received a National Science Foundation award and grants that allowed the program to go nationwide. Today, over 370 colleges and universities are in the program. So why the history lesson? What we did was align curriculum between two-year colleges and four-year universities, such that a student who took the designated courses in an associate degree program would have 100% of those credits transfer to the four-year university. That is HUGE. Without getting into the boring details, schools would certify to the Committee on National Security Systems (CNSS) (formerly known as the National Security Telecommunications and Information Systems Security Committee or NSTISSC) national training standard for INFOSEC professionals known as NSTISSI 4011. Now with the help of an SFS scholarship, a student with little to no financial resources can earn an associate degree locally, proceed to a bachelor's degree from a respected university, have a guaranteed job coming out of school, and HAVE NO STUDENT DEBT. Parents, are you listening carefully? Successfully following that advice can save $100,000 and place your child on course for success. OK, so let's fast forward 3 years and say that you are getting closer to finishing a degree in Cyber Security or Computer Science. Is there anything else that you can do while performing a summer internship? That brings us to our second building block: getting certifications. Number Two: Getting a Certification. Earning certifications is another key step to demonstrate that you have technical skills in cyber security.
Technology changes rapidly. That means that universities typically don't provide specialized training in Windows 11, Oracle Databases, Amazon Web Services, or the latest programming language. Thus, while you may come out of a computer science degree with knowledge of how to write C++ and JavaScript, there are a lot of skills you often lack to be quite knowledgeable in the workforce. Additionally, most colleges teach only the free version of software. In class you don't expect to learn how to deploy Antivirus software to thousands of endpoints from a vendor that would be in a Gartner Magic Quadrant, yet that is exactly what you might encounter in the workplace. So, let's look at some certifications that can help you establish your expertise as a cyber professional. We usually recommend entry level certifications from CompTIA as a great starting point. CompTIA has some good certifications that can teach you the basics in technology. For example: CompTIA A+ can teach you how to work an IT Help Desk. CompTIA Network+ can teach you about troubleshooting, configuring, and managing networks. CompTIA Linux+ can help you learn how to perform as a system administrator supporting Linux systems. CompTIA Server+ ensures you have the skills to work in data centers as well as on-premises or hybrid environments. Remember, it's really hard to protect a technology that you know nothing about, so these are easy ways to get great experience in a technology. If you want a certification such as these from CompTIA, we recommend going to a bookstore such as Amazon, buying the official study guidebook, and setting a goal to read every day. Once you have read the official study guide, go and buy a set of practice exam questions from a site like Whizlabs or Udemy. Note this usually retails for about $10. So far this represents a total cost of about $50 ($40 to buy a book and $10 to buy practice exams).
For that small investment, you can gain the knowledge base to pass a certification. You just need to pay for the exam and meet eligibility requirements. Now after you get a good grasp of important technologies such as Servers, Networks, and Operating Systems, we recommend adding several types of certifications to your resume. The first is a certification in the Cloud. One notable example of that is AWS Certified Solutions Architect - Associate. Note you can find solution architect certifications from Azure and GCP, but AWS is the most popular cloud provider, so we recommend starting there. Learning how the cloud works is extremely important. Chances are you will be asked to defend it, and you need to understand what an EC2 server is, the types of storage available to make backups, and how to provide proper access control. So, spend the time and get certified. One course author who provides a great course is Adrian Cantrill. You can find his course link for AWS Solutions Architect in our show notes or by visiting learn.cantrill.io. The course costs $40 and has some of the best diagrams you will ever see in IT. Once again, go through a course like this and supplement with practice exam questions before going for the official certification. The last type of certification we will mention is an entry level cyber security certification. We usually see college students pick up a Security+ or Certified Ethical Hacker as a foundation to establish their knowledge in cyber security. Now the one thing that you really gain out of Security+ is a list of technical terms and concepts in cyber security. You need to be able to understand the difference between Access Control, Authentication, and Authorization if you are to consult with a developer on what is needed before allowing access to a site. These types of certifications will help you to speak fluently as a cyber professional. That means you get more job offers, better opportunities, and interesting work.
It's next to impossible to establish yourself as a cyber expert if you don't even understand the technical jargon correctly. Number Three: Getting Relevant Job Experience OK, so you have a college degree and an IT certification or two. What's next? At this point in time, you are eligible for most entry level jobs. So, let's find interesting work in Cyber Security. If you are looking for jobs in cyber security, there are two places we recommend. The first is LinkedIn. Almost all companies post there and there's a wealth of opportunities. Build out an interesting profile and look professional. Then apply, apply, apply. It will take a while to find the role you want. Also post that you are looking for opportunities and need help finding your first role. You will be surprised at how helpful the cyber community is. Here's a pro tip: add some hashtags with your post to increase its visibility. Another interesting place to consider is your local government. The government spends a lot of time investing in their employees. So go there, work a few years, and gain valuable experience. You can start by going to your local government webpage such as USAJobs.Gov and search for the Career Codes that map to cyber security. For example, search using the keyword “2210” to find the job family of Information Technology Management where most cyber security opportunities can be found. If you find that you get one of these government jobs, be sure to look into college repayment programs. Most government jobs will help you pay off student loans, finance master's degrees in Cyber Security, or pay for your certifications. It's a great win-win to learn the trade. Once you get into an organization and begin working your first job out of college, you then generally get one big opportunity to set the direction of your career. What type of cyber professional do you want to be? Usually, we see most Cyber Careerists fall into one of three basic paths. 
Offensive Security, Defensive Security, and Security Auditing. The reason these three are the most common is they have the largest number of job opportunities. So, from a pure numbers game, it's likely where you are to spend the bulk of your career, although we do recommend cross training. Mike Miller, who is the vCISO for Appalachia Technologies, put out a great LinkedIn post on this where he goes into more detail. Note we have a link to it in our show notes. Here are some of our own thoughts on these three common cyber pathways: Offensive Security is for those that like to find vulnerabilities in things before the bad guys do. It's fun to learn how to hack and take jobs in penetration testing and the red team. Usually if you choose this career, you will spend time learning offensive tools like Nmap, Kali Linux, Metasploit, Burp Suite, and others. You need to know how technology works, common flaws such as the OWASP Top Ten web application security risks, and how to find those vulnerabilities in technology. Once you do, there's a lot of interesting work awaiting. Note if these roles interest you, then try to obtain the Offensive Security Certified Professional (OSCP) certification to gain relevant skill sets that you can use at work. Defensive Security is for the protectors. These are the people who work in the Security Operations Center (SOC) or Incident Response Teams. They look for anomalies, intrusions, and signals across the whole IT network. If something is wrong, they need to find it and identify how to fix it. Similar to Offensive Security professionals, they need to understand technology, but they differ in the types of tools they need to look at. You can find a defender looking at logs. Logs can come from an Intrusion Detection System, a Firewall, a SIEM, Antivirus, Data Loss Prevention Tools, an EDR, and many other sources. Defenders typically become an expert in one of these tools, which needs to be constantly monitored.
Note if you are interested in these types of opportunities, look for cyber certifications such as the MITRE ATT&CK Defender (MAD) or SANS GIAC Certified Incident Handler (GCIH) to gain relevant expertise. Security Auditing is a third common discipline. Usually reporting to the Governance, Risk, and Compliance organization, this role is usually the least technical. This discipline is about understanding a relevant standard or regulation and making sure the organization follows the intent of the standard or regulation. You will spend a lot of time learning the standards, policies, and best practices of an industry. You will perform risk assessments and third-party reviews to understand how we certify as an industry. If you would like to learn about the information systems auditing process, governance and management of IT systems, business processes such as Disaster Recovery and Business Continuity Management, and compliance activities, then we recommend obtaining the Certified Information Systems Auditor (CISA) certification from ISACA. Ok, so you have a degree, you have certifications, you are in a promising job role, what's next? If you want to really become an expert, we recommend you focus on… Number Four: Building your personal brand. Essentially, find a way to give back to the industry by blogging, writing open-source software, creating a podcast, building cybersecurity tutorials, creating YouTube videos, or presenting a lecture topic to your local OWASP chapter on cyber security. Every time you do, you will get smarter on a subject. Imagine spending three hours a week reading books in cyber security. If you did that for ten years, think of how many books you could read and how much smarter you would become. Now as you share that knowledge with others, two things happen. First, people begin to recognize you as an industry expert. You will get invited to opportunities to connect with other smart people, which allows you to become even smarter.
If you spend your time listening to smart people and reading their works, it rubs off. You will absorb knowledge from them that will spark new ideas and increase your understanding. The second thing is when you present your ideas to others, you often get feedback. Sometimes you learn that you are actually misunderstanding something. Other times you get different viewpoints, such as, "Yes, this works in the financial sector, but it doesn't work in the government sector or in the university setting." This feedback also helps you become smarter as you understand more angles of approaching a problem. Trust us, the greatest minds in cyber spend a lot of time researching, learning, and teaching others. They all know G Mark's law, which I wrote nearly twenty years ago: "Half of what you know about security will be obsolete in eighteen months." OK, so let's recap a bit. If you want to become an expert in something, then you should do four things: 1) get a college education so that you have the greatest number of opportunities open to you, 2) get certifications to build up your technical knowledge base, 3) find relevant job experiences that allow you to grow your skill sets, and 4) finally, share what you know and build your personal brand. All of these make you smarter and will help you become a cyber expert. Thanks again for listening to us at CISO Tradecraft. We wish you the best on your journey as you Learn to Earn. If you enjoyed the show, tell one person about it this week. It could be your child, a friend looking to get into cyber security, or even a coworker. We would love to help more people, and we need your help to reach a larger audience. This is your host, G. Mark Hardy, and thanks again for listening, and stay safe out there.
A major security vulnerability will be found in someone's web application this week. The OWASP Top Ten list of web application vulnerabilities has recently been updated. The post OWASP Top Ten 2021 appeared first on Complete Developer Podcast.
In this episode of the We Hack Purple Podcast we meet another of host Tanya Janca's friends: Caroline Wong of Cobalt Security! Caroline has worked in security, and specialized in AppSec, for a very long time. She explained what Pentesting-as-a-Service actually is, how to hire a good pentester, and when this service might be your best choice. Tanya quizzed her quite a bit, but Caroline really is the expert; she even wrote a book on the topic! This episode also covers defending against ransomware, why Pentesting-as-a-Service is not the same as a bug bounty, and how the OWASP Top Ten really hasn't changed that much over the years. Tune in to learn more! Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #DevOps #CyberSecurity #DAST #BrightSec #DevSecOps #AppSec
1. Fuzzing for XSS via nested parsers condition - https://swarm.ptsecurity.com/fuzzing-... In this article, web application security researcher Igor Sak-Sakovskiy reveals a novel technique for finding sanitization issues that could lead to XSS attacks.
2. Anti-Patterns in Cybersecurity Management - https://systemweakness.com/anti-patte... In this article, the author walks through the most memorable anti-patterns he's seen recurring in cybersecurity management.
3. OWASP Top 10 Peer Review - http://www.securityjourney.com/podcas... Robert and Chris break down the OWASP Top 10 2021 Peer Review Edition in this episode of the Application Security Podcast. They walk through and give their insights, highlight the things that stood out, and ask questions.
4. My first impressions of web3 - https://moxie.org/2022/01/07/web3-fir... Security researcher and entrepreneur Moxie Marlinspike recently explored web3. He shares what he's learned about how web3 works from the inside out.
5. How a routine gem update ended up creating $73k worth of subscriptions - https://serpapi.com/blog/how-a-routin... This is the story of how a company attempted to deploy what looked like an innocent gem update but ended up costing them $73k. In less than an hour, 474 new subscribers had been mistakenly added to their service.
GitLab analysis of OWASP Top 10 changes from 2004 to 2021 - https://public.flourish.studio/visual... Visualization of how the OWASP Top Ten has changed over the years.
To Learn a New Language, Read Its Standard Library - http://patshaughnessy.net/2021/10/23/... The best way to learn a new programming language, just like a human language, is from example. To learn how to write code you first need to read someone else's code.
Making sense of OWASP A08:2021 - Software & Data Integrity Failures - https://www.securityjourney.com/post/... We should expect this category to rise higher within a few years. Supply chain poisoning is difficult to detect and prevent. Our countermeasures are, arguably, in their infancy.
GitHub - xntrik/hcltm: Documenting your Threat Models with HCL - https://github.com/xntrik/hcltm Hcltm aims to provide a DevOps-first approach to documenting a system threat model by focusing on the following goals: simple text-file format, simple CLI-driven user experience, and integration into version control systems (VCS). This repository is the home of the hcltm CLI software. The hcltm spec is based on HCL2, HashiCorp's Configuration Language, which aims to be "pleasant to read and write for humans, and a JSON-based variant that is easier for machines to generate and parse". Combining the hcltm CLI software and the hcltm spec allows practitioners to define a system threat model in HCL.
All Things SSRF - https://github.com/jdonsec/AllThingsSSRF This is a collection of writeups, cheat sheets, and videos related to SSRF in one single location.
If you are listening to this podcast you probably know about the OWASP Top 10. A new top 10 came out in September to replace the list from 2017 and there are a number of changes. Christian Wenz joins us to go through each item with a fine-tooth comb. The list has some new additions and consolidates some of the categories to try and make things clearer. One of the bigger changes is Broken Access Control moving from fifth to first. Want to hear more about Broken Access Control, Cryptographic Failures or Insecure Design? Then join us for this awesome OWASP episode. Which item on the top 10 have you seen most in the wild? Let us know on Twitter at @dotnet_Podcast.
Panel: Caleb Wells, Shawn Clabough
Guest: Christian Wenz
Sponsors: Top End Devs; Raygun | Click here to get started on your free 14-day trial; Coaching | Top End Devs
Links: OWASP Top Ten 2021; ASP.NET; HSTS Preload List Submission; ASP.NET Core Security; Christian Wenz; Twitter: Christian Wenz (@chwenz)
Picks: Caleb - The Art of Impossible; Christian - Watch Squid Game | Netflix Official Site; Christian - Watch Money Heist | Netflix Official Site; Shawn - Diablo® II: Resurrected
Special Guest: Christian Wenz.
commjoen/wrongsecrets - https://github.com/commjoen/wrongsecrets Improper secret storage is a common technology problem. Use this tool to expose your developers to how to do it wrong, so they can learn how to do it right.
List of IT Assets an Attacker is most likely to Extort - https://www.helpnetsecurity.com/2021/10/13/it-assets-target/ Attackers love IT assets; here are the top things they are targeting and exploiting.
OWASP Top 10 2021: 7 action items for app sec teams - https://www.securityjourney.com/post/owasp-top-10-2021-7-action-items-for-app-sec-teams Your AppSec team has work to do with the new OWASP Top Ten for 2021.
How to win at CORS - https://jakearchibald.com/2021/cors CORS is tough to implement correctly and develop against, but it is worth the effort. Security is often difficult.
7 Unconventional Pieces of Password Wisdom - https://www.darkreading.com/application-security/7-unconventional-pieces-of-password-wisdom Nice summary of NIST SP 800-63B.
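The CORS item above only says it is hard to get right. The usual way it goes wrong on the server is reflecting the request's Origin header back with credentials allowed, which lets any site the user visits read authenticated responses. The Node.js code below is an added example, not code from the linked article or from this podcast: it puts that weak setting next to an exact-match allowlist, handles the preflight, and sends Vary: Origin so caches do not leak one origin's answer to another. The origins, methods and header names are made up for the demo.

```javascript
// Added example (not from the linked article). Origins/methods are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);
const ALLOWED_METHODS = ['GET', 'POST', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// The weak setting: reflect whatever Origin the browser sent and allow
// credentials. Every site the user visits can now make credentialed requests
// to this API and read the responses.
function reflectingCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// The corrected setting: exact string match (no prefix/suffix/regex matching,
// which is where "https://app.example.attacker.tld" bypasses come from), no
// CORS headers at all for unknown origins, and Vary: Origin so a shared cache
// never hands one origin's response to another.
function allowlistCorsHeaders(origin, { credentials = true } = {}) {
  const headers = { Vary: 'Origin' };
  // No Origin header means same-origin or non-browser traffic: nothing to add.
  // The literal string "null" (sandboxed iframes, file://) is never trusted.
  if (typeof origin !== 'string' || origin === 'null' || !ALLOWED_ORIGINS.has(origin)) {
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = origin;
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Preflight (OPTIONS + Access-Control-Request-Method): grant only the methods
// and headers the API really supports, and only to allowlisted origins.
function preflightHeaders(origin, requestedMethod, requestedHeaders = '') {
  const headers = allowlistCorsHeaders(origin);
  if (!headers['Access-Control-Allow-Origin']) return { status: 403, headers };
  if (!ALLOWED_METHODS.includes(requestedMethod)) return { status: 403, headers };
  const wanted = requestedHeaders.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (wanted.some((h) => !ALLOWED_HEADERS.includes(h))) return { status: 403, headers };
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600'; // seconds the browser may cache this preflight
  return { status: 204, headers };
}
```

Wire `preflightHeaders` into the OPTIONS handler and `allowlistCorsHeaders` into every other response; the only remaining decision is whether the API needs credentials at all, because `Access-Control-Allow-Origin: *` and credentials cannot be combined.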
This week, Jeffrey is joined by Troy Vinson, a Principal Software Architect at Clear Measure and a CISSP (Certified Information Systems Security Professional). He is an experienced leader, architect, and problem-solver in Information Systems Security and Software Development technologies and has spent the majority of his career integrating computer science, information science, and cognitive science to assist in software development and the management of information. With October being Cybersecurity Awareness Month, Troy gives a rundown on everything that developers and development teams need to know regarding security, how to become more cyber security aware, the top ten web application security risks you need to look out for, how to keep your environment secure regardless of where you're working from, and what you can put in place today to improve your cyber security.
Topics of Discussion:
[:39] About The Azure DevOps Podcast, Clear Measure; the new video podcast Architect Tips; and Jeffrey's offer to speak at virtual user groups.
[1:11] About today's episode with Troy Vinson!
[1:23] Jeffrey welcomes Troy to the podcast.
[1:30] What is CISSP?
[2:53] Troy shares his career highlights and the path that led him to his current role in cyber security.
[4:39] Why is October Cybersecurity Awareness Month?
[6:18] What developers should be aware of when setting up a connected environment for themselves at home.
[8:47] Troy's favorite VPN services.
[10:08] Best practice: Always work from a VPN, especially as a developer working from a public place.
[10:25] What developers should keep in mind about source code when it comes to cyber security.
[12:32] How to keep documents (that don't quite fit in a source control repository) secure.
[14:31] Troy highlights important security architecture models of practice.
[15:56] How is the STRIDE model applicable?
[17:59] A word from The Azure DevOps Podcast's sponsor: Clear Measure.
[18:30] What is repudiation in the STRIDE model referring to? What is it in code changes? When is it necessary?
[20:22] Are there test suites that developers can use to augment their functional tests that check for security measures?
[23:16] Should development teams hire third parties to do audits versus doing it in-house?
[24:36] What the OWASP Top Ten is and why all of your engineers should be trained on it.
[26:15] Is there a comprehensive list of web application security risks?
[27:28] Troy highlights the importance of #6 on the OWASP Top Ten list: vulnerable and outdated components.
[29:15] Rules of thumb regarding security for development teams when it comes to deployment and configuring environments.
[30:56] Free online courses for cyber security awareness that you can share with family members and friends.
[33:52] Jeffrey thanks Troy Vinson for joining the podcast!
Mentioned in this Episode:
Architect Tips — New video podcast!
Azure DevOps
Clear Measure (Sponsor)
.NET DevOps for Azure: A Developer's Guide to DevOps Architecture the Right Way, by Jeffrey Palermo — Available on Amazon!
bit.ly/dotnetdevopsebook — Click here to download the .NET DevOps for Azure ebook!
Jeffrey Palermo's YouTube
Jeffrey Palermo's Twitter — Follow to stay informed about future events!
DEVintersection Conference — Dec. 7th‒9th in Las Vegas, Nevada
Cybersecurity Awareness Month | CISA
Cybersecurity Awareness Month | National Cybersecurity Alliance (NCSA)
NordVPN
ExpressVPN
STRIDE Model
GitHub
DevSecOps
SharePoint
OneDrive
Azure Front Door
Azure Application Gateway
FxCop
Roslyn
SonarQube
OWASP Top Ten
Top 25 Most Dangerous Software Errors (CWE/SANS)
2021 CWE Top 25 Most Dangerous Software Weaknesses
Want to Learn More? Visit AzureDevOps.Show for show notes and additional episodes.
In this episode we talk about the volunteer project that maintains the list of the most common web security vulnerabilities, the OWASP Top Ten project. We picked several vulnerabilities from the list that seem to us the most important and most common, and discussed them. Awareness of these vulnerabilities could prevent a very substantial share of the data leaks and breaches we hear about almost every day. Every programmer, and web programmers in particular, should know them.
OWASP Top Ten project: https://owasp.org/www-project-top-ten/
OWASP Zed Attack Proxy: https://owasp.org/www-project-zap/
Shodan: https://www.shodan.io/explore
Netanel Hansel's blog (host of the segment "The Matrix - on man and machine"): https://hagolem.home.blog/
The most famous SQL injection joke: https://imgs.xkcd.com/comics/exploits_of_a_mom.png
See omnystudio.com/listener for privacy information.
Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
Our special guest today is Jeff Williams, Co-Founder and CTO of Contrast Security. Jeff was one of the pioneering members who formed the Open Web Application Security Project® (OWASP). Not only did he chair it, he also contributed to many successful open source projects, including WebGoat, the OWASP Application Security Verification Standard (ASVS), the OWASP Top Ten and much more. Without him and others we would not be doing this podcast today. Besides founding Contrast Security in 2014, he started Aspect Security in 2002. Jeff got his law degree at Georgetown University Law Center along with a computer science and psychology degree at the University of Virginia. In the early 1990s, he built high assurance systems for the U.S. Navy and taught the INFOSEC curriculum for the NSA during the good old days of the Orange Book, the U.S. Department of Defense's Trusted Computer System Evaluation Criteria. We want to say thank you to Contrast Security for being one of our sponsors for the inaugural OWASP Pacific Northwest Application Security Conference 2021.
Jeff's Links: Contrast Security; LinkedIn; Twitter; Security Magazine Article - New NIST Standards on IAST and RASP Deliver State-of-the-Art AppSec; WebGoat; ASVS; BlackHat USA - Enterprise Java Rootkits - "Hardly anyone watches the developers"
PNWSEC: https://pnwcon.com; Twitter: @pnwseccon; pnwseccon@gmail.com (contact)
Jeff Williams was interviewed by David Quisenberry and John L. Whiteman.
Follow us: Homepage; Twitter; Meetup; LinkedIn; YouTube
Support the show (https://owasp.org/supporters/)
1. PHP's Git server hacked to add backdoors to PHP source code - Supply chain attacks are bigger than vulns in open source; when the attack is deliberate, the stakes are higher.
2. Redefining Threat Modeling: Security team goes on vacation - We can all agree that threat modeling is non-negotiable; use Segment's model as a reference for how to do threat modeling using a self-service approach.
3. Software Security at Rocketship Pace - SAST is table stakes, but your SAST solution must eliminate the frustrations that many developers feel with loud tools that provide limited value.
4. SSRF Attack Examples and Mitigations - Let's get ahead of the OWASP Top Ten 2021 edition and start dealing with SSRF now!
5. Deprecating TLS 1.0 and TLS 1.1 - Goodbye, old friends! We don't and won't miss you at all, TLS 1.0 and 1.1.
APIs or Application Programming Interfaces are an important part of any modern web application. When properly designed they securely expose data to authenticated and authorized users. However, not everyone designs them the same, which is why OWASP came up with a list of the top security vulnerabilities to avoid. Read more › The post OWASP Top Ten API Vulnerabilities appeared first on Complete Developer Podcast.
Learn more about the OWASP Top Ten: https://owasp.org/www-project-top-ten/ Sponsored By: codedx.com/ For more of our podcasts visit: cybersecurityventures.com/podcasts/ For more on cybersecurity, visit us at cybersecurityventures.com/ Follow Cybersecurity Ventures / Cybercrime Magazine here: LinkedIn: linkedin.com/company/cybercrime-magazine/ Twitter: twitter.com/CybersecuritySF
We all have things we consider "the best". Things we look to. Rely on. What happens when one of those old reliable, gold standard things that have been our go-to for so long winds up being #2 instead of #1? Andrew van der Stock, Senior Application Security Leader at the OWASP Foundation, stops by the podcast to dispel some industry myths about the OWASP Top 10.
What we talked about:
- Is the OWASP Top 10 really the gold standard?
- Next level considerations to take on as you progress on your journey
- Risk assessment and threat modeling is just a game
Check out these resources we mentioned during the podcast: Cornucopia - the game; The OWASP Foundation
Very often, people are afraid of web application firewalls (WAF) because they can potentially block an application's legitimate traffic. No worries! In this episode, Franziska Buehler will share how you can avoid this problem and more. Discover how WAFs are a useful, additional layer of defense when it comes to fending off attacks such as those described by the "OWASP Top Ten." Don’t miss it!
OWASP Portland 2019 Training Day
Abstract: This session is meant for those new to the OWASP Top Ten. We will go over the OWASP Top Ten (where it came from, what it's good for, what the top ten are, etc.) and illustrate its concepts through another OWASP Flagship Project, the OWASP Juice Shop. This will be a hands-on class so everyone can follow along in the Juice Shop to explore the concepts. There will be time at the end for everyone to continue their vulnerability hunting and a friendly Juice Shop CTF.
David and Ben are interviewed by John L. Whiteman.
Support the show (https://www.owasp.org/index.php/Membership#tab=Other_ways_to_Support_OWASP)
Today, Frank Rietta and I discuss common application vulnerabilities from the OWASP Top Ten and basic steps you can take to secure your Rails code as part of your development process.
In this talk we will look at the vulnerabilities in the 2017 OWASP Top Ten list and how to avoid them in NodeJS. We will also cover good practices for securing our APIs using JWT and JWKS.
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of software. They put together a document containing the top 10 security vulnerabilities compiled through consensus of security experts from around the world. Read more › The post OWASP Top Ten appeared first on Complete Developer Podcast.
In this week's episode we chat with Scott Arciszewski about all things security and cryptography. We start off the show by explaining how he got interested in this field of work, correcting PHP security related answers on Stack Overflow and why he focuses on PHP security. From here, we move on to highlight what the OWASP Top Ten is, how you can distill many security principles into data/code separation and what is involved in a software audit. This leads us on to discuss what HTTPS actually is, touching on TLS, PKIs, cipher suites, and reported attacks against TLS and ECB. Finally, we highlight some important browser security features that can be used, pushing new software releases in a secure manner, thoughts on cryptocurrencies and how everyone wants to solve their problem with a blockchain at this time.
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update on the ModSecurity Core Rule Set Project with project co-lead Christian Folini. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls, intended as an easily "pluggable" base level of protection for any web application. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
This segment of the "Less than 10 Minutes" series was recorded live at AppSec EU 2017 in Belfast. It is an update on the Juice Shop Project with project lead Bjoern Kimminich. The Juice Shop is an intentionally insecure web app for security training, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws.
Bjoern Kimminich (Project Leader, OWASP Juice Shop)
Personal Twitter: http://twitter.com/bkimminich
OWASP Juice Shop Project Twitter: http://twitter.com/owasp_juiceshop
Project Wiki Page: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Main GitHub Project: https://github.com/bkimminich/juice-shop
Juice Shop CTF-Extension Project: https://github.com/bkimminich/juice-shop-ctf
02:40 - Justin Collins Introduction (Twitter, GitHub, Blog, Brakeman @brakeman, SurveyMonkey, Brakeman Pro @brakemanpro)
03:40 - Brakeman & Static Analysis
04:02 - Common Security Vulnerabilities (and Definitions): Cross-site Scripting, SQL Injection (rails-sqli.org), Mass Assignment, Open Redirects
08:57 - The Inspiration for Brakeman
09:47 - Getting Brakeman Working (Process)
10:41 - Learning About Security: The Rails Cheat Sheets, The Open Web Application Security Project (OWASP), The OWASP Top Ten
13:01 - Security and The Rails Core Team (Justin Collins: The World of Ruby on Rails Security @ RailsConf 2015)
15:19 - Should Brakeman be integrated into Rails?
16:29 - Running Brakeman On Your CI Machine (guard-brakeman)
17:43 - Are there specific types of vulnerabilities that are hard to find with static analysis?
19:18 - Rails Engines
20:56 - When building an app, is security something you should focus on from the get-go? Where should you get started? (The OWASP Top Ten)
25:32 - Code Schools Teaching Security
26:17 - Translating Lessons Learned Into Brakeman
27:24 - Handling Security and Data Breaches (Charlie Miller)
32:28 - Crowdsourcing Security (Security in Open Source) (Terri Oda: Bringing Security to Your Open Source Project)
34:54 - The Technical Side of Brakeman and Static Analysis Tools: Identifying a Dangerous Value
37:34 - Data Tracing, Limited Data Flow Analysis
40:52 - Future Brakeman Features
43:29 - Supporting and Contributing to Brakeman
48:23 - PhDs
Picks:
"Why didn't you [just]..." and "Did you consider..." Parley Thread (Avdi)
Object Thinking (Developer Reference) by David West (Avdi)
Web Design - The First 100 Years (Avdi)
Brighton Ruby Conference (Avdi)
Email (Avdi)
The Twitter Mute Button (Avdi)
git - the simple guide (Saron)
I Love My Campus (Saron)
LoneStarRuby (Saron)
React Rally (Jessica)
Livecoding.tv (Jessica)
Remembering the Apollo 11 Moon Landing With the Woman Who Made It Happen (Coraline)
Showgoers (Coraline)
AngularJS Kurs (Chuck)
Hire Thom Parkin! (Chuck)
RethinkDB (Justin)
Dealers of Lightning: Xerox PARC and the Dawn of the Computer Age by Michael A. Hiltzik (Justin)
The Search for General Tso (Justin)
We finished up the OWASP Top Ten list. We discussed Injection, XSS, and other goodness. Find out what makes the Top 5 so special.
http://risky.biz/fss_idiots - Risky Business interview concerning Direct Object Reference and First State Superannuation
http://oauth.net/2/ - Great information on OAuth 2.0.
Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
As we wade through the morass of the Infosec swamp, we come across the OWASP 2013 report of web app vulnerabilities. Since Mr. Boettcher and I find ourselves often attempting to explain these kinds of issues to people on the Internet and in our daily lives, we thought it would be prudent to help shed some light on these. So this week, we discuss the lower of the top 10, the ones that aren't as glamorous or as earth shaking as XSS or SQLi, but are gotchas that will bite thine ass just as hard. Next week is the big ones, the Top 5... all your favorites, in one place!
OWASP Top 10 (2013) PDF: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
Costs of finding web defects early (2008): http://www.informit.com/articles/article.aspx?p=1193473&seqNum=6
Intro "Private Eye" and Outro "Honeybee" created by Kevin MacLeod (incompetech.com). Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
The OWASP Top Ten Proactive Controls Project is spearheaded by Jim Bird and Jim Manico. According to Jim Bird, it is a list of security techniques that should be included in every software development project. I spoke with him about the evolution of the project and how he envisions it being used by the OWASP community, and specifically by developers.
Resources for this Broadcast: OWASP Top Ten Proactive Controls Project; Jim Bird on LinkedIn
About Jim Bird: Jim Bird is a software development manager and CTO with more than 25 years of experience in software engineering, with a special focus on high-integrity and high-reliability systems. Jim is currently the co-founder and CTO of a major US-based institutional trading service, where he is responsible for managing the company's technology group and IT security programs. Jim has worked as a consultant to IBM and to major stock exchanges and banks globally. He was also the CTO of a technology firm (now part of NASDAQ OMX) that built custom IT solutions for stock exchanges and central banks in more than 30 countries. Jim is an active contributor to OWASP, helps out as a member of the SANS Analysts program on application security, and rants about Agile software development, project management and application security topics on his blog "Building Real Software".
The OWASP Top Ten is an awareness document for web application security, representing broad consensus about the most critical web application security risks as determined by the OWASP community. The OWASP Top 10 is one of the earliest and longest running OWASP projects, first published in 2003, and updates have been produced in 2004, 2007, 2010, and now 2013.
The vulnerabilities and safeguards associated with Application Denial of Service and Insecure Configuration Management
