News includes a new Elixir case study about Cyanview's camera shading technology used at major events like the Olympics and Super Bowl, Oban Pro 1.6 with 20x faster queue partitioning, the openid_connect package reaching version 1.0, Supabase's new Postgres Language Server for developer tooling, and ElixirEvents.net as a community resource. Plus, we interview Michael Lubas, founder of Paraxial.io, about web application security in Elixir, what's involved in a security audit, and how his Elixir-focused security company is helping teams and businesses in the community.

Show Notes online - http://podcast.thinkingelixir.com/248

Elixir Community News
- https://elixir-lang.org/blog/2025/03/25/cyanview-elixir-case/ – New Elixir case study about Cyanview, a Belgian company whose Remote Control Panel for camera shading is used at major events like the Olympics and Super Bowl. Their Elixir-powered solution enables remote camera control across challenging network conditions.
- https://oban.pro/docs/pro/1.6.0-rc.1/changelog.html – Oban Pro 1.6 released with subworkflows, improved queue partitioning (20x faster), and a new guide explaining different job composition approaches.
- https://oban.pro/docs/pro/1.6.0-rc.1/composition.html – New Oban Pro guide explaining when to use chains, workflows, chunks, or batches for job composition.
- https://github.com/DockYard/openid_connect – The Elixir package 'openid_connect' reached version 1.0, providing client library support for working with various OpenID Connect providers like Google, Microsoft Azure AD, Auth0, and others.
- https://hexdocs.pm/openid_connect/readme.html – Documentation for the newly released openid_connect 1.0 package.
- https://bsky.app/profile/davelucia.com/post/3llqwsbyutc2z – Announcement that openid_connect is maintained by tvlabs.
- https://bsky.app/profile/germsvel.com/post/3llee5lyerk2b – PhoenixTest v0.6.0 has been released with significant changes, including a breaking change.
- https://github.com/germsvel/phoenix_test – GitHub repository for PhoenixTest.
- https://hexdocs.pm/phoenix_test/upgrade_guides.html#upgrading-to-0-6-0 – Upgrade guide for updating to PhoenixTest v0.6.0 with its breaking change.
- https://hexdocs.pm/phoenix_test/changelog.html#0-6-0 – Changelog for PhoenixTest v0.6.0.
- https://supabase.com/blog/postgres-language-server – Supabase has released a new Postgres Language Server for developers, providing IDE intellisense and autocomplete for PostgreSQL.
- https://marketplace.visualstudio.com/items?itemName=Supabase.postgrestools – VSCode extension for Supabase's new Postgres developer tools.
- https://github.com/supabase-community/postgres-language-server – GitHub repository for Supabase's Postgres Language Server.
- https://pgtools.dev/ – Official website for Postgres Tools with documentation and features.
- https://pgtools.dev/checking_migrations/ – Feature in Postgres Tools that lints database migrations to check for problematic schema changes.
- https://github.com/fly-apps/safe-ecto-migrations – Resource for ensuring safe Ecto migrations.
- https://fly.io/phoenix-files/safe-ecto-migrations/ – Article about safe Ecto migrations posted on Fly.io.
- https://elixirevents.net/ – Community resource created by Johanna Larsson for tracking, sharing, and learning about Elixir events worldwide.
- https://bsky.app/profile/elixirevents.net – Bluesky account for ElixirEvents.net for following Elixir community events.

Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com)

Discussion Resources
- https://paraxial.io/
- https://paraxial.io/blog/index – Blog with posts about security for Elixir, Rails, and the Paraxial service
- https://www.cnn.com/2025/03/18/tech/google-wiz-acquisition/index.html
- https://podcast.thinkingelixir.com/93 – Our last discussion was 3 years ago in episode 93! Titled "Preventing Service Abuse with Michael Lubas"
- https://www.amazon.com/Innovators-Dilemma-Revolutionary-Change-Business/dp/0062060244
- https://www.merriam-webster.com/dictionary/Kafkaesque – having a nightmarishly complex, bizarre, or illogical quality
- https://paraxial.io/blog/oban-pentest – Completed a Security Audit of Oban Pro - this is after Oban Pro went free and open source
- https://paraxial.io/blog/elixir-best – Elixir and Phoenix Security Checklist: 11 Best Practices
- https://paraxial.io/blog/rails-command-injection – Ruby on Rails Security: Preventing Command Injection
- https://paraxial.io/blog/paraxial-three – Paraxial.io v3 blog post

Guest Information
- Michael Lubas, Paraxial.io Founder
- michael@paraxial.io
- https://x.com/paraxialio – on Twitter/X
- https://github.com/paraxialio/ – on Github
- https://www.youtube.com/@paraxial5874 – Paraxial.io channel on YouTube
- https://genserver.social/paraxial – on Fediverse
- https://paraxial.io/ – Blog

Find us online
- Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com)
- Message the show - X (https://x.com/ThinkingElixir)
- Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir)
- Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com)
- Mark Ericksen on X - @brainlid (https://x.com/brainlid)
- Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social)
- Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid)
- David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com)
- David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)
What's it like to work as a CISO at a security company? This week, 1Password's VP of Security and CISO, Jacob DePriest, reveals all. Jacob also shares his advice for building strong security teams with diverse perspectives, backgrounds, and skillsets.
Security Audit of the Capsicum and bhyve Subsystems, ZFS on Linux and block IO limits show some limits of being out of the kernel, NetBSD on a ROCK64 Board, Domain Naming, BSDCan 2025 CFP, The Internet Gopher from Minnesota, and more

NOTES
This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow)

Headlines
- Roundup Storage and Network Diagnostics (https://klarasystems.com/articles/winter_2024_roundup_storage_and_network_diagnostics/?utm_source=BSD%20Now&utm_medium=Podcast)
- Security Audit of the Capsicum and bhyve Subsystems (https://freebsdfoundation.org/wp-content/uploads/2024/11/2024_Code_Audit_Capsicum_Bhyve_FreeBSD_Foundation.pdf)

News Roundup
- ZFS on Linux and block IO limits show some limits of being out of the kernel (https://utcc.utoronto.ca/~cks/space/blog/linux/ZFSOnLinuxVersusBlockIOLimits)
- NetBSD on a ROCK64 Board (https://simonevellei.com/blog/posts/netbsd-on-a-rock64-board/)
- Domain Naming (https://ambient.institute/domain-naming/)
- BSDCan 2025 CFP (https://www.bsdcan.org/2025/papers.html)
- The Internet Gopher from Minnesota (https://www.abortretry.fail/p/the-internet-gopher-from-minnesota)

Tarsnap
This week's episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions
- Brendan - MinIO (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/594/feedback/Brendan%20-%20minio.md)

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)
Join us and other BSD Fans in our BSD Now Telegram channel (https://t.me/bsdnow)
This week I share 5 reasons (and methods) to perform a security audit before the new year.
In today's episode, we'll hear from Craig Jeffery on pentests. What are they, who performs them, and why are they vital for cyber security? Listen in to learn more.
In this episode of The Backup Wrap-Up, we delve into the critical world of IT security audits. We explore why these audits are essential for maintaining a robust cybersecurity posture and how they can help organizations identify and address potential vulnerabilities. Our discussion covers key elements of surviving an IT security audit, including user education, application whitelisting, and securing remote access protocols. We also touch on the importance of regular security assessments and proactive measures to stay ahead of cyber threats. Whether you're an IT professional or a business owner, this episode provides valuable insights into conducting thorough IT security audits and implementing best practices to protect your digital assets. Tune in to learn how you can strengthen your organization's defenses and become a cybersecurity hero.
When was the last time you reviewed your security roles and what access is included? Reduce the potential for fraud by restricting who has access to your vendor data. Why? Because the fewer non-vendor team members who have access to sensitive data, the less potential there is for them to be socially engineered into giving it away, resulting in fraud. Discover how the vendor team can implement a security audit with minimal IT input, in 5 steps. Keep listening.

Check out my website www.debrarrichardson.com if you need help implementing authentication techniques, internal controls, and best practices to prevent fraudulent payments, regulatory fines or bad vendor data. Check out my new Vendor Process Training Center for 116+ hours of weekly live and on-demand training for the Vendor team.

Links mentioned in the podcast + other helpful resources:
- On-Demand Webinar: In 5 Steps: A Security Audit to Protect Vendor Data and Avoid Fraud
- Vendor Validation Reference List with Resources Links: www.debrarrichardson.com/vendor-validation-download (Get 25% Discount on the Global Vendor Registration Numbers)
- Vendor Process Training Center: https://training.debrarrichardson.com
- Free Live and On-Demand Webinars: https://debrarrichardson.com/webinars
- Vendor Master File Clean-Up: https://www.debrarrichardson.com/cleanup
- YouTube Channel: https://www.youtube.com/channel/UCqeoffeQu3pSXMV8fUIGNiw
- More Podcasts/Blogs/Webinars: www.debrarrichardson.com
- More ideas? Email me at debra@debrarrichardson.com

Music Credit: www.purple-planet.com
Got a minute? Check out today's episode of The Guy R Cook Report podcast. The Google Doc for this episode is at: Website Security Audit: Your Topmost Concern

Support this podcast. Subscribe where you listen to podcasts. I help goal-oriented business owners that run established companies to leverage the power of the internet. Contact Guy R Cook @ https://guyrcook.com

The Website Design Questionnaire: https://guycook.wordpress.com/start-with-a-plan/

In the meantime, go ahead and follow me on Twitter: @guyrcookreport. Be a patron of The Guy R Cook Report. Your help is appreciated. Contact Guy R Cook: https://theguyrcookreport.com/#theguyrcookreport

Follow The Guy R Cook Report on Podbean iPhone and Android App | Podbean https://bit.ly/3m6TJDV

Thanks for listening, viewing or reading the show notes for this episode. This episode of The Guy R Cook Report is on YouTube too. Have a great new year, and hopefully your efforts to Entertain, Educate, Convince or Inspire are in play.

vDomainHosting, Inc, 3110 S Neel Place, Kennewick, WA, 509-200-1429
Websites are the primary avenue used by hackers to enter an organization's network. Because technology evolves rapidly, most organizations develop websites or web apps quickly without emphasizing secure coding, which results in security holes and significant vulnerabilities in the code. Therefore, organizations of all sizes must use website security audit tools, also known as WebSec audit tools, to protect their websites or applications from hackers. These tools help a business quickly identify its website's weaknesses and lessen the need for time-consuming manual audits. They also cover the OWASP Top 10 vulnerabilities, which have been identified and exploited most frequently in recent years. Both paid and free tools and services are available for online website security scanning. Before looking at the tools, you should first have a basic understanding of website security audits.

What is a Website Security Audit? A website security audit involves examining your website and server for any current or potential vulnerabilities that hackers might use against you. It checks the security of a website's core and all of your files, plugins, extensions, themes, server settings, SSL connection, etc. Web security audits also include static and dynamic code analysis, penetration testing, business logic error testing, and configuration testing. View More: Top Tools for Website Security Audit
Weak randomness in old JavaScript crypto, lack of encryption in purported end-to-end encryption, a platform engineering maturity model, PyPI's first security audit, vision for a Rust specification, and more! Show Notes: https://securityweekly.com/asw-264
You know there is security audit log but don't know which events to activate? You already activated it for some events, but should you activate others? I'll tell you my take on that!
Guests: Andrew Woodhouse, CIO at RealVNC [@RealVNC]
On LinkedIn | https://www.linkedin.com/in/ajwoodhouse/
Dr. Mario Heiderich, Founder of Cure53 [@cure53berlin]
On LinkedIn | https://www.linkedin.com/in/marioheiderich/

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a

Episode Notes
This Redefining CyberSecurity podcast features insights from Andrew Woodhouse, Dr. Mario Heiderich, and host Sean Martin, who explore various aspects of system and application security. Woodhouse introduces software composition analysis and the importance of security initiatives like ISO 27001. Dr. Heiderich discusses the roles in security testing, and the parallels between traditional QA testing and security testing methods. The use of C++ as a core language, the intricacies of managing large-scale software, and the complexities of auditing entire tech stacks are also highlighted. The discussion provides a comprehensive understanding of tech stack security tests and audit processes.

Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist
Cloud Security Podcast - we are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and for the fourth episode in this series Shane Lawrence and Daniele Santos from Shopify explained kubeaudit, an open source tool from Shopify. They spoke about how they have used the audit tool to improve security through a developer security lens.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Shane Lawrence (Shane's Linkedin) and Daniele Santos (Dani's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(02:52) A bit about Shane
(03:45) A bit about Dani
(04:23) Which kubecons have Shane and Dani attended?
(05:03) A bit about Dani and Shane's talk at Kubecon EU
(06:42) Misconfigurations in Kubernetes
(09:48) Dani talks about the Kubernetes Security Report
(10:13) Use case for Kubernetes Misconfiguration
(11:45) What is Azure Escape?
(12:51) What is container escape?
(15:26) What is kubeaudit?
(15:49) Contributing to kubeaudit
(16:40) The maturity of kubeaudit
(19:04) How would kubeaudit help with an azure escape?
(19:41) The developer experience
(21:34) How shopify uses kubeaudit
(24:59) Getting started with kubeaudit
(25:53) Challenges with implementing kubeaudit
(27:19) Maturity of kubernetes security and kubecon
(30:02) Learning about kubernetes
(34:07) Areas of security not being spoken about enough
(36:16) Open Source and Software supply chain risks

See you at the next episode!
Microsoft turns to a weather-based taxonomy, k8s shares a security audit, a GhostToken that can't be exorcised from Google accounts, BrokenSesame RCE, typos and security, generative AI and security that's more than prompt injection Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw238
The port fell for phishing schemes on two occasions in 2021, the Washington State Auditor's Office found, due to weak controls including staff not following protocol.
Sponsored by SEC Playground. Survey to improve the Chill Chill Security Channel: https://forms.gle/e5K396JAox2rZFp19 --- Support this podcast: https://anchor.fm/chillchillsecurity/support
Cybersecurity is a buzzing topic these days; the rise of cyber-attacks is clearly evident and makes major organizations consider cybersecurity a high-priority concern. To combat cyberattacks, protect data from unauthorized access, and prevent them by implementing robust security measures, organizations require highly skilled cybersecurity professionals. As a result, we see a rise in cybersecurity jobs in the market, which are expected to increase in the future. In this comprehensive blog, we will see the top trending cybersecurity jobs in 2023. Top Trending Cybersecurity Jobs in 2023 Building your career in the cybersecurity domain is the best option to enhance your career in multiple roles. Cybersecurity is a combination of two streams: Offensive security and Defensive security. It includes many sectors such as Networking, Software, Systems, Information Security, Risk Analysis, Security Audit, Security Intelligence, Cloud Security, Incident Response, Security Testing, Ethical Hacking, Digital Security, and the list goes on. Let's see the top trending cybersecurity jobs in 2023.
The International Organization for Standardization developed ISO 27001 as a standard. It is the foundation for an organization's Information Security Management System (ISMS). The standard is divided into two straightforward sections: clauses (requirements, and hence not optional) and annex A controls (optionally used to mitigate identified information security risks). Types of IT Security Audit
Plus, Fort Worth ISD named a lone finalist for its new superintendent, the nation's first monkeypox death happened in Texas, and what to expect on the roads Labor Day weekend.
Demand for cybersecurity experts keeps growing, and cybersecurity is even predicted to become one of the most sought-after professions. Careers in cybersecurity are quite diverse and can be found across many industry sectors. However, to enter this professional field, there are several skills that every cybersecurity expert must have. In this episode of Ask a CISO we welcome Mr. Yudistira Asnar, ST., PhD, Head of the Information Systems and Technology Study Program at Institut Teknologi Bandung, for an academic's view on the importance of preparing competent cybersecurity talent, including the importance of instilling cybersecurity education from an early age in order to create human resources (SDM) ready to enter the industry.

The Ask A CISO podcast is a production of Horangi Cyber Security, Asia's leading cloud security provider. The show is hosted weekly by co-founder and CEO, Paul Hadjy.

-- About Horangi Cybersecurity --
More information about the Ask A CISO podcast: https://www.horangi.com/resources/ask-a-ciso-podcast
About Horangi Cyber Security: https://www.horangi.com

--- About the Guest --
Yudistira Dwi Wardhana Asnar, ST., PhD is a lecturer at Institut Teknologi Bandung (ITB) and currently serves as Head of the Information Systems and Technology Study Program at the ITB School of Electrical Engineering and Informatics.
He completed his undergraduate (S1) studies in Informatics Engineering at ITB and holds a doctorate/PhD from the Università Degli Studi di Trento, Italy. In academia, his expertise also covers software engineering, software system security, cybersecurity, blockchain, and security audit, and he holds certifications including Certified Project Manager and ISO 27001 / ISMS Lead Auditor.

-- Attributions --
Ending Music: I Dunno by Grapes http://ccmixter.org/files/grapes/16626
Creative Commons — Attribution 3.0 Unported — CC BY 3.0
Free Download / Stream: https://bit.ly/i-dunno-grapes
Music promoted by Audio Library https://youtu.be/sNAE8-mB5lQ We
Justin is the Co-Founder & CEO of Strike Graph, a compliance SaaS solution that helps companies move deals faster through simplifying security certifications. Within Strike Graph he has also established a foundational culture of employee growth and team diversity. Before founding Strike Graph in 2020, Justin was dedicated to developing companies, products, and technologies in the human capital realm for over 2 decades.

What you will learn
- Why security compliance is crucial for businesses
- Discover why compliance is a revenue issue (not just a legal one)
- How companies are leveraging advanced technology such as AI to perform audits
- An overview of the different cybersecurity frameworks and standards
- How Strike Graph could save your company's deals
This Saturday marks one year since the ransomware attack on the HSE, which highlighted the importance of cyber security. Newstalk's Technology Correspondent, Jess Kelly joins us this morning with some tips for carrying out a personal cyber security audit. Listen and subscribe to Newstalk Breakfast on Apple Podcasts or Spotify. Download, listen and subscribe on the Newstalk App. You can also listen to Newstalk live on newstalk.com or on Alexa, by adding the Newstalk skill and asking: 'Alexa, play Newstalk'.
In this episode, Jon will walk through some simple steps that you can do to check on the security of your social media accounts. To watch the video of this episode, click here: https://youtu.be/wMxsUG-pXVQ
Coursen Security Group is a premier security consulting and threat management firm in Austin, Texas. They provide subject matter expertise for reducing risk, preventing violence, and ensuring the certainty of safety for everyone involved. He says, “It's not what you don't know that will get you into trouble, it's what you know for certain that just isn't so.” If you really want to know just how secure you are, a security audit is the most effective way to find out how well your physical, cyber, and personal protection safeguards would stand up to a real-world threat.
www.CoursenSecurityGroup.com
http://www.yourlotandparcel.org
We're conducting a mini security audit. We've got our short list of things we're doing for security. Are they working for us? Are there things we need to change? How are we doing?

LINKS
1. Security Onion
2. Getting started with Elastic Stack
3. Sysmon
4. AppLocker

FIND US ON
1. Twitter - DamienHull
2. YouTube
What's a security audit, and why do you need one? Richard talks to Paula Januszkiewicz about auditing security, technical reviews, and so-called penetration testing. Paula talks about needing outside experts who focus on the scope of exploits out in the world today to help make sure all aspects of your company's systems are reasonably secure - there is no such thing as perfect security! The conversation gets into the details around finding a good auditor, what to expect from them, and what they will expect from you - a good security audit takes time, and is a conversation!
Recorded December 21, 2021
WordPress Resource: Your Website Engineer with Dustin Hartzler
In today’s episode, we talk through a checklist of items that need to be done this fall to make your website secure.
You know the security audit log exists but don't know which events to enable? You've already enabled it for some events, but is it worth enabling others? I'll tell you my take on it! Hi, I'm Roberto and today we're talking about the security audit log.
WDAY's First News anchors Se Kwon and Drew Trafton get you caught up on everything you need to know for Wednesday, October 20th. The InForum Minute is a product of Forum Communications and is brought to you by reporters at WDAY-TV and The Forum of Fargo-Moorhead. Find more news throughout the day at www.inforum.com for more
#7 Security Audit by Trinity Church Colonel Light Gardens
Pete Strouse has been an information security recruiter for a decade. During that time, he has had the opportunity to work with hundreds of professionals and learn what works and what doesn't when it comes to rising through the ranks of security org structures. In this episode of Tuesday Morning Grind, Pete and Christian talk about what it takes to be successful in the security space, how to get hired, how to rise through the ranks, potential career paths, and the attributes of aspiring security leaders.

About Infosec Connect: Infosec Connect helps provide recruiting and placement services for security companies with specialties in Information Security Executives, Information Security Sales & Marketing, Security Audit & Compliance (GRC), Data Privacy, Security Operations, Offensive Security, Digital Forensics & Incident Response (DFIR), and Cloud Security.

About risk3sixty: risk3sixty is a security, privacy, and compliance consulting firm that helps high growth technology organizations build, manage, and assess security and privacy programs. Offering services related to SOC 2, ISO 27001, PCI DSS, HITRUST, Virtual CISO, Privacy Programs (GDPR, CCPA, etc.), Penetration Testing, and a GRC Platform built for cloud technology companies, Phalanx. You can learn more about risk3sixty at www.risk3sixty.com/.
Dan White's Radio Show: On The Money Dan White keeps listeners in the Philadelphia and Delaware Region up-to-date with the most pressing financial issues. With over 33 years of professional financial planning experience, Dan has a talent of explaining the complex issues in his weekly show. Dan White is a Financial Specialist in the tri-state area who focuses his practice on income and transitional planning. As a highly regarded professional in the industry, Dan has been published both nationally and locally. Nationally, you can find him in Fox Business News, Forbes, CNN Money, U.S. News & World Report, Market Watch from Dow Jones, Wall Street Journal, Philadelphia Business Journal, The Delaware County Daily Times, and The Philadelphia Inquirer. Locally, he is known as an expert financial contributor in Kennett Square Neighbor, Garnet Valley Living, West Chester Living, Chadds Ford Neighbors, and East Braford Neighbors Magazines. In addition, Dan hosts a weekly radio show on WDEL (101.7 FM / 1150 AM) every Sunday morning at 7am called “On the Money”. He can also be heard on the WDEL Rick Jensen show, on Wednesday afternoons, with the “Dan White Retirement Tip of the Day”. Dan was born and raised in Delaware County, only separating during his college years at State College. Dan and his wife Cindy have been married over 30 years. They have four children; Jessica, Justin, Dylan, and Zachary. Dan is an active member of his church, and a very passionate sports fan! In his spare time, you can find him at a Phillies Baseball Game or Penn State University cheering on the Nittany Lions. Dan and his family also enjoy spending their summers at their beach house in Ocean City, New Jersey. Daniel A. White & Associates, LLC 51 Woodland Drive, Glen Mills, PA 19342 (610) 358-8942 www.danwhiteandassociates.com
Time to do a security test of Active Directory. Going to be using BloodHound, PlumHound, Mimikatz and PingCastle. Never used them before. First time for everything.
LINKS
1. BloodHound
2. PlumHound
3. Mimikatz
4. PingCastle
5. BadBlood
FIND US ON
1. Facebook
2. Twitter - DamienHull
Today I will discuss: 1. Why does a company need IT audit? 2. What are the components of IT auditing? 3. What are the benefits of conducting IT auditing? Watch
What is this service for, and how does Aglea carry it out?
Today I will discuss: 1. What Is a Security Audit? 2. What is the difference between Security Auditor & Penetration Tester? 3. What are the possible jobs for a security auditor? Watch
Welcome to Episode 13 of Practical Business Technology, where we keep you in-the-know about technology’s impact on business. In this episode on How to Respond to a Security Audit, Dave and Stephanie Kinsey discuss ways to respond to security compliance audits and tips on preparing your annual security action plan. Our show is sponsored by the Maricopa County Bar Association, and our host is Dave Kinsey, author, and owner of Total Networks.
What does "information security audit" mean for telcos? --- Support this podcast: https://anchor.fm/nirmit-verma/support
Flycast Buzz: Technology And Process Briefs For IT Professionals
Bobby McCullough gives us a teaser on his July 23rd webinar. Are you ready for your next security audit? Never been a part of a security audit? Attend our webinar on Surviving a Security Audit to understand what to expect and why it is needed. Learn how to be better prepared and how to get the most out of the audit when your time comes. Join us on Thursday, July 23rd at 2 PM EDT with Bobby McCullough for our Surviving a Security Audit webinar.
TIMESTAMPS:
0:09 - The BCH Halvening took place this week
1:11 - The CashFusion Security Audit has reached its fundraising goal
2:58 - Speaking of other fundraisers
3:39 - Bitcoin cashDrive prototype created by Peter Rizun
4:25 - Gifts.bitcoin.com promotion
4:42 - r/BTC post: "Put a Bitcoin Cash sticker on your car"
5:31 - Roger's thoughts about the Twitter post from the CEO of Blockstream
6:48 - Play poker using BCH at Blockchain.poker
8:46 - Fiat pricing has been launched all over local.bitcoin.com
9:41 - Roger's thoughts on banning a user on r/Bitcoin
10:35 - Donation to the Foundation for Economic Education (FEE)
12:16 - 25-transaction chain limit on Bitcoin Cash is doubling
►Follow Roger Ver: https://twitter.com/rogerkver https://rogerver.com/
►What is CashFusion? https://www.bitcoin.com/cashfusion-fund/
►Fundraising links: Bitcoin ABC: https://fund.bitcoinabc.org/ Bitcoin Unlimited: https://www.bitcoinunlimited.info/donate Bitcoin Cash Node: https://bit.ly/2y2WCiK
►Peter Rizun's Twitter thread about the Bitcoin cashDrive: https://twitter.com/PeterRizun/status/1247554984968777729
►Create Bitcoin Cash gift cards on: https://gifts.bitcoin.com/
►r/BTC post: "Put a Bitcoin Cash sticker on your car": https://www.reddit.com/r/btc/comments/epy8m5
►Roger's tweet about the CEO of Blockstream's Twitter post: https://twitter.com/rogerkver/status/1248015494788997121
►Play poker using BCH at Blockchain.poker: https://blockchain.poker/
►Buy and Sell Bitcoin Cash peer-to-peer: https://local.bitcoin.com
►Donate BCH for FEE: https://fee.org/donate/other#bx8
►Get huge discounts spending BCH on Amazon: https://purse.io
►Find out merchants accepting BCH around you: https://map.bitcoin.com/
Remember to subscribe to our Youtube channel and hit the bell
In this episode we talk about the latest Jormungandr 0.8.6 release, discuss the Cardano third-party security audit and the company behind it, compare natural and adversarial forking on the incentivized testnet, and more. We also read some of the top posts this week on r/Cardano and answer viewer questions in the Youtube live chat. Watch Episode 70 and view more information on Youtube: https://youtu.be/AWVMknEmFKg
#CryptoCorner: 2/3 of South Korean Exchanges Fail Gov't Security Audit, Sharespost Executes First Secondary Securities Transaction on Blockchain
DailyCyber The Truth About Cyber Security with Brandon Krieger
In today's DailyCyber Podcast, which you can listen to on the go, I discuss different positions in Cyber Security to help you as you are researching your career. I also share what questions I would recommend you ask yourself. To learn more, watch the video or listen to the podcast and comment below.

50 Cybersecurity Titles That Every Job Seeker Should Know About
From: Cybercrime Magazine
Editor: Steve Morgan
https://cybersecurityventures.com/50-cybersecurity-titles-that-every-job-seeker-should-know-about/
1. Application Security Administrator – Keep software / apps safe and secure.
2. Artificial Intelligence Security Specialist – Use AI to combat cybercrime.
3. Automotive Security Engineer – Protect cars from cyber intrusions.
4. Blockchain Developer / Engineer – Code the future of secure transactions.
5. Blue Team Member – Design defensive measures / harden operating systems.
6. Bug Bounty Hunter – Freelance hackers find defects and exploits in code.
7. Cybersecurity Scrum Master – Watch over and protect all data.
8. Chief Information Security Officer (CISO) – Head honcho of cybersecurity.
9. Chief Security Officer (CSO) – Head up all physical/info/cyber security.
10. Cloud Security Architect – Secure apps and data in the cloud.

SANS
https://www.sans.org/security-trends/2019/08/29/20-coolest-cyber-security-jobs
20 Coolest Cyber Security Jobs:

1. Threat Hunter
Featured top of the list for good reason, Threat Hunters are one of the most valuable jobs to the IT industry, with skills shown to improve the speed of threat detection and response more than two-fold, in comparison to teams without this dedicated resource. Enjoy job security by offering a 64% improvement in the detection of advanced threats, and a 63% reduction in investigation time according to the 2018 Threat Hunting Report.
Related SANS courses and GIAC Certification: FOR578 (GCTI Certification), FOR572 (GNFA Certification), FOR508 (GCFA Certification), FOR526, FOR610 (GREM Certification) and SEC487

2. Penetration Tester
"Penetration testing is the active circumvention of security features in networks, systems, and applications. This is where the penetration tester emulates threats by attempting to access alternative functionality. A penetration tester will also assess data or functionality in a manner not anticipated by the group designing that system. A good penetration tester will need to be highly technical and will also require a level of skill that enables meaningful communication of risk to management. Pen testing is a critical capability that most organisations will require, and it can also be quite fun, if not sometimes tedious. I love what I do, both as a tester and as an instructor for SANS." Adrien De Beaupre, SANS SEC642 Instructor
Related SANS courses: SEC487, SEC401 (GSEC Certification), SEC560 (GPEN Certification) and SEC660 (GXPN Certification)

3. Forensic Computer Analyst
Analyst findings might be used as evidence in a criminal investigation, to resolve a business or legal dispute, to uncover specific targets or to detect suspicious activity.
Related SANS courses: All FOR classes plus SEC504 (GCIH Certification), SEC401 (GSEC Certification) and SEC487

4. Incident Responder
When you're passionate about fighting cyber-crime, being an incident responder will bring a great deal of job satisfaction. Learn to discover the issue, mitigate the damages and investigate the situation from all angles.
Related SANS courses: All FOR classes plus SEC504 (GCIH Certification), SEC501 (GCED Certification) and SEC487

5. Security Architect
Design, build and supervise the implementation of network and computer security. As a Network Security Architect, you will test for vulnerabilities and install firewalls, along with various security policies and procedures.
Related SANS courses: SEC450, SEC503 (GCIA Certification), SEC511 (GMON Certification), SEC530 (GDSA Certification), FOR572 (GNFA Certification), SEC501 (GCED Certification) and MGT516

6. Malware Analyst
For those that like to fight the breach head on, a Malware Analyst will ensure the fast and effective response and containment to a cyber-attack.
Related SANS courses: FOR610 (GREM Certification)

7. CISO/ISO or Director of Security
As a chief information security officer, you will be the balance between the IT department and the boardroom, with an equal understanding of both business and information security. Together with the ability to influence and negotiate, you will also have a thorough knowledge of global markets, policy, and legislation. With the ability to think creatively, the CISO will be a natural problem solver and will find ways to jump into the mind of a cyber criminal, discovering new threats and their solutions.
Related SANS courses: SEC401 (GSEC Certification), MGT414 (GISP Certification), MGT512 (GSLC Certification), MGT514 (GSTRT Certification) and MGT525 (GCPM Certification)

8. Security Software Developer
As a senior developer, this creative position requires the ability to design secure software using protected programming techniques, free from vulnerabilities which could be abused by hackers. You will have the ability to incorporate security analysis, defences and countermeasures in order to ensure strong and reliable software.
Related SANS courses: MGT525 (GCPM Certification), DEV522 (GWEB Certification), DEV541, DEV544, and SEC540 (GIAC Certification coming soon)

9. Media Exploitation Analyst/Law Enforcement Computer Crime Investigator
If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked or damaged, then this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.
Related SANS courses: FOR500 (GCFE Certification), FOR585 (GASF Certification), FOR518 and FOR498

10. Software Validation Engineer
As a software validation engineer, you will assess software in order to verify issues and log defects. You will be responsible for developing summary reports for tests performed and will review data with all team members. In summary, to fill this role you will be a qualified engineer responsible for managing, inspecting, testing and modifying the equipment and procedures used to manufacture various products.
Related SANS courses: MGT525 (GCPM Certification) and SEC540 (GIAC Certification coming soon)

11. Security Operations Centre Analyst
SOC Analysts work alongside security engineers and SOC managers, to provide situational awareness through detecting, containing, and resolving IT threats. Working closely with incident response teams, a SOC analyst will address security issues, when detected, quickly and effectively.
Related SANS courses: SEC501 (GCED Certification), SEC540 (GIAC Certification coming soon), SEC450, SEC511 (GMON Certification) and SEC555 (GCDA Certification)

12. Vulnerability Researcher/Exploit Developer
As one of the fastest growing careers in the tech industry, this vital role is responsible for research and analysis of new exploits and will hold experience in penetration testing and writing exploit code.
Related SANS courses: SEC460, SEC401 (GSEC Certification), SEC560 (GPEN Certification) and SEC660 (GXPN Certification)

13. Security Audit and Risk Management Specialist
As the role responsible for identifying and assessing a company's potential risks to safety, reputation and financial prosperity, the security audit and risk management specialist will have strong problem solving and analytical skills together with an ability to negotiate and be diplomatic while working under pressure.
Related SANS courses: SEC401 (GSEC Certification), MGT516, MGT525 (GCPM Certification), DEV522 (GWEB Certification) and SEC540 (GIAC Certification coming soon)

14. Cyber Security Analyst/Engineer
As one of the highest-paid jobs in the field, the skills required to gain footing in this role are advanced. You must be highly competent in threat detection, threat analysis, and protection, broken authentication, cross-site scripting and cross-site request forgery. This is a vital role in preserving the security and integrity of an organisation's data.
Related SANS courses: SEC401 (GSEC Certification), SEC501 (GCED Certification), MGT516, MGT525 (GCPM Certification), SEC540 (GIAC Certification coming soon), SEC450, SEC511 (GMON Certification), SEC503 (GCIA Certification), SEC530 (GDSA Certification) and SEC555 (GCDA Certification)

15. Mobile Security Manager
Taking care of an organisation's mobile device safety, as a Mobile Security Manager you are responsible for monitoring and securing all of a company's smartphones, laptops, smartwatches, and other connected devices. Managing the collective tools, technologies, and processes that enable the securing of a mobile device or mobile computing environment, you will be part of a broader information security management policy that focuses mainly on mobile IT assets.
Related SANS courses: FOR585 (GASF Certification), plus SEC575 (GMOB Certification) and MGT514 (GSTRT Certification)

16. Application Penetration Tester
One of the most exciting roles within the cyber security industry, you will be responsible for the penetration testing (or ethical hacking) of applications, a significantly vulnerable point. The objective is to find security weaknesses before a cyber criminal does.
Related SANS courses: DEV522 (GWEB Certification)

17. Disaster Recovery/Business Continuity Analyst/Manager
Level up your skills and earn your place as a disaster recovery manager, where you will be responsible for managing the design, implementation, and communication of organisations' continuance and disaster recovery plans. Your processes will ensure the safeguarding of business data, technology, information systems, and databases.
Related SANS courses: SEC501 (GCED Certification), MGT414 (GISP Certification), MGT514 (GSTRT Certification) and MGT516

18. Technical Director and Deputy CISO
Would you like to train and develop future leaders in the cyber security department? You will be responsible for deciding on the costs needed to develop senior roles, on executing the security strategy consistently throughout the department and identifying and managing the skills and weaknesses of associates.
Related SANS courses: SEC501 (GCED Certification), MGT414 (GISP Certification), MGT512 (GSLC Certification), MGT514 (GSTRT Certification) and MGT525 (GCPM Certification)

19. Intrusion Analyst
"I've come to realise that network monitoring, intrusion detection, and packet analysis represent some of the very best data sources within our enterprise. These can be used to very rapidly confirm whether or not an incident has occurred, and allow an experienced analyst to determine, often in seconds or minutes, what the extent of a compromise might be. In a very real sense, I have found this to be the most important course that SANS has to offer. Not only will it cause you to think about your network in a very different way as a defender, but it is incredibly relevant for penetration testers who are looking to "fly under the radar." The concepts that you will learn in this course apply to every single role in an information security organisation!" David Hoelzer, SANS SEC503 Instructor
Related SANS courses: SEC503 (GCIA Certification) and SEC401 (GSEC Certification)

20. IoT/Critical Infrastructure Security Director
A crucial role within today's world where cyber attacks on our critical infrastructure are increasing in risk. In an age where almost every device or piece of machinery can be connected to the internet, they too are at risk of being hacked. The Internet of Things (IoT) has evolved so quickly that managing its security has become a minefield. When we look broadly into the matter, Critical Infrastructure is at risk of foul play. Power grids, chemical plants, and transportation systems are being attacked by hackers. In a report by Business Insider, 'A new front in cybersecurity', investigations found that companies operating critical infrastructure reported 295 cyber attacks in 2015. While technology is consistently evolving, so too will attacks on this industry. The role of security director for IoT and Critical Infrastructure is invaluable, some might say indispensable.
Related SANS courses: All SANS ICS Courses and Certifications, plus MGT512 (GSLC Certification), MGT514 (GSTRT Certification) and MGT525 (GCPM Certification)
Topics:
Infosec Campout report
Jay Beale (co-lead for audit) *Bust-a-Kube*
Aaron Small (product mgr at GKE/Google)
Atredis Partners
Trail of Bits

What was the Audit? How did it come about? Who were the players?
- Kubernetes Working Group: Aaron, Craig, Jay, Joel
- Outside vendors: Atredis (Josh, Nathan Keltner); Trail of Bits (Stefan Edwards, Bobby Tonic, Dominik)
- Kubernetes Project Leads/Devs
- Interviewed devs -- this was much of the info that went into the threat model
- Rapid Risk Assessments - let's put the GitHub repository in the show notes

What did it produce?
- Vuln Report
- Threat Model - https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf
- White Papers - https://github.com/kubernetes/community/tree/master/wg-security-audit/findings

Discuss the results: threat model findings
- Controls silently fail, leading to a false sense of security (Pod Security Policies, Egress Network Rules)
- Audit model isn't strong enough for non-repudiation: by default, the API server doesn't log user movements through the system
- TLS encryption weaknesses: most components accept cleartext HTTP; bootstrapping to add kubelets is particularly weak; multiple components do not check certificates and/or use self-signed certs; HTTPS isn't enforced; certificates are long-lived, with no revocation capability
- etcd doesn't authenticate connections by default
- Controllers all bundled together. Confused deputy: lower-privilege controllers are bundled in the same binary as higher-privilege ones
- Secrets not encrypted at rest by default
- etcd doesn't have signatures on its write-ahead log
- DoS: you can set anti-affinity on your pods to get nothing else scheduled on their nodes
- Port 10255 has an unauthenticated HTTP server for status and health checking

Vulns / Findings (not a complete list, but interesting)
- Hostpath pod security policy bypass via persistent volumes
- TOCTOU when moving PID to manager's group
- Improperly patched directory traversal in kubectl cp
- Bearer tokens revealed in logs
- Lots of MitM risk: SSH not checking fingerprints (InsecureIgnoreHostKey); gRPC transport seems all set to WithInsecure(); HTTPS connections not checking certs; some HTTPS connections are unauthenticated
- Output encoding on JSON construction. This might lead to further work, as JSON can get written to logs that may be consumed elsewhere.
- Non-constant time check on passwords
- Lack of re-use / library-ification of code

Who will use these findings and how? Devs, Google, bad guys?
Any new audit tools created from this?
Brad Geesaman: "Hacking and Hardening Kubernetes Clusters by Example [I]" - Brad Geesaman, Symantec https://www.youtube.com/watch?v=vTgQLzeBfRU
Aaron Small: https://cloud.google.com/blog/products/gcp/precious-cargo-securing-containers-with-kubernetes-engine-18 https://cloud.google.com/blog/products/gcp/exploring-container-security-running-a-tight-ship-with-kubernetes-engine-1-10 https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
CNCF: https://www.youtube.com/watch?v=90kZRyPcRZw

Findings: scope for testing
- Source code review (what languages did they have to review?) Golang, shell, ...
- Networking (discuss the networking, *internal* and *external*)
- Cryptography (TLS, data stores)
- AuthN/AuthZ, RBAC (which roles were tested? Just admin/non-admin? *best practice is no admin/least priv*)
- Secrets
- Namespace traversals, namespace claims

Methodology
- Set up a bunch of environments? Primarily set up a single environment IIRC
- Combination of code audit and active fuzzing? What does one fuzz on a K8s environment?
- Tested with latest alpha or production versions? Version 1.13 or 1.14 - version locked at whatever was current. K8s releases a new version every 3 months, so this is a challenge and means we have to keep auditing.
- Tested multiple different types of k8s implementations? Tested primarily against kubespray (https://github.com/kubernetes-sigs/kubespray)

Bug Bounty program: https://github.com/kubernetes/community/blob/master/contributors/guide/bug-bounty.md

Check out our Store on Teepublic! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #Brakesec Store!: https://www.teepublic.com/user/bdspodcast #Spotify: https://brakesec.com/spotifyBDS #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
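Two of the findings in the notes above, the non-constant-time password check and bearer tokens revealed in logs, as an added Go example that is not part of the show notes or of the Kubernetes code base. It shows the leaky comparison beside a constant-time one built on crypto/subtle, and a log redactor that strips a bearer token before the line reaches a log sink. The token patterns and the sample log lines are assumptions constructed for the example; extend the patterns to match whatever your own components actually log.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"regexp"
)

// Added example, not Kubernetes code. Token formats and log lines are constructed.

// InsecureEqual is the shape of the "non-constant time check on passwords"
// finding: == on strings returns at the first differing byte, so the time a
// request takes leaks how many leading bytes of the guess were correct.
func InsecureEqual(expected, provided string) bool {
	return expected == provided
}

// ConstantTimeEqual hashes both inputs to fixed-size digests and compares the
// digests with crypto/subtle. Comparison time no longer depends on where the
// inputs differ, and hashing first also hides the length of the secret.
func ConstantTimeEqual(expected, provided string) bool {
	e := sha256.Sum256([]byte(expected))
	p := sha256.Sum256([]byte(provided))
	return subtle.ConstantTimeCompare(e[:], p[:]) == 1
}

// tokenPatterns cover two places a bearer token commonly lands in a log line:
// an Authorization header echoed into a request log, and a token= query or
// flag parameter. Group 1 is the prefix to keep; the remainder is the secret.
// (Hypothetical patterns; adapt them to the formats your components emit.)
var tokenPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)(authorization:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*`),
	regexp.MustCompile(`(?i)([?&]token=)[^&\s]+`),
}

// RedactTokens rewrites one log line so any bearer token it carries is
// replaced before the line is written anywhere (file, stdout, SIEM).
func RedactTokens(line string) string {
	for _, re := range tokenPatterns {
		line = re.ReplaceAllString(line, "${1}[REDACTED]")
	}
	return line
}

// RedactAll applies RedactTokens to every line of a log batch.
func RedactAll(lines []string) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		out[i] = RedactTokens(l)
	}
	return out
}

func main() {
	// Constructed sample log lines (not real cluster output).
	sample := []string{
		`GET /api/v1/namespaces/kube-system/secrets Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.payload.signature 200`,
		`GET /api/v1/pods?watch=true&token=abc123DEF456 403`,
		`POST /api/v1/namespaces/default/pods 201`,
	}
	for _, l := range RedactAll(sample) {
		fmt.Println(l)
	}
	fmt.Println("constant-time match:", ConstantTimeEqual("correct horse", "correct horse"))
	fmt.Println("constant-time mismatch:", ConstantTimeEqual("correct horse", "correct horsf"))
}
```

Redacting at the logging boundary is a stop-gap; the durable fix is to keep credentials out of request lines and log records in the first place, and to treat any log that ever carried a token as a secret store when deciding who may read it.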
In this episode of TTN Insights, Ernesto and Mickey talk about website security, how to prepare against attacks and how to react to a breach. How do you know if you have been hacked? What information is at stake? Check out our new service: Website Security Audit. Every so often, Ernesto Gluecksmann and Mickey Panayiotakis sit down and talk about digital security, new software, technologies, trends, regulations that may impact leaders of organizations. Listen to their Insights on this segment of Through The Noise.
Keeping a record of everything that happens in our WordPress is a security necessity. I have two favorite plugins for this: one you already know, and the other I present to you today: WP Security Audit Log.
Topics:
Infosec Campout report
Derbycon Pizza Party (with podcast show!) https://www.eventbrite.com/e/brakesec-pizza-party-at-the-derbycon-mental-health-village-tickets-69219271705
Mental health village at Derbycon
Jay Beale (co-lead for audit) *Bust-a-Kube*, Aaron Small (product mgr at GKE/Google), Atredis Partners, Trail of Bits: the Kubernetes security audit (show notes for this segment are listed above)
Cyber security threats are on the increase. Last year there were more than ever before. Mark Hallam from Techwell explains why your business needs an IT and security audit and how they can help.
Host Brian Thompson has a cybersecurity chat with VGM's CIO and SVP of IT, Jeremy Kauten.
Subscribe: itunes | Email | Stitcher | RadioPlayer
When was the last time that you reviewed your access logs in your healthcare practice? In our policies, procedures, risk assessments, and privacy impact assessment submissions, we indicate the reasonable safeguards that we expect to implement in our practices to protect the privacy and security of health information. But policies and good intentions alone aren't enough. We also need to take action on our policies. Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This means having appropriate policies and procedures in place and demonstrating and documenting that you have implemented your plans. In this podcast episode, Jean L. Eaton answers frequently asked questions (FAQ) about using audit logs of your computer and your Electronic Medical Record (EMR) / Electronic Health Record (EHR) to improve security in your healthcare practice.
Improve Privacy and Security In Your Healthcare Practice: Privacy and Security Monthly Audit Template
This Practice Management Success Tip includes
✔ Implementation guide – easy to read 'how-to' instructions to get the best results from your privacy and security monthly audit.
✔ Audit form template in MS Word document format that you can download, print, and use right away.
✔ Access to mini-course with video examples to get you started.
✔ On-line access to Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor, to answer your questions
No software to purchase. Get the Templates Now!
In This Podcast Episode / Show Notes (recorded June 2018). You can advance the audio to these time markers:
00:51 Policies and Procedures Are Not Enough
01:10 What Are Audit Logs?
02:28 Importance of Audit Logs
04:52 Snooping
05:46 Reasonable Safeguards
06:11 Implementing Monthly Privacy and Security Audit
07:16 Starting Your Program
07:59 Sample Goals
09:36 Sample Compliance Observations
11:47 Sample Recommendations
12:15 Identify Your Action Items – what will you start, stop, or keep doing?
Action Steps That You Should Do Now: see https://informationmanagers.ca/audit for checklists and templates that you can use right away to help you improve your healthcare practice security.
Rate and Review the Podcast: I am honoured that you choose to spend your time with me today. Thank you for the opportunity to share my obsession about privacy, confidentiality and security with you! Reviews for the podcast on whatever platform you use are greatly appreciated! When you provide your honest feedback it helps other people just like you find content that may help them, too. If you received value from this episode, please take a moment and leave your honest rating and review. Jean L. Eaton, Your Practical Privacy Coach and Your Practice Management Mentor with Information Managers Ltd.
Podcast: Unsolicited Response Podcast
Episode: Next Generation Security Audit Files for ICS
Pub date: 2017-12-01
Digital Bond developed the Bandolier Security Audit Files with some research funding from the US Dept of Energy back in 2006 - 2008. They worked well, but required ICS vendor commitment to keep them current and promote their use. OSIsoft is a great example of what is possible. They not only continued the Bandolier Security Audit files, they improved and expanded them, including:
- migrating them to PowerShell so Nessus was no longer required
- expanding them to more PI components and applications
- releasing them on GitHub and building a community around them
- integrating them into the deployment process to verify installations are secure
I talk with Harry about all this as well as the plans for the future, which include adding a configuration capability to what they call the PI Security Audit Tools so it is more than audit. In the last 10 minutes of the podcast we discuss the OSIsoft flags at past S4 events and those planned for S4x18. If you will compete in the S4x18 CTF, this is a must listen.
Links from OSIsoft:
PI Security Audit Tools repository and wiki: https://github.com/osisoft/PI-Security-Audit-Tools https://github.com/osisoft/PI-Security-Audit-Tools/wiki
PI Square Security Group: https://pisquare.osisoft.com/groups/security
For a head start on the PI System CTF challenges, competitors can bookmark the PI System cyber security page and get familiar with the PI Web API.
PI System Cyber Security page: https://techsupport.osisoft.com/Troubleshooting/PI-System-Cyber-Security
PI Web API online documentation: https://techsupport.osisoft.com/Documentation/PI-Web-API/help.html
The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
#CryptoCorner: 2/3 of South Korean Exchanges Fail Gov't Security Audit, Sharespost Executes First Secondary Securities Transaction on Blockchain
Our interview guest is Stefan George, CTO and co-founder of Gnosis in Berlin. Besides the general workings of prediction markets, we focus on the components of the "Prediction Market Framework" that Gnosis has been developing on top of Ethereum since 2014. We learn how it can be used to predict the completion date of the Berlin airport, and how real-world events are made available on-chain through oracles. Stefan also tells us how much a security audit for 200 lines of code on the blockchain costs, and why they founded the Full Node, Germany's first blockchain co-working space.
Two weeks ago, I shared what I understand about article 32 of the General Data Protection Regulation, and last week I went through the Mac security audit aimed at helping entrepreneurs comply with GDPR. This week, I'll go deeper into the fundamentals of iPhone/iPad security by guiding you through the audit that I have prepared for entrepreneurs and small business owners here in Luxembourg.
In the last episode, I shared what I understand about article 32 of the General Data Protection Regulation and, more importantly, I shared universal security best practices, whether or not your business needs to comply with GDPR. This week, I'll go deeper into the fundamentals of Mac security by guiding you through the audit that I have prepared for entrepreneurs and small business owners here in Luxembourg.
Robert Baldi joins Ron Woerner on the Business of Security Podcast Series for a discussion about cyber security audits and using the audit capability as a way to leverage change and enhance overall security performance. Robert discusses using a mathematical formula for risk and translating this back into investment decisions for a Board discussion. Collaboration between security, audit and risk teams is key to the success of all three parties.
"Mess with a bull, you get the horns." Erik Voorhees breaks down the Wall Street Journal's poor and unethical journalism. Plus studies on exchange security and crypto adoption.
- Report finds lax security on crypto exchanges
- Breaking down the 36% of lost and/or stolen BTC
- SEC, CFTC, and FBI take action against 1Broker
- Beijing Sci-Tech Report (BSTR) accepts BTC
- Crypto ATMs supporting Bitcoin Cash are growing in Europe
- Meet Fabio and his BCH merchant adoption story
- Wall Street Journal attacks ShapeShift; Voorhees responds
Handling thousands of security audit questions per month while also conducting routine internal audits is a daunting and tiring task. Audit fatigue is real! However, meeting security audit requests has become a standard for doing business in the healthcare industry. This CyberPHIx episode examines successful approaches to handling security audits from a vendor's perspective. Hear from Chris Risley, Executive Director of Enterprise Risk Management at NASCO, an exclusive provider of claims processing and other services to Blue Cross / Blue Shield Plans across the country. This discussion addresses some of the following questions: How do you help your organization combat audit fatigue? What standards do you have in place to improve responsiveness and drive efficiencies in the audit process? How do you handle capacity constraints in managing a portfolio of audits with limited bandwidth and staff? How does effective security risk management correlate to business value, and how is that value communicated to leadership and the marketplace?
Show Notes:
1:04 Intro
2:11 Increased volume for various audit plans
3:07 Organizing to respond to audits
5:39 What are the common frameworks for audit questions
7:41 Can you be proactive in response to eliminate fatigue
10:35 How far should an organization go with being transparent
12:49 Are more resources going to be needed for responding to audits
15:33 How to prioritize internal risk management
18:03 How flexible does your internal audit plan need to be
19:49 What are the common pitfalls when creating a plan
23:45 How to combat audit fatigue
26:25 How to communicate risk to leadership
33:12 Use of analogies to help communicate
36:16 How to manage organizational change within the business
42:05 Key Findings
42:54 Introduction for next podcast
Cyber security experts Sherri Davidoff and Sharon Nelson spoke in a presentation titled “Passing Your IT Security Audit” at ABA TECHSHOW 2016. Before their presentation, they stop by to discuss the topic with Legal Talk Network producer Laurence Colletti. Tune in to learn why more and more clients are demanding IT security audits from their legal service providers and how you can prepare your law firm. Sharon opens the conversation by explaining how the internet has changed the way companies perceive data security. The discussion then shifts to tips and best practices that you can implement within your firm to build an effective security program. The conversation ends with a focus on cyber insurance and the nine building blocks of an effective security program. Sharon D. Nelson is president of the digital forensics, information technology, and information security firm Sensei Enterprises. In addition to serving on numerous noted legal organizations including the ABA’s Cybersecurity Legal Task Force and the ABA’s Standing Committee on Technology and Information Systems, she was president of the Virginia State Bar. Sherri Davidoff is a nationally-recognized cyber security expert who is a founder and Senior Security Consultant at LMG Security. She has over a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing, and web application assessments. Davidoff is an instructor at Black Hat and co-author of “Network Forensics: Tracking Hackers Through Cyberspace”. She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in computer science and electrical engineering from MIT.
This week I share 5 things you should do for your 2016 security audit. Upcoming Events The KitchenSinkWP Episode 100 Raffle! (Enter below!) Segment 1: In the News The ServerPress theme WP Presenter was handed off to Chris Wigman. Theresa Jennings GoFundme support needed. WordPress 4.4.1 released. Segment 2: This week I share 5 things…
Welcome to Hurricane Labs' [BRAND NEW] Official InfoSec Podcast: The Leak. This is Episode .01 "The Reboot," featuring Bill Mathews, Corey Ham, Tom Kopchak, and Amanda Berlin. Listen in to this animated and informational discussion for the latest InfoSec Hacks and Headlines, Hot Topic Talk, and Tip of the Week.
ANNOUNCEMENTS
We are hiring! On a quest towards a fulfilling career? Do you lie awake at night thinking about all the recent breaches and wish you could just do... something? This is your chance! Apply today. Position openings include: Splunk Administrator, Security Operations Center Analyst, Network Security Engineer.
TOP INFOSEC HACKS & HEADLINES HOT OFF THE PRESS [Articles of discussion]
Lenovo and Superfish: Lenovo Still Shipping Laptops With Superfish; Lenovo website hacked and defaced by Lizard Squad in Superfish protest
Apple Watch: What we know about security features on the Apple Watch; 4 things to watch out for with the Apple Watch
FREAK Attacks: As we get FREAK out, was old code to blame again?; The FREAK bug in TLS/SSL - what you need to know
Anthem Breach: Anthem refuses IT security audit following massive data breach; Does Anthem Have an Excuse for Declining a Security Audit?
TODAY'S HOT TOPIC TALK
What's the deal with Net Neutrality? Pulling net neutrality from a swamp of lies; Netflix in row over net neutrality support; Why Net Neutrality May Bring A Lousier Netflix Connection
TIP OF THE WEEK
What can be done about social engineering? Very effective Social Engineering Scams; Go Hack Yourself... Really
UNTIL NEXT TIME!
Connect with us and join the conversation on social media: Twitter: @hurricanelabs; Facebook: facebook.com/hurricanelabs
David and Katie review best security practices and discuss email encryption, VPN, password practices, data encryption, two factor authentication and more. Thanks to MPU listener Jigar Talati for assistance with the shownotes this week.