Episode 135: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Ryan Barnett for a deep dive on WAFs. We also recap his Exploiting Unicode Normalization talk from DEFCON, and get his perspective on bug hunting from his time at Akamai.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter: https://x.com/Rhynorater https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

Today's Sponsor - ThreatLocker. Checkout ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect
Today's Guest: https://x.com/ryancbarnett

====== Resources ======
Accidental Stored XSS Flaw in Zemanta 'Related Posts' Plugin for TypePad
https://webappdefender.blogspot.com/2013/04/accidental-stored-xss-flaw-in-zemanta.html
XSS Street-Fight
https://media.blackhat.com/bh-dc-11/Barnett/BlackHat_DC_2011_Barnett_XSS%20Streetfight-Slides.pdf
Blackhat USA 2025 - Lost in Translation: Exploiting Unicode Normalization
https://www.blackhat.com/us-25/briefings/schedule/#lost-in-translation-exploiting-unicode-normalization-44923

====== Timestamps ======
(00:00:00) Introduction
(00:02:49) Accidental Stored XSS in Typepad Plugin
(00:06:34) Chatscatter & Abusing third party Analytics
(00:11:42) Ryan Barnett Introduction
(00:21:11) Virtual Patching & WAF Challenges
(00:40:39) AWS API Gateways & Whitelisting Bug Hunter Traffic
(00:49:59) Lost in Translation: Exploiting Unicode Normalization
(01:11:29) CSPs at the WAF level & 'Bounties for Bypass'
In today's digital world, securing your websites and web applications is more critical than ever. In this session, we break down the foundations of web security, with a sharp focus on defending against SQL injection, XSS, and other modern cyber threats. You'll learn how attackers exploit vulnerabilities in web applications and how to stop them using best practices like secure coding, parameterized queries, and Web Application Firewalls (WAFs). We also explore top web security tools, the OWASP Top 10, and techniques used in penetration testing. Whether you're a developer, security analyst, or business owner, this episode equips you with the practical knowledge to identify, mitigate, and stay ahead of today's most common web attacks.
In this episode of The Cyber Threat Perspective, we tackle the crucial first step in cybersecurity: preventing initial compromise. We'll dissect common attack vectors like phishing and exploitation and explore layered defenses ranging from MFA and patch management to DMZs and WAFs. Get actionable guidance to integrate these controls into your security program and safeguard your organization against the risk of that initial foothold.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Spencer's Twitter: https://x.com/techspence
Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi
Work with Us: https://securit360.com
The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a secure environment and why so many orgs still look to tools. And with LLMs writing so much code, we continue to look for ways LLMs can help appsec in addition to all the ways LLMs keep recreating appsec problems.

Resources
https://www.forrester.com/blogs/breaches-and-lawsuits-and-fines-oh-my-what-we-learned-the-hard-way-from-2024/
https://www.forrester.com/blogs/wafs-are-now-the-center-of-application-protection-suites/
https://www.forrester.com/blogs/are-you-making-these-devsecops-mistakes-the-four-phases-you-need-to-know-before-your-code-becomes-your-vulnerability/

In the news, crates.io logging mistake shows the errors of missing redactions, LLMs give us slopsquatting as a variation on typosquatting, CaMeL kicks sand on prompt injection attacks, using NTLM flaws as lessons for authentication designs, tradeoffs between containers and WebAssembly, research gaps in the world of Programmable Logic Controllers, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-326
In this interview with USA Today best-selling author, Heather B. Moore, we talk about her biographical fiction, Lady Flyer, about Nancy Harkness Love, who led the establishment of the Women's Auxiliary Ferrying Squadron at the beginning of WWII, and whose efforts were both at odds with and in support of Jackie Cochran's initiative to create the Women Airforce Service Pilots. If you're in Denver for WAI205, be sure to stop by the Authors Connect Booth from 2-3:30 on Friday to have Heather sign a copy of her book for you, and reserve your tickets to join us at the Tattered Cover Aspen Grove location at 5:30 pm on Wednesday, March 26th for a special presentation and book signing with Heather and Katherine Sharp Landdeck, author of The Women with Silver Wings.

Did you know you can support your local independent bookshop and me by shopping through my Bookshop.org affiliate links on my website? If a book is available on Bookshop.org, you'll find a link to it on the book page. By shopping through the Literary Aviatrix website a small portion of the sale goes to support the content you love, at no additional cost to you. https://literaryaviatrix.com/shop-all-books/

Thanks so much for listening! Stay up to date on book releases, author events, and Aviatrix Book Club discussion dates with the Literary Aviatrix Newsletter. Visit the Literary Aviatrix website to find over 600 books featuring women in aviation in all genres for all ages. Become a Literary Aviatrix Patron and help amplify the voices of women in aviation. Follow me on social media, join the book club, and find all of the things on the Literary Aviatrix linkt.ree. Blue skies, happy reading, and happy listening!

-Liz Booker
Imagine if you could master the art of marketing in the Rails development world, or understand the nuances of web application firewalls (WAFs)? Well, look no further. We had an insightful chat with Ryan and Mike from Wafers, who shared their journey in Rails development, security, and their unique marketing strategies. They spoke about their presence at Rails Sassalay and RailsWorld conferences, where they stood out with their code-themed Cards Against Humanity game and a custom Lego set of DHH's car. Quite the creative spark, wouldn't you agree?

Now, let's debunk a myth: developers hate marketing. Is that really true? Ryan and Mike argue that it's not about hating marketing, but about disliking inauthentic and irrelevant tactics. They brought this authenticity to their open-source web application firewall, Wafers, and their testing process was as real as it gets. They touched on the crucial role of WAFs in managing bot traffic and improving website security - knowledge that is valuable for businesses of all sizes.

Our conversation also took us down the challenging road of starting a company that leverages Redis for different ecosystems. We shared our experiences with Redis and Lua scripts, and the intricate decisions about memory usage and performance. But, it hasn't all been about the technical side. Ryan and Mike emphasized the importance of customer feedback in product improvement and how engineering can be a unique tool for marketing. At the end of the day, it's about creating a balance and finding what works best for your startup. So, whether you're a Rails developer, a security enthusiast, or a marketing aficionado, this episode promises to serve a feast of knowledge.

Honeybadger: Honeybadger is an application health monitoring tool built by developers for developers.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
Embark on a cybersecurity journey with Sam Pickles, the dynamic founder of RedShield, a pioneering web application firewall (WAF) company. Dive deep into the captivating evolution of WAFs, how they're navigating the ever-changing threat landscape, and the innovative solutions to operationalize security for enterprises inundated with hundreds or even thousands of websites to safeguard. This insightful conversation exposes the challenges around WAF deployment, the pitfalls of certain competitive models, and the industry's escalating skills shortage. Get a raw and unfiltered look at the real-world struggles of fixing legacy code, and discover how Sam and his team at RedShield are pushing the boundaries to build a safer digital world.
I greet you in Jesus' precious name! It is Sunday morning the 14th of May 2023, and this is your friend Angus Buchan with a thought for today.

Before we start we want to say: "Happy Mother's Day" - Today we remember our Mothers! We start with Numbers 26:59, Jochebed was the mother of Moses, who brought the Jews out of slavery. Then we go to 1 Samuel 1:20, Hannah the mother of Samuel - probably the greatest of all the prophets, never defaulted once. Then Luke 1:13 - Elizabeth, the mother of John the Baptist of whom Jesus said: "Never has a man that has been born from the womb of a woman been greater than John" and then, of course, Luke 1:31 - Mary the mother of our beloved Savior the Lord Jesus Christ.

I want to acknowledge moms today, I want to say to you, Mother - Don't allow society, or anything, to undermine how precious you are to us. Where would we be without our mothers? I mentioned just a couple of Mothers, of course, culminating in the greatest of all women, she was blessed to have God in her womb for nine months and then to bring him up into a young man. She was with Him right to the end, she never left Him. Folks, my mother was 13 years old and had to leave school when her mum died; she had to bring up the family. My Mom was in the Second World War for six years, she was in the WAFs - the Women's Auxiliary Force, the same Force as the late Queen Elizabeth. She used to drive out those huge bombs in big trucks, she drove those trucks herself, out to the Bombers. My Mom came to Africa as a young woman, with my Dad, and started a life for my brother, myself and my sister. My Mom is one of my Heroes. You know, my Dad used to go to work early in the morning, he was a blue-collar worker, he was a tradesman - a blacksmith. In the school holidays when Dad went off to work, we would run and jump into bed with Mom and we'd lie next to her and she would tell us stories of when she was a young girl. She was probably the greatest storyteller I've ever met.

I learnt all my storytelling from my mom, not from any University. She could have you enthralled just telling you what she was making for lunch... Oh, I miss my Mom so much. The greatest moment for me is when I had the privilege of introducing my Mother to Jesus Christ. Sitting by that fire early in the morning, I'll never forget it, Jill and I telling her about Jesus. After that, she used to sit there with her Bible and tell me about all the stories that she'd read. She enthralled me, she taught me everything I know about storytelling... Go out today and spoil your mom, she's worthwhile. Phone her, write to her, love her because she won't be with you forever. Jesus bless you and happy Mother's Day Moms, we love you and we appreciate you. Goodbye.
WAFs have been with us a while and it's about time someone reconsidered WAFs and their role in AppSec given the cloud-native and Kubernetes landscape. The OWASP Coraza project is not only asking these questions but putting some Go code behind their ideas. Should WAFs work in a mesh network? Why create an open source WAF? What's next for the OWASP Coraza project? These and more topics are covered in this episode. I had a great time recording it and I think you'll have the same while listening.

Show Links:
- Coraza Website: https://coraza.io/
- Coraza Github Repo: https://github.com/corazawaf/coraza
- Coraza Twitter: https://twitter.com/corazaio
- AppSec EU 2023 presentation on Coraza: https://www.youtube.com/watch?v=S_TtvDFmia4
In this episode we discuss rising attacks that overcome the protections of Web Application Firewalls (WAFs). We explain these attacks, why this bypass might be effective against you even if you think it isn't, and what you should do to ensure you're safe.
Claroty Team82 researcher Noam Moshe joins the podcast to discuss his recent research and development of a generic bypass of leading vendors' web application firewalls. This research was presented at Black Hat Europe and on the Team82 blog. The technique involves adding JSON syntax to a SQL injection payload. Prior to this research, the WAFs tested did not understand JSON syntax inside SQL and so did not flag these payloads as malicious. All of the leading vendors have since added JSON support to their SQL injection processing.
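The JSON-syntax bypass described above, together with the parameterized-query defense the earlier web security episode mentions, as an added example (not code from Team82, from any WAF vendor, or from either podcast): a toy signature WAF that recognizes the classic tautology and UNION patterns, a deliberately concatenated SQLite query sitting behind it, and a constructed tautology expressed through SQLite's `json_extract` that carries none of the tokens the signatures look for yet still evaluates to true. The function names, the `users` table and the payload are my own; the payload is a SQLite-flavoured illustration of the idea, not the payload from the research.

```python
import re
import sqlite3

# Toy signature set mirroring the pre-fix behaviour the episode describes:
# it knows "OR 1=1", "OR 'a'='a'", UNION SELECT and SLEEP(), but has no
# notion of JSON functions or operators. Constructed for illustration.
SIGNATURES = [
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),            # OR 1=1
    re.compile(r"\bor\b\s*'[^']*'\s*=\s*'[^']*'", re.I),    # OR 'a'='a'
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),     # UNION [ALL] SELECT
    re.compile(r"\bsleep\s*\(", re.I),                      # time-based probe
]

# What "adding JSON support" looks like in the toy: a couple of extra signatures.
JSON_AWARE = SIGNATURES + [
    re.compile(r"\bjson_\w+\s*\(", re.I),   # json_extract(, json_valid(, ...
    re.compile(r"->>?"),                    # JSON arrow operators (PostgreSQL/MySQL/SQLite)
]


def toy_waf_blocks(value: str, sigs=SIGNATURES) -> bool:
    """Return True if any signature matches the request value."""
    return any(sig.search(value) for sig in sigs)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately concatenated: this is the injectable query the WAF is meant to shield.
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The fix: the value is bound, so SQLite treats it as data, never as syntax.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


CLASSIC = "x' OR 1=1 --"
# Same tautology, but the "true" comes out of a JSON function: json_extract('{"a":1}','$.a')
# is the integer 1, so the WHERE clause becomes ... OR 1 = 1 without ever spelling "OR 1=1".
JSON_STYLE = "x' OR json_extract('{\"a\":1}', '$.a') = 1 --"


def demo() -> dict:
    """Run both payloads through the toy WAF and, if allowed, the vulnerable query."""
    conn = make_db()
    results = {}
    for label, payload in (("classic", CLASSIC), ("json", JSON_STYLE)):
        blocked = toy_waf_blocks(payload)
        rows = [] if blocked else lookup_vulnerable(conn, payload)
        results[label] = {"blocked": blocked, "rows_leaked": len(rows)}
    # After the signature update the JSON payload is caught at the edge...
    results["json_aware_blocked"] = toy_waf_blocks(JSON_STYLE, JSON_AWARE)
    # ...but the real fix is that a bound parameter leaks nothing regardless of the WAF.
    results["parameterized_rows"] = len(lookup_parameterized(conn, JSON_STYLE))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entry to read from `demo()` is the last one: the same JSON payload bound as a parameter returns nothing, so the rule updates the vendors shipped are defence in depth on top of parameterized queries, not a substitute for them.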
Security researchers have figured out how to get around a web application firewall with a new technique that impacts several vendors. The Technado crew discussed that and Microsoft adding features to compete with Discord, updates to the snipping tool in Windows 11, support ending for Windows 7 and 8, and an update on the Raspberry Pi supply chain issues. Finally, they talked about a Fortinet bug allowing pre-auth remote code execution and what to do about it.
Ken is back to lead a discussion on identification of interesting sources for the podcast and specifically how XSS just is not as interesting to him and Seth as it was a decade ago. A new project for analyzing and bypassing 403 responses from proxies and WAFs. Opinions on Patreon's recent layoffs and hot takes around security issues. Finally, web3-related topics of the recently completed Ethereum merge along with Starbucks NFTs.
Dr. Chase Cunningham, a well-renowned expert on Zero Trust, sits down with us this week to talk about zero trust, VPNs, SASE, WAFs, and how the IS and security team can still be the department of "no" and still accommodate the demands of DevOps and contribute to an organization's growth. Tune in to this episode of Ask A CISO to hear:
Web Application Firewalls (WAFs) have been around for quite some time to protect web applications through the inspection of HTTP traffic. But with the changing nature of web applications and the ever-changing threat landscape they need to evolve constantly. Richard Hill sits down with Matthias to explain the newest developments in the WAF market, which increasingly demands intelligent solutions.
As sands through the hourglass, another episode falls on a Tuesday in late March. It was not _the_ first episode, but it was an episode, as Ken and Seth talk about the origins of web application firewalls (WAFs) to go along with an article describing current WAF usage patterns. A heated discussion on recent software supply chain issues related to ProtestWare (the changing of open source packages to highlight maintainer-focused causes). Finally, a quick look into Content Security Policy (CSP) Level 3 and upcoming browser support for the specification.
Today's episode is the first of a new collaboration journey that the American MilSpouse podcast is taking with Wives of the Air Force, or WAFs as they're affectionately known. If you think their voices sound familiar, you're right! They were on the podcast early last year. We will dive into how we have managed our mental health and some feedback that we've gotten from you. Jen and Kirst are Air Force spouses, working moms, and the faces of @wivesoftheairforce. WAFs started as a blog meant to serve as a resource for Air Force spouses. Check out their first episode on The American MilSpouse linked below. Be sure to tune in to this episode as Jen, Kirst, and I sit down and discuss current events, things going on in Ukraine, and what that's looked and felt like for us. You don't want to miss this special episode.

Highlights from today include:
About Jen & Kirst (3:02)
Collaborating and finding a community (5:53)
Trying to live normally even with insight (8:02)
Obligation to stay informed of current events (10:00)
Being grateful and spreading positivity (12:03)
Being a trusted person to give digestible information (16:52)
Social media and monitoring mental and emotional health (21:31)
Face to face conversations are an opportunity for learning and growth (27:40)
Navigating how accessible military families are to other people (30:08)
Communicating with your partner and being a team (33:25)
What can you control? (34:56)
Connecting in a community where the struggles are so different (38:54)
Making sense of the hard (42:27)
The impact on different levels of being a military spouse (44:36)
Being sensitive about what information you're sharing on social media (47:14)
Understanding what they need, not understanding it as a helper (49:40)
Friends who understand to hold space for you when you're ready (53:18)
One takeaway that's helping Jen and Kirst walk through this time (58:08)

What did you think about today's episode? I hope that you love it as much as we do!
We would love to know! Join us on social and let us know!

Resources mentioned: Meet Jen & Kirst; Connect with Jen & Kirst; Wives of the Air Force Group on Facebook; Instagram; Website.
Connect with me: Website; Facebook; Instagram.

Thanks for joining me on today's episode of The American MILSpouse! If you enjoyed today's episode, please head over to Apple Podcasts or wherever you listen, give me a 5 star, and leave a review to help me reach even more military spouses. Also, don't forget to check out my website or hang out with me on Instagram to stay connected with others in the community.
Links:
The Register: https://www.theregister.com/2022/02/28/tech_response_to_ukraine/
“WTF is Cloud Native Data Security?”: https://blog.container-solutions.com/wtf-is-cloud-native-data-security
Imdsv2 wall of shame: https://github.com/SummitRoute/imdsv2_wall_of_shame/blob/main/README.md
“Piercing the Cloud Armor”: https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf
Via a third-party: https://www.theregister.com/2022/03/03/amazon_alexa_speaker_vuln/
“Streamlining evidence collection with AWS Audit Manager”: https://aws.amazon.com/blogs/security/streamlining-evidence-collection-with-aws-audit-manager/
Security assessment solution: https://github.com/awslabs/aws-security-assessment-solution
Domain Protect: https://github.com/ovotech/domain-protect

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig is the solution for securing DevOps. They have a blog post that went up recently about how an insecure AWS Lambda function could be used as a pivot point to get access into your environment. They've also gone deep in-depth with a bunch of other approaches to how DevOps and security are inextricably linked. To learn more, visit sysdig.com and tell them I sent you. That's S-Y-S-D-I-G dot com. My thanks to them for their continued support of this ridiculous nonsense.

Corey: Well, oops. Last week in the newsletter version of this podcast I used the wrong description for a link. On the plus side, I do find myself wondering if anyone hunts down the things I talk about on this podcast and the newsletter I send out, and now I know an awful lot of you do. And you have opinions about the correctness of my links. The actual tech company roundup that I linked to last week was, in fact, not an AWS blog post about QuickSight community—two words that are an oxymoron if ever two were—but instead a roundup in The Register. My apologies for the oversight. Now, let's dive into what happened last week in the wide world of AWS security.

In my darker moments, I find myself asking a very blunt question: “WTF is Cloud Native Data Security?” I confess it never occurred to me to title a blog post with that question, and this article I found with that exact title is in fact one of the better ones I've read in recent days. Check it out if the subject matter appeals to you even slightly because you're in for a treat. There's a lot to unpack here.

Scott Piper has made good on his threat to publish an imdsv2 wall of shame. So far, two companies have been removed from the list for improving their products' security posture—I know, it's never happened before—but this is why we care about these things. It's not to make fun of folks; it's to make this industry better than it was.

A while back I talked about various cloud WAFs—most notably AWS's—having a fun and in-hindsight-obvious flaw of anything above 8KB just sort of dances through the protective layer. Well, even Google and its, frankly, impressive security apparatus isn't immune. There's an article called “Piercing the Cloud Armor” that goes into it. This stuff is hard, but honestly, this is kind of a recurring problem. I'm sort of wondering, “Well, what if we make the packet bigger?” Wasn't that the whole problem with the Ping of Death, back in the '80s? Why is that still a thing now?

Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I'm going to just guess that it's awful because it's always awful. No one loves their deployment process. What if launching new features didn't require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren't what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.

And of course, a now patched vulnerability in Amazon Alexa meant that the speaker could activate itself. Because it's a security problem with an Amazon product that I've paid for, I of course learn about this via a third-party talking about it. Man, my perspective on Amazon's security messaging as a whole has gone from glowing to in the toilet remarkably quickly this year. And it's their own damn fault.

Now, AWS had a single post of note here called “Streamlining evidence collection with AWS Audit Manager”. This post slash quote-unquote “Solution” highlights a concern that's often overlooked by security folks. It very innocently talks about collecting evidence for an audit, which is perfectly reasonable. You need evidence that your audit controls are being complied with. Now, picture someone walking past a room where you're talking about this, and all they hear is “Evidence collection.” Maybe they're going to feel like there's more going on here than an audit. Perhaps they're going to let their guilty conscience—and I assure you, everyone has one—run wild with fears that whatever imagined transgression they've committed has been discovered? Remember the human.

And of course, I found two tools in the open-source universe that might be of interest to folks. The first: AWS has open-sourced a security assessment solution to use Prowler and ScoutSuite that scan your environment. It's handy, but I'm having a hell of a hard time reconciling its self-described ‘inexpensive' with ‘it deploys a Managed NAT gateway.'

And Domain Protect—an open-source project with a surprisingly durable user interface—scans dangling DNS entries to validate that you're not, y'know, leaving a domain of yours open to exploit. You're going to want to pay attention to this vector, but we haven't for 15 years, so why would we start now? And that's what happened last week in the wide world of AWS security. I am Cloud Economist Corey Quinn. Thank you for listening. There's always more yet to come.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.
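The 8 KB body-inspection limit Corey describes in the transcript above, as an added example (not code from AWS, Google, or the Kloudle write-up): a toy inspection engine that scans only the first 8 KB of a request body, the padding trick that parks the payload just past that window, and a variant that treats an oversized body as an explicit policy decision instead of silently skipping it. The limit, the signatures, the function names and the padded request are my assumptions for illustration.

```python
import re

# Assumed inspection window, standing in for the 8 KB ceiling discussed in the episode.
INSPECT_LIMIT = 8 * 1024

# Constructed toy signatures; a real engine has thousands, the bypass is the same.
SIGNATURE = re.compile(rb"<script\b|\bunion\s+select\b|\bor\s+1\s*=\s*1\b", re.I)


def inspect_truncating(body: bytes) -> str:
    """Pre-fix behaviour: only the first INSPECT_LIMIT bytes are scanned.

    Anything beyond the window is never seen, so the verdict is "allow"
    no matter what the tail of the body contains.
    """
    return "block" if SIGNATURE.search(body[:INSPECT_LIMIT]) else "allow"


def inspect_with_oversize_policy(body: bytes, oversize: str = "block") -> str:
    """Hardened behaviour: an oversized body is handled by explicit policy.

    oversize="block" fails closed; oversize="allow" reproduces the legacy
    risk, but now as a deliberate, visible configuration choice.
    """
    if len(body) > INSPECT_LIMIT:
        return oversize
    return "block" if SIGNATURE.search(body) else "allow"


def build_padded_request(payload: bytes) -> bytes:
    """Constructed attacker request: a harmless field fills the inspected
    window, the payload rides behind it where the truncating engine cannot see."""
    filler = b"comment=" + b"A" * INSPECT_LIMIT
    return filler + b"&q=" + payload


def origin_accepts(body: bytes, max_body: int = INSPECT_LIMIT) -> bool:
    """Origin-side guard: endpoints that never legitimately need large bodies
    should reject them outright, independent of what the edge decided."""
    return len(body) <= max_body


if __name__ == "__main__":
    small = b"q=<script>alert(1)</script>"
    padded = build_padded_request(b"<script>alert(1)</script>")
    print("in-window payload     :", inspect_truncating(small))
    print("padded, truncating    :", inspect_truncating(padded))
    print("padded, fail-closed   :", inspect_with_oversize_policy(padded))
    print("padded, origin accepts:", origin_accepts(padded))
```

Two things to check in your own deployment rather than assume: what the WAF does above its inspection limit (AWS WAF exposes this as the oversize-handling setting on rule statements that inspect the body), and whether the origin enforces its own body-size ceiling, so that a padded request is rejected even on a day the edge lets it through.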
The state of API Security is in constant flux, with traditional WAF technologies being paired with, and extended by, newer models of application-driven protections. With Gartner recognizing this trend and introducing a Web Application & API Protection market, what do two long-time API security leaders think about WAFs and their immediate and long-term limitations? More pointedly, why don't traditional WAFs work well when it comes to securing APIs?

We're glad you asked - that's precisely what Alissa Knight and Kunal Anand get into during this high-energy, in-depth conversation about the future of APIs and the future of API security in this latest Their Story with Imperva.

Listen in to this unscripted and incredibly passionate conversation to learn about their best practices and recommended approaches to API security. It may help you to change, or tune up, your perspective and take new actions.

Note: This story contains promotional content.

Host: Alissa Knight on ITSPmagazine
Alissa Knight, partner at Knight Inc Media, shares her insights into how to protect your APIs and what's in store with the latest version of FHIR. Specifically, we cover:
• Avoid prison yellow and become an ethical hacker
• Authentication doesn't equal authorization
• Protect against BOLA with scopes
• Don't use WAFs to protect your APIs
• Know what traffic is going to your API
• Shift left security. Shield right.
• PHI is worth 1,000X credit card info
• APIs are the weakest link in healthcare
• APIs have multiple attack surfaces
• Banning apps from jail-broken phones doesn't help
• Use MobSF to find API keys
• APIs need to comply with FHIR
• Implement FHIR correctly
• Get FHIR certified
• FHIR certification versus HIPAA compliance
• There's no one right solution for API security
• Instrument your APIs
Today we get to listen to the wise words of encouragement from two very influential people in the Air Force Spouse community. Jen and Kirst are the two amazing women behind the WAFs (Wives of the Air Force) community. They talk with Britt about consistent messaging (as put in this episode "that's not everyone's cup of tea and that's fine, but if you do want to sip that tea, that's what we are here for,"), branding, having big goals and chasing them, and so much more! Check their website out here. Check out their Instagram community here. Check out coaching opportunities with Britt here.
Seth and Ken discuss the role of regular expressions in routing of web application requests. Discussion covers basics of routing, exploitation of secondary contexts, and bypassing of web application firewalls.
In this interview, author Sarah Byrn Rickman shares the history of the Women's Auxiliary Ferrying Squadron and the Women Air Service Pilots who flew for the U.S. during World War II. Sarah has immersed herself with the remaining WAFS and WASP for over twenty years through the fortune of her connection with the International Women's Air and Space Museum. She arrived in their midst as an established journalist, and has made it her mission to preserve their stories for posterity. She has published ten books so far featuring these amazing stories. Her knowledge is so vast and so deep that we talked for over two hours. I did my best to edit this to an hour, with one interruption for an editorial note. She's written many smaller pieces about the WAFS and WASP, which you can find in her blog at www.sarahbyrnrickman.com
This week Christian Folini hangs out to talk about protecting web apps with the OWASP Core Rule Set, getting into the security industry, impedance mismatch and anomaly scoring. My 3 main takeaways were 1) how RASPs compare to WAFs 2) how paranoia levels are used to eliminate false positives and 3) how the Swiss Post used the CRS to protect a vulnerable online voting system For more information, including the show notes check out https://breachsense.io/podcast
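The anomaly scoring and paranoia levels mentioned in the episode are easiest to see in code. The block below is an added example written for this page, not code from the OWASP Core Rule Set or from the episode; the rule ids, patterns, and the parameter names in the constructed requests are illustrative. It reproduces the mechanism: every rule carries the paranoia level (PL) at which it becomes active and a severity score, a request is blocked only when the summed score reaches the inbound threshold, and a per-parameter exclusion (the equivalent of a CRS rule-target exclusion) is how a false positive gets tuned away without disabling the rule everywhere.

```python
"""CRS-style anomaly scoring with paranoia levels (added example, not CRS code).

Each rule carries the paranoia level (PL) at which it becomes active and a
severity score. A request is blocked only when the summed score reaches the
inbound threshold, which is what lets a single weak match pass while several
corroborating matches block. Rule ids and patterns are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Severity scores as used by CRS: CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2.
CRITICAL, ERROR, WARNING, NOTICE = 5, 4, 3, 2


@dataclass(frozen=True)
class Rule:
    rule_id: int            # hypothetical ids, not real CRS rule ids
    paranoia_level: int     # active when the configured PL >= this value
    score: int
    pattern: "re.Pattern[str]"
    msg: str


RULES: List[Rule] = [
    Rule(900001, 1, CRITICAL, re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b"), "SQLi UNION SELECT"),
    Rule(900002, 1, CRITICAL, re.compile(r"(?i)<script\b"), "XSS script tag"),
    Rule(900003, 2, WARNING, re.compile(r"'|\"|--"), "SQL meta-character"),
    Rule(900004, 3, NOTICE, re.compile(r"[<>]"), "HTML meta-character"),
]


def score_request(args: Dict[str, str], paranoia_level: int = 1,
                  threshold: int = 5,
                  exclusions: Optional[Dict[int, Set[str]]] = None
                  ) -> Tuple[int, List[str], bool]:
    """Score the request parameters and decide whether to block.

    exclusions maps rule_id -> parameter names that rule must not inspect,
    the equivalent of a CRS SecRuleUpdateTargetById exclusion.
    Returns (total_score, matched_rules, blocked).
    """
    exclusions = exclusions or {}
    total, matched = 0, []
    for name, value in args.items():
        for rule in RULES:
            if rule.paranoia_level > paranoia_level:
                continue                    # rule not active at this PL
            if name in exclusions.get(rule.rule_id, set()):
                continue                    # tuned out for this parameter
            if rule.pattern.search(value):
                total += rule.score
                matched.append(f"{rule.rule_id} {rule.msg} (ARGS:{name})")
    return total, matched, total >= threshold


if __name__ == "__main__":
    # Constructed requests: an obvious injection, a benign comment with an
    # apostrophe, and a comment that only trips rules at PL3.
    print(score_request({"id": "1 UNION SELECT pw FROM users"}))
    print(score_request({"comment": "I don't like it"}, paranoia_level=2))
    fp = {"comment": "x < y and y > 'z'"}
    print(score_request(fp, paranoia_level=3))
    print(score_request(fp, paranoia_level=3, exclusions={900003: {"comment"}}))
```

Raising the paranoia level adds rules (and their false positives) rather than changing thresholds, which is why the usual tuning path is to stay at the lowest PL that catches what matters and exclude the specific rule/parameter pairs that misfire, as the last call shows.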
Jen and Kirst are Air Force spouses, working moms, and the faces of @wivesoftheairforce, or WAFs as they're affectionately known. WAFs started as a blog meant to serve as a resource for new Air Force spouses. While the blog continues to grow, Jen and Kirst also work on a Facebook page with over 4000 members as well as an instagram account where they share their daily lives as spouses with us. These women are so much fun and I loved getting to know more about them, what inspired them to start WAFs and where they want to see it go. We also talk about some of the realities of internet culture and THE sweater. https://www.wivesoftheairforce.com/ --- Send in a voice message: https://anchor.fm/theamericanmilspouse/message
Episode one is finally here! This week we talked about fast food etiquette, architectural layouts, and gave our hot take on the breakdancing community. We also described where the name WAFs came from and much more.
It's issue 55 of We Aint Found Sith and we're celebrating the fourth with Star Wars Trivia! Plus Pedro finished FFVII remake and is super excited about it. We're celebrating Star Wars on a special "May The 4th Be With You edition of WAFS!
We Ain't Found Sith | Issue 52 | WAFS TV Tournament Champion! It's the We Ain't Found Sith TV Tournament Finals. Join us as we go through the final three rounds to crown the Best TV Show Ever with a little help from our viewers!
We Ain't Found Sith | Issue 50 | WAFS TV Tournament It's round one of our WAFS TV Tournament as we mow down the field of 64 shows down to 32. There are upsets and controversy just like the NCAA. Fans voted, nerds decide.
We Ain't Found Sith | Issue 51 | WAFS TV Tournament - Round 2 It's round two of the WAFS TV Tournament, and we're narrowing it down to the Sweet Sixteen. Will it shape out as you expect or will there be some surprises? Tune in and find out!
David Lindner (@golfhackerdave) joins Seth and Ken discuss the voting applications, including the Iowa debacle and the Voatz application. Ranting on bug bounties and response times for researcher findings. An explanation of IAST, RASP, and WAFs.
Let's talk about digital identity with Andy Milton, Head of Channels at Hitachi Digital Security. In episode 15, Oscar talks to Andy about Hitachi's pioneering finger-vein biometrics – VeinID Five. Hear about its use cases (present and future), the evolution of the product to its current form, comparison with other biometric and non-biometric authentication methods and, importantly, the relevant privacy and security risk mitigations. Andy Milton is Head of Channels and Marketing for Hitachi Security Business Group. He joined Hitachi in November 2018 to lead and develop the channel strategy for the Hitachi Security Business Group in EMEA and North America. With over 30 years in IT and 20 years in cybersecurity, Andy's experience in working for both vendors and channel partners has given him a unique insight into the workings and drivers for aspects of the channel. He brings experience across a wide range of products and solutions including SIEM, device management, WAFs, network devices and a specific interest in identity management and biometrics. Get in touch with Andy on LinkedIn. Hitachi Europe Ltd., a wholly owned subsidiary of Hitachi, Ltd. (TSE: 6501, "Hitachi") is headquartered in Maidenhead, UK. The company is focused on its Social Innovation Business - delivering innovations that answer society’s challenges. Hitachi Europe and its subsidiary companies offer a broad range of information & telecommunication systems; rail systems, power and industrial systems; industrial components & equipment; automotive systems, digital media & consumer products and others with operations and research & development laboratories across EMEA. For more information, visit www.hitachi.eu. To find out more about Hitachi's Finger Vein products visit digitalsecurity.hitachi.eu. Hitachi is a Ubisecure partner. 
Read more about the partnership in this press release: www.verdict.co.uk/hitachi-vein-technology-biometrics We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Very often, people are afraid of web application firewalls (WAF) because they can potentially block an application's legitimate traffic. No worries! In this episode, Franziska Buehler will share how you can avoid this problem and more. Discover how WAFs are a useful, additional layer of defense when it comes to fending off attacks such as those described by the "OWASP Top Ten." Don’t miss it!
Sandy Carielli is the Principal Analyst at Forrester Research. Discuss the impact of good and bad bots on enterprises and how it is both a security and customer experience problem. Review how the bot management marketing is evolving and how WAFs are buying up or partnering with bot management tools to expand their reach. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ASWEpisode87
Military spouses Jen & Kirst share life before marrying their Air Force husbands, how they met, and what inspired them to start Wives of the Air Force (WAFs) blog. Together, they are passionate about making this military life easier and clearer for other WAFs no matter where they are. Learn more about WAFs on Instagram @wivesoftheairforce or visit https://www.wivesoftheairforce.com/ (https://www.wivesoftheairforce.com/) --- This episode is brought to you by https://militaryfamilies.com/military-veterans/us-vetwealth-founder-creates-order-out-of-chaos/ (https://militaryfamilies.com/military-veterans/us-vetwealth-founder-creates-order-out-of-chaos/) Connect with Jen Amos https://www.linkedin.com/in/jenamos/ (https://www.linkedin.com/in/jenamos/) Join our Instagram community https://www.instagram.com/holdingdownthefortpodcast/ (https://www.instagram.com/holdingdownthefortpodcast/) Subscribe to our newsletter: https://bit.ly/hdtf-newsletter (https://bit.ly/hdtf-newsletter) Contact us at jen@holdingdownthefortpodcast.com (mailto:jen@holdingdownthefortpodcast.com)
We Ain't Found Sith | Issue 27 | Wu-Tang Clan We're cleaning out our attic this episode and throwing out random topics in this episode of WAFS. We talk all kinds of 90's stuff: Guy Richie movies, Nicktoons, and not revisiting your childhood. Also, shout out to Game Boy and the Wu-Tang Clan. Plus, we fantasy-cast The Addams Family movie. That and more on this issue of We Ain't Found Sith!
We Ain't Found Sith | Issue 16 On this issue of WAFS, we talk about Disney's Live action remakes and discuss their control of HULU. Also, Black Mirror season 5, Rick & Morty season 4, and more!
Today's Heavy Networking episode delves into web application firewalls (WAFs) with guest Scott Hogg. We examine how WAFs differ from typical firewalls, the security problems they're trying to solve, how attackers try to bypass them, operational challenges, WAFs and cloud applications, and more. The post Heavy Networking 449: Web Application Firewall Fundamentals appeared first on Packet Pushers.
Issue 12 of WAFS lives up to its namesake. We're talkin' mostly Star Wars, and sprinkle in some weirdness. We Ain't Found Sith!
Taking the lessons they learned heading Apple's offensive security team, the Sqreen founding team is moving Application Security Management (ASM) into the mainstream. They just announced a $14m Series A investment led by blue-chip VC firm Greylock Partners. In this DevOps Chat we speak with CEO and co-founder Pierre Betouin about how Sqreen is filling a need in the AppSec market between WAFs, DAST, SAST, etc. that is vital to locking down our applications. For more info check out https://sqreen.com
Abhi Golhar is a real estate investor, entrepreneur, consultant, coach, and media figure, whose experience encompasses print, podcasting, radio, and television appearances. Abhi is the Chief Investment Officer in Atlanta investment firm Summit & Crowne. Abhi began his real estate investment career in 2002 in Kalamazoo, MI and continued growing and developing his knowledge base with investment projects throughout the Midwest. In 2007, he headed to Atlanta to found Summit & Crowne. As a much-sought-after voice in real estate investment, Abhi has written for a variety of publications including Forbes, Inc., Huffington Post, and industry-specific magazines like Inman and Think Realty. In addition, he has been a popular blogger both at Real Estate Deal Talk and as a guest contributor on other investor and business blogs. Abhi's gift for gab and talent for communicating with clients and colleagues led him to create a variety of content across multiple platforms, including The Abhi Golhar Show and vlog on Youtube. He honed his skill as a popular guest on dozens of podcasts in the entrepreneurship and investing space before launching his first Atlanta-based radio show on the Wall Street Business Network in 2016. Subsequently tapped as the host of Think Realty's nationally-syndicated radio show, Think Realty Radio, Abhi can be heard daily on the Wall Street Business Network by 600,000+ listeners in 42+ major markets. In addition, his live show can be heard in Atlanta every weekday during the morning drive time on Biz 1190 WAFS and in an additional twelve markets with a total reach of 70,000 listeners per show. Abhi's latest passion project is NPHub, a unique opportunity to force an industry to change for betterment of its students and the future of nurse practitioner education. 
NPHub's first major product launch is coming up in October 2018, offering an online platform to nurse practitioner students and preceptors throughout North America to streamline the clinical rotation process. Learn more about your ad choices. Visit https://megaphone.fm/adchoices (megaphone.fm/adchoices)
Nollaig Heffernan and Sean Martin weave, swerve and blast their way through a number of application security technologies, looking at the history of the marketplace, the expansion of the technologies, and how things stay the same even with the massive changes brought by continuous delivery and continuous integration. Some of the acronyms the two unpack in this episode include SAST, DAST, IAST, WAFs, RASP and more. To make things even more interesting, many of these, of course, come in a variety of flavors to choose from. A lot is covered in this conversation. So… sit back, grab a notepad, and walk down our memory lane to the future of AppSec. This episode of At The Edge is brought to you by Edgescan. Visit Edgescan on ITSPmagazine at https://www.itspmagazine.com/company-directory/edgescan
This week, Paul and Matt Alderman interview James Wickett, Head of Research at Signal Sciences! James talks about how security is moving to the application space and web applications! In the Enterprise News this week, AlgoSec delivers Native Cloud Security Management for Azure, HP Reinvents customer experience with Ping Identity, what mid market security budgets will look like in 2019, and we have some acquisition & funding updates from ForeScout, Dragos, Netskope, Duality, and more! Full Show Notes: https://wiki.securityweekly.com/ES_Episode115 To learn more about Signal Sciences, go to: www.signalsciences.com/psw Visit https://www.securityweekly.com/esw for all the latest episodes! Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
James Wickett is the Head of Research at Signal Sciences. James talks about how security is moving to the application space and web applications. WAFs may seem tedious but they are necessary to allow developers to focus on other things. Full Show Notes: https://wiki.securityweekly.com/ES_Episode115 To learn more about Signal Sciences, go to: www.signalsciences.com/psw Visit http://securityweekly.com/esw for all the latest episodes!
We have an exciting announcement. Our latest version of the podcast is packed with new features and they're riddled with security holes. We know you wanted the features. The security vulnerabilities are just a bonus. On this episode of the CISO/Security Vendor Relationship Podcast, we discuss: Cybersecurity burnout: How bad is it? What can be done to mitigate it? And what are the warning signs? All tech professionals have burnout issues, but InfoSec has it toughest because it's very hard for them to get a sense of accomplishment for their work. CISO/Security Vendor Relationship Podcast is making an impact in the vendor community: We hear multiple stories from vendors how the advice from Mike and the guests is really changing the way they reach out to security professionals. Are you willing to release a product with known security vulnerabilities? What if the customer really demands the new feature next week and they're expecting it, but remediation may take much longer. Do you give the customer what they want, or are there other solutions? What's Worse?! We play a round of picking the worse of two evils. This one is all about training your staff. We unleash another pitch on the security professionals: Their response will surprise you as will the outcome of this pitch. Dumb CISO mistakes: This one actually may not be so dumb. It could actually be good advice when it comes to product testing. Ten-second security tip: This one offers up a more holistic view of security that you may have not considered, but definitely should. Special thanks to Signal Sciences for sponsoring this episode. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest is Anne Marie Zettlemoyer, a security strategist and independent researcher who is also on the board of directors for SSH.
Rick Holland has more than 15 years' experience working in information security. Paul and John talk to Rick about vulnerability management, WAFs, and advice to enterprise marketing. Full Show Notes: https://wiki.securityweekly.com/ES_Episode104 Visit http://securityweekly.com/esw for all the latest episodes!
Security is suffering from a serious Rodney Dangerfield "I get no respect" problem. What has often been seen as the department of "no" is struggling under that brand image. That's probably because security is often seen as an inhibitor rather than an enabler. If InfoSec wants to fix that perception, it'll be their responsibility to dig themselves out. Here's what you'll hear on the latest episode of the CISO/Security Vendor Relationship Podcast: Nobody thinks security is their friend: How can security rid itself of this highly negative branding? Be problem solvers vs. problem creators. Techniques to integrate AppSec into the DevOps process: It comes down to measurement, respecting an engineer's time, and learning from the success of one process and putting it into another. Read more great insight by Chris Steipp of Lyft. We play "What's Worse?!" In this episode of the game we question the worst scenario of an encrypted or unencrypted laptop, but with qualifications. Uggh, WAFs are NOT magical boxes: In a round of "Please, Enough. No, More." we challenge the way web application firewalls (WAFs) are being sold. WAFs need to be more friendly and flexible. No one believes you if you sell them as magical boxes that stop all attacks. How can you be a great customer? We turn the tables from "Ask a CISO" to "Ask a Vendor" and ask what it takes to be a great customer. Vendors would like you to stop kicking the tires and talk about solving real problems. Plus a ten-second security tip: It may be cliche, but if security departments want to be more effective, they should be moving away from blocking to enabling. Special thanks to Signal Sciences for sponsoring this episode. If you're using WAFs, make sure you read "Three Ways Legacy WAFs Fail," by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. 
Our guest this week is Zane Lackey (@zanelackey), co-founder and CSO for Signal Sciences and author of the new book from O'Reilly, "Building a Modern Security Program." Sponsor the Podcast If you'd like to sponsor the podcast, contact David Spark at Spark Media Solutions.
Just like so many security products are infused with artificial intelligence, we've also got plenty of meaningless modifiers to describe this podcast. On this episode we've got: First 90 Days of a CISO. How do you assess talent already there, and how do you prioritize the new hires you need? Please, Enough! No, More! We delve into the overexposure of AI (artificial intelligence) and machine learning. Are they the same thing? And what do CISOs actually want to hear more about on both of these topics? "What's Worse?!" This is a brand new game where I ask the CISOs to determine which of two really bad security practices is worse. What Do You Think of This Pitch? We've got another vendor pitch that the CISOs critique. Ask a CISO. How are CISOs involved in purchase decisions that are not security related (e.g., cloud, networking, infrastructure)? Special thanks to Signal Sciences for sponsoring this episode. If you're using web application firewalls (WAFs), make sure you read "Three Ways Legacy WAFs Fail" by their head of research, James Wickett. As always, the show is hosted by me, David Spark (@dspark), founder, Spark Media Solutions and Mike Johnson, CISO, Lyft. Our guest this week is Dennis Leber (@dennisleber), CISO, Cabinet for Health and Family Services, Commonwealth of Kentucky and the self-proclaimed "Most Interesting Man in Information Security." We Want More of "What's Worse?!" In this episode, I introduced a new segment, a game called "What's Worse?!" where I introduce two comparably bad security practices and ask the CISOs to debate which is worse, and why. Fortunately in this episode the CISOs disagreed on both comparisons posed. I'm eager to challenge CISOs with more "What's Worse?!" questions. So if you've got a good one, please contact me here or on LinkedIn. I'm also interested in: "Ask a CISO" questions. A vendor pitch you want us to critique. A hot security discussion (please provide a link). A quick security tip. 
A big industry story and what it means to security professionals. In all cases, we can mention you and your company name or keep you anonymous. Just let me know which you prefer. Listen and Subscribe to the CISO/Security Vendor Relationship Podcast So many ways to connect and listen to the podcast. iTunes Google Play Stitcher RSS Feed Sponsor the Podcast If your company would like to sponsor this podcast, please contact David Spark at Spark Media Solutions.
Web application firewalls (WAFs) are a specialized form of firewall designed to protect web applications from internet-based attacks. A network firewall must be lightweight, filtering on addresses, ports and connection state so that people can quickly get onto the internet and data can be returned, but a WAF is far more sophisticated: it parses the HTTP exchange between the user and the web server and analyzes it in ways a traditional firewall cannot. It is an application itself. Atomicorp CEO and long-time ModSecurity contributor Mike Shinn talks about these differences, good and bad WAF attributes, software-based WAFs, the role of rules in making a WAF effective, and the origin of the open source WAF ModSecurity.
Your pen tester wants you to whitelist them in your WAF? What should you do? Why do they ask? James breaks it down for you in this episode. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
[NOTE: Check links under description!] **Don't forget to listen to "Disgruntled Discussion" right after DV Radio** ~ DV6, Google, Recoil and SRP get a sign ~ Lieutenant Lost & Captain Cardboard's Land Nav Course ~ DV Farm event update ~ Marquis Davis from WAFS 1190 AM Radio in Atlanta, GA joins us ~ Google has an infestation ~ Marquis and Bo Nur Wood have the shits ** Ways to Contact Marquis Davis ** Twitter: @marquisadavis1 Email: marquis.davis@salematlanta.com ** Dysfunctional Veterans Links ** Call the Rant Line 24 hours a day. 7 days a week @ 603-499-7676 Join us on the DV Forum: www.DVBarracks.com Help combat veteran homelessness: www.DVFarm.org For Veteran Resources: www.DVRadio.net/vet-resources Know what DV really is: www.DysfunctionalVeterans.com Like and share us on Facebook: https://www.facebook.com/DVRadioNetwork Follow and tweet us on Twitter: @DV6_DVRadio YouTube: https://www.youtube.com/channel/UCghsSpfMR209LbvpMr4zCMg Instagram: dysfunctionalveterans DVTV on Vimeo: https://vimeo.com/dvtelevision Show your DV pride: www.MyDVStore.com Other questions, comments or concerns DV Radio related? Email us at info@dvradio.net
Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
We present Sphinx, a new fully anomaly-based Web Intrusion Detection System (WIDS). Sphinx has been implemented as an Apache module (like ModSecurity, the most widely deployed Web Application Firewall) and can therefore inspect SSL and POST data. Our system uses several techniques at the same time to improve detection and false positive rates. Being anomaly-based, Sphinx needs a training phase before real detection can start: during training, Sphinx automatically "learns" the type of each parameter inside user requests and applies the most suitable model to detect attacks. We define three basic types: numerical, short text and long text. The idea behind this is that if, for example, we observe only integer values and later some text, that is likely to be an attack (e.g. SQL Injection or XSS). For numerical parameters, a type checker is applied. For short texts (text with fixed length or slight variations), Sphinx uses a grammar checker: grammars are built by observing the parameter content during the training phase and are then used to check the similarity of new content during detection. Long texts are typically e-mail/forum messages, whose length changes often and which would produce infeasible grammars. For this kind of content we use a modified version of our NIDS POSEIDON, using n-gram analysis. Furthermore, Sphinx can actively support the deployment of WAFs like ModSecurity: when deploying an ad hoc web application (or third-party software), one would most probably need to spend a lot of time writing signatures. Once Sphinx has completed the training phase, it can automatically generate ModSecurity-style signatures for numerical and (some) short-text parameters, making deployment much easier.
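The learn-then-detect loop described in the abstract is small enough to sketch end to end. The block below is an added example written for this page, not the Sphinx code or its models: the training set, the parameter names, the short/long cutoff and the unseen-n-gram ratio are all assumptions. It learns one of the three parameter types per name from constructed training requests, checks new values against the learned profile (type check for numbers, a character-class "shape" as a stand-in for the grammar checker for short text, trigram vocabulary for long text), and emits a ModSecurity-style positive-security rule for numerical parameters.

```python
"""Toy anomaly-based parameter profiler in the spirit of Sphinx.

Added example, not the Sphinx code. Training learns a type per parameter
(numerical, short text, long text); detection flags values that violate the
learned profile; a ModSecurity-style rule is emitted for numerical params.
The short-text "grammar" is approximated by a character-class shape and the
long-text model by a trigram vocabulary; both are simplifications.
"""
import re
from typing import Dict, List, Optional, Set

SHORT_TEXT_MAX = 32        # assumed cutoff between short and long text
NUMERIC = re.compile(r"-?\d+")


def shape(value: str) -> str:
    """Collapse runs of the same character class: 'bob_99' -> 'a_d'."""
    out: List[str] = []
    for ch in value:
        c = "d" if ch.isdigit() else "a" if ch.isalpha() else "s" if ch.isspace() else ch
        if not out or out[-1] != c:
            out.append(c)
    return "".join(out)


def ngrams(value: str, n: int = 3) -> Set[str]:
    return {value[i:i + n] for i in range(len(value) - n + 1)}


class Profile:
    def __init__(self) -> None:
        self.kind: Optional[str] = None     # 'numerical' | 'short' | 'long'
        self.shapes: Set[str] = set()       # learned shapes (short text)
        self.grams: Set[str] = set()        # learned trigrams (long text)
        self.max_len = 0


def train(samples: Dict[str, List[str]]) -> Dict[str, Profile]:
    """Training phase: pick the model for each parameter from observed values."""
    profiles: Dict[str, Profile] = {}
    for name, values in samples.items():
        p = Profile()
        p.max_len = max(len(v) for v in values)
        if all(NUMERIC.fullmatch(v) for v in values):
            p.kind = "numerical"
        elif p.max_len <= SHORT_TEXT_MAX:
            p.kind = "short"
            p.shapes = {shape(v) for v in values}
        else:
            p.kind = "long"
            for v in values:
                p.grams |= ngrams(v)
        profiles[name] = p
    return profiles


def is_anomalous(profiles: Dict[str, Profile], name: str, value: str,
                 unseen_ratio: float = 0.3) -> bool:
    """Detection phase: True if value does not fit the learned profile."""
    p = profiles.get(name)
    if p is None:
        return True                         # never seen this parameter
    if p.kind == "numerical":
        return NUMERIC.fullmatch(value) is None
    if p.kind == "short":
        return shape(value) not in p.shapes or len(value) > 2 * p.max_len
    grams = ngrams(value)
    if not grams:
        return False
    return len(grams - p.grams) / len(grams) > unseen_ratio


def modsec_rule(name: str, p: Profile, rule_id: int) -> str:
    """Emit a ModSecurity-style rule enforcing the learned numeric type."""
    if p.kind != "numerical":
        return ""
    return (f'SecRule ARGS:{name} "!@rx ^-?[0-9]+$" '
            f'"id:{rule_id},phase:2,deny,status:403,msg:\'Non-numeric {name}\'"')


# Constructed training traffic (assumed parameter names and values).
TRAINING = {
    "id": ["1", "42", "7", "1003"],
    "user": ["alice", "bob_99", "carol"],
    "body": [
        "Thanks for the help, this fixed my problem with the login page.",
        "Has anyone else seen the login page hang after the update?",
        "The update fixed the hang for me, thanks again for the help.",
    ],
}
PROFILES = train(TRAINING)

if __name__ == "__main__":
    for name, value in [("id", "17"), ("id", "1 OR 1=1"), ("user", "dave"),
                        ("user", "<script>"), ("body", "thanks for the help with the login page"),
                        ("body", "<script>document.location='http://evil'</script>")]:
        print(f"{name}={value!r}: anomalous={is_anomalous(PROFILES, name, value)}")
    print(modsec_rule("id", PROFILES["id"], 100001))
```

The numeric and short-text checks translate naturally into static rules, which is exactly the deployment shortcut the abstract describes; the long-text n-gram model does not, so it stays in the anomaly detector rather than becoming a signature.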
Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
