Pokémon & Synthwave & Hair & Hats – ASW #135
1. Security By Design – ASW #135
A premise of adding security to DevOps is we can "shift left" AppSec responsibilities, one of which is building apps so they're secure by design. Yet what resources does the AppSec community provide for this approach to design? We take a look at the OWASP Top 10, Web Security Testing Guide, and Application Security Verification Standard to find a way forward for DevOps teams.
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
2. Kubernetes Clusters, Microsoft Solorigate, & Apple’s Security DIY – ASW #135
Microsoft purges the malicious SolarWinds presence from its environment and highlights a threat model around its source code, the tl;dr sec crew provides a hardening guide for Kubernetes, Apple provides a user guide for hardening accounts, and Firefox ships a new storage-partitioning system to defeat side-channel abuse.
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. Microsoft Internal Solorigate Investigation Update – Microsoft searches for supply chain fallout from SolarWinds, cleans out malicious binaries, and finds a compromised account accessed source code -- but their threat models already considered an attacker's knowledge of source. Plus, with the ability to reverse engineer binary security patches, how important is source code anyway?
- 2. Risk8s Business: Risk Analysis of Kubernetes Clusters – Even if you're not maintaining your own Kubernetes clusters, this is a good example of building up a threat model to assess the risk of a system and take steps towards hardening it against attacks and misconfigurations.
- 3. Apple: Here’s how to secure an iPhone or Apple ID ‘when personal safety is at risk’ – Apple describes threats to iPhones and Apple IDs for different populations of users in a way that sets aside security jargon and focuses on how to help users make informed decisions. You can download the manual directly from https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf
- 4. Firefox to ship ‘network partitioning’ as a new anti-tracking defense – Firefox takes a security-by-design approach to address the abuse of side channels in browsers, from timing attacks to cache hits. You can read more about Client-Side Storage Partitioning at https://github.com/privacycg/storage-partitioning
- 5. 3 Metrics That Will Indicate We’re Taking Security Seriously – While these aren't intended to be prescriptive metrics, the underlying discussion is a step towards the distinction between "What are the consequences of insecure software?" and "What ought to be the consequences?"
- 6. Python is dead. Long live Python! – We covered this one year ago on episode 90. So...is Python 2 still part of your CI/CD pipeline? Is it in use in production systems? Did you migrate off it using a process that you'll be able to repeat for the next end-of-life software component?
- 7. 6 Security Team Goals for DevSecOps in 2020 – We covered this one year ago on episode 90. So...did you make any progress towards these goals? What's left to do? What do you still want to improve on?