Application Security WeeklySubscribe
Application security, DevSecOps

Total Recall – ASW #139

Full Audio

View Show Index

Segments

1. Being a Serial Entrepreneur, Business Leader, & Hacker – Alissa Knight – ASW #139

Alissa Knight has spent her career going against industry and social norms as both a Transgendered and Lesbian business leader and hacker. Learn more about her, her achievements as a published author, her recent vulnerability research in hacking law enforcement vehicles, mHealth apps and APIs, her recent screenplay for her new TV series, her life as a hacker, and barriers she's broken down in business.

Announcements

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Guest

Partner at Knight Group; API hacker, author, and cyber entrepreneur at Knight Group

Alissa Knight is a partner at Knight Group where she’s the Director and Executive Producer at Knight Studios, and partner at Knight Ink, Knight Events, and Knight Publishing. She’s a recovering hacker of 22 years after being arrested for hacking into a government network at 17. Over the last two decades, Alissa has sold numerous cybersecurity startups to public companies as a serial entrepreneur and is a published author. Alissa is now an award-winning filmmaker at Knight Studios where she produces scripted narrative short and feature films in cybersecurity crime dramas for vendors as a form of disruptive content marketing.

Hosts

Tech Lead at Block
Senior Engineering Leader at AWS
Chief Product Officer at CyberSaint

2. BBPLR, API Security Trends, Memory Unsafety, & Patching 0-Days – ASW #139

Funding bounties or finding bugs, how should we invest? Talks from Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020.

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Tech Lead at Block
  1. 1. Bug Bounty Program of Last Resort
    This paper answers what it might cost to fund bounties for critical open-source projects. Which also raises a question of what might it cost to fund code refactoring and hardening for critical open-source projects. It also references a paper from WEIS 2019 (https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_36.pdf). We talked about this conference and a few papers back in episode 136.
  2. 2. Google’s Payout to Bug Hunters Hits New High
    As a bug bounty of first resort, Google pays quite a bit for software flaws in Android, Chrome, and its other properties. But it's nowhere near the scale suggested in the other article this week about the bounty of last resort.
  3. 3. API Security Trends
    Another vendor state of security report, this time with a focus on what incidents have been hitting APIs. Read it along with their take on "OpenAPI Specification: Perception vs. Reality" (https://devops.com/openapi-specification-perception-vs-reality/) and how the industry might improve API security.
  4. 4. NCC Group’s 2020 Annual Research Report
    A wealth of reading for research, tools, and presentations from 2020. Each item has helpful context so you can choose what appeals to your interests or what might be relevant to your organization.
  5. 5. Establishing a Scalable Collaboration Between Security and DevOps
    A discussion of research on DevOps skillsets, what organizations are worried about, where containers fit within a DevOps strategy, and where Security sits among all this. And for bonus reading material, check out their other article about keeping Availability on the Security radar (https://capsule8.com/blog/bringing-your-a-game-availability-for-security-people-2/).
  6. 6. Quantifying Memory Unsafety and Reactions to It
    A talk from Enigma 2021 that brings data to the journey of understanding the implications of C and C++. How much does programming language choice affect software security? How much _has_ programming language choice impacted the population of vulns?
  7. 7. The State of 0-Day in-the-Wild Exploitation
    A talk from Enigma 2021 that brings data to the discussion of finding vulns and patching them. Check out the companion article on Project Zero at https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
  8. 8. Privacy and Security Nutrition Labels to Inform IoT Consumers
    A talk from Enigma 2021 that brings visualization and communication of security and privacy issues in IoT to consumers. Find out more about these labels on their site at https://www.iotsecurityprivacy.org.
Senior Engineering Leader at AWS
  1. 1. Apple patches 28 code execution vulnerabilities
    Apple released updated info about what was patched in last week's ios/watchos/tvos/macos updates. Quite a few bugs...
Chief Product Officer at CyberSaint

Related

You can skip this ad in 5 seconds