ASW #241 – Asaf Ashkenazi, Chris Eng, Jeff Martin
1. What to Do When the Honeymoon Period Ends – Chris Eng – ASW #241
What happens to an app's security after six months? What about a year or two years? A Secure SDLC needs to maintain security throughout an app's lifetime, but too often the rate of new flaws can outpace the rate of new code within an app. Appsec teams need strategies and processes to keep software secure for as long as possible.
Announcements
Our teams from Security Weekly and SC Media were onsite at RSA Conference 2023 delivering in-depth reporting, analysis and interviews from the conference. If you were unable to join us in person, or didn't manage to catch our video livestream from Broadcast Alley, you can access all of our RSAC 2023 coverage at https://securityweekly.com/rsac.
Guest
Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security, as well as advising on product strategy and M&A. Chris is a frequent speaker at industry conferences and serves on the review board for Black Hat USA. He is also a charter member of MITRE’s CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency. Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.
2. Staying Ahead of Hackers: Protecting Mobile Apps & Detecting Malicious Packages – Asaf Ashkenazi, Jeff Martin – ASW #241
Learn how hackers are exploiting the trust that mobile app owners place in their customers. Hackers are increasingly modifying app code, posing as trusted customers, and infiltrating IT infrastructure.
This segment is sponsored by Verimatrix. Visit https://securityweekly.com/verimatrixrsac to learn more about them!
Unlike vulnerabilities, which can and do often exist for months or years in application code without being exploited, a malicious package represents an immediate threat to an organization, intentionally designed to do harm. In the war for cybersecurity, attackers are innovating faster than companies can keep up with the threats coming their way. A new approach is needed to stay ahead of the impacts of malicious packages within applications.
Findings from our latest report, "Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities," illustrate the growing threat of malicious packages. From 2021 to 2022, the number of malicious packages published to npm and RubyGems alone grew 315 percent.
Mend.io technology detected thousands of malicious packages in existing code bases. The top four malicious package risk vectors were exfiltration, developer sabotage, protestware, and spam. Nearly 85 percent of malicious packages discovered in existing applications were capable of exfiltration – causing an unauthorized transmission of information. Threat actors leveraging this type of package can easily collect protected information before the package is discovered and removed.
We’ll share why, as long as open source means open, the door will be left open to bad actors, so it’s especially critical to know when things are being brought into your code. Malicious packages represent an immediate threat, unlike vulnerabilities, and cannot be taken lightly.
This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to learn more about them!
Announcements
Security Weekly listeners: Identiverse is just weeks away! Register now and join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 30 – June 2. The 14th annual Identiverse will bring together over 2,500 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, receive 20% off your Identiverse 2023 tickets using code IDV23-SW20!
Register today: securityweekly.com/identiverse2023
Guests
Asaf Ashkenazi is Chief Executive Officer of Verimatrix. Asaf joined Verimatrix in 2018 and previously served as the company’s Chief Operating Officer. As CEO, Asaf leads the company’s ongoing business model transformation that focuses on recurring subscription-based revenue sources and new products. Offering a distinct mix of extensive cybersecurity technical expertise and management successes, he brings proven insights for market analysis, strategic partnerships as well as mergers and acquisitions. Asaf is a recognized security expert and routinely appears as a thought leader in industry publications around the globe – positioning Verimatrix as a top innovator that’s committed to providing the most powerful yet people-friendly protection for digital content, applications and devices. Prior to Verimatrix, he served as vice president of IoT security products at Rambus (NASDAQ: RMBS), led security products at Qualcomm (NASDAQ: QCOM), and held other engineering management positions at Freescale Semiconductor and Motorola (NYSE: MSI). Asaf is a former board member of the FIDO Alliance and holds 10 U.S. patents for security architectures as well as an engineering degree from Ben-Gurion University of the Negev.
Jeff has spent the last 20 years in Product roles helping both the organizations he worked for and their customers transform and measure their software risk management processes and practices. He especially enjoys cultural and mindset transformations for their ability to create lasting progress.