Demystifying Security Engineering Career Tracks – Karan Dwivedi – ASW #281
1. Demystifying Security Engineering Career Tracks – Karan Dwivedi – ASW #281
There are as many paths into infosec as there are disciplines within infosec to specialize in. Karan Dwivedi talks about the recent book he and co-author Raaghav Srinivasan wrote about security engineering. There's an appealing future in security practitioners taking on engineering roles and building solutions to the problems orgs face. We talk about the breadth and depth of security engineering and ways to build the skills that will help you in your appsec career.
Segment resources:
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Google has announced that they will be shutting down the Google Podcasts platform in mid-2024. To ensure that you don't lose access to the Security Weekly content you know and love, please make sure that you subscribe to your favorite podcast feeds on an alternative platform such as Spotify, YouTube Music, Amazon Music, Apple Podcasts, Overcast, Podcast Addict, PocketCasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now!
Guest
Karan Dwivedi is a recognized cybersecurity expert. Karan has led large-scale security projects at Google and Yahoo in the US for products like Google Search, Google Assistant, Yahoo Mail, Yahoo Finance, Flickr, etc., to safeguard over a billion users. At Yahoo, he was part of the security team responding to the world's largest data breach. He is the author of the book "Kickstart Your Security Engineering Career", which is a definitive guide for anyone looking to start a career in security engineering. Karan contributed to the latest internet standard for scoring vulnerabilities, the Common Vulnerability Scoring System (CVSS 4.0). He is featured in major media like Hakin9 Media Magazine, Forensic Focus News, etc. He has delivered talks at national and international conferences like Tech Ex North America, Tech Summit SF, BSides Las Vegas, National Cyber Summit, etc., to influence the private and public sectors. Karan was featured as a subject matter expert in the Google Cybersecurity Certificate program launched in May 2023 on Coursera, which had an enrollment of over 41,000 students within a few weeks. Furthermore, Karan has served as an advisor to startups and an editorial board member for international security journals, and has judged global competitions. He holds a master's degree in Information Security from Carnegie Mellon University, USA.
Hosts
2. Arg Parsing in Rust, End of Life Hardware, CSRB & MS, Chrome’s V8 Sandbox – ASW #281
A Rust advisory highlights the perils of parsing and problems of inconsistent approaches, D-Link (sort of) deals with end of life hardware, CSRB recommends practices and processes for Microsoft, Chrome’s V8 Sandbox increases defense, and more!
Announcements
On the evening of Monday, May 6, 2024, W2 Communications and CyberRisk Alliance are bringing CYBERTACOS back to San Francisco! If eating FREE tacos, sipping on margaritas and mingling with cyber professionals from all over the world sounds good to you, make sure to register to secure your spot! Visit securityweekly.com/cybertacos to RSVP today!
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss out on keynote speakers including Denee Defiore, CISO of United Airlines; Tucker Bryant, Entrepreneur and Former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's; and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Hosts
- 1. Multiple programming languages fail to escape args in Windows
It turns out that the way Microsoft's C library parses command line arguments is not how everybody thinks it does. This leads to a situation where programs might receive those arguments in an unexpected form, which means there's potential for security vulnerabilities.
There's a good post about what's going on in a Microsoft blog from over 10 years ago: https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
A question arises: should each software author fix this in their application, or should the OS vendor address it in the library they publish?
- 2. Buffer overflow visualizations in gcc analyzer, and more
Red Hat has been working on a static analyzer in gcc for the last several releases. At this point it's able to catch "some" infinite loops, perform taint analysis, etc. The one that caught my eye, though, is the ability to detect, and then visualize via ASCII art, buffer overflow issues.
I know I'm always talking about being visual, personally, but this is a case where I think seeing really helps a developer (and their management!) understand what's going on and why a bug needs to be fixed.
- 3. Remote command injection vulnerability in Palo Alto Networks firewalls
There's a critical vulnerability in the zero-trust network access feature from Palo Alto Networks that runs on some of their firewalls.
- 4. Fortran and WebAssembly is like peanut butter and….
As a callback to the first half, Fortran is still out there, but new tech can "help" keep older tech alive...