Application Security Weekly Episode #131 – November 23, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Threat Modeling Deep Dive – 12:30 PM-01:00 PM

Announcements

  • In our upcoming webcasts & technical trainings, you will learn how to build a risk-based vulnerability management program, how to prevent phishing scams, and how to move beyond vulnerability scan to vulnerability fix! Visit https://securityweekly.com/webcasts to see what we have coming up, or visit securityweekly.com/ondemand to view our previously recorded webcasts!

Description

We threat model every day without realizing it. And, of course, we often threat model with systems and products within our organizations. So how formal does our approach need to be? How do we best guide the “what could go wrong” discussion with DevOps teams? And what’s a sign that we’re generating useful threat models?

Articles
https://www.threatmodelingmanifesto.org
https://securityboulevard.com/2020/05/data-security-and-threat-models/
https://speakerdeck.com/abhaybhargav/agile-threat-modeling-as-code

Hosts

AdrianSanabria – Senior Research Engineer
JohnKinsella – Chief Architect
MikeShema – Product Security Lead

2. Drupal Flaws, DevSecOps Implementation, & Cloud Native Security White Paper – 01:00 PM-01:30 PM

Announcements

  • Do you always end up missing our live streams? Need somewhere to flag Security Weekly podcasts that you want to listen to? Subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server to stay in the loop on all things Security Weekly! Visit: https://securityweekly.com/subscribe

  • Security Weekly, in partnership with CyberRisk Alliance, is excited to present Security Weekly Unlocked on December 10, 2020. This 1 day virtual event wraps up with the 15th anniversary edition of Paul’s Security Weekly live on Youtube! Visit https://securityweekly.com/unlocked to view the agenda and register for free!

Description

In the Application Security News, a manifesto highlights principles and values for threat modeling, the CNCF releases a Cloud Native Security Whitepaper, Microsoft put security in the CPU with Pluton, mass scanning for secrets, ancient flaws resurface in Drupal, and steps for implementing source composition analysis!

Hosts

AdrianSanabria – Senior Research Engineer
JohnKinsella – Chief Architect
MikeShema – Product Security Lead

Articles
  1. Threat Modeling Manifesto
  2. Drupal sites vulnerable to double-extension attacks
  3. Botnets have been silently mass-scanning the internet for unsecured ENV files
  4. DevSecOps Implementation: Source Composition Analysis – DevOps.com
  5. Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs – Microsoft Security
  6. Announcing the Cloud Native Security White Paper
  7. PhD Thesis: Greybox Automatic Exploit Generation for Heap Overflows in Language Interpreters