Application Security Weekly Episode #139 – February 08, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Being a Serial Entrepreneur, Business Leader, & Hacker – 12:30 PM-01:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

Alissa Knight has spent her career going against industry and social norms as both a Transgendered and Lesbian business leader and hacker. Learn more about her, her achievements as a published author, her recent vulnerability research in hacking law enforcement vehicles, mHealth apps and APIs, her recent screenplay for her new TV series, her life as a hacker, and barriers she’s broken down in business.

Hacking law enforcement vehicles: https://www.youtube.com/watch?v=j9ErtuYBQtk and https://www.youtube.com/watch?v=Soj3P3S3i_o

2021 Vulnerability Research: https://www.youtube.com/watch?v=6SOc1u66u7c&t=1s

Hacking mHealth: https://www.youtube.com/watch?v=D-Mu3KMWx6s

2020 Year in Review: https://www.youtube.com/watch?v=Uv8oMbGPQTI&t=7s

Guest(s)

Alissa Knight – Partner at Knight Ink

Alissa Knight is a recovering hacker of 20 years, beginning her career as a penetration tester and then moving into incident response and forensics. After the charges were dropped when she hacked into a government network at 17, she began working for the US Intelligence Community in the Cyber Warfare directorate, supporting HUMINT operations in Afghanistan and Iraq. Alissa is a serial entrepreneur, having sold two previous cybersecurity startups, and is now a published author. The world’s financial services and fintech industry turned its attention to Alissa in 2019 when she downloaded and hacked 30 financial services and fintech mobile apps in less than 1 week. That same year, she was brought to the Pentagon to assist the US Marine Corps Brigadier General in securing the global Marine Corps network. In 2020, she published the first book on hacking connected cars and APIs. She made more noise in the healthcare space recently when she hacked 30 mobile health/telemedicine apps and published that research in January 2021. Alissa is a cybersecurity influencer as a YouTuber, content creator, and writer. Last year several producers approached her about creating a new TV series based on her life, which will premiere at a date still to be determined. She now joins Quontic to architect, implement, and maintain a cybersecurity program to manage the bank’s IT risk as it continues to disrupt traditional banking.

Hosts

John Kinsella – Chief Architect at Accurics

Matt Alderman – Executive Director at CyberRisk Alliance

Mike Shema – Product Security Lead at Square

2. BBPLR, API Security Trends, Memory Unsafety, & Patching 0-Days – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Funding bounties or finding bugs, how should we invest? Talks from Enigma Conference on memory unsafety and 0-days. Coming trends in API security and a review of research from 2020.

Hosts

John Kinsella – Chief Architect at Accurics

  1. Apple patches 28 code execution vulnerabilities – Apple released updated info about what was patched in last week’s iOS/watchOS/tvOS/macOS updates. Quite a few bugs…

Matt Alderman – Executive Director at CyberRisk Alliance

Mike Shema – Product Security Lead at Square

  1. Bug Bounty Program of Last Resort – This paper answers what it might cost to fund bounties for critical open-source projects. That also raises the question of what it might cost to fund code refactoring and hardening for critical open-source projects. It also references a paper from WEIS 2019 (https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_36.pdf). We talked about this conference and a few of its papers back in episode 136.
  2. Google’s Payout to Bug Hunters Hits New High – As a bug bounty of first resort, Google pays quite a bit for software flaws in Android, Chrome, and its other properties. But it’s nowhere near the scale suggested in the other article this week about the bounty of last resort.
  3. API Security Trends – Another vendor state of security report, this time with a focus on what incidents have been hitting APIs. Read it along with their take on “OpenAPI Specification: Perception vs. Reality” (https://devops.com/openapi-specification-perception-vs-reality/) and how the industry might improve API security.
  4. NCC Group’s 2020 Annual Research Report – A wealth of reading for research, tools, and presentations from 2020. Each item has helpful context so you can choose what appeals to your interests or what might be relevant to your organization.
  5. Establishing a Scalable Collaboration Between Security and DevOps – A discussion of research on DevOps skillsets, what organizations are worried about, where containers fit within a DevOps strategy, and where Security sits among all this. And for bonus reading material, check out their other article about keeping Availability on the Security radar (https://capsule8.com/blog/bringing-your-a-game-availability-for-security-people-2/).
  6. Quantifying Memory Unsafety and Reactions to It – A talk from Enigma 2021 that brings data to the journey of understanding the implications of C and C++. How much does programming language choice affect software security? How much _has_ programming language choice impacted the population of vulns?
  7. The State of 0-Day in-the-Wild Exploitation – A talk from Enigma 2021 that brings data to the discussion of finding vulns and patching them. Check out the companion article on Project Zero at https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
  8. Privacy and Security Nutrition Labels to Inform IoT Consumers – A talk from Enigma 2021 that brings visualization and communication of security and privacy issues in IoT to consumers. Find out more about these labels on their site at https://www.iotsecurityprivacy.org.