asw156

Application Security Weekly Episode #156 – June 28, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Scaling Your Application Security Program – 12:30 PM-01:00 PM

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • In our July 14th democast at 11 AM ET, learn how to reveal and protect your entire attack surface. Then join us July 15 at 11 AM ET to learn how a thoughtful approach to SASE can improve security and enable scalability. Finally, in our July 22nd technical training at 11 AM ET, learn how Guided-SaaS NDR Enables Rapid Response. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

In this segment with Clint Gibler, learn:

  • Why secure defaults are higher ROI than finding vulnerabilities
  • How modern AppSec teams are working with their engineering counterparts
  • Targeting vulnerability classes, avoiding bug whack-a-mole
  • The latest innovations in lightweight static analysis

Segment Resources:
https://semgrep.dev/ https://github.com/returntocorp/semgrep https://github.com/returntocorp/semgrep-rules 2020 GlobalAppSec SF https://docs.google.com/presentation/d/14PjOViz2dE6iToOyoFk_BQ_RUfkEHGX-celIiybDQZA/edit https://tldrsec.com/

Guest(s)

Clint Gibler

Clint Gibler – Head of Security Research at r2c

@clintgibler

Clint Gibler is the Head of Security Research for r2c, a startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU/Cali, BSidesSF, and many DevSecCons. Clint holds a Ph.D. in Computer Science from the University of California, Davis. Want to keep up with security research? Check out *tl;dr sec*, Clint’s newsletter that contains summaries of artisanally curated, top talks and useful security links and resources from around the web. https://tldrsec.com/

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

2. Semgrep, Microsoft Signs With Rootkits, ATT&CK/D3FEND, & Injured Android – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

This week in the AppSec News: Visual Studio Code’s Workplace Trust, Injured Android an insecure mobile app, Microsoft accidentally signed driver with rootkits, The NSA funds a new sister Matrix to ATT&CK: D3FEND, & “Ransomware: maybe it’s you, not them?”, and more!

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

  1. D3FEND Matrix
  2. Semgrep: The Surgical Static Analysis Tool
  3. InjuredAndroid – CTF
  4. I know what I didn’t do last summer!
  5. Lightning Components: A treatise on Apex Security from an External Perspective – AppOmni %
  6. The Fault in Our Stars
JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. Visual Studio Code’s Workplace Trust – The May release of Visual Studio Code added something called Workspace Trust – what looks like a significant improvement in the safety for browsing code from within VSCode. Functionality includes being able to prevent code execution from running Tasks, debugging, workplace settings, or extensions. Looks like they have these features for either workplace or folder granularity.
  2. Microsoft accidentally signed driver with rootkits – Microsoft signed a signature request from a vendor that contained malicious software, without either the vendors or Microsoft’s awareness. While Microsoft as since signed a clean version, the question is how did this get signed in the first place?
  3. Ransomware isn’t out of control – security teams are – Here’s a think piece for us to…think about what we want and expect our security teams to do. While in any environment we need everybody to work on security together, security teams and management must set the direction and goals for us. With that guidance – how can we better prevent security issues, whether they’re ransomware or others?
  4. What are the odds someone will find and exploit this? – Up to 80% of developers are releasing software with some known vulnerability. How can we improve that stat?