Enterprise Security Weekly Episode #255 – December 23, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Bringing Autonomy to AppSec – 03:00 PM-03:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Log4j, SolarWinds, Tesla hacks, and the wave of high-profile appsec problems aren’t going to go away with current approaches like SAST and SCA. Why? They are:
  • 40 years old, with little innovation
  • Haven’t solved the problem.

In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
  • Prove bugs, rather than trying to list all of them.
  • Zero false positives, which leads to better autonomy.

Segment Resources:
Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge

Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them

Example vulns discovered:
https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot

https://github.com/forallsecure/vulnerabilitieslab

Guest(s)

Dr. David Brumley – CEO and Co-Founder at ForAllSecure

Dr. Brumley is the CEO and co-founder of ForAllSecure, a company with the mission to secure the world’s software. He is also an Associate Professor at Carnegie Mellon University (currently on leave) with a primary appointment in the Electrical and Computer Engineering Department and a courtesy appointment in the Computer Science Department. He is also the previous Director of CyLab, the CMU Security and Privacy Institute. His research focuses on software security.

Prof. Brumley received his Ph.D. in Computer Science from Carnegie Mellon University, an MS in Computer Science from Stanford University, and a BA in Mathematics from the University of Northern Colorado. He served as a Computer Security Officer for Stanford University from 1998 to 2002 and handled thousands of computer security incidents in that capacity. He is the faculty mentor for the CMU hacking team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world according to ctftime.org. The team was ranked #1 in 2011, #2 in 2012, and #1 in 2013, and won DefCon 2013. He received the USENIX Security best paper awards in 2003 and 2007, and an ICSE distinguished paper award in 2014.

Prof. Brumley’s honors include being selected for the 2010 DARPA CSSP program and the 2013 DARPA Information Science and Technology Advisory Board, a 2010 NSF CAREER award, a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama (the highest award in the US for early-career scientists, according to Wikipedia), and a 2013 Sloan Foundation award.

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Tyler Shields

@txs

CMO at JupiterOne

2. Dragons & Unicorns, Phishing Training, GreyNoise, & Becoming Domain Admin – 03:30 PM-04:00 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • We had an absolute blast putting together this year’s SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!

Description

In the Enterprise Security News for this week: ZeroFox has a $1.4 billion blank check, Corellium raises a $25M Series A, GreyNoise makes its data free to help out Log4j sufferers, AWS suffers its third outage in a month (coincidentally hindering GreyNoise’s efforts), ditching unicorns for dragons, yet another easy way to become domain admin (thanks, Microsoft), a new report finds that current phishing training isn’t effective and is even potentially harmful, & more!

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

  1. FUNDING: Corellium Secures $25M Series A Round, Led by Paladin Capital Group with Participation from Cisco Investments
  2. TRENDS: Why the startup world needs to ditch “unicorns” for “dragons”
  3. GOING PUBLIC: Cybersecurity SaaS company ZeroFox to go public via merger with SPAC in deal valued at about $1.4 billion
  4. REPORTS: Phishing in Organizations: Findings from a Large-Scale and Long-Term Study – Security awareness training might be less valuable than we had thought. Potentially harmful, even?
  5. SUPPLY CHAIN: AWS suffers third outage of the month
  6. VULNERABILITIES: Microsoft warns of easy Windows domain takeover via Active Directory bugs – This title is evergreen – both historically and into the future.
  7. LOG4J: As Log4j sent defenders scrambling, this startup made its threat data free
  8. RUMORS: SentinelOne’s $2.5 billion takeover of Orca Security falls through after shares plummet
  9. SQUIRREL: Tardigrade is first multicellular organism to be quantum entangled
  10. SQUIRREL: RadioShack Returns as a Crypto Company

Tyler Shields

@txs

CMO at JupiterOne

3. ESW End-of-Year Wrap Up – 04:00 PM-04:30 PM

Announcements

  • Join us January 20th to learn how to build your own security lab at home! Don’t forget to check out our library of on-demand webcasts & technical trainings at https://securityweekly.com/ondemand.

Description

In our final security weekly segment of the year, we’re wrapping up by reminiscing about 2021’s biggest, craziest, and most interesting stories. We’ll chat about our favorite interviews of the year. Finally, we’re sharing our hopes for 2022. What could make it better? Will it be the year we break free from ransomware? Will cyber insurance providers drop all their policyholders? All this, and cryptic hints from Adrian and Tyler!

It has been a crazy year and we’re looking forward to keeping you informed throughout 2022 as well!

Hosts

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

Tyler Shields

@txs

CMO at JupiterOne