
Security Journey's hi/5

43 episodes - English - Latest episode: almost 2 years ago - ★★★★★ - 1 rating

Each week, Security Journey's CEO, Chris Romeo, takes you through the five security articles he thinks are worth your time. Links to all the articles are included with each episode.

Tags: Technology, application security, security news, security journey

Episodes

Long Live SBOMs, Application Risk Profiling, Software Supply Chain, and more

June 23, 2022 14:00 - 2 minutes - 1.89 MB

“SBOM” should not exist! Long live the SBOM. This article by Steve Springett, who is at the center of the software bill of materials universe, explains what an SBOM is and why they should exist.
In defense of simple architectures. As security professionals, we love simple because complex is hard to secure. This article is about a 1.7 billion dollar company that runs its web app as a Python monolith on top of Postgres and how this simplified architecture runs a successful application.
Alex M...

Implementation of DevSecOps, Product Security Leads, Go Mitigations, and more

June 09, 2022 04:00 - 2 minutes - 2.02 MB

3 Cultural Obstacles to Successful DevSecOps Implementation. When our goal is to change security culture we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organization.
Brenna Leath -- Product Security Leads: A different way of approaching Security Champions. Brenna Leath, head of product security at SAS, visited the Application Security Podcast to share her i...

Hi/5: Automated Threat Modeling; In depth research; GitHub 99 designs/aws-vault; Nginx

May 26, 2022 13:00 - 2 minutes - 2.18 MB

1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy - https://www.usenix.org/publications/l... We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Evaluation Criteria.
2. In-depth research and trends analyzed from 50+ different concepts as code - https://www.jedi.be/blog/2022/02/23/t... • DevSecOps as code explosion • Data as code • Capturing knowle...

Internal Secrets; SHA-256; 28,000 Vulnerabilities disclosed in 2021; Threat Modeling.

May 12, 2022 13:00 - 2 minutes - 2.17 MB

1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED? - https://datasociety.net/wp-content/up... This first story is a React development issue. A developer was asking if a specific property was safe to use. This shows the importance of naming in understanding the security risks when using specific properties.
2. Adam Shostack -- Fast, cheap, and good threat models - https://www.securityjourney.com/podca... Adam is very well known in the world of threat modeling as a thoug...

Terraform, CI/CD, Bug Bounties and more

April 28, 2022 04:00 - 2 minutes - 2.02 MB

Bounty Everything. This ebook has in-depth explanations of how bug bounties work, how the economy works within the bug bounty, and how the researchers are paid and treated.
Understanding Website SQL Injections. A high-level deep dive into SQL injection, so even those that have no understanding of what an injection attack is can learn how they work.
Mazin Ahmed -- Terraform Security. Terraform is all the rage in the infrastructure as code world. Mazin walks through all the things you need to understa...

Python Repos, Advanced SQL, NPM corruption, and more

April 12, 2022 18:00 - 2 minutes - 1.94 MB

5% of 666 Python repos had comma typos (including Tensorflow, PyTorch, Sentry, and V8). Out of a group of GitHub repositories that had been checked, 5% had a comma problem. Either too few or too many commas somewhere in the library.
Advanced SQL Injection Cheatsheet. This repository contains an advanced methodology of all types of SQL Injection. MySQL, PostgreSQL, Oracle, and MSSQL.
10 Threats ebook. Read about the eBook on the 10 Greatest Threats to Your Application’s Security, 2021 version....

XSS, Cybersecurity Management, OWASP Top Ten review, Web3 and more

April 05, 2022 16:00 - 3 minutes - 2.13 MB

1. Fuzzing for XSS via nested parsers condition - https://swarm.ptsecurity.com/fuzzing-... In this article, web application security researcher Igor Sak-Sakovskiy reveals a novel technique for finding sanitization issues that could lead to XSS attacks.
2. Anti-Patterns in Cybersecurity Management - https://systemweakness.com/anti-patte... In this article, the author walks through the most memorable anti-patterns he's seen recurring in cybersecurity management.
3. OWASP Top 10 Peer Review - htt...

ZAPping, AWS, and DevSecOps! Oh My!

March 17, 2022 14:00 - 3 minutes - 2.6 MB

ZAPping the OWASP Top 10. This document gives an overview of the automation and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2021 risks.
AWS Is the Internet's Biggest Single Point of Failure. In December, several services on the internet ground to a halt because of an outage at some Amazon Web Services cloud servers. The outage affected Netflix, Disney Plus, PUBG, League of Legends, Ring security cameras, a...

Container Security, Securing our Software Future, Threat Modeling Medical Devices and more

March 02, 2022 22:00 - 3 minutes - 2.31 MB

Exploring Container Security: A Storage Vulnerability Deep Dive - https://security.googleblog.com/2021/... Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host file system outside the boundaries of the mounted volume. Remember, vulnerabilities can exist deep within the internals of Kubernetes.
Really Stupid “Smart Contract” Bug Let Hackers Steal $31 Million In Digital Coin - https://arstechnica.com/information-t...

Exact Dependencies, Insecure Design, How To Learn Stuff Quickly and more

February 17, 2022 14:00 - 3 minutes - 2.31 MB

How to Learn Stuff Quickly: https://www.joshwcomeau.com/blog/how-... Learning how to learn is a crucial skill of the security professional and developer.
Never Update Anything: https://blog.kronis.dev/articles/neve... "In my eyes, it could be pretty nice to have a framework version that's supported for 10-20 years and is so stable that it can be used with little to no changes for the entire expected lifetime of a system."
Bridges fall down due to insecure design - make sure your web applica...

Trojan Source Attacks, AppSec Things to Watch, AWS WAF's Dangerous Defaults and more

January 27, 2022 14:00 - 3 minutes - 2.31 MB

Protect your open source project from supply chain attacks - https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html?m=1 This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks.
Trojan Source Attacks - https://trojansource.codes/ Some vulnerabilities are invisible - rather than inserting logi...

Holiday Hi/5: OWASP Top 10 Analysis, OWASP A08:2021, All Things SSRF, and more

December 17, 2021 05:00 - 2 minutes - 2.01 MB

GitLab analysis of OWASP Top 10 changes from 2004 to 2021 - https://public.flourish.studio/visual... Visualization of how the OWASP Top Ten has changed over the years.
To Learn a New Language, Read Its Standard Library - http://patshaughnessy.net/2021/10/23/... The best way to learn a new programming language, just like a human language, is from example. To learn how to write code you first need to read someone else's code.
Making sense of OWASP A08:2021 - Software & Data Integrity Failures - https:...

Hi/5: Minimum Viable Secure Product, Bandit, Sigstore and more

December 02, 2021 12:00 - 2 minutes - 2.01 MB

Minimum Viable Secure Product. Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers.
How to Secure Python Web App Using Bandit. Bandit is a tool developed to locate and correct security problems in Python code. To do that, Bandit analyzes every file, builds an AST from it, and runs suitable plugins on the AST nodes. Once Bandit has completed scanning all of the documents, it generates a report.
Explain Sigstore to m...

Hi/5: WrongSecrets, IT Assets, OWASP Top 10, CORS and Password Wisdom

November 17, 2021 17:00 - 2 minutes - 1.82 MB

commjoen/WrongSecrets - https://github.com/commjoen/wrongsecrets Improper secret storage is a common technology problem. Use this tool to expose your developers to how to do it wrong, so they can learn how to do it right.
List of IT Assets an Attacker is most likely to Extort - https://www.helpnetsecurity.com/2021/10/13/it-assets-target/ Attackers love IT assets; here are the top things they are targeting and exploiting.
OWASP Top 10 2021: 7 action items for app sec teams - https://www.secur...

How Yahoo Built a Culture of Cybersecurity, minimaxir/big-list-of-naughty-strings, Issue #4409, OWASP A08:2021, Apache Servers

October 21, 2021 16:00 - 3 minutes - 2.32 MB

How Yahoo Built a Culture of Cybersecurity - https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurity Commentary: Security culture continues to grow as a non-negotiable piece of a security strategy.
minimaxir/big-list-of-naughty-strings - https://github.com/minimaxir/big-list-of-naughty-strings Commentary: Safe-list input validation is always our go-to, but the big list of naughty strings is a nice input for testing!
Have Trusted Types API built directly into the jQuery Core...

Threat Modeling, Highest Quality of Software Code, Cloud Company, and more

October 07, 2021 18:00 - 2 minutes - 2.03 MB

1. NIST Brings Threat Modeling into the Spotlight. If you haven't heard about the NIST Executive Order about software security and supply chain, you've been living under a rock. Adam gives us the threat modeling perspective on the EO.
2. How to ensure the highest quality of Software code. Security or development, we all want the highest quality of software code. Explore linting, unit testing, SAST, and continuous monitoring of software.
3. A cloud company asked security researchers to look...

New and Growing Threats, HTTP/2, DefCon29, and More

September 02, 2021 18:00 - 4 minutes - 3.46 MB

1. Application security tools ineffective against new and growing threats. Outdated offerings, false positives, and ineffective blocking are among the main causes driving this global concern.
2. HTTP/2: The Sequel is Always Worse. Attackers are learning HTTP/2. Developers and defenders must learn it as well.
3. AppSec Village Live Stream of DefCON 29. Check out AppSec Village as it is the perfect place to connect with those with related interests.
4. Mark Loveless -- Threat modeling in a...

Empty Npm Package, Privacy, Security Automation, and More

August 26, 2021 18:00 - 5 minutes - 3.9 MB

1. Empty npm package '-' has over 700,000 downloads — here's why. There have been 720,000 downloads since its publication on the npm registry in early 2020.
2. Privacy – more than the icing on the cake. Questions to consider: What are we working on? What can go wrong? and more. Give this a read to gain more context.
3. Jeroen Willemsen -- Security automation with CI/CD. Jeroen joins us to unpack security automation in a DevOps world.
4. Why cybersecurity pros need to learn how to cod...

SQL Injection Vulnerabilities, Security Nihilism, Passwords, and More

August 19, 2021 18:00 - 4 minutes - 3.53 MB

1. 16 of 30 Google results contain SQL injection vulnerabilities. The dreadful quality of most of Google's search results. Several of these results were, simply put, SEO-optimized baloney.
2. A case against security nihilism. Skepticism that we can guard against the NSO Group's Pegasus spyware, or similar products.
3. Why the password isn't dead quite yet. It will take time and more experimentation to create a passwordless ecosystem that can replace all the functionality of passwords, esp...

Threat Modeling, Secure-Coding-Handbook, Security Headers, and more

August 12, 2021 18:00 - 4 minutes - 3.65 MB

1. Jeevan Singh -- Threat modeling based in democracy. Jeevan joins us to speak about self-serve threat modeling at Segment, or threat modeling based in democracy.
2. joswha/Secure-Coding-Handbook. Client side, Server Side, Auxiliary.
3. Security headers quick reference. Security headers recommended for all websites, websites that handle sensitive user data, and websites with advanced capabilities.
4. Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware...

Threat Model Framework, Decision Tree Generator, Npm Audit, and more

August 05, 2021 18:00 - 5 minutes - 4.05 MB

1. How we're creating a threat model framework that works for GitLab. While our Security team owns the framework, we don't "run" it. It is run by the people who are running the project.
2. Deciduous: A Security Decision Tree Generator. Security decision trees are a powerful tool to inform saner security prioritization when designing, building, and operating software systems.
3. npm audit: Broken by Design. I see the point, but I also disagree – SCA and finding/mitigating supply chain issues ...

Groundhog Day, TypeScript, Minimum Standard for Vendor, and more

July 29, 2021 18:00 - 5 minutes - 3.92 MB

1. Groundhog day: NPM package caught stealing browser passwords. The author intended to trick the targets into executing the malicious package. In cases of malware placed in package repositories, attackers usually rely on typosquatting.
2. TypeScript Doesn't Suck; You Just Don't Care About Security. Security wins against the eleven popular reasons developers disapprove of TypeScript.
3. Recommended Minimum Standard for Vendor or Developer Verification of Code. Threat modeling, automated t...

PyPl Cryptomining Malware, Infosec Core Competencies, SSRF Cheat Sheet, and more

July 22, 2021 18:00 - 6 minutes - 5.05 MB

1. Sonatype Catches New PyPI Cryptomining Malware. Malicious packages continue to infect our public package repositories; all developers must understand these threats!
2. (Technical) Infosec Core Competencies. While these core competencies stray slightly to the red team / pen test side, this is a solid list of what folks need to know as they grow.
3. SSRF Cheat Sheet & Bypass Techniques. SSRF vulns are growing; application security people must understand SSRF and know how to properly find ...

Cybereason, Introducing SLSA, Peloton Bike Vulnerability, and more

July 15, 2021 18:00 - 6 minutes - 4.73 MB

1. Cybereason: 80% of orgs that paid the ransom were hit again. Prevention of ransomware is a human and technology solution.
2. Introducing SLSA, an End-to-End Framework for Supply Chain Integrity. Learn from Google’s eight years of protecting their supply chain.
3. Peloton Bike+ vulnerability allowed complete takeover of devices. Secure your fitness equipment – seems strange that we have to say that, but hey, it is 2021.
4. Irish police to be given powers over passwords. Privacy advoc...

Impact of GDPR, JavaScript for Pen Testers and Bug Bounty Hunters, Incident Response Plan, and more

July 08, 2021 20:00 - 6 minutes - 4.55 MB

1. Impact of GDPR on Cloud Service Providers. Privacy is here to stay -- long live data privacy in the cloud.
2. Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters. Bug bounty hunter techniques are the same techniques adversaries use.
3. What Every Incident Response Plan Needs. Nobody thinks they’ll need an incident response plan… until it’s too late.
4. Dev-Sec Disconnect Undermines Secure Coding Efforts. Developer empathy – as a security person, walk a mile...

Unified Kill Chain, Why Devs Dislike Security, Hacker Tools Used for Good, and more

July 01, 2021 18:00 - 7 minutes - 5.29 MB

1. The Unified Kill Chain. The Unified Kill Chain is thorough, and all builders and defenders must understand the techniques of our adversaries.
2. Why Developers Dislike Security -- and What You Can Do About It. Developers that embrace security and learn all the ins and outs rise to the top and have the option to transition into dedicated security professionals in the future.
3. Hacker Tools Used for Good as Exposed Amazon Cloud Storage Accounts Get Warnings. Secure those AWS S3 buckets by...

I Mailed an Airtag, Protect Public AWS SSM Documents, Zen of Python, and more

June 24, 2021 18:00 - 6 minutes - 4.86 MB

1. I Mailed an AirTag and Tracked Its Progress; Here’s What Happened. AirTags use the network capacity of all other Apple devices. If you own an Apple device, you’re now part of a mesh network that you cannot disable.
2. The Need to Protect Public AWS SSM Documents – What the Research Shows. Follow the AWS Best Practices for SSM: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html
3. Application Security and the Zen of Python. Application security and th...

Cross-site Scripting, DevOps, OAuth 2.0, GitLab Packages, and more

June 17, 2021 18:00 - 6 minutes - 5.15 MB

1. Cross-site scripting (XSS) cheat sheet. Learn XSS at a depth that you can explain it to anyone, and understand the diversity of attack that exists across the set of XSS vectors.
2. Why DevOps Will Cease to Exist. Just like DevOps is integrated into every developer’s job, so is security.
3. OAuth 2.0 Threat Model Pentesting Checklist. OAuth 2.0 is used everywhere, and many developers and security people aren’t aware of the depth of threat that exists.
4. A deep dive into how we inve...

JWT, Cross-Browser Tracking, Advocating and being on the Side of Developers, and more

June 10, 2021 18:00 - 6 minutes - 5.07 MB

1. JWT should not be your default for sessions. JWT is a bad default -- be deliberate and careful when you use it.
2. Exploiting custom protocol handlers for cross-browser tracking in Chrome, Firefox, Safari, and Tor. Protecting user privacy is a foundational capability of the web browser, and scheme flooding violates that capability.
3. Dustin Lehr -- Advocating and being on the side of developers. As AppSec people, work hard to be an advocate for your developers and evaluate tools that will...

AppSec Manifesto, Security Chaos Engineering, Linux bans University of Minnesota, and more

June 03, 2021 18:00 - 8 minutes - 5.9 MB

1. The AppSec Manifesto. The AppSec Manifesto has some good advice contained within, but we think a Manifesto should be the work of multiple people to ensure that the opinions are vetted.
2. Security Chaos Engineering. Security chaos engineering is providing a methodology to prepare your system for the unexpected happenings that could adversely impact security and privacy.
3. Linux bans University of Minnesota for committing malicious code. Open-source is built upon a trust model of the pe...

Kube-goat, Microsoft's Password Changing, Secure Python Code, and more

May 27, 2021 18:00 - 6 minutes - 4.95 MB

1. Kube-goat: A deliberately vulnerable Kubernetes cluster - https://reconshell.com/kube-goat-a-deliberately-vulnerable-kubernetes-cluster/ To truly learn how to protect Kubernetes clusters, it’s helpful to exploit known bad security settings.
2. Microsoft says mandatory password changing is “ancient and obsolete” - https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/ Embrace password managers for your Enterprise and remove...

Reference Architectures, "Huge Upsurge" in DDoS, Codecov, and more

May 20, 2021 18:00 - 6 minutes - 4.87 MB

1. Uncomplicate Security for developers using Reference Architectures. Reference architectures assist developers in building secure applications and limit rework as a result of later security reviews.
2. “Huge upsurge” in DDoS attacks during pandemic. Acknowledge that a DDoS attack is coming your way, and architect your system in a scalable manner to ensure that you can absorb a DDoS attack of any size.
3. Codecov discloses 2.5-month-long supply chain attack. Attackers are targeting the supp...

Kubernetes, API-First Security Strategy, Threat Modeling, and more

May 13, 2021 18:00 - 6 minutes - 4.87 MB

1. Threat matrix for Kubernetes. The application of the ATT&CK methodology to Kubernetes is the subject matter that everyone using Kubernetes should know.
2. 5 Objectives for Establishing an API-First Security Strategy. The five objectives are a good reminder that when using APIs (and we all are), think security first.
3. Izar Tarandach and Matt Coles -- Threat Modeling: A Practical Guide for Development Teams. Threat model all the things!
4. Deep dive in CORS: History, how it works, a...

DevSecOps Metrics, JavaScript and Node.js, Top 25 pros, and more

May 06, 2021 14:00 - 6 minutes - 4.52 MB

1. The Current State of DevSecOps Metrics. Measure what matters, and what gets measured gets attention. Apply this guidance to your DevOps program to measure the value of security.
2. 5 ways to prevent code injection in JavaScript and Node.js. JavaScript is susceptible to code injection via several different code constructs. Stop using these, please. Code securely!
3. Do app sec like a boss: The top 25 pros to follow. Twitter is where security congregates to argue and share. Join the disc...

PHP's Git Server Hacked, Threat Modeling, SSRF Attacks, Deprecating TLS

April 29, 2021 16:00 - 6 minutes - 4.68 MB

1. PHP's Git server hacked to add backdoors to PHP source code. Supply chain attacks are bigger than vulns in open source; when the attack is deliberate, the stakes are higher.
2. Redefining Threat Modeling: Security team goes on vacation. We can all agree that threat modeling is non-negotiable; use Segment’s model as a reference for how to do threat modeling using a self-service approach.
3. Software Security at Rocketship Pace. SAST is table stakes, but your SAST solution must eliminate ...

Web Development, Security Scanner, Private Keys, and more

April 22, 2021 13:00 - 5 minutes - 4.43 MB

1. Post-Spectre Web Development. The web is changing, and we must adapt our threat model and our mitigations across the board to prepare for future attacks.
2. The security scanner that cried wolf. Keep your eyes focused on the results of your container scanners and use additional tools besides trivy to scan for vulnerabilities in your workloads.
3. Understanding Private Keys. While we don’t recommend that you dig into the depths of crypto, a software engineer should understand how cr...

Security and Engineering, Top Open-Source Tools, Technical Product/Project Manager, and more

April 15, 2021 15:00 - 5 minutes - 3.82 MB

Stop forcing security and engineering to collaborate! Security and engineering must collaborate in a seamless approach to protecting customer data. We’ve tried silos for the past twenty years, and that hasn’t worked. Let’s try collaboration for five and see who wins.
The top open-source tools to secure your app sec pipeline. Open-source provides a solid set of application security tools. We’ve only used a handful of these, and we’ll be diving in right alongside you!
Leveraging your Ro...

Programming Language Reduce Vulns, Zero Data App, Someone is Hacking the Hackers and more

April 09, 2021 18:00 - 5 minutes - 3.66 MB

1. Can a Programming Language Reduce Vulnerabilities? A programming language can reduce vulnerabilities, and the future of application security must walk in lockstep with improving the languages and frameworks to eliminate classes of vulns.
2. “Zero Data App – Own your data, all of it.” Is this an app we can download and use now? To move personal privacy forward, we need app options that let us keep our data in a secure enclave instead of in a cloud service.
3. Someone Is Hacking th...

Web Hacking Techniques, Exploited Vulnerabilities, Security Chaos Engineering and more

April 01, 2021 18:00 - 5 minutes - 3.98 MB

1. Top 10 web hacking techniques of 2020 (https://portswigger.net/research/top-10-web-hacking-techniques-of-2020) While the OWASP Top 10 is more high level, this list gives you the down and dirty for how attackers are using the web to break applications.
2. What your DevOps team needs to know: 4 lessons from exploited vulnerabilities (https://techbeacon.com/security/what-your-devops-team-needs-know-4-lessons-exploited-vulnerabilities) Learn from security past to prevent vulnerabiliti...

Evil Go Packages, Shifting Engineering Right, Hacking and more

March 25, 2021 13:00 - 5 minutes - 4.08 MB

1. Finding Evil Go Packages - https://michenriksen.com/blog/finding-evil-go-packages/ Go is better protected from a software supply chain issue, but nothing is 100% safe.
2. Shifting Engineering Right: What security engineers can learn from DevSecOps - https://segment.com/blog/shifting-engineering-right/ All security people need to learn to practice developer empathy – walk a mile in your developer’s shoes.
3. Hacking is not a crime – and the media should stop using 'hacker' as a pejorativ...

Shifting Left, REST API, HTML Over WebSockets and more

March 18, 2021 22:00 - 4 minutes - 3.4 MB

Each week our CEO, Chris Romeo, will take you through the five articles he thinks are worth your time. Check out the video and links to each article below!
1. Shifting Left on Security: Solutions, Google Cloud (https://cloud.google.com/solutions/sh...)
2. Best Practices for REST API Design (https://stackoverflow.blog/2020/03/02...)
3. The Future of Web Software is HTML Over WebSockets (https://alistapart.com/article/the-fu...)
4. Be Afraid of the Ruby on Rails Supply Chain (https://w...

JSON, Alexa , Nginx and more

March 11, 2021 17:00 - 5 minutes - 3.84 MB

1 - An exploration of JSON interoperability vulnerabilities
2 - Alexa installed skills can double-cross their users
3 - Common Nginx misconfigurations that leave your web server open to attack
4 - Attacks turn struggling software projects into trojan horses
5 - Cloud Native application security with Liran Tal

CVEs aren't exploited, Python wheel jacking, total cookie protection, supply chain security, and 12 DevOps security culture fails.

March 09, 2021 12:00 - 4 minutes - 3.72 MB

1 - Just 2.6% of 2019's 18,000 Tracked Vulnerabilities Were Actively Exploited in the Wild
2 - Python Wheel-Jacking in Supply Chain Attacks
3 - Firefox 86 Introduces Total Cookie Protection
4 - Supply Chain Security In The Shadow Of Centreon And Solarigate
5 - DevOps Security Culture: 12 Fails Your Team Can Learn From