Latest Security Journey Podcast Episodes

Long Live SBOMs, Application Risk Profiling, Software Supply Chain, and more

Security Journey's hi/5 - June 23, 2022 14:00 - 2 minutes ★★★★★ - 1 rating
“SBOM” should not exist! Long live the SBOM. This article by Steve Springett, who is at the center of the software bill of materials universe, explains what an SBOM is and why they should exist. In defense of simple architectures As security professionals, we love simple because complex is hard...

Implementation of DevSecOps, Product Security Leads, Go Mitigations, and more

Security Journey's hi/5 - June 09, 2022 04:00 - 2 minutes ★★★★★ - 1 rating
3 Cultural Obstacles to Successful DevSecOps Implementation When our goal is to change security culture we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organiza...

Hi/5: Automated Threat Modeling; In-depth Research; GitHub 99designs/aws-vault; Nginx

Security Journey's hi/5 - May 26, 2022 13:00 - 2 minutes ★★★★★ - 1 rating
1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy -https://www.usenix.org/publications/l... We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Eva...

Internal Secrets; SHA-256; 28,000 Vulnerabilities disclosed in 2021; Threat Modeling.

Security Journey's hi/5 - May 12, 2022 13:00 - 2 minutes ★★★★★ - 1 rating
1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED? - https://datasociety.net/wp-content/up... This first story is a React development issue. A developer was asking if a specific property was safe to use. This shows the importance of naming in understanding the security risk...

Terraform, CI/CD, Bug Bounties and more

Security Journey's hi/5 - April 28, 2022 04:00 - 2 minutes ★★★★★ - 1 rating
Bounty Everything This ebook has in-depth explanations of how bug bounties work, how the economy works within the bug bounty, and how the researchers are paid and treated. Understanding Website SQL Injections A high-level deep dive into SQL injection, so even those that have no understanding of ...

Python Repos, Advanced SQL, NPM corruption, and more

Security Journey's hi/5 - April 12, 2022 18:00 - 2 minutes ★★★★★ - 1 rating
5% of 666 Python repos had comma typos (including TensorFlow, PyTorch, Sentry, and V8) Out of a group of GitHub repositories that had been checked, 5% had a comma problem: either a missing comma, which silently joins two adjacent string literals into one, or an extra trailing comma, which turns a value into a one-element tuple. Advanced SQL Injection Cheatsheet This repository contains ...
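Both comma-typo shapes are easy to check for mechanically. The following is an added example, not the scanner the article describes and not code from the podcast: it walks Python's own tokenize and ast output to find a string literal inside brackets that is directly followed by another string literal (a dropped comma) and an unparenthesized one-element tuple on the right of an assignment (an extra comma). The snippet it runs over is constructed for the example.

```python
# Added example (not the Code Review Doctor scanner the article describes):
# a small tokenizer/AST check for the two "comma typo" patterns in Python.
import ast
import io
import tokenize

# Constructed sample input; it is not taken from any real repository.
SAMPLE = '''
ALLOWED_HOSTS = [
    "example.com",
    "api.example.com"   # missing comma: joins with the next literal
    "static.example.com",
]
SECRET_KEY = "not-really-secret",   # extra comma: the value is now a 1-tuple
OK_LIST = ["a", "b"]
OK_STR = "part one " "part two"     # top-level implicit concatenation, not flagged
'''

OPENERS = ("(", "[", "{")
CLOSERS = (")", "]", "}")
LAYOUT = (tokenize.NL, tokenize.NEWLINE, tokenize.COMMENT,
          tokenize.INDENT, tokenize.DEDENT)


def find_missing_commas(source: str) -> list:
    """Line numbers of string literals inside brackets that are directly
    followed by another string literal. Python concatenates adjacent literals
    at compile time, so a dropped comma in a list of strings never errors;
    it just yields a shorter list with one mangled element."""
    hits = []
    depth = 0
    prev_string_line = None  # line of the previous token if it was a string
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in LAYOUT:
            continue  # newlines and comments do not break adjacency
        if tok.type == tokenize.OP and tok.string in OPENERS:
            depth += 1
            prev_string_line = None
        elif tok.type == tokenize.OP and tok.string in CLOSERS:
            depth -= 1
            prev_string_line = None
        elif tok.type == tokenize.STRING:
            if prev_string_line is not None and depth > 0:
                hits.append(prev_string_line)
            prev_string_line = tok.start[0]
        else:
            prev_string_line = None
    return hits


def find_stray_tuples(source: str) -> list:
    """Line numbers of assignments whose right-hand side is a one-element
    tuple written without parentheses, e.g. KEY = "value",  The trailing
    comma turns a str into a tuple, which code expecting a str then misuses."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Assign)
                and isinstance(node.value, ast.Tuple)
                and len(node.value.elts) == 1):
            segment = ast.get_source_segment(source, node.value) or ""
            if not segment.lstrip().startswith("("):
                hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    print("missing comma near lines:", find_missing_commas(SAMPLE))    # [4]
    print("stray trailing comma on lines:", find_stray_tuples(SAMPLE))  # [7]
```

Implicit concatenation inside brackets is sometimes deliberate (a long string split across lines), so treat a hit from find_missing_commas as a review prompt rather than a definite bug; that is the same trade-off linters that flag implicit string concatenation make.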

XSS, Cybersecurity Management, OWASP Top Ten review, Web3 and more

Security Journey's hi/5 - April 05, 2022 16:00 - 3 minutes ★★★★★ - 1 rating
1. Fuzzing for XSS via nested parsers condition - https://swarm.ptsecurity.com/fuzzing-... In this article web application security researcher Igor Sak-Sakovskiy reveals a novel technique for finding sanitization issues that could lead to XSS attacks. 2. Anti-Patterns in Cybersecurity Management...

ZAPping, AWS, and DevSecOps! Oh My!

Security Journey's hi/5 - March 17, 2022 14:00 - 3 minutes ★★★★★ - 1 rating
ZAPping the OWASP Top 10 This document gives an overview of the automation and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten 2021 risks. AWS Is the Internet's Biggest Single Point of Failure In December, sever...

Container Security, Securing our Software Future, Threat Modeling Medical Devices and more

Security Journey's hi/5 - March 02, 2022 22:00 - 3 minutes ★★★★★ - 1 rating
Exploring Container Security: A Storage Vulnerability Deep Dive - https://security.googleblog.com/2021/... Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host file system outside the boundaries of the mounted volume...

Exact Dependencies, Insecure Design, How To Learn Stuff Quickly and more

Security Journey's hi/5 - February 17, 2022 14:00 - 3 minutes ★★★★★ - 1 rating
How to Learn Stuff Quickly: https://www.joshwcomeau.com/blog/how-... Learning how to learn is a crucial skill for the security professional and the developer. Never Update Anything: https://blog.kronis.dev/articles/neve... "In my eyes, it could be pretty nice to have a framework version that's suppor...

Trojan Source Attacks, AppSec Things to Watch, AWS WAF's Dangerous Defaults and more

Security Journey's hi/5 - January 27, 2022 14:00 - 3 minutes ★★★★★ - 1 rating
Protect your open source project from supply chain attacks - https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html?m=1 This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide fo...

Holiday Hi/5: OWASP Top 10 Analysis, OWASP A08:2021, All Things SSRF, and more

Security Journey's hi/5 - December 17, 2021 05:00 - 2 minutes ★★★★★ - 1 rating
GitLab analysis of OWASP Top 10 changes from 2004 to 2021 - https://public.flourish.studio/visual... Visualization of how the OWASP Top Ten has changed over the years. To Learn a New Language, Read Its Standard Library - http://patshaughnessy.net/2021/10/23/... The best way to learn a new programming ...

Hi/5: Minimum Viable Secure Product, Bandit, Sigstore and more

Security Journey's hi/5 - December 02, 2021 12:00 - 2 minutes ★★★★★ - 1 rating
Minimum Viable Secure Product Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers. How to Secure Python Web App Using Bandit Bandit is a static analysis tool that locates common security problems in Python code so they can be corrected. To do tha...

Hi/5: WrongSecrets, IT Assets, OWASP Top 10, CORS and Password Wisdom

Security Journey's hi/5 - November 17, 2021 17:00 - 2 minutes ★★★★★ - 1 rating
commjoen/wrongsecrets - https://github.com/commjoen/wrongsecrets Improper secret storage is a common technology problem. Use this tool to expose your developers to how to do it wrong, so they can learn how to do it right. List of IT Assets an Attacker is most likely to Extort - https://www.help...

How Yahoo Built a Culture of Cybersecurity, minimaxir/big-list-of-naughty-strings, Issue #4409, OWASP A08:2021, Apache Servers

Security Journey's hi/5 - October 21, 2021 16:00 - 3 minutes ★★★★★ - 1 rating
How Yahoo Built a Culture of Cybersecurity - https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurity Commentary: Security culture continues to grow as a non-negotiable piece of a security strategy. minimaxir/big-list-of-naughty-strings - https://github.com/minimaxir/big-list-of-n...

Threat Modeling, Highest Quality of Software Code, Cloud Company, and more

Security Journey's hi/5 - October 07, 2021 18:00 - 2 minutes ★★★★★ - 1 rating
1. NIST Brings Threat Modeling into the Spotlight If you haven't heard about the Executive Order on software security and supply chain, and NIST's work under it, you've been living under a rock. Adam gives us the threat modeling perspective on the EO. 2. How to ensure the highest quality of Software code Securi...

New and Growing Threats, HTTP/2, DefCon29, and More

Security Journey's hi/5 - September 02, 2021 18:00 - 4 minutes ★★★★★ - 1 rating
1. Application security tools ineffective against new and growing threats Outdated offerings, false positives, and ineffective blocking are among the main causes driving this global concern. 2. HTTP/2: The Sequel is Always Worse Attackers are learning HTTP/2. Developers and defenders must le...

Empty Npm Package, Privacy, Security Automation, and More

Security Journey's hi/5 - August 26, 2021 18:00 - 5 minutes ★★★★★ - 1 rating
1. Empty npm package '-' has over 700,000 downloads — here's why It has been downloaded about 720,000 times since it was published to the npm registry in early 2020. 2. Privacy – more than the icing on the cake Questions to consider: What are we working on? What can go wrong? and more. Give this a ...

SQL Injection Vulnerabilities, Security Nihilism, Passwords, and More

Security Journey's hi/5 - August 19, 2021 18:00 - 4 minutes ★★★★★ - 1 rating
1. 16 of 30 Google results contain SQL injection vulnerabilities The dreadful quality of most of Google's search results. Several of these results were, simply put, SEO-optimized baloney. 2. A case against security nihilism Skepticism that we can guard against the NSO Group's Pegasus spyware...

Threat Modeling, Secure-Coding-Handbook, Security Headers, and more

Security Journey's hi/5 - August 12, 2021 18:00 - 4 minutes ★★★★★ - 1 rating
1. Jeevan Singh -- Threat modeling based in democracy Jeevan joins us to speak about self-serve threat modeling at Segment, or threat modeling based in democracy. 2. joswha/Secure-Coding-Handbook Client side, Server Side, Auxiliary. 3. Security headers quick reference Security headers reco...

Threat Model Framework, Decision Tree Generator, Npm Audit, and more

Security Journey's hi/5 - August 05, 2021 18:00 - 5 minutes ★★★★★ - 1 rating
1. How we're creating a threat model framework that works for GitLab While our Security team owns the framework, we don't "run" it. It is run by the people who are running the project. 2. Deciduous: A Security Decision Tree Generator Security decision trees are a powerful tool to inform saner ...

Groundhog Day, TypeScript, Minimum Standard for Vendor, and more

Security Journey's hi/5 - July 29, 2021 18:00 - 5 minutes ★★★★★ - 1 rating
1. Groundhog day: NPM package caught stealing browser passwords The author intended to trick the targets into executing the malicious package. In cases of malware placed in package repositories, attackers usually rely on typosquatting. 2. TypeScript Doesn't Suck; You Just Don't Care About Se...

PyPI Cryptomining Malware, Infosec Core Competencies, SSRF Cheat Sheet, and more

Security Journey's hi/5 - July 22, 2021 18:00 - 6 minutes ★★★★★ - 1 rating
1. Sonatype Catches New PyPI Cryptomining Malware Malicious packages continue to infect our public package repositories; all developers must understand these threats! 2. (Technical) Infosec Core Competencies While these core competencies stray slightly to the red team / pen test side, this is...

Cybereason, Introducing SLSA, Peloton Bike Vulnerability, and more

Security Journey's hi/5 - July 15, 2021 18:00 - 6 minutes ★★★★★ - 1 rating
1. Cybereason: 80% of orgs that paid the ransom were hit again Prevention of ransomware is a human and technology solution. 2. Introducing SLSA, an End-to-End Framework for Supply Chain Integrity Learn from Google's eight years of protecting their supply chain. 3. Peloton Bike+ vulnerabili...

Thinking back, Looking forward - A Balanced Approach to Securing our Software Future

Application Security PodCast - July 15, 2021 16:00 - 1 hour ★★★★★ - 27 ratings
Kevin Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices. Kevin and...

Impact of GDPR, JavaScript for Pen Testers and Bug Bounty Hunters, Incident Response Plan, and more

Security Journey's hi/5 - July 08, 2021 20:00 - 6 minutes ★★★★★ - 1 rating
1. Impact of GDPR on Cloud Service Providers Privacy is here to stay -- long live data privacy in the cloud. 2. Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters Bug bounty hunter techniques are the same techniques adversaries use. 3. What Every Incident Respon...

Unified Kill Chain, Why Devs Dislike Security, Hacker Tools Used for Good, and more

Security Journey's hi/5 - July 01, 2021 18:00 - 7 minutes ★★★★★ - 1 rating
1. The Unified Kill Chain The Unified Kill Chain is thorough, and all builders and defenders must understand the techniques of our adversaries. 2. Why Developers Dislike Security -- and What You Can Do About It Developers that embrace security and learn all the ins and outs rise to the top and...

I Mailed an Airtag, Protect Public AWS SSM Documents, Zen of Python, and more

Security Journey's hi/5 - June 24, 2021 18:00 - 6 minutes ★★★★★ - 1 rating
1. I Mailed an AirTag and Tracked Its Progress; Here's What Happened AirTags use the network capacity of all other Apple devices. If you own an Apple device, you're now part of a mesh network that you cannot disable. 2. The Need to Protect Public AWS SSM Documents – What the Research Shows F...

Cross-site Scripting, DevOps, OAuth 2.0, GitLab Packages, and more

Security Journey's hi/5 - June 17, 2021 18:00 - 6 minutes ★★★★★ - 1 rating
1. Cross-site scripting (XSS) cheat sheet Learn XSS at a depth that you can explain it to anyone, and understand the diversity of attack that exists across the set of XSS vectors. 2. Why DevOps Will Cease to Exist Just like DevOps is integrated into every developer's job, so is security. ...

Jeevan Singh -- Threat modeling based in democracy

Application Security PodCast - June 11, 2021 19:00 - 36 minutes ★★★★★ - 27 ratings
Jeevan Singh is a Security Engineer Manager at Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Before life in the security space, Jeevan had ...
