    vulnerabilityreporting

    Explore "vulnerabilityreporting" with episodes such as "Who Are You? - Adrian Sanabria - SCW #52", "The Sledgehammer - SCW #52", "What's in It for Us? - Adrian Sanabria - SCW #52" and "Lax IoT, Adobe Flash Croaks, Link Preview Vulns, & Security Theatre! - ASW #128", from podcasts such as "Security Weekly Podcast Network (Video)", "Security Weekly Podcast Network (Audio)", "Security and Compliance Weekly (video)" and "Application Security Weekly (Video)", and more!

    Episodes (100)

    The Sledgehammer - SCW #52

    This week, we have the pleasure of welcoming the newest member of the CRA/Security Weekly family, Adrian Sanabria! What is his role at Security Weekly, and what is the plan for rolling things out over the next 12-18 months? We'll continue the discussion with Adrian Sanabria and explore if and how the plans for CRA/Security Weekly will impact the Security & Compliance Weekly audience!

    Show Notes: https://wiki.securityweekly.com/scw52

    Visit https://www.securityweekly.com/scw for all the latest episodes!

     

    Follow us on Twitter: https://www.twitter.com/securityweekly

    Like us on Facebook: https://www.facebook.com/secweekly

    Lax IoT, Adobe Flash Croaks, Link Preview Vulns, & Security Theatre! - ASW #128

    Lax IoT security exposes smart-irrigation systems, Adobe Flash goes truly end of line in one last update, confidential computing gets a turbo boost with Nitro, link previews show security and privacy problems, and security theatre gets an encore!

    Visit https://www.securityweekly.com/asw for all the latest episodes!

    Show Notes: https://wiki.securityweekly.com/asw128

    A Stakeholder-Specific Approach to Vulnerability Management

    Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This podcast, which highlights the latest work in prioritizing actions during vulnerability management, presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with CVSS. SSVC takes the form of decision trees for different vulnerability management communities. During this podcast, CERT vulnerability researchers Eric Hatleback, Allen Householder, and Jonathan Spring discuss SSVC and also walk audience members through scoring a sample vulnerability.
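To make the contrast between a single CVSS number and a stakeholder-specific decision tree concrete, here is an added Python illustration (not CERT/CC's code and not the published SSVC tree). It borrows the SSVC deployer vocabulary for its decision points (Exploitation, Exposure, Utility, Human Impact) and outcomes (defer, scheduled, out-of-cycle, immediate), but the branching rules, the `Vuln` record and the three sample findings are hypothetical constructions for the example.

```python
"""Stakeholder-specific triage as a decision tree, in the spirit of SSVC.

Added illustration, not CERT/CC code. Decision point names and outcome labels
follow the SSVC deployer vocabulary; the branching below is a deliberately
simplified, hypothetical ordering and NOT the published SSVC outcome table.
"""
from dataclasses import dataclass
from enum import Enum


class Exploitation(Enum):
    NONE = "none"              # no public exploit, no reports of use
    POC = "poc"                # proof-of-concept code or technique is public
    ACTIVE = "active"          # credible reports of in-the-wild exploitation


class Exposure(Enum):
    SMALL = "small"            # local access only, or a tightly bounded network
    CONTROLLED = "controlled"  # reachable only through a specific boundary control
    OPEN = "open"              # Internet-reachable or otherwise unconstrained


class Utility(Enum):
    LABORIOUS = "laborious"
    EFFICIENT = "efficient"
    SUPER_EFFECTIVE = "super effective"


class HumanImpact(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    VERY_HIGH = "very high"


@dataclass(frozen=True)
class Vuln:
    name: str
    cvss_base: float
    exploitation: Exploitation
    exposure: Exposure
    utility: Utility
    human_impact: HumanImpact


URGENCY = {"immediate": 0, "out-of-cycle": 1, "scheduled": 2, "defer": 3}


def deployer_decision(v: Vuln) -> str:
    """Walk an illustrative deployer tree to one of four SSVC-style outcomes.

    Branch order: what attackers are actually doing (Exploitation), how reachable
    the asset is (Exposure), then what is at stake (Human Impact) and how reusable
    the exploit is (Utility). These rules are hypothetical, not the SSVC table.
    """
    if v.exploitation is Exploitation.ACTIVE:
        if v.exposure is Exposure.OPEN or v.human_impact in (HumanImpact.HIGH, HumanImpact.VERY_HIGH):
            return "immediate"
        return "out-of-cycle"
    if v.exploitation is Exploitation.POC:
        if v.exposure is Exposure.OPEN and v.human_impact is not HumanImpact.LOW:
            return "out-of-cycle"
        if v.utility is Utility.SUPER_EFFECTIVE and v.human_impact is HumanImpact.VERY_HIGH:
            return "out-of-cycle"
        return "scheduled"
    # No known exploitation: only a tiny, low-impact footprint is deferred.
    if v.exposure is Exposure.SMALL and v.human_impact is HumanImpact.LOW:
        return "defer"
    return "scheduled"


def cvss_order(vulns):
    """Baseline most teams use today: highest CVSS base score first."""
    return [v.name for v in sorted(vulns, key=lambda v: -v.cvss_base)]


def ssvc_order(vulns):
    """Stakeholder-specific ordering: tree outcome first, CVSS only as tie-break."""
    return [v.name for v in sorted(vulns, key=lambda v: (URGENCY[deployer_decision(v)], -v.cvss_base))]


# Constructed inventory with made-up names; the attribute combinations are the point.
SAMPLE = [
    Vuln("vuln-a", 9.8, Exploitation.NONE, Exposure.SMALL, Utility.LABORIOUS, HumanImpact.LOW),
    Vuln("vuln-b", 6.5, Exploitation.ACTIVE, Exposure.OPEN, Utility.EFFICIENT, HumanImpact.MEDIUM),
    Vuln("vuln-c", 7.5, Exploitation.POC, Exposure.OPEN, Utility.SUPER_EFFECTIVE, HumanImpact.HIGH),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name}: CVSS {v.cvss_base} -> {deployer_decision(v)}")
    print("CVSS order:", cvss_order(SAMPLE))
    print("SSVC order:", ssvc_order(SAMPLE))
```

The sample is built so the two orderings disagree: the 9.8 finding with no exploit, no exposure and low impact drops to the bottom, while the 6.5 under active exploitation on an Internet-facing asset jumps to the top. The real SSVC trees are published as full outcome tables; a production implementation should encode those tables rather than hand-written branches like the ones above.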

    Prioritize This, Prioritize That, Prioritize With Context! - Roi Cohen, Shani Dodge - PSW #670

    Software vulnerabilities are exploding in growth at an unprecedented rate, and security teams are struggling to stay afloat. Lifebuoys (i.e. CVSS base scores) aren’t doing much to save them, either. A new advancement in threat prioritization offers relief, integrating the vulnerabilities’ surrounding characteristics to identify the most severe risks.

    This segment is sponsored by Vicarius. Visit https://securityweekly.com/vicarius to learn more about them!

    Visit https://www.securityweekly.com/psw for all the latest episodes!

    Show Notes: https://wiki.securityweekly.com/psw670

    2020 Threat Hunting Report: Insights From the CrowdStrike OverWatch Team - Jen Ayers - ESW #201

    Falcon OverWatch, the CrowdStrike® elite team of threat hunters, has the unparalleled ability to see and stop the most sophisticated threats, leaving adversaries with nowhere to hide. In this segment we'll discuss the OverWatch team's key threat hunting findings from the first half of 2020, as described in the 2020 Threat Hunting Report. The report reviews intrusion trends during that time frame, provides insights into the current landscape of adversary tactics and delivers highlights of notable intrusions OverWatch identified. Download the full report: https://www.crowdstrike.com/resources/reports/threat-hunting-report-2020/ Learn about the latest trends in cyber crime and take a deep dive into some of the tactics, techniques and procedures in use by specific cyber crime groups!

    Visit https://securityweekly.com/crowdstrike to learn more about them!

    Visit https://www.securityweekly.com/esw for all the latest episodes!

    Show Notes: https://securityweekly.com/esw201

    Vulnerability Management & the Art of Prioritization of Risk - SCW #45

    There was a pretty extensive discussion on the Discord server during last week's show that we thought was appropriate to discuss on air. Josh kicked off the discussion by asking, "Anybody know any vulnerability remediation timeline guidance? Formalized, scientifically based stuff?" Josh further clarified, "just trying to find the science behind why and when I should give a crap about vulnerabilities". He finally stated, "I am troubled by the lack of empirically based standards of remediation timing, remediation prioritization, remediation adjustment/offsets based on compensating controls." This launched a multi-threaded conversation that touched on vulnerability management, how to pass various compliance audits/assessments, the many vendors that have latched on to "prioritization" of vulnerabilities, or simply "Risk-Based Vulnerability Management". Of course, PCI became a focal point for much of the discussion because of the mention of vulnerability management, compensating controls, remediation timing, etc. - all of which is addressed within the PCI DSS (despite what Quadling thinks). We're going to try to find consensus on the problem, possible solutions (based on recognized sources), and provide advice.

    Visit https://www.securityweekly.com/scw for all the latest episodes!

    Show Notes: https://wiki.securityweekly.com/scw45

    Chrome Sandbox Exploit, Cisco Jabber CVE, & Lea Snyder w/ BSides Boston - PSW #666

    We welcome special guest Lea Snyder, BSides Boston Organizer, to talk all things BSides Boston 2020 for its 10-year anniversary! In the Security News, Cisco Patches Critical Vulnerability in Jabber for Windows, Expert found multiple critical issues in MoFi routers, TeamTNT Gains Full Remote Takeover of Cloud Instances, Bluetooth Bug Opens Devices to Man-in-the-Middle Attacks, Former NSA chief General Keith Alexander is now on Amazon's board, and the Legality of Security Research is to be Decided in a US Supreme Court Case!

    Visit https://www.securityweekly.com/psw for all the latest episodes!

    Show Notes: https://wiki.securityweekly.com/psw666

    The Patchless Horseman - Roi Cohen & David Asraf - PSW #666

    Every time you deploy a patch nothing has ever gone wrong, right? Most of us have been burned by deploying a patch, causing downtime in your environment, getting in trouble with users and management for causing an outage and having to back out a patch, then re-deploy. The team at Vicarius has a way to apply in-memory virtual patches that mitigate exploitation and do not require binaries to be altered. Tune in for the full description and demo!

    This segment is sponsored by Vicarius. Visit https://securityweekly.com/vicarius to learn more about them!

    Visit https://www.securityweekly.com/psw for all the latest episodes!

    Show Notes: https://wiki.securityweekly.com/psw666

    Predicting Vulnerabilities In Compiled Code - Roi Cohen & Shani Dodge - PSW #664

    The growth in software vulnerability exploitation creates a need for better prediction capabilities. Over time, there have been shifts in the ways of discovering vulnerabilities in binary code. Research and development of new tools enables security pros to adopt innovative techniques to scale the process.

    This segment is sponsored by Vicarius. Visit https://securityweekly.com/vicarius to learn more about them!

    Visit https://www.securityweekly.com/psw for all the latest episodes!

    Show Notes: https://wiki.securityweekly.com/psw664

    SWVHSC: Mapping MITRE ATT&CK to PCI DSS - Jeff Man - ESW #193

    MITRE ATT&CK seems to be the “next big thing”. Every time I hear about it I can’t help but wonder, “how do you prevent all these attacks in the first place? Shouldn’t that be the end game?” To that end, I set out to map all the recommended “Mitigations” for all the “Techniques” detailed in ATT&CK to see how many are already addressed by what is required in the Payment Card Industry Data Security Standard (PCI DSS). My hypothesis was all of them. The results were interesting and a little surprising, and I’m still trying to figure out how to best use the results and subsequently ATT&CK itself. I will present my findings in the briefing and hopefully generate a discussion about what to do with the results.

    Visit https://www.securityweekly.com/esw for all the latest episodes!

    Show Notes: https://securityweekly.com/esw193
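The mapping exercise described in this segment (take every ATT&CK Mitigation attached to every Technique, ask which ones a standard already requires) can be mechanised on the ATT&CK STIX data. The following Python is an added example, not the speaker's spreadsheet or any MITRE tooling. The bundle is a constructed miniature that uses the real ATT&CK STIX 2 object types (`attack-pattern`, `course-of-action`, `relationship` with `relationship_type: mitigates`) and real ATT&CK identifiers, but only a handful of them; the `PCI_MAP` dict is an illustrative, deliberately partial mapping keyed to PCI DSS v3.2.1 requirement numbers, standing in for the analyst judgement the talk is about rather than reproducing its findings.

```python
"""Coverage check: which ATT&CK techniques have at least one mitigation that a
compliance standard already requires?

Added example, not the speaker's work. BUNDLE_JSON is a constructed miniature
in the real ATT&CK STIX 2 layout; PCI_MAP is an illustrative, partial mapping.
"""
import json

BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--t1078", "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1190", "name": "Exploit Public-Facing Application",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1190"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1110", "name": "Brute Force",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}]},
        # ATT&CK lists no mitigations for T1082; it exercises the "nothing to map" path.
        {"type": "attack-pattern", "id": "attack-pattern--t1082", "name": "System Information Discovery",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1082"}]},
        {"type": "course-of-action", "id": "course-of-action--m1032", "name": "Multi-factor Authentication",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
        {"type": "course-of-action", "id": "course-of-action--m1051", "name": "Update Software",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1051"}]},
        {"type": "course-of-action", "id": "course-of-action--m1030", "name": "Network Segmentation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1030"}]},
        {"type": "course-of-action", "id": "course-of-action--m1036", "name": "Account Use Policies",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1036"}]},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1032", "target_ref": "attack-pattern--t1078"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1051", "target_ref": "attack-pattern--t1190"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1030", "target_ref": "attack-pattern--t1190"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1036", "target_ref": "attack-pattern--t1110"},
    ],
})

# Illustrative and intentionally partial: M1030 and M1036 are left unmapped so
# the report shows what an uncovered mitigation and an uncovered technique look like.
PCI_MAP = {
    "M1032": {"8.3"},   # PCI DSS v3.2.1 8.3: multi-factor authentication
    "M1051": {"6.2"},   # PCI DSS v3.2.1 6.2: install vendor security patches
}


def attack_id(obj):
    """Return the T####/M#### identifier from a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise KeyError(f"no mitre-attack id on {obj['id']}")


def mitigations_by_technique(bundle):
    """Map each technique ID to the set of mitigation IDs that 'mitigate' it.
    Techniques with no mitigations still appear, with an empty set."""
    by_ref = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    result = {attack_id(o): set() for o in by_ref.values() if o["type"] == "attack-pattern"}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "mitigates":
            result[attack_id(by_ref[o["target_ref"]])].add(attack_id(by_ref[o["source_ref"]]))
    return result


def pci_coverage(bundle, pci_map):
    """Split techniques into covered (some mitigation maps to a requirement) and
    uncovered (no mitigations, or none of them map). Covered entries carry the
    requirement set; uncovered entries carry the mitigations nobody mapped."""
    covered, uncovered = {}, {}
    all_mitigations = set()
    for tech, mits in mitigations_by_technique(bundle).items():
        all_mitigations |= mits
        reqs = set().union(*(pci_map.get(m, set()) for m in mits))
        (covered if reqs else uncovered)[tech] = reqs if reqs else mits
    unmapped = {m for m in all_mitigations if m not in pci_map}
    return {"covered": covered, "uncovered": uncovered, "unmapped_mitigations": unmapped}


def run():
    return pci_coverage(json.loads(BUNDLE_JSON), PCI_MAP)


if __name__ == "__main__":
    report = run()
    print("covered:", report["covered"])
    print("uncovered:", report["uncovered"])
    print("mitigations with no PCI requirement:", sorted(report["unmapped_mitigations"]))
```

Against the real enterprise-attack bundle the same code runs unchanged, with two practical caveats: filter out objects carrying `revoked` or `x_mitre_deprecated` set to true before counting, and remember that a technique with an empty mitigation set (ATT&CK says some cannot be prevented, only detected) can never be "covered" by a preventive standard, which is one reason the hypothesis "all of them" is hard to satisfy.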

    Marketing & Selling to the CISO - BSW #182

    Marketing to today’s CISO is no easy task. CISOs have an unprecedented amount of work on their plates with constantly shifting technology, vast amounts of data in motion, regulatory requirements and new threats arising daily. We'll discuss the results of a Merritt Group Survey on Marketing and Selling to the CISO, 2020 Edition.

    Visit https://www.securityweekly.com/bsw for all the latest episodes!

    Show Notes: https://wiki.securityweekly.com/bsw182

    © 2024 Podcastworld. All rights reserved
