
Episode 208 - Passwords are pollution

Josh and Kurt talk about some of the necessary evils of security. There are challenges we face like passwords and resource management. Sometimes the problem is old ideas, sometimes it's that we don't have metrics. Can you measure not getting hacked?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_208_Passwords_are_pollution.mp3

Show Notes:
- Clearing checks
- FAIR Institute
- Factorio

August 3, 2020

Episode 207 - Weaponized attention

Josh and Kurt start this one by explaining how the Twitter hacker was just a dumb criminal (most criminals are dumb). We then discuss the new GPT-3 AI that can create text, how we create, and how social media is doing everything it can to weaponize our attention. It's not a fight humanity is winning.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_207_Weaponized_attention.mp3

Show Notes:
- GPT-3 AI
- Blipverts

Show Tags: #weaponizedattention #GPT-3 #GPT3

July 27, 2020

Episode 206 - Confidential Virtual Machines; The future of cloud computing

Josh and Kurt talk about Google's new confidential VMs. AMD Secure Encrypted Virtualization (SEV) is the technology that makes it all possible. What is SEV, how does it work, and why should you care? This technology is going to be the future of the cloud.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_206_Confidential_Virtual_Machines_The_future_of_cloud_computing.mp3

Show Notes:
- Google confidential VMs
- AMD SEV
- SEV vs SGX

Show Tags: #confidentialcomputing

July 20, 2020

Episode 205 - The State of Open Source Security with Alyssa Miller from Snyk

Josh and Kurt talk to Alyssa Miller from Snyk about the State of Open Source Security 2020 report. Alyssa was the report author and has some great insight into the current trends we're seeing in open source security and some of the challenges developers face. We discuss the difficulty static and composition analysis scanners face. It's a great conversation!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_205_The_State_of_Open_Source_Security_with_Alyssa_Miller_from_Snyk.mp3

Show Notes:
- The State of Open Source Security 2020
- Alyssa's Twitter

Show Tags: #opensourcesecurity

July 13, 2020

Episode 204 - What Would Apple Do?

Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_204_What_Would_Apple_Do.mp3

Show Notes:
- Apple one year certificates
- Apple declines to implement 16 new APIs
- Apple is tracking unsigned executables

July 6, 2020

Episode 203 - Humans, conferences, and security: let me think and get back to you in a bit

Josh and Kurt talk about human behavior. The conversation makes its way to conferences and the perpetual question of whether a conference is useful or not. We come to the agreement that the big shows aren't what they used to be, but things like BSides are great experiences.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_203_Humans_conferences_and_security_let_me_think_and_get_back_to_you_in_a_bit.mp3

Show Notes:
- Security and Human Behaviour
- Josh's blog post
- Mudge's Twitter thread

June 29, 2020

The ineffective CISO

I've been thinking about this one for a while. I've seen some CISOs who are amazing at what they do, and I've seen plenty that can't get anything done. After working with one that I think is particularly good lately, I've made some observations that have changed my mind about the modern-day CISO reporting structure. The TL;DR of this post is: if you have a CISO that claims they can only get their job done if they report to the board or CEO, you have an ineffective CISO. ...

June 23, 2020

Episode 200 - Talking Container Security with Liz Rice

Josh and Kurt talk to Liz Rice from Aqua Security about container security and her new book on the same topic. What does container security look like today? What are some things you can do now? What will container security look like in the future?

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_200_Talking_Container_Security_with_Liz_Rice.mp3

Show Notes:
- Container Security download
- Pictures of elephants
- Kubernetes Security book
- Starboard project
- Dynamic threat analysis

June 8, 2020

Episode 199 - Special cases are special: DNS, Websockets, and CSV

Josh and Kurt talk about a grab bag of topics: a DNS security flaw, port scanning your machine from a web browser, and CSV files running arbitrary code. All of these things end up being the result of corner cases. Letting a corner case be part of a default setup is always a mistake. Yes, always, not even that one time.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_199_Special_cases_are_special_DNS_Websockets_and_CSV.mp3

Show Notes:
- Bind advisory
- Robustness Principle
- eBay port scanning localhost
- OWASP CSV injection

June 1, 2020

Broken vulnerability severities

This blog post originally started out as a way to point out why the NVD CVSS scores are usually wrong. One of the amazing things about having easy access to data is you can ask a lot of questions, questions you didn't even know you had, and find answers right away. If you haven't read it yet, I wrote a very long series on security scanners. One struggle I have is that there are often many "critical" findings in those scan reports that aren't actually critical. I wanted to write something that explained why that was, but because my data took me somewhere else, this is the post you get. I knew CVSSv3 wasn't perfect (even the CVSS folks know this), but I found some really interesting patterns in the data. The TL;DR of this post is: it may be time to start talking about CVSSv4. ...

May 27, 2020