Vogons, Task Scams, HiatusRat, Cellebrite, Deloitte, Quantum, WordPress, Aaran Leyland, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-438

Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures. Segment resources https://youtu.be/ydg95R2QKwM Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! 00:00 Welcome to Application Security Weekly! 01:49 Meet the Experts 03:28 What Are Non-Human Identities? 06:17 Balancing Security & Usability 08:24 MFA Challenges & Admin Security 12:09 Navigating Breaking Changes 16:05 Security by Design in Action 18:42 Identity Management for Startups 20:18 Secure by Design: Real Impact 24:03 Transparency After a Critical Vulnerability 31:39 Looking Ahead to 2025 32:45 Application Security in Three Words 34:10 - Intro & Cyber Resilience Insights 35:30 - The 25-Year-Old Curl Bug Story 38:27 - Fuzzing for Security: A Missed Opportunity? 42:56 - AWS re:Invent Security Highlights 46:04 - NPM Malware Surge 50:43 - Small Packages, Big Risks in NPM 54:05 - Open Source Security Trends 58:37 - Microsoft MFA Vulnerability Explained 62:38 - Hardware Hacking & DMA Exploits 65:05 - Auditing Ruby’s Package Ecosystem 68:12 - Looking Ahead to 2025 Show Notes: https://securityweekly.com/asw-311

Nudity, Krispy Kreme, Cleo, AIAPIs, non-human identities, North Korea, Jersey Drones, Josh Marpet, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-437

For our second year now, Mike Privette, from Return on Security and the Security, Funded newsletter joins us to discuss the year's highlights and what's to come in the next 12 months. In some ways, it has been a return to form for funding, though some casualties of a tough market likely had to seek acquisition when they might have otherwise raised another round and stayed independent a while longer. We'll cover some stats, talk 2025 IPO market, and discuss the likelihood of (already) being in another bubble, particularly with regards to the already saturated AI security market. It won't be all financial trends though, we'll discuss some of the technical market trends, whether they're finding market fit, and how ~50ish AI SOC startups could possibly survive in such a crowded space. In this segment, we discuss two new FIDO Alliance standards focused on credential portability. Specifically, if passwordless is going to catch on, we need to minimize friction and maximize usability. In practice, this means that passkeys must be portable! Rew Islam of Dashlane joins us to discuss the new standards and how they'll help us enter a new age of secure authentication, both for consumers and the enterprise. Segment Resources: Elevating Passwordless Security With AWS Nitro Synced Passkeys Will Be Portable FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys This week, in the enterprise security news, NOTE: We didn't get to 2, 3, 5, or 7 due to some technical difficulties and time constraints, but we'll hit them next week! The show notes have been updated to reflect what we actually discussed this week: https://www.scworld.com/podcast-segment/13370-enterprise-security-weekly-387 Snowflake takes security more seriously Microsoft takes security more seriously US Government takes telecom security more seriously Cleo Capital takes security more seriously EU’s DORA takes effect soon Is phishing and security awareness training worthless? CISOs need financial literacy Supply chain firewall is basic but useful All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-387

Join us for this segment as we discuss government regulations and certifications as they apply to supply chain security and vulnerability management, and how understanding the mumbo jumbo can enable organizations to improve their cyber security. In the security news, the crew, (minus Paul) get to gather to discus hacks causing disruptions, in healthcare, donuts and vodka, router and OpenWRT hacks (and the two are not related), Salt/Volt Typhoon means no more texting and 10 year old vulnerabilities and more! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-854

For over 15 years, Okta has led the charge in securing digital identities through more sophisticated sign-in solutions. Our latest 2024 Secure Sign-In Trends Report offers insights into the rapidly evolving world of identity security, specifically on how organizations across industries are embracing modern, phishing-resistant methods like Multi-Factor Authentication (MFA) and passwordless sign-ins. In this year's report, we explore: - The surge in MFA adoption across industries, and what it means for the future of secure authentication. - Phishing-resistant authentication methods gaining traction, signaling that the passwordless future is possible. - Why a seamless user experience and strong security are no longer in opposition. - How industries compare in their adoption of modern authentication, and who's setting the pace. Segment Resources: Secure Sign-In Trends Full Report: https://www.okta.com/resources/whitepaper-the-secure-sign-in-trends-report/ Todd McKinnon Blog on the Secure Sign-In Trends Report: https://www.okta.com/blog/2024/10/phishing-resistant-mfa-shows-great-momentum/ This segment is sponsored by Okta. Visit https://www.securityweekly.com/okta to learn more about them! In the leadership and communications segment, How Good Leaders Become Great By Never Leading Alone, How Leaders Can Prepare Their Teams For 2025, Nervous About Public Speaking? Here’s How to Use Notes Like a Pro, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-375

Evil ISPs, Deloitte, YOLO11, Microsoft, Gift Cards, Navix, Horror, Telegram, Josh Marpet and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-436

We do our usual end of year look back on the topics, news, and trends that caught our attention. We covered some OWASP projects, the ongoing attention and promises of generative AI, and big events from the XZ Utils backdoor to Microsoft's Recall to Crowdstrike's outage. Segment resources https://prods.ec https://owasp.org/www-project-spvs/ https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/ https://securitychampions.owasp.org/ https://deadliestwebattacks.com/appsec/2024/11/14/ai-and-llms-asw-topic-recap https://www.scworld.com/podcast-episode/3017-infosec-myths-mistakes-and-misconceptions-adrian-sanabria-asw-279 Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-310

Deloitte, e-Tattoos, Web 3.0, Cp3o, Chemonics, IPv6, the Number 6, Chinese Emperors, Aaran Leyland, and More, on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-435

In this final installment of a trio of discussions with Theresa Lanowitz about Cyber Resilience, we put it all together and attempt to figure out what the road to cyber resilience looks like, and what barriers security leaders will have to tackle along the way. We'll discuss: How to identify these barriers to cyber resilience Be secure by design Align cybersecurity investments with the business Also, be sure to check out the first two installments of this series! Episode 380: Cybersecurity Success is Business Success Episode 383: Cybersecurity Budgets: The Journey from Reactive to Proactive This segment is sponsored by LevelBlue. Visit https://securityweekly.com/levelblue to learn more about them! When focused on cybersecurity through a vulnerability management lens, it's tempting to see the problem as a race between exploit development and patching speed. This is a false narrative, however. While there are hundreds of thousands of vulnerabilities, each requiring unique exploits, the number of post-exploit actions is finite. Small, even. Although Log4j was seemingly ubiquitous and easy to exploit, we discovered the Log4Shell attack wasn't particularly useful when organizations had strong outbound filters in place. Today, we'll discuss an often overlooked advantage defenders have: mitigating controls like traffic filtering and application control that can prevent a wide range of attack techniques. This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! This week, in the enterprise security news, Funding and acquisition news slows down as we get into the “I’m more focused on holiday shopping season” North Pole Security picked an appropriate time to raise some seed funding Breaking news, it’s still super easy to exfiltrate data The Nearest Neighbor Attack Agentic Security is the next buzzword you’re going to be tired of soon Frustrations with separating work from personal in the Apple device ecosystem We check in on the AI SOC and see how it’s going Office surveillance technology gives us the creeps All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-386