Security Weekly Podcast Network (Video)

Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake! Segment Resources: BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/) CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891) Show Notes: https://securityweekly.com/psw-804

We officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more! Show Notes: https://securityweekly.com/psw-804

In this interview, we talk to Chad Cardenas about why he created The Syndicate Group, which operates very differently from the typical VC firm with LPs and a collective fund to draw from. We'll discuss how the investor/startup relationship differs, and what the advantages of this model are. Show Notes: https://securityweekly.com/esw-337

Appsec lessons from the Okta breach, directory traversal (and appsec) lessons from SolarWinds, how CISOs and Boards rank factors around vulns and patching, revisiting cryptocurrency attacks for lessons in business logic and threat modeling, CISA and friends update guidance on Secure Design, and more! Show Notes: https://securityweekly.com/asw-260

Goatse, Okta, Cisco, Ducktail, 0Auth, China, Spain, More News and Aaran Leyland. Show Notes: https://securityweekly.com/swn-336

We return to discussions of OAuth and all sorts of authentication. This time around we're looking at the design of authentication protocols, the kinds of trade-offs they weigh for adoption and security, and how a standard evolves over time to keep pace with new attacks and put to rest old mistakes. Segment resources: https://fusionauth.io/docs/v1/tech/core-concepts/modes https://webauthn.wtf/ https://datatracker.ietf.org/doc/html/rfc7636 https://www.ietf.org/about/participate/tao/ Show Notes: https://securityweekly.com/asw-260

In the leadership and communications section, Cybersecurity should be a business priority for CEOs, What CISOs Should Exclude From SEC Cybersecurity Filings, Effective Communication: The Key to Workplace Success, and more! Show Notes: https://securityweekly.com/bsw-325

As the CISO role continues to transform from a technician to a risk manager, how do you secure emerging technologies, such as edge computing? By aligning to business objectives. In this segment, Theresa Lanowitz from AT&T Cybersecurity and Scott Stout From Cisco help us break down the challenges of the CISO and how to align security requirements to business outcomes to solve the emerging edge computing use cases. During the interview, we will tackle the Hospital at Home and Manufacturing edge computing uses cases. Tune in for this collaborative session from two of the leading cybersecurity giants. This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them! Show Notes: https://securityweekly.com/bsw-325

This week, in the enterprise security news, AI dominates new funding rounds (I'm shocked. This is my shocked face.) The buyer's market continues, with lots of small acquisitions SingTel sells off Trustwave at a significant loss Yubico goes public (actually, a month ago, sorry we missed it) Yubico can also now ship pre-registered security keys New cybersecurity tools for board and exec-level folks Lessons learned from recent ransomware attacks Healthcare is increasingly under attack A study on CISO tenure - longer than you might think! Don't miss today's squirrel stories at the end! All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-336

Skynet, India, North Korea, China, passwords, KeePass, Cisco, AI, Aaran Leyland, and More on the Security Weekly News. Show Notes: https://securityweekly.com/swn-335