Quality of Ingredients – ESW #257
1. Vulnerability Management is Dead! – Rickard Carlsson – ESW #257
Modern tech stacks are becoming increasingly complex puzzles of components built in-house and sourced from third-party vendors. With DNS at the center of the infrastructure, and staging and production being sometimes just minutes apart, scanning for CVEs is not enough to stay on top of web threats.
There are lots of critical things traditional app scanners won’t catch, like dangling DNS records, subdomain takeover and open S3 buckets. To keep their growing attack surface secure, companies need to combine crowdsourced vulnerability detection with solutions that detect outliers and anomalies in their software - before these become an attack vector.
In this episode we’ll discuss:
- Why hunting for vulnerabilities is no longer enough to stay on top of threats
- Vulnerability Management vs Attack Surface Management
- How security teams can adapt their vulnerability management process to modern dev cycles
Segment Resources:
More insights on how to secure your external attack surface: https://detectify.com/resources
Free trial of Detectify's attack surface management solutions: https://detectify.com/product/surface-monitoring and https://detectify.com/product/application-scanning
This segment is sponsored by Detectify. Visit https://securityweekly.com/detectify to learn more about them!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Guest
Entrepreneurial tech nerd Rickard Carlsson has grown Detectify from a group of ethical hackers with an idea on how to make the internet safer, to an international industry challenger of 140+ people. Rickard has a background in tech and management consulting, and has lived and worked in Sweden, India and the US.
2. Architecture & Security from the Trenches – Will Clark – ESW #257
An open discussion of challenges facing software and system architects in small and medium sized businesses.
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
3. McAfee MVISION XDR, Microsoft Acquires Activision Blizzard, & Tom Brady NFTs – ESW #257
In the Enterprise Security News: 1Password plans to do some shopping with their massive Series C, Devo announces a $250M round, Permiso Security and Tromzo emerge backed by both traditional VCs and industry execs, STG spins out McAfee’s MVISION XDR product as Trellix - the first of many spinouts, they say, Microsoft reminds us that, in addition to being the industry’s largest security vendor, they can also drop $70B on video games if they feel like it, More reminders that open source is essential, but orgs with massive budgets will still treat it as worthless and disposable, Real-world stories of CI/CD pipeline compromises, Is Uber’s former CSO going to jail?, and Tom Brady NFTs!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We had an absolute blast putting together this year's SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!
- 1. FUNDING: Remote work and cloud adoption lands 1Password with $620M Series C, now valued at $6.8B – TechCrunch. This is a MASSIVE series C with a valuation to match. It makes me wonder what Dominik Reichl, the author of KeePass, might think about it. As both a B2C as well as B2B company, it seems more justified than some of the B2C-only unicorns we've seen. They intend to do some more acquisitions with this money. Any guesses? Do they get into Zero Trust? Deeper into MFA? API Security?
- 2. FUNDING: Devo Announces $250 Million Funding Round Led by TCV – Devo.com
- 3. FUNDING: Germany’s SoSafe raises $73M Series B led by Highland to address human error in cyber – TechCrunch
- 4. FUNDING: Banyan Security Raises $30M in Growth Financing to Support Increased Demand for Innovative Zero Trust Network Access Platform – https://www.banyansecurity.io/news/banyan-security-raises-30m-in-growth-financing-to-support-increased-demand-for-innovative-zero-trust-network-access-platform/
- 5. FUNDING: Continuous verification company Verica raises $12M to make systems more resilient – https://venturebeat.com/2022/01/18/continuous-verification-company-verica-raises-12m-to-make-systems-more-resilient/
- 6. FUNDING: Former FireEye Executives Emerge from Stealth with $10M Seed Round to Tackle Cloud Detection and Response – Permiso Security. I spy with my analyst eye... our very own Tyler Shields participating in this funding round! Sounds like anomaly detection for authorization-related events?
- 7. FUNDING: Tromzo Raises $3.1M From Innovation Endeavors and Over 25 Leading CISOs to Eliminate the Friction Between Developers and Security Teams – https://www.globenewswire.com/news-release/2021/10/21/2318623/0/en/Tromzo-Raises-3-1M-From-Innovation-Endeavors-and-Over-25-Leading-CISOs-to-Eliminate-the-Friction-Between-Developers-and-Security-Teams.html
- 8. ACQUISITION: Netrix Acquires BTB Security, a Provider of Cybersecurity and Digital Forensics Solutions – Netrix LLC
- 9. SPINOUT: Symphony Technology Group Announces the Launch of Extended Detection and Response Provider, Trellix. In what sounds like the first of many spinouts, the first child of the McAfee FireEye union has surfaced! Trellix appears to be centered around the McAfee MVISION XDR product. It's an interesting approach. Instead of simply smashing together the products and services of McAfee and FireEye under new branding, it looks like the most successful products will each spin out as separate subsidiaries under STG for now. SASE will be the next product to spin out as a separate company, comprised of McAfee's Enterprise Secure Service Edge offering, which includes CASB, SWG, and ZTNA functionality.
- 10. WHATEVER, MONEY ISN’T REAL ANYWAY: Microsoft will buy Activision Blizzard, a bet on the next generation of the internet. Obviously not security-related, but a market event too huge to not talk about. This is especially true when you consider Microsoft as one of the biggest cybersecurity companies and acquirers. The numbers seem insane until you start to dig into some context, like:
  - MSFT's $2T+ market cap
  - MSFT is already a leader in gaming
  - Scandal discount?
  - 18% YoY growth
  - 7.5x ($9.053B revenue in 2021)
  - Still, this accounts for only 5% of the entire gaming industry
  - CoD alone makes $5M a DAY. That's over $1.8B annually.
- 11. SUPPLY CHAIN: The customer has nuclear weapons. They do not do “bounty”. This Bugzilla thread is a stark reminder that: a) OSS projects still use Bugzilla (whaaaat) b) Fortran is still alive and well c) open source is thankless, fragile, underfunded, and not free as in 'beer', but free as in 'piano'
- 12. LEARNING: 10 real-world stories of how we’ve compromised CI/CD pipelines. In an editorial I published on scworld.com at the end of 2021, I urged defenders in 2022 to focus on three things:
  1. Sharing data on how breaches occur
  2. Studying that data
  3. Using these scenarios as training exercises
  NCC has always been generous, sharing their tools and knowledge, and this is no exception. Incident responders, AppSec folks, and detection engineers should all take some time to read over these detailed accounts of how consultants were able to compromise CI/CD pipelines.
- 13. TRENDS: Forecasting in-the-wild 0days: 2022. Ryan McGeehan uses the power of math and the data of Google's Project Zero to determine the number of 0day exploits we'll see in the wild in 2022. The answer is more than 28, but less than 75. Anything over 25 was almost unheard of until last year when we saw 57. You shouldn't worry about the number though. Best to focus on fundamentals and practice, practice, practice! Most breaches happen because processes fail.
- 14. VULNS: 2 Critical Cloud Vulnerabilities to Convince You to Move to the Cloud – Orca Security
- 15. REPORT: Wearing Many Hats: The Rise of the Professional Security Hacker. This paper tracks the history of the hacker. Though I haven't read all of it, I doubt there will be too many revelations for those of us that have at least one shelf in our homes dedicated to books on hacking and its history. Still, it seems like a great primer for anyone jumping into the industry that wants the CliffsNotes on the hacker industry and culture.
- 16. LEGAL: Former Uber CSO Faces New Charge for Alleged Breach Cover-Up. Joe Sullivan is facing Theranos-level charges here, which seem a bit extreme. Perhaps the government wants to set a precedent in this case, to ensure bug bounty platforms don't become the new ransomware payment gateways. I doubt this will have a chilling effect on CISOs being willing to take on the role, but I have noticed that it quickly became commonplace for CISOs to have their own independent insurance for situations where they could be personally liable for work-related actions.
- 17. SQUIRREL: kube-chaos
- 18. SQUIRREL: Tom Brady’s buzzy celebrity NFT startup Autograph banks $170M from Silicon Valley’s top crypto investors – TechCrunch
- 19. SQUIRREL: Tom Brady Ruby Signed Immortal Statue
- 20. SQUIRREL: Former SpaceX engineer says his pizza-making robot, located across the road from Elon Musk’s HQ, sprayed cheese everywhere during testing – https://news.yahoo.com/former-spacex-engineer-says-pizza-100000687.html