ESW #276 – Matt McGuirk & Ian Glazer
1. Understanding Web Application Client-Side Risk – Matt McGuirk – ESW #276
Web applications have a new and dangerous security gap which requires attention: client-side security. The code and content that a web application delivers into a web browser is a ripe attack surface and requires different consideration, tools, and knowledge than required by traditional web application security. This segment will explore what client-side security is, why client-side attacks are so dangerous, and what options are available to defend ourselves from this new threat.
Segment Resources: "Magecart 101" - a courseware-style overview of the problem for security practitioners: https://www.youtube.com/watch?v=T4al8idAE_M
A quick five minute explainer on the problem and Source Defense's solution: https://www.youtube.com/watch?v=f8MO45EQcKY
Source Defense's brand new (as of 5/25/22) "State of the Industry" report for client-side security: https://info.sourcedefense.com/third-party-digital-supply-chain-report-white-paper
This segment is sponsored by Source Defense.
Visit https://securityweekly.com/sourcedefense to learn more about them!
Announcements
Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!
Guest
Matt McGuirk is an expert in JavaScript, web technologies, and both client-side risk and client-side attacks. He has over 15 years of experience in web application development, website administration, and cybersecurity. Additionally, he has provided consultation and analysis to Fortune 50 companies on how best to secure their customer-facing web properties and business critical web applications. Matt lives in the American Northeast with his wife and two dogs.
Hosts
2. Salesforce’s Journey Towards Complete Customer MFA – Ian Glazer – ESW #276
In the Autumn of 2019, Salesforce started on an ambitious journey - to require all of their customers to use multi-factor authentication (MFA) as of February 2022. The journey required the collaboration of every product line and every business function within Salesforce. And the journey potentially required every single one of Salesforce's customers to deploy new technology and to change all of their users' behavior. Clearly this would be no simple journey, but it was one with massive rewards for everyone involved.
Join Ian Glazer as he discusses the impetus for Salesforce’s MFA push, the challenges of such a large scale endeavor, some of the setbacks and victories along the way, and, most importantly, what you can take from Salesforce’s journey towards complete customer MFA adoption and apply it in your own organization.
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Ian Glazer is the Senior Vice President for Identity Product Management at Salesforce. His responsibilities include leading the product management team, product strategy, and identity standards work. Prior to that, he was a research vice president and agenda manager on the Identity and Privacy Strategies team at Gartner, where he oversaw the entire team's research. He is the co-founder of IDPro, the professional organization for digital identity management, and works to deliver more services and value to the IDPro membership, raise funds for the organization, and help identity management professionals learn from one another. During his career in the identity industry, he has co-authored a patent on federated user provisioning, co-authored and contributed to user provisioning specifications, and is a noted blogger, speaker, and photographer of his socks.
Hosts
3. ReliaQuest, Mimecast Delisted, 57th Unicorn, Expired Certs, & CyberSec Skill Crisis – ESW #276
Finally, in the Enterprise Security News: funding is back, in preparation for RSA! Devo raises $100M and becomes our 56th unicorn, JupiterOne raises $70M and becomes our 57th unicorn! Open source projects get some security funding, there are 10 more funding announcements, Mimecast has been taken private and is now delisted from the NASDAQ, ReliaQuest acquires Digital Shadows, we talk about public and private market performance, the cybersecurity skills crisis gets worse, and expired certs + IoT devices = PAIN! All that and more, on this episode of Enterprise Security Weekly.
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. FUNDING: Security Vendor Semperis Lands $200M Funding Round Led By KKR
- 2. FUNDING: Devo Announces $100 Million Funding Round Led by Eurazeo to Fuel Global Expansion and Acquisitions. $100M Series F with a valuation of $2B, making Devo our newest and 56th cybersecurity unicorn! Eurazeo led the round along with Insight Partners, Georgian, TCV, General Atlantic, Bessemer Venture Partners, Kibo Ventures and ISAI Cap Venture.
- 3. FUNDING: JupiterOne Achieves Valuation of Over $1B with $70M Series C Funding to Fuel Innovation in Cybersecurity and Democratize Access for All. And our very own Tyler Shields' company makes our 57th unicorn after a $70M Series C with a $1B+ valuation!
- 4. FUNDING: Announcing the First Images Designed for a Secure Software Supply Chain. $50M Series A. The round was led by Sequoia Capital with participation from Amplify Partners, Chainsmoker's Mantis VC, K5/JPMC, Banana Capital, and LiveOak Venture Partners.
- 5. FUNDING: Ordr Secures $40 Million in Series C Funding to Answer Increased Demand for Connected Device Security
- 6. FUNDING: Hoxhunt raises $40M to solve the hardest part of cybersecurity: people
- 7. FUNDING: Seemplicity Raises $32 Million with First-of-its-Kind Productivity Platform for Modern Security Teams to Scale Risk Reduction Efforts
- 8. FUNDING: Open Source Security Gets $30M Boost From Industry Heavy Hitters
- 9. FUNDING: Laminar Doubles Funding in Less Than Six Months to $67 Million, Leading the Way in Cloud Data Security
- 10. FUNDING: Vade Lands $30 Million in New Funding Round
- 11. FUNDING: Tidelift Raises $27 Million in Series C Funding as Open Source Software Supply Chain Health and Security Become Urgent Priorities
- 12. FUNDING: Incognia Raises $15.5M Series A to Combat Increased Identity Fraud
- 13. FUNDING: ShardSecure Secures $11M in Series A Funding
- 14. FUNDING: Forgepoint Capital Fuels Cyber Market, Launches New Incident Response Firm Surefire Cyber with $10 Million in Series A Funding
- 15. FUNDING: OT Remote Access Firm Xona Raises $7.2 Million in Series A Funding
- 16. FUNDING: Red Access Emerges from Stealth with $6M Round to Secure Every Web Session Across any Browser, App and Device
- 17. ACQUISITIONS: Mimecast goes private after Permira completes $5.8B acquisition – Boston Business Journal. First announced last December, this acquisition has now closed and Mimecast has been taken private.
- 18. ACQUISITIONS: ReliaQuest to Acquire Digital Shadows
- 19. NEW PRODUCT: Another arrow in the quiver: Mastercard strengthens cybersecurity consulting practice with new Cyber Front threat simulation platform
- 20. TRENDS: Cybersecurity performance in public markets & 2022 economic downturn
- 21. TRENDS: Cybersecurity Performance Summary – Public Markets (updated automatically every 20 minutes)
- 22. TRENDS: Trellix Survey Findings: A Closer Look at the Cyber Talent Gap. If you want to jump into the full survey results for the previous story, it's all here.
- 23. TRENDS: Bad news: The cybersecurity skills crisis is about to get even worse. "Cybersecurity firm Trellix commissioned a survey of 1,000 cybersecurity professionals globally and found that 30% are planning to change professions within two or more years." This is a decent sample size. While surveys are difficult and unreliable in the best of times, the question was well worded and does trouble me a bit. One issue is that it didn't account for soon-to-be-retirees. The biggest thing I'd want to see is the cross section of time-in-industry across this 30%. Are we losing new people? Industry veterans? Even losses across time-in-industry?
- 24. REBRANDING: McAfee Enterprise SSE Business Renamed Skyhigh Security
- 25. SQUIRREL: Expired Cert + IoT = PAIN. Joey Piccola on Twitter: "Never thought I'd say this: My window blinds won't open because of an expired cert."
- 26. SQUIRREL: Gene-editing experiment turns fluffy hamsters into ‘aggressive’ rage monsters