

Application Security Podcast

Tue, 09 Jul 2024 08:00:00 -0400

Tanya Janca -- Secure Guardrails


Join us for a conversation with Tanya Janca, also known as SheHacksPurple, as she discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security.

Tanya, an award-winning public speaker and head of education at Semgrep, shares her insights on creating secure software and teaching developers. Tanya also tells us about her hobby farm and love for gardening.

Mentioned in this episode:

Tanya Janca What Secure Coding Really Means

Tanya Janca Mentoring Monday - 5 Minute AppSec

Tanya Janca and Nicole Becher Hacking APIs and Web Services with DevSlop


The Expanse Series by James S.A. Corey


Alice and Bob Learn Application Security by Tanya Janca


FOLLOW OUR SOCIAL MEDIA:

Twitter: @AppSecPodcast
LinkedIn: The Application Security Podcast
YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 02 Jul 2024 08:00:00 -0400

Jahanzeb Farooq -- Launching and executing an AppSec program


In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut are joined by Jahanzeb Farooq to discuss his journey in cybersecurity and the challenges of building AppSec programs from scratch. Jahanzeb shares his experience working in various industries, including Siemens, Novo Nordisk, and Danske Bank, highlighting the importance of understanding developer needs and implementing the right tools.

The conversation covers the complexities of cybersecurity in the pharmaceutical and financial sectors, shedding light on regulatory requirements and the role of software in critical industries. Learn about prioritizing security education, threat modeling, and navigating digital transformation.


Mentioned in this Episode:

The Power of Habit by Charles Duhigg




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 18 Jun 2024 08:00:00 -0400

David Quisenberry -- Building Security, People, and Programs


In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut engage in a deep discussion with guest David Quisenberry about various aspects of application security. They cover David's journey into the security world, insights on building AppSec programs in small to mid-sized companies, and the importance of data-driven decision-making.

The conversation also delves into the value of mentoring, the vital role of trust with engineering teams, and the significance of mental health and community in the industry. Additionally, Chris, David and Robert share personal stories that emphasize the importance of relationships and balance in life.

Books Shared in the Episode:

SRE Engineering by Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy

The Phoenix Project by Gene Kim, Kevin Behr and George Spafford

Security Chaos Engineering by Aaron Rinehart and Kelly Shortridge

CISO Desk Reference Guide by Bill Bonney, Gary Hayslip, Matt Stamper

Wiring the Winning Organization by Gene Kim and Dr. Steven J. Spear

The Body Keeps the Score by Bessel van der Kolk, M.D.

Intelligence Driven Incident Response by Rebekah Brown and Scott J. Roberts

Never Eat Alone by Keith Ferrazzi

Thinking Fast and Slow by Daniel Kahneman

Do Hard Things by Steve Magness

How Leaders Create and Use Networks, Whitepaper by Herminia Ibarra and Mark Lee Hunter




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 11 Jun 2024 08:00:00 -0400

Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People


In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome Matt Rose, an experienced technical AppSec testing leader. Matt discusses his career journey and significant contributions in AppSec. The conversation delves into the nuances of software supply chain security, exploring how different perceptions affect its understanding. Matt provides insights into the XZ compromise, critiques the buzzword 'shift left,' and discusses the role of digital twins and AI in enhancing supply chain security. He emphasizes the need for a comprehensive approach beyond SCA, the relevance of threat modeling, and the potential risks and benefits of AI in security. The discussion also touches on industry trends, the importance of understanding marketing terms, and the future directions of AppSec.

Mentioned in the episode:

The Application Security Program Handbook by Derek Fisher
https://www.manning.com/books/application-security-program-handbook

Podcast Episode: Derek Fisher The Application Security Program Handbook
https://youtu.be/DgmlHgNT-UM

Authors mentioned:
Stephen E. Ambrose https://www.simonandschuster.com/authors/Stephen-E-Ambrose/1063454
Mark Frost https://en.wikipedia.org/wiki/Mark_Frost


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 31 May 2024 18:00:00 -0400

James Berthoty -- Is DAST Dead? And the future of API security


In this episode of the Application Security Podcast, host Chris Romeo welcomes James Berthoty, a cloud security engineer with a diverse IT background, to discuss his journey into application and product security.

The conversation spans James's career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and StackHawk, and the evolving landscape of Dynamic Application Security Testing (DAST) and API security. They delve into the practical challenges of CVEs, reachability analysis, and the complexities of patching in mid-sized companies. James shares his views on the often misunderstood role of WAF and the importance of fixing issues over merely identifying them.

The discussion concludes with insights into James's initiative, Latio Tech, which aims to help security professionals evaluate and understand application security products better.

James Berthoty's LinkedIn post: AppSec Kool-Aid Statements I Disagree With
https://www.linkedin.com/posts/james-berthoty_appsec-kool-aid-statements-i-disagree-with-activity-7166084208686256128-tb1U?utm_source=share&utm_medium=member_desktop

What is Art by Leo Tolstoy
https://www.gutenberg.org/files/64908/64908-h/64908-h.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 21 May 2024 08:00:00 -0400

Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding


Mark Curphey and Simon Bennetts join Chris on the podcast to discuss the challenges of funding and sustaining major open source security projects like ZAP.

Curphey shares about going fully independent and building a non-profit sustainable model for ZAP. The key is getting companies in the industry, especially companies commercializing ZAP, to properly fund its ongoing development and maintenance.

Bennetts, who has led ZAP for over 15 years, shares the harsh reality that while ZAP is likely the world's most popular web scanner with millions of active users per month, very few companies contribute back financially despite making millions by building products and services on top of ZAP.

Curphey and Bennetts are asking those in the industry to step up and properly fund open source projects like ZAP that are critical infrastructure, rather than freeloading off the hard work of a few individuals. Curphey's company is investing substantial funds in a "responsible marketing" model to sustain ZAP as a non-profit, with hopes others will follow this ethical example to prevent open source security going down a dangerous path.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 14 May 2024 08:00:00 -0400

Devin Rudnicki -- Expanding AppSec


Devin Rudnicki, the Chief Information Security Officer at Fitch Group, shares her journey of developing an application security program from scratch and advancing to the CISO role. She emphasizes the importance of collaboration, understanding the organization's business, and using metrics to drive positive change in the security program.

Elon Musk - Walter Isaacson
Steve Jobs - Walter Isaacson
The Code Breaker: Jennifer Doudna, Gene Editing, and the Future of the Human Race - Walter Isaacson
https://www.simonandschuster.com/authors/Walter-Isaacson/697650


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 16 Apr 2024 05:00:00 -0400

Dustin Lehr -- Culture Change through Champions and Gamification


Dustin Lehr, Senior Director of Platform Security/Deputy CISO at Fivetran and Chief Solutions Officer at Katilyst Security, joins Robert and Chris to discuss security champions. Dustin explains the concept of security champions within the developer community, exploring the unique qualities and motivations behind developers becoming security advocates. He emphasizes the importance of fostering a security culture and leveraging gamification to engage developers effectively. They also cover the challenges of implementing security practices within the development process and how to justify the need for a champion program to engineering leadership. Dustin shares insights from his career transition from a developer to a cybersecurity professional, and he provides practical advice for organizations looking to enhance their security posture through community and culture-focused approaches.

Links:
"Maker's Schedule, Manager's Schedule" article by Paul Graham https://www.paulgraham.com/makersschedule.html

Never Split the Difference by Chris Voss & Tahl Raz
https://www.harpercollins.com/products/never-split-the-difference-chris-vosstahl-raz?variant=32117745385506


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 09 Apr 2024 05:00:00 -0400

Francesco Cipollone -- Application Security Posture Management and the Power of Working with the Business


Francesco Cipollone, CEO of Phoenix Security, joins Chris and Robert to discuss security and explain Application Security Posture Management (ASPM). Francesco shares his journey from developer to cybersecurity leader, revealing the origins and importance of ASPM. The discussion covers the distinction between application security and product security, the evolution of ASPM from SIEM solutions, and ASPM's role in managing asset vulnerabilities and software security holistically. Francesco emphasizes the necessity of involving the business side in security decisions and explains how ASPM enables actionable, risk-based decision-making. The episode also touches on the impact of AI on ASPM. It concludes with Francesco advocating for a stronger integration between security, development, and business teams to effectively manage software security risks.

Recommended Reading:
Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup by Ross Haleliuk https://ventureinsecurity.net/p/cyber-for-builders


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 02 Apr 2024 05:00:00 -0400

Mukund Sarma -- Developer Tools that Solve Security Problems


Mukund Sarma, the Senior Director for Product Security at Chime, talks with Chris about his career path from being a software engineer to becoming a leader in application security. He explains how he focuses on building security tools that are easy for developers to use and stresses the importance of looking at application security as a part of the broader category of product security. Mukund highlights the role of collaboration over security mandates and the introduction of security scorecards for proactive risk management. He and Chris also discuss the strategic implementation of embedded security functions within development teams. Discover the potential of treating security as an enabling function for developers, fostering a culture of shared responsibility, and the innovative approaches Chime employs to secure its services with minimal friction for developers.

Links
Chime's Monocle
-- https://medium.com/life-at-chime/monocle-how-chime-creates-a-proactive-security-engineering-culture-part-1-dedd3846127f
-- https://medium.com/life-at-chime/mitigating-risky-pull-requests-with-monocle-risk-advisor-part-2-7013e1485bf2

Introduction to Overwatch
-- https://www.youtube.com/watch?v=QtZKBtw8VO4

Recommended Reading
Building Secure and Reliable Systems by Adkins, Beyer, Blankinship, Lewandowski, Oprea, Stubblefield -- https://www.oreilly.com/library/view/building-secure-and/9781492083115/
Drive by Daniel Pink -- https://www.danpink.com/books/drive/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 20 Mar 2024 05:00:00 -0400

Meghan Jacquot -- Assumed Breach Red Team Engagements for AppSec


AppSec specialist Meghan Jacquot joins Chris and Robert for a compelling conversation about community, career paths, and productive red team exercises. Meghan shares her unique cybersecurity origin story, tracing her interest in the field from childhood influences through her tenure as an educator and her formal return to academia to pivot into a tech-focused career. She delves into her roles in threat intelligence and application security, emphasizing her passion for technical work, penetration testing, and bug bounty programs. Additionally, Meghan highlights the importance of mentorship, her involvement with the Women in CyberSecurity (WiCyS) community, and her dedication to fostering the next generation of cybersecurity professionals.

The discussion covers assumed breach and red team engagements in cybersecurity, the significance of empathy in bug bounty interactions, tips for Call for Papers (CFP) submissions, and the value of community engagement within organizations like OWASP and DEF CON. Meghan concludes with insights on the importance of difficult conversations and giving back to the cybersecurity community.

Links

Difficult Conversations (How to Discuss What Matters Most) by Douglas Stone, Bruce Patton, Sheila Heen -- https://www.stoneandheen.com/difficult-conversations

Being Henry: The Fonz...and Beyond by Henry Winkler -- https://celadonbooks.com/book/being-henry-fonz-and-beyond-henry-winkler/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 12 Mar 2024 05:00:00 -0400

Bill Sempf -- Development, Security, and Teaching the Next Generation


Robert is joined by Bill Sempf, an application security architect with over 20 years of experience in software development and security. Bill shares his security origins as a curious child immersed in technology, leading to his lifelong dedication to application security. They discuss CodeMash, a developer conference in Ohio, and recount Bill's presentation on the Veilid application framework, designed for privacy-driven mobile applications. Bill also explores his efforts in educating children about technology and programming, drawing on his experiences with Kidsmash and other initiatives. Additionally, they delve into the challenges of application security, particularly modern software development practices and the utility of languages like Rust for creating secure applications. Bill concludes with intriguing thoughts on application security trends and the importance of a diverse skill set for both developers and security professionals.

Helpful Links:

Bill's homepage - https://www.sempf.net/
CodeMash conference - https://codemash.org
Veilid Application Framework - https://veilid.com/

Math Without Numbers - https://www.amazon.com/Math-Without-Numbers-Milo-Beckman/dp/1524745545


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 05 Mar 2024 05:00:00 -0500

Hendrik Ewerlin -- Threat Modeling of Threat Modeling


Robert and Chris talk with Hendrik Ewerlin, a threat modeling advocate and trainer. Hendrik believes you can threat model anything, and he recently applied threat modeling to the process of threat modeling itself. His conclusions are published in the document Threat Modeling of Threat Modeling, where he aims to help practitioners, in his own words, "tame the threats to the threat modeling process."

They explore the role of threat modeling in software development, emphasizing the dire consequences of overlooking this crucial process. They discuss why threat modeling serves as a cornerstone for security, and why Hendrik stresses the importance of adopting a process that is effective, efficient, and satisfying. If you care about secure software, you will want to listen in as Hendrik emphasizes why the approach to threat modeling, as well as the process itself, is so critical to success in security.

Links:
=> Hendrik Ewerlin: https://hendrik.ewerlin.com/security/
=> Threat Modeling of Threat Modeling: https://threat-modeling.net/threat-modeling-of-threat-modeling/

Recommended Reading:

=> Steal Like An Artist and other books by Austin Kleon https://austinkleon.com/books/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 27 Feb 2024 05:00:00 -0500

Jason Nelson -- Three Pillars of Threat Modeling Success: Consistency, Repeatability, and Efficacy


Jason Nelson, an accomplished expert in information security management, joins Chris to share insights on establishing successful threat modeling programs in data-intensive industries like finance and healthcare. Jason presents his three main pillars to consider when establishing a threat modeling program: consistency, repeatability, and efficacy. The discussion also provides a series of fascinating insights into security practices, regulatory environments, and the value of a threat modeling champion. As a threat modeling practitioner, Jason provides an essential perspective to anyone serious about application security.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 17 Feb 2024 05:00:00 -0500

Erik Cabetas -- Cracking Codes on Screen and in Contests: An Expert's View on Hacking, Vulnerabilities, and the Evolution of Cybersecurity Language


Erik Cabetas joins Robert and Chris for a thought-provoking discussion about modern software security. They talk about the current state of vulnerabilities, the role of memory-safe languages in AppSec, and why IncludeSec takes a highly systematic approach to security assessments and bans OWASP language. Along the way, Erik shares his entry into cybersecurity and his experience consulting about hacking for TV shows and movies. The conversation doesn't end before they peek into threat modeling, software engineering architecture, and the nuances of running security programs.

Helpful Links:
Security Engineering by Ross Anderson - https://www.wiley.com/en-us/Security+Engineering%3A+A+Guide+to+Building+Dependable+Distributed+Systems%2C+3rd+Edition-p-9781119642817

New School of Information Security by Adam Shostack and Andrew Stewart - https://www.informit.com/store/new-school-of-information-security-9780132800280


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 06 Feb 2024 05:00:00 -0500

Justin Collins -- Enabling the Business to Move Faster, Securely


Justin Collins of Gusto joins Robert and Chris for a practical conversation about running security teams in an engineering-minded organization. Justin shares his experience leading product security teams, the importance of aligning security with business goals, and the challenges arising from the intersection of product security and emerging technologies like GenAI.

They also discuss the concept of security partners and the future of AI applications in the field of cybersecurity. And he doesn't finish before sharing insights into the role of GRC and privacy in the current security landscape. Find out why Justin believes that above all, security should align with the goals of a business, tailored to the business itself, its situation, and its resources.

Book Recommendation:
The DevOps Handbook by Gene Kim et al.
https://itrevolution.com/product/the-devops-handbook-second-edition/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 30 Jan 2024 05:00:00 -0500

Kyle Kelly -- The Dumpster Fire of Software Supply Chain Security


Kyle Kelly joins Chris to explore the wild west of software supply chain security. Kyle, author of the CramHacks newsletter, sheds light on the complicated and often misunderstood world of software supply chain security. He brings unique insights into the challenges, issues, and potential solutions in this constantly growing field. From his experiences in sectors like cybersecurity and security research, he adopts a critical perspective on the state of the software supply chain, suggesting it is in a 'dumpster fire' state. We'll dissect that incendiary claim and discuss the influence of open-source policies, the role of GRC, and the importance of build reproducibility. From beginners to experts, anyone with even a mild interest in software security and its future will find this conversation enlightening.

Links:
CramHacks - https://www.cramhacks.com/

Solve for Happy by Mo Gawdat - https://www.panmacmillan.com/authors/mo-gawdat/solve-for-happy/9781509809950


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 20 Jan 2024 17:00:00 -0500

Chris Hughes -- Software Transparency


Chris Hughes, co-founder of Aquia, joins Chris and Robert on the Application Security Podcast to discuss points from his recent book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, co-authored with Tony Turner. The conversation touches on the U.S. government in the software supply chain, the definition and benefits of software transparency, the concept of a software bill of materials (SBOM), and the growth of open-source software.

The episode also covers crucial topics like compliance versus real security in software startups, the role of SOC 2 in setting security baselines, and the importance of threat modeling in understanding software supply chain risks. They also talk about the imbalance between software suppliers and consumers in terms of information transparency and the burden on developers and engineers to handle vulnerability lists with little context.

As an expert in the field, Chris touches on the broader challenges facing the cybersecurity community, including the pitfalls of overemphasizing technology at the expense of building strong relationships and trust. He advocates for a more holistic approach to security, one that prioritizes people over technology.

Links

Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner
https://www.wiley.com/en-us/Software+Transparency%3A+Supply+Chain+Security+in+an+Era+of+a+Software+Driven+Society-p-9781394158492

Application Security Program Handbook by Derek Fisher https://www.simonandschuster.com/books/Application-Security-Program-Handbook/Derek-Fisher/9781633439818

Agile Application Security by Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird
https://www.oreilly.com/library/view/agile-application-security/9781491938836/

CNCF Catalog of Supply Chain Compromises
https://github.com/cncf/tag-security/blob/main/supply-chain-security/compromises/README.md


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 09 Jan 2024 05:00:00 -0500

Jay Bobo & Darylynn Ross -- App Sec Is Dead. Product Security Is the Future.


Jay Bobo and Darylynn Ross from CoverMyMeds join Chris to explain their assertion that 'AppSec is Dead.' They discuss the differences between product and application security, emphasizing the importance of proper security practices and effective communication with senior leaders, engineers, and other stakeholders. Jay proposes that product security requires a holistic approach and cautions against the current state of penetration testing in web applications. Darylynn encourages AppSec engineers to broaden their scope beyond individual applications to product security. With enlightening insights and practical advice, this episode thoughtfully challenges AppSec professionals with new ideas about application and product security.

Links:
Jay recommends:
How to Measure Anything in Cybersecurity Risk, 2nd Edition
by Douglas W. Hubbard, Richard Seiersen
https://www.wiley.com/en-us/How+to+Measure+Anything+in+Cybersecurity+Risk%2C+2nd+Edition-p-9781119892311

Darylynn recommends:
Kristin Hannah: https://kristinhannah.com/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 19 Dec 2023 05:00:00 -0500

Eitan Worcel -- Is AI a Security Champion?


Eitan Worcel joins the Application Security Podcast to talk about automated code fixes and the role of artificial intelligence in application security. We start with a thought-provoking discussion about the consistency and reliability of AI-generated responses in fixing vulnerabilities like Cross-Site Scripting (XSS). The conversation highlights a future where AI on one side writes code while AI on the other side fixes it, raising questions about the outcomes of such a scenario.

The discussion shifts to the human role in using AI for automated code fixes. Human oversight is important in setting policies or rules to guide AI, as opposed to letting it run wild on the entire code base. This controlled approach, akin to a 'controlled burn,' aims at deploying AI in a way that's beneficial and manageable, without overwhelming developers with excessive changes or suggestions.

We also explore the efficiency gains expected from AI in automating tedious tasks like fixing code vulnerabilities. We compare this to the convenience of household robots like Roomba, imagining a future where AI takes care of repetitive tasks, enhancing developer productivity. However, we also address potential pitfalls, such as AI's tendency to 'hallucinate' or generate inaccurate solutions, underscoring the need for caution and proper validation of AI-generated fixes.

This episode offers a balanced perspective on the integration of AI in application security, highlighting both its promising potential and the challenges that need to be addressed. Join us as we unravel the complexities and future of AI in AppSec, understanding how it can revolutionize the field while remaining vigilant about its limitations.

Recommended Reading from Eitan:
The Hard Thing About Hard Things by Ben Horowitz - https://www.harpercollins.com/products/the-hard-thing-about-hard-things-ben-horowitz?variant=32122118471714


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 12 Dec 2023 05:00:00 -0500

Björn Kimminich -- OWASP Juice Shop


Björn Kimminich, the driving force behind the OWASP Juice Shop project, joins Chris and Robert to discuss all things Juice Shop. The OWASP Juice Shop is a deliberately vulnerable web application that serves as an invaluable training tool for security professionals and enthusiasts. Björn provides a comprehensive overview of the latest features and challenges introduced in the Juice Shop, underscoring the project's commitment to simulating real-world security scenarios.

Key highlights include the introduction of coding challenges, where users must identify and fix code vulnerabilities. This interactive approach enhances the learning experience and bridges the gap between theoretical knowledge and practical application. Additionally, Björn delves into the integration of Web3 and smart contracts within the Juice Shop, reflecting the project's adaptation to emerging technologies in the blockchain domain. This integration poses new challenges and learning opportunities, making the Juice Shop a continually relevant and evolving platform for cybersecurity training.

The episode concludes with an acknowledgment of the project's maintenance efforts and the introduction of a novel cheating detection mechanism. This system assesses the patterns and speed of challenge completions, ensuring the integrity of the learning process. Björn's discussion also highlights the inclusion of 'shenanigan' challenges, adding a layer of fun and creativity to the application. The significant impact of the Juice Shop on the cybersecurity community, as a tool for honing skills and understanding complex security vulnerabilities, is evident throughout the discussion, marking this episode as an essential watch for those in the field.

Links:
OWASP Juice Shop - https://owasp.org/www-project-juice-shop/

Pwning OWASP Juice Shop by Björn Kimminich. The official companion guide to the OWASP Juice Shop - https://leanpub.com/juice-shop

"OWASP Juice Shop Jingle" by Brian Johnson of 7 Minute Security - https://soundcloud.com/braimee/owasp-juice-shop-jingle


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 05 Dec 2023 05:00:00 -0500

Arshan Dabirsiaghi -- Security Startups, AI Influencing AppSec, and Pixee/Codemodder.io


Arshan Dabirsiaghi of Pixee joins Robert and Chris to discuss startups, AI in appsec, and Pixee's Codemodder.io. The conversation begins with a focus on the unrealistic expectations placed on developers regarding security. Arshan points out that even with training, developers may not remember or apply security measures effectively, especially in complex areas like deserialization. This leads to a lengthy and convoluted process for fixing security issues, a problem that Arshan and his team have been working to address through their open-source tool, Codemodder.io.

Chris and Arshan discuss the dynamic nature of the startup world. Chris reflects on the highs and lows experienced in a single day, emphasizing the importance of having a resilient team that can handle these fluctuations. They touch upon the role of negativity in an organization and its potential to hinder progress. Arshan then delves into the history of Contrast Security and its pioneering work in defining RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing) as key concepts in appsec.

The group also explores the future of AI in application security. Arshan expresses his view that AI will serve more as a helper than a replacement in the short term. He believes that those who leverage AI will outperform those who don't. The conversation also covers the potential risks of relying too heavily on AI, such as the introduction of vulnerabilities and the loss of understanding in code development. Arshan emphasizes the importance of a feedback loop in the development process, where each change is communicated to the developer, fostering a learning environment. This approach aims to improve developers' understanding of security issues and promote better coding practices.

Links:
Pixee https://www.pixee.ai/
Pixee's Codemodder.io: https://codemodder.io/

Book Recommendation:
Hacking: The Art of Exploitation, Vol. 2 by Jon Erickson: https://nostarch.com/hacking2.htm

Aleph One's "Smashing The Stack for Fun and Profit":
http://phrack.org/issues/49/14.html

Tim Newsham's "Format String Attacks":
https://seclists.org/bugtraq/2000/Sep/214

Matt Conover's "w00w00 on Heap Overflows" (reposted):
https://www.cgsecurity.org/exploit/heaptut.txt

Jeremiah Grossman, aka rain forest puppy (rfp):
https://www.jeremiahgrossman.com/#writing

Justin Rosenstein's original codemod on GitHub:
https://github.com/facebookarchive/codemod

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 28 Nov 2023 05:00:00 -0500

Dr. Jared Demott -- Cloud Security & Bug Bounty


Chris and Robert are thrilled to have an insightful conversation with Dr. Jared Demott, a seasoned expert in the field of cybersecurity. The discussion traverses a range of topics, from controversial opinions on application security to the practical aspects of managing bug bounty programs in large corporations like Microsoft.

We dive into the technicalities of bug bounty programs, exploring how companies like Microsoft handle the influx of reports and the importance of such programs in a comprehensive security strategy. Dr. Demott provides valuable insights into the evolution of bug classes and the never-ending challenge of addressing significant bug types, emphasizing that no bug class can ever be fully eradicated.

This episode is a must-listen for anyone interested in the nuances of software security, the realities of cybersecurity employment, and the ongoing challenges in bug mitigation. Join us for an enlightening journey into the heart of application security with Dr. Jared Demott.

Links:

Microsoft Security Response Center MSRC: https://www.microsoft.com/en-us/msrc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 20 Nov 2023 20:00:00 -0500

Katharina Koerner -- Security as Responsible AI


Dr. Katharina Koerner, a renowned advisor and community builder with expertise in privacy by design and responsible AI, joins Chris and Robert to delve into the intricacies of responsible AI in this episode of the Application Security Podcast. She explores how security intersects with AI, discusses the ethical implications of AI's integration into daily life, and emphasizes the importance of educating ourselves about AI risk management frameworks. She also highlights the crucial role of AI security engineers, the ethical debates around using AI in education, and the significance of international AI governance. This discussion is a deep dive into AI, privacy, security, and ethics, offering valuable insights for tech professionals, policymakers, and individuals.

Links:

Recommended Book:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 15 Nov 2023 05:00:00 -0500

Ray Espinoza -- The AppSec CISO, Vendor Relationships, and Mentoring


For Security Pros & Business Leaders | Strategic Insights & Leadership Lessons

When Ray Espinoza joined Chris and Robert on the Application Security Podcast, he gave a treasure trove of insights for both security professionals and business leaders alike! Whether you're deep in the trenches of information security or steering the ship in business leadership, this episode is packed with valuable takeaways. Dive in to discover why this is a must-listen for professionals across the spectrum.

For Security Professionals:
1. CISO Insights: Gain a glimpse into the strategic mind of a Chief Information Security Officer. Learn from their real-world experiences and challenges in aligning security with business goals.
2. Career Development: Get inspired by the speaker's career journey and learn the importance of mentorship in your professional growth.
3. Data-Driven Security: Embrace a data-driven approach to security solutions, focusing on tangible results and measurable outcomes.

For Business Leaders:
1. Strategic Security Understanding: Learn how information security is integral to overall business strategy and decision-making.
2. Universal Risk Management: Gain insights into risk management strategies applicable across various business aspects.
3. Communication & Relationship Building: Enhance your skills in effective communication and professional relationship building.
4. Leadership & Mentorship: Absorb valuable lessons in guiding and inspiring your team, crucial for effective leadership.
5. Adaptability in Leadership: Understand the importance of flexibility and adaptability in today's rapidly evolving business landscape.
6. Data-Driven Decisions: Embrace the power of data in driving efficient and accountable business processes.

Why Listen?
For security pros, this is your chance to deepen your understanding of strategic security management and enhance your interpersonal skills.
For business leaders, this episode offers a unique perspective on how security strategies impact broader business objectives and leadership practices.

Don't Miss Out!
Tune in now for an enlightening discussion filled with actionable insights. Whether you're an aspiring CISO, a seasoned security professional, or a business leader looking to broaden your horizons, this podcast has something for everyone.

Like, Share, and Subscribe for more insightful content!
Drop your thoughts and takeaways in the comments below!

#SecurityLeadership #BusinessStrategy #RiskManagement #CareerGrowth #DataDrivenDecisions #LeadershipSkills

---

Remember, your engagement helps us bring more such content. So, hit that like button, share with your network, and subscribe for more insightful episodes!

Ray's Book Recommendation:
Extreme Ownership by Jocko Willink and Leif Babin
https://echelonfront.com/books/extreme-ownership/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 07 Nov 2023 05:00:00 -0500

Chris John Riley -- MVSP: Minimum Viable Secure Product


Chris John Riley joins Chris and Robert to discuss the Minimum Viable Secure Product. MVSP is a minimalistic security checklist for B2B software and business process outsourcing suppliers. It was designed by a team that included experts from Google, Salesforce, Okta, and Slack. The MVSP objectives are targeted at startups and other companies creating new applications, helping such organizations meet security standards expected by larger enterprises like Google. The MVSP is designed to be accessible for users, as a way to streamline the process of vendor assessment and procurement from the start to the contractual control stages.

Using MVSP, developers and application security enthusiasts can establish a baseline for building secure applications. MVSP includes controls about business operations, application design, implementation, and operational controls. For instance, it encourages third-party penetration testing on applications, as it believes that every product has an issue somewhere and needs regular testing to maintain a good security posture. The controls are designed to be reasonable and achievable, but also evolutionary to keep up with changes in the cybersecurity landscape.

Moving forward, MVSP intends to continue updating its guidelines to reflect the realities of the software development landscape but to keep the number of controls manageable to maintain wide acceptance. Chris encourages firms to consider MVSP as a baseline during the Request for Proposal (RFP) process to ensure prospective vendors meet the required security guidelines.

Links:

Recommended Books:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 31 Oct 2023 05:00:00 -0400

Steve Wilson and Gavin Klondike -- OWASP Top Ten for LLM Release


Steve Wilson and Gavin Klondike are part of the core team for the OWASP Top 10 for Large Language Model Applications project. They join Robert and Chris to discuss the implementation and potential challenges of AI, and present the OWASP Top Ten for LLM version 1.0. Steve and Gavin provide insights into the issues of prompt injection, insecure output handling, training data poisoning, and others. Specifically, they emphasize the significance of understanding the risk of allowing excessive agency to LLMs and the role of secure plugin designs in mitigating vulnerabilities.

The conversation dives deep into the importance of secure supply chains in AI development, looking at the potential risks associated with downloading anonymous models from community-sharing platforms like Huggingface. The discussion also highlights the potential threat implications of hallucinations, where AI produces results based on what it thinks it's expected to produce and tends to please people, rather than generating factually accurate results.

Wilson and Klondike also discuss how certain standard programming principles, such as 'least privilege', can be applied to AI development. They encourage developers to conscientiously manage the extent of privileges they give to their models to avert discrepancies and miscommunications from excessive agency. They conclude the discussion with a forward-looking perspective on how the OWASP Top Ten for LLM Applications will develop in the future.

Links:

OWASP Top Ten for LLM Applications project homepage:
https://owasp.org/www-project-top-10-for-large-language-model-applications/

OWASP Top Ten for LLM Applications summary PDF:
https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-slides-v1_1.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 24 Oct 2023 05:00:00 -0400

Tanya Janca -- What Secure Coding Really Means


Tanya Janca, also known as SheHacksPurple, joins the Application Security Podcast again to discuss secure coding, threat modeling, education, and other topics in the AppSec world. With a rich background spanning over 25 years in IT, coding, and championing cybersecurity, Tanya delves into the essence of secure coding.

Tanya highlights the difference between teaching developers about vulnerabilities and teaching them the practices to avoid these vulnerabilities in the first place. Instead of focusing on issues like SQL injection, she emphasizes the importance of proactive measures like input validation and always using parameterized queries. She believes teaching developers how to build secure applications is more effective than merely pointing out vulnerabilities.

She also explains the importance of a secure system development life cycle (SDLC). Software companies often state "We take your security seriously." Tanya believes the phrase should only be used by companies that have a secure SDLC in place. Without it, the phrase is rendered meaningless.

Discussing the intersection of coding and threat modeling, Tanya shares personal anecdotes that underscore the need to view systems with a critical eye, always anticipating potential vulnerabilities and threats. She recounts her initial reactions during threat modeling sessions, where she was surprised by the myriad ways applications can be exploited.

One of her most crucial takeaways for developers is the principle of distrust and verification. Tanya stresses that when writing code, developers should not trust any input or connection blindly. Everything received should be validated to ensure its integrity and safety. This practice, she believes, not only ensures the security of applications but also makes the lives of incident responders easier.

Toward the end of the podcast, Tanya recommends "This is How They Tell Me the World Ends," which offers a deep dive into the zero-day industry. She lauds the book for its meticulous research and compelling narrative. The episode wraps up with Tanya encouraging listeners to stay connected with her work and to anticipate her upcoming book.


Links:

Alice and Bob Learn Application Security by Tanya Janca
https://www.wiley.com/en-us/Alice+and+Bob+Learn+Application+Security-p-9781119687405

This is How They Tell Me the World Ends by Nicole Perlroth
https://thisishowtheytellmetheworldends.com/

WeHackPurple
https://wehackpurple.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 16 Oct 2023 10:00:00 -0400

Hasan Yasar -- Actionable SBOM via DevSecOps


Hasan Yasar believes that everyone shares the responsibility of creating a secure environment, and this can only be achieved by working collaboratively. He underscores the idea that security is not an isolated endeavor but a collective effort, urging everyone to come together and build a world where safety and security are paramount.

Yasar also shares his thoughts about education and security. He highlights the need for integrating security concepts right from the foundational levels of teaching programming languages. By introducing concepts like input validation and sanitization early on, students can be better equipped to handle security challenges in their professional lives. Yasar also mentions the importance of bridging the gap between real-world problems and academic research. By organizing workshops and connecting researchers with real-world challenges, there's an opportunity to create more awareness and solutions that are grounded in practicality.

He contrasts the challenges faced in developing complex systems like simulators with those of web applications. In the context of simulators, every aspect, from memory management to user interface, needs to be meticulously crafted, keeping both safety and security in mind. This holistic approach ensures that safety and security are intertwined, ensuring a robust system. On the other hand, with web applications, developers often only see the tip of the iceberg, unaware of the underlying dependencies, making security a more challenging endeavor.

Hasan Yasar introduces Chris and Robert to the concept of "actionable SBOM" (Software Bill of Materials). He passionately argues against viewing the SBOM as just a static file tucked away in repositories. Instead, Yasar champions the idea that it should be actively integrated into the infrastructure as code. This ensures that when deploying tools like Docker containers, there's a consistent alignment between the software components and their documented versions in the SBOM.

Yasar further underscores the importance of real-time monitoring of the SBOM, especially in a production environment. This proactive approach not only keeps track of the software components but also alerts organizations to new vulnerabilities as they arise. By integrating the SBOM with vulnerability management tools, organizations can maintain a secure environment, ensuring timely updates and patches when potential threats are detected.

The podcast also touches upon the challenges of maintaining an actionable SBOM in fast-paced development environments, where software updates can occur multiple times a day. However, Yasar remains optimistic. He believes that with the right mindset and tools, it's entirely possible to keep the SBOM updated and relevant, making it an invaluable asset in the ever-evolving world of software development and security.

Links:

Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
by Chris Hughes, Tony Turner
https://www.amazon.com/dp/1394158483?ref_=cm_sw_r_cp_ud_dp_PHSFCKCRM7Q8KZ41RDXT

Cybersecurity First Principles: A Reboot of Strategy and Tactics by Rick Howard
https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/1394173083

Carnegie Mellon Universi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 10 Oct 2023 05:00:00 -0400

Varun Badhwar -- The Developer Productivity Tax


Varun Badhwar is a three-time founder, a luminary in the cyber security industry, and a clear communicator. He joins Chris and Robert on the Application Security Podcast to discuss scanning with context, SBOM plus VEX, and the developer productivity tax. The concept of a "Developer Productivity Tax" acknowledges the challenges developers face when bombarded with a plethora of vulnerabilities. This "tax" represents the drain on developers' time and resources as they navigate through a myriad of potential threats, many of which lack actionable context. The inefficiencies arising from this process can lead to significant delays in software development, emphasizing the need for more refined tools and techniques.

A key solution Varun offers is the integration of SBOM plus VEX (Software Bill of Materials with Vulnerability Exploitability eXchange). While SBOM offers transparency by detailing all software components and dependencies, it can be overwhelming due to the sheer volume of potential vulnerabilities it flags. VEX, designed as a companion to SBOM, provides the much-needed context, detailing the applicability, reachability, and availability of fixes for vulnerabilities. This combination aims to streamline the vulnerability management process, ensuring that only relevant and critical threats are addressed.

Lastly, the importance of "Scanning with Context" was emphasized. Traditional vulnerability scanning can often result in a multitude of false positives or irrelevant findings due to the lack of context. The podcast delved into the two primary approaches to contextual scanning: static analysis and runtime analysis. While both methods have their merits, the discussion leaned towards static analysis for its scalability and efficiency. The episode concluded by stressing the need for further research and development in vulnerability annotation to specific code functions, ensuring a more precise and actionable vulnerability management process.

Important Links:

Recommended books:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 03 Oct 2023 02:00:00 -0400

OWASP Board of Directors Debate


The Application Security Podcast presents the OWASP Board of Directors Debate for the 2023 elections. This is a unique and engaging discussion among six candidates vying for a position on the board. Throughout the debate, candidates address pressing questions about their priorities as potential board members, the future direction of OWASP, and strategies for community growth and vendor neutrality. Topics such as vendor agnosticism, the allocation of profits from global OWASP events, and the importance of community involvement are among the critical issues discussed.

The questions presented by Chris and Robert include:

  1. What experience do you have running an organization like OWASP? Have you been a C-level exec? Have you served on a Board of Directors? What hard decisions about the strategic direction of an organization have you personally made?
  2. What are your priorities as a board member, and what should not be on the board's agenda?
  3. How do you envision maintaining the legacy of OWASP's open-source projects in the future, especially compared to organizations like the Linux Foundation, which has successfully nurtured community engagement and secured funding for project sustainability?
  4. The individual paid memberships are in a steady decline year over year. What is your plan to increase the number of paid members of OWASP?
  5. How do you plan on remaining vendor agnostic and maintaining the open-source character of the org without becoming an incubator for companies?
  6. With the individual events happening around the globe under the OWASP brand, what should happen with the profit from those events? Should it become part of the Global OWASP bank account?


For those interested in the future of OWASP and the perspectives of its potential leaders, this debate offers valuable insights. We want to invite all application security professionals to tune in and listen to the complete discussion to gain a deeper understanding of the candidates' visions and strategies for the advancement of OWASP in the coming years.

Chris concludes with this message:

"I can't stress enough the importance of your active participation in the upcoming board elections. These elections play a pivotal role, and you, as a valued member of the OWASP community, have the power to shape our organization's future.

I want to remind you that there's a dedicated candidate page for each contender, complete with videos where they lay out their platforms and provide written answers to various questions. You must be informed. As an OWASP member, I urge you to exercise your right to vote. The voting period for the board of directors will open on October 15 and run until October 30.

I genuinely believe that voting isn't just a right; it's a responsibility. Your vote will help determine the next generation of leaders who will steer OWASP in the coming years."

Links:

OWASP Global Board Candidates webpage: https://owasp.org/www-board-candidates/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 26 Sep 2023 05:00:00 -0400

Itzik Alvas -- Secrets Security and Management


Itzik Alvas, Co-founder and CEO of Entro, is an expert on secrets security.
Itzik joins Chris and Robert to discuss the significance of understanding and managing secrets, emphasizing the importance of knowing how many secrets an organization has, where they are located, and their potential impact. He elaborates on the three pillars of secrets management: listing and locating secrets, classifying and understanding their potential blast radius, and monitoring them for any abnormal behavior.

The conversation takes a turn towards the future of secrets management, where Itzik believes there's a need for a shift in mentality. He stresses the importance of education in this domain, urging listeners to seek knowledge, understand the potential risks, and start with actionable steps. Itzik's perspective on prioritizing risks, investing in processes, and the challenges of remediation offers a fresh take on application security.

As the episode wraps up, Itzik shares a key takeaway for the audience: the importance of getting educated about secrets, understanding their potential risks, and starting with quick, actionable steps. Chris Romeo, the host, and Itzik also touch upon their love for sci-fi, adding a personal touch to the conversation. This episode is a must-listen for anyone keen on enhancing their understanding of secrets security and management.


Helpful Links:
Entro -- https://entro.security/

Recommended Reading:
Foundation by Isaac Asimov -- https://www.amazon.com/Foundation-Isaac-Asimov/dp/0553293354
Ringworld by Larry Niven -- https://www.amazon.com/dp/B0B1911GL1
Seveneves by Neal Stephenson -- https://www.amazon.com/Seveneves-Neal-Stephenson/dp/0062334514

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 19 Sep 2023 05:00:00 -0400

Harshil Parikh -- Deep Environmental and Organizational Context in Application Security


Harshil Parikh is a seasoned security leader with experience building security and compliance functions from the ground up. He notably built the security and compliance team at Medallia from scratch and led it through several transitions. He is also a conference speaker, and, most recently, he co-founded Tromzo. Harshil shares insights about AppSec, running a startup, selling effectively, and provides justification for his mantra, "Context is king."

Harshil underscores the importance of understanding context in security, emphasizing that it's the bedrock for making informed decisions. He also brings to light the significance of data-driven metrics in application security.

Harshil champions the cause of enhancing the developer experience in application security. He posits that security professionals should be more than just watchdogs; they should be enablers, aiding developers in making the right security decisions. This involves equipping developers with the necessary tools and knowledge and providing them with the relevant context to understand the bigger picture. Harshil's insights into the trend of developer autonomy, especially in modern companies, are particularly enlightening. He discusses how developers today often take ownership beyond just coding, emphasizing the need for security guardrails to guide them.

Rounding off the episode, Harshil touches upon the challenges of scaling application security programs in organizations. His main message resonates powerfully: the role of security professionals extends beyond mere problem detection. It's about risk management, improving developer experiences, and navigating the complex labyrinths of organizational hierarchies. This episode is a treasure trove of insights for anyone keen on understanding the nuances of application security in today's dynamic tech landscape.

Recommended Reading:
The Metrics Manifesto by Richard Seiersen. https://www.wiley.com/en-us/The+Metrics+Manifesto%3A+Confronting+Security+with+Data-p-9781119515418

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 12 Sep 2023 05:00:00 -0400

Jeff Williams -- The Tech of Runtime Security


Jeff Williams of Contrast Security joins Chris and Robert on the Application Security Podcast to discuss runtime security, emphasizing the significance of Interactive Application Security Testing (IAST) in the modern DevOps landscape. After reflecting on the history of OWASP, the conversation turns to the challenges organizations face in managing their application security (AppSec) backlogs. Jeff highlights the alarming number of unresolved issues that often pile up, emphasizing the inefficiencies of traditional security tools.

Jeff champions IAST, and here are a few highlights that he shares. IAST is ideally suited for DevOps by seamlessly transforming regular test cases into security tests. IAST can provide instant feedback, leading to a Mean Time To Repair (MTTR) of just three days across numerous applications. Unlike Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST), which can take hours or even days, IAST can complete security testing during the build, fitting within the tight SLAs of modern pipelines.

IAST offers developers comprehensive insights, which aids in a better understanding and quicker resolution of the identified issues. It is also adaptable, as IAST can detect vulnerabilities before they are exploited. Jeff argues that IAST's ability to work with existing test cases and provide rapid feedback makes it a perfect fit for the fast-paced DevOps environment.

Jeff emphasizes that while runtime security can be a game-changer, it doesn't replace other essential aspects of AppSec programs, such as training. In conclusion, Jeff Williams champions IAST as a revolutionary tool in the application security domain. Its adaptability, efficiency, and depth of insights make it a must-have in the toolkit of modern developers and security professionals.


Links:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 05 Sep 2023 05:00:00 -0400

Mark Curphey and John Viega -- Chalk


Mark Curphey and John Viega join Chris and Robert to explain the details of Chalk, Crash Override's new tool. Mark also talks about why ZAP departed from OWASP and joined the Software Security Project, highlighting some of the value and differences of both organizations. Open Source Software is important to the industry, but Mark calls on companies to contribute to the development and support of the projects they use.

The conversation explores the challenges faced by companies, especially large tech firms, in managing their software engineering processes. Many organizations grapple with identifying code ownership, determining code versions during incidents, and prioritizing alerts from static analysis tools. Chalk emerges as a solution to these challenges, providing clarity and reducing friction in the software development and maintenance process.

Toward the end, both speakers emphasize the importance of understanding the entire software engineering process to make informed decisions. They advocate for an "outside-in" perspective, urging listeners to step into the shoes of others and view challenges from a broader perspective. This holistic approach, they suggest, can lead to more effective decision-making in the realm of software development.

Listen until the end for book recommendations on cybersecurity, business, and personal growth.

Links:

Books:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 29 Aug 2023 05:00:00 -0400

Maril Vernon -- You Get What You Inspect, Not What You Expect


Maril Vernon is passionate about Purple teaming and joins Robert and Chris to discuss the intricacies of purple teaming in cybersecurity. She underscores the significance of fostering a collaborative environment between developers and the security team. Drawing from her experiences, Maril shares the challenge of development teams overlooking her remediation recommendations. She chose to engage directly with the developers, understanding their perspective and subsequently learning to frame her remediations in developer-centric language. This approach made her recommendations actionable and bridged the communication gap between the two teams.

Maril also looks into the future of purple teaming, envisioning a landscape dominated by automation and AI tools. While these tools will enhance the efficiency of certain tasks, she firmly believes that the human element, especially the creativity and intuition of red teamers, will remain irreplaceable. She envisions a future where dedicated purple teams might be replaced by a more holistic approach, or white teams, emphasizing collaboration across all departments.

Maril's powerful message on the essence of security is: "You get what you inspect, not what you expect." She emphasizes the importance of proactive inspection and testing rather than relying on assumptions, and she restates the centrality of cooperation between teams. Maril's insights serve as a reminder of the dynamic nature of cybersecurity and the need for continuous adaptation and collaboration.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 22 Aug 2023 05:00:00 -0400

Dan Kuykendall -- Why All Application Security Products Suck


Dan Kuykendall visits The Application Security Podcast to discuss his series "Why All AppSec Products Suck" and explain why software companies should understand the uses and limitations of any security tool. The series aims to highlight the limitations of each tool and to help users make informed decisions when selecting the right tools for their needs. In this field, there is no such thing as an expert; there is always something new to learn.

Dan, Chris, and Robert remember the late Kevin Mitnick, a well-known figure in the cybersecurity community. They share their personal experiences with Mitnick, highlighting his curiosity, humility, and the importance of remembering that everyone in the cybersecurity community is a regular person with feelings and concerns.

The hosts discuss the challenges of dealing with heavy client-side applications, such as those built with React, and the difficulties faced by Dynamic Application Security Testing (DAST) scanners in handling different data formats and client-side complexities. They share their experiences in redesigning DAST scanners to handle various data formats and the importance of separating data formats from attack payloads. Dan helps Chris see the usefulness of DAST in certain situations, such as a large enterprise, without hiding some of the limitations inherent in DAST.

The podcast also touches on the importance of training engineers in web security and the need for a collection of tools that address different security concerns. The hosts emphasize the value of designing security into applications from the beginning and the role of training in achieving this goal. Learning the basics, such as understanding TCP/IP, is still important for security and developers.

To gain more valuable insights and resources from Dan Kuykendall:

The Dan On Dev website

- https://danondev.com

Social Media

- https://twitter.com/dan_kuykendall

- https://twitter.com/Dan_On_Dev

- https://instagram.com/dan_on_dev

- https://facebook.com/danondev


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 15 Aug 2023 05:00:00 -0400

Kevin Johnson -- Samurai Swords and ZAP's Departure


Kevin Johnson is the CEO of Secure Ideas. He began his career as a developer but turned toward security when he discovered that the interface for an intrusion detection system, Snort, was out of date. This led him to create BASE (Basic Analysis and Security Engine), a testament to Kevin's proactive approach.

Kevin has a deep-rooted passion for open-source projects. He highlights the challenges and joys of initiating and sustaining such ventures, emphasizing the pivotal role of community contributions. Kevin also details how to install and start with SamuraiWTF, a tool tailored for those keen on mastering application security. He outlines two paths for developers: one focused on learning application security intricacies and another on actively contributing to the project's growth.

Kevin also discusses the notable departure of ZAP from OWASP. Kevin expresses his concerns and reflects on the broader implications of this decision on the cybersecurity community. The episode wraps up with a touch of nostalgia, as Kevin and Chris reminisce about their early tech adventures, showcasing Kevin's unwavering commitment to knowledge-sharing and community collaboration.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 08 Aug 2023 05:00:00 -0400

Tony Quadros -- The Life of an AppSec Vendor


Tony Quadros, the AppSec Lumberjack, shares the unique career path that led him to find his passion in Application Security. The discussion delves into the work of an AppSec vendor, with Tony explaining his role and the responsibilities it entails. He emphasizes the importance of understanding the needs and environment of the customer, and whether the product he represents can fulfill their requirements. Tony also shares his philosophy of sales, centered around solving problems and providing business value.

Tony reveals the challenges salespeople face in the cybersecurity industry, particularly the pressure to meet quotas and the need for good company culture. Chris, Robert, and Tony highlight the importance of setting realistic expectations at the executive level to avoid putting undue pressure on customers and prospects.

In addition, the conversation touches on the importance of sales leadership in setting processes and creating a positive company culture. Sales leaders need to educate themselves about their products and market segment. Tony stresses they should provide value to customers through their conversations.

He also talks about becoming involved with OWASP Maine and encourages community involvement for all members of the AppSec community.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 23 Jul 2023 21:00:00 -0400

Steve Giguere -- Cloud AppSec


Cloud security is on an evolutionary path, with newer platforms embracing secure-by-default settings. This has led to a significant improvement in security but also adds complexity as developers need to understand these defaults when deploying to the cloud.

Steve Giguere defines cloud application security, describes cloud-first development and cloud complexity, security by default, and the need to broaden AppSec by creating new security personas and being secure from idea to destination. Steve provides many nuggets of insight from his travels, including pointing us to Wing, a programming language for the cloud that includes code and IaC together.

We discuss the consolidation of application security, particularly Static Application Security Testing (SAST) and Software Composition Analysis (SCA). These should not be separate products but must provide actionable insights and be tied together for practical reachability analysis.

We introduce a new segment of rapid-fire questions, asking what Steve would put on a billboard at RSA or Black Hat and asking for book recommendations. Steve recommends "Hacking Kubernetes," praising its use-case focus and engaging narrative.

We plan to revisit this conversation in a few years to see if Steve's predictions about the security pipeline and other aspects of cloud application security have come to fruition.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 14 Jul 2023 09:00:00 -0400

Paul McCarty -- The Burrito Analogy of the Software Supply Chain


"Visualizing the Software Supply Chain" is a project which aims to kick off a discussion about the scope and breadth of the software supply chain.

Paul McCarty emphasizes the importance of understanding what's in the software supply chain to secure it effectively. He uses the burrito analogy, stating that you can't decide if you want to eat it if you don't know what's in it. We discuss the nuances around the Software Bill of Materials (SBOM) and the importance of understanding the differences between various SBOMs, especially for companies that deploy frequently.

The conversation also covers third-party components, such as APIs, SaaS solutions, payment gateways, and identity providers, which are part of the software supply chain. Paul gives the example of Stripe, a payment platform that includes software components and SaaS.

Paul's project helps people understand the different threats associated with each category in the software supply chain. The episode concludes with a call to action for organizations to prioritize understanding their software supply chain and leveraging automation as much as possible.

Gain valuable insights into securing the software supply chain and consider guidance on actionable steps organizations can take to enhance their security.

Four key takeaways from the episode:

  1. Understanding the Software Supply Chain: Paul McCarty emphasizes the importance of understanding the scope and breadth of the software supply chain. He suggests you can't secure or have a valuable conversation about the software supply chain if you don't know what's in it.
  2. The Role of Third-Party Components: Third-party components in the software supply chain are crucial. These can include APIs, SaaS solutions, payment gateways, and identity providers. Paul uses Stripe as an example to illustrate this point.
  3. The Nuances of the Software Bill of Materials (SBOM): SBOM has nuance. We highlight the importance of understanding the differences between various SBOMs, especially for companies that deploy frequently.
  4. Threat Thinking in the Software Supply Chain: We appreciate the depth of threat thinking in Paul's project. This approach helps people understand the different threats associated with each category in the software supply chain.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 09 Jul 2023 19:00:00 -0400

Farshad Abasi -- Three Models for Deploying AppSec Resources


Farshad Abasi shares three models for deploying resources within application security teams:

  1. The Dedicated AppSec Person Model involves assigning an AppSec person to work with each team. Farshad shares his experience of working with developers and the challenges faced in getting them to understand and implement threat modeling. He also discusses the transition from waterfall to Agile and how it affected threat modeling.
  2. The Federated Model: A security consultant attends weekly standups and sprint planning sessions in this model. They work with a checklist to quickly determine if any user stories could be security sensitive. This model reduces the allocation required to 10 to 20% of an AppSec consultant.
  3. The Champion or Deputy Model: The AppSec team deputizes developers to do the bulk of the application security work, and the AppSec team becomes a resource and escalation point for more complex problems. Each DevOps team appoints a security champion, and these champions form a working group supported by an AppSec person. The champions handle day-to-day issues and threat modeling, with the AppSec team providing mentorship and support.

Over several years, Farshad's journey progressed from the expert-led model to a fully-deputized, champion-driven approach to AppSec.

After careful consideration, we conclude that the fully deputized model is the only path to scalability.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 29 Jun 2023 05:00:00 -0400

Kim Wuyts -- The Future of Privacy Threat Modeling


Kim Wuyts discusses her work in privacy threat modeling with LINDDUN, a framework inspired by Microsoft's STRIDE for security threat modeling. LINDDUN provides a structure to analyze privacy threats across multiple categories such as linking, detecting, data disclosure, and unawareness. The framework has been updated over the years to incorporate new knowledge and developments in privacy, and it has become recognized as a go-to approach for privacy threat modeling.

Kim believes that privacy and security can be combined and highlights the importance of protecting individuals' rights and data while securing systems and assets.

Privacy by design, which focuses on reducing unnecessary data collection and considering individual needs, is discussed in relation to secure architecture and threat modeling. The Threat Modeling Manifesto is emphasized as a significant resource for promoting privacy threat modeling.

Kim addresses emerging trends in privacy, including the concerns surrounding AI and responsible AI, and stresses the need for increased awareness among individuals and companies about privacy issues and the importance of privacy protection.

Listen in as Kim explains the importance of collaboration between security and privacy teams, integrating privacy into security practices, and recognizing the value of privacy for both privacy protection and overall security.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 22 Jun 2023 14:00:00 -0400

Francois Proulx -- Actionable Software Supply Chain Security


Software supply chain -- how deep does the problem go? François is here to help us realize how deep the rabbit hole of the supply chain is and enlighten us with strategies to get out of the hole.

François emphasizes the importance of branch protection in source code repositories as the cornerstone of any supply chain, highlighting the need for peer review and static code analysis before merging. He also discusses the concept of tag protection, which prevents anyone with write access to the repository from modifying a tag. This is particularly important in the context of build systems, where an overwritten tag could compromise the entire system.

The conversation then shifts to a "Let's Encrypt" equivalent for package signing, which François believes is being addressed by the Sigstore project. This project introduces the concept of keyless signatures, which eliminates the need to manage private keys, a process that can be risky and cumbersome.

François also discusses the importance of understanding your dependency tree and using package manager lock files to ensure that the version of a package you're downloading is the one you expect. He mentions Terraform modules, where the lack of a lock file for modules can lead to security vulnerabilities.

Toward the end of the episode, François recommends listeners explore the OpenSSF (Open Source Security Foundation) and its various projects, such as the Scorecard project, which provides a security posture score for your repo. He also mentions https://deps.dev, a free Google service that scans open-source repos and runs the Scorecard on those projects.

Look up towards the light if you find yourself at the bottom of the rabbit hole.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 15 Jun 2023 08:00:00 -0400

Steve Wilson -- OWASP Top Ten for LLMs


How do we do security in the world of AI and LLMs? A great place to start is with an OWASP project tasked with creating a standardized guideline for building secure AI applications with large language models such as ChatGPT. Enter OWASP Top Ten for LLMs, and Steve Wilson, the project leader.

You'll learn about Large Language Models (LLMs) and their implications in AI. Steve explains how the introduction of ChatGPT marked a significant shift in the AI landscape. He elaborates on the concept of LLMs, how they function, and the unique properties that emerge when they are used at a large scale.

Traditional OWASP Top Ten issues like SQL injection and broken authorization are still applicable when dealing with AI applications, and the OWASP API Top Ten could be layered onto these considerations. Think about it -- AI applications have web frontends.

A new discipline of AI security engineering is on the horizon, focusing on the security of large language models and the applications that access them. A focus on both AI safety AND security must occur.

We look forward to the release of the 1.0 version of the OWASP Top Ten for LLMs. Join the discussion today on OWASP Slack, and help form the new list.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 07 Jun 2023 12:00:00 -0400

JB Aviat -- The State of Application Security


What is the state of application security? JB Aviat answered that question by creating the State of Application Security report, based on data from Datadog customers using the application security and APM products. It provides insights into threat detection, vulnerability detection, prioritization, and general trends on where the most significant risks lie.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 01 Jun 2023 12:00:00 -0400

Joshua Wells -- Application Security in the Age of Zero Trust


What is zero trust, and how does it impact the world of applications and application security? We dive deep into zero trust with Joshua Wells, a seasoned cybersecurity expert with over ten years of experience. Joshua explores the intricacies of zero trust, a cybersecurity model that dictates no user or machine is trusted by default and must be authenticated every time.

Listen in as Joshua discusses his journey from aspiring to be an NFL player to becoming a leading voice in cybersecurity. He shares insights on how zero trust operates in different domains, including architectural security, endpoint detection, mobile device management, and risk assessment. He also touches on its implementation across various government bodies and private organizations.

Further, Joshua sheds light on the challenges of implementing zero trust, such as the need for a mix of different security tools and the stress of smaller teams when handling this robust framework. The episode also covers important considerations for Application Security (AppSec) professionals in a zero-trust environment and the role of attribute-based access control within this model.

Don't miss this enlightening discussion on cybersecurity's current landscape and future direction. Whether you're a cybersecurity professional, a tech enthusiast, or simply keen on understanding how your data is being kept secure, this episode will surely provide invaluable insights.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 15 May 2023 11:00:00 -0400

Jeevan Singh -- The Future of Application Security Engineers


Jeevan Singh, the director of product security at Twilio, discusses the future of application security engineers. Singh highlights the importance of embedding security into all aspects of software development and the need for a strong security culture within organizations. He also explains the skills required for a senior application security engineer, such as application security, software development, and teaching skills. Singh underscores the importance of empathy and influence, emphasizing that soft skills can significantly affect effective application security. He also discusses the impact of AI, particularly OpenAI's GPT, in supporting the work of security engineers by providing valuable insights and information. Singh concludes by urging application security engineers to broaden their skills, particularly in software development, to ensure they can effectively handle the industry's evolving demands.

Five takeaways:

  1. The future of application security engineering requires a blend of skills: Application Security (AppSec), software development, and teaching skills. Communicating and teaching others about security best practices is becoming as important as technical know-how.
  2. The role of application security engineers is evolving: They are expected to identify and fix security issues and embed security considerations into the entire software development process. They are also tasked with educating other staff on security best practices.
  3. Empathy and influence are crucial soft skills for application security engineers: It's essential to understand the perspectives of various stakeholders, from developers to executives, and influence them to prioritize security. This involves presenting data effectively and advocating for security measures.
  4. Future demand for application security engineers is anticipated. As organizations increasingly realize the importance of securing their applications, there will be a growing need for professionals in this field. This is particularly the case for startups and smaller organizations.
  5. Scaling application security efforts requires a team-based approach: To keep pace with growing engineering teams and increasing security demands, application security efforts must be scaled. This could involve creating "security champions" within development teams, implementing automated tools, and involving executive leadership to incentivize security improvements.

Jeevan's first appearance on the Application Security Podcast was entitled Jeevan Singh -- Threat modeling based in democracy.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 03 May 2023 11:00:00 -0400

Tony Turner -- Threat Modeling and SBOM


Have you ever considered using an SBOM to inform your threat modeling? Tony Turner has. Tony joins us to discuss SBOMs, threat modeling, and the importance of Cyber Informed Engineering.

Tony delves into the SBOM (Software Bill of Materials) concept, highlighting its value proposition in identifying vulnerabilities, demonstrating compliance with software licenses, and informing M&A activities and incident response indicators related to cyberattacks. We also explore the integration of SBOMs into the system engineering process and security engineering.

Tony further introduces the concept of Consequence-Driven Cyber Informed Engineering, which emphasizes understanding the potential consequences of cyberattacks on critical infrastructure rather than just on individuals or individual businesses. We discuss the four-step process of consequence-driven CIE. The conversation also addresses the challenges in communicating SBOM information, the importance of demanding transparency from suppliers, and the need to place trust in trusted third-party attestations.

Follow up:

- Research tools for integrating SBOMs into threat modeling
- Explore methods of communicating SBOM information
- Investigate Cyber Informed Engineering and Consequence-Driven principles in more detail


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 18 Apr 2023 17:00:00 -0400

Christian Frichot -- Threat Modeling with hcltm


Christian Frichot is an AppSec hacker, security leader, and the developer of hcltm. He discusses the DevOps threat modeling tool he dreamed up and built. The tool was created to fit into developers' workflows and leverage tools they are familiar with. hcltm is designed to drive valuable change and be updated and maintained easily by software engineers. It is a developer-centric software product that is not heavily opinionated on diagramming, allowing users to employ their preferred methods for threat modeling. The solution is still evolving, and Frichot is open to user feedback and suggestions to improve it. He encourages people to try hcltm and see if it fits their threat modeling needs, as everyone approaches the process differently.

Critical actions for you to take from this episode:

  1. Try out hcltm: familiarize yourself with the hcltm threat modeling tool, which uses HashiCorp Configuration Language (HCL) to help manage threat models alongside software code in a developer-friendly way.
  2. Integrate threat modeling into your workflow: As a developer or security professional, explore ways to incorporate threat modeling into your current processes, such as using hcltm to manage threat models in a software repo and updating the model with each change.
  3. Improve communication and collaboration: learn from Christian's experience and focus on building relationships and networks in the security community and improving communication and influencing skills.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 03 Apr 2023 12:00:00 -0400

Zohar Shachar -- Bug Bounty from Both Sides


Zohar Shachar joins us to discuss the bug bounty process from both sides. Zohar has spent time as a bug bounty hunter and shares wisdom on avoiding the issues a bug bounty program can cause for your AppSec posture. We hope you enjoy this conversation with...Zohar Shachar.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 23 Mar 2023 08:00:00 -0400

Sarah-Jane Madden -- Threat Modeling to Established Teams


Sarah-Jane Madden is the Chief Information Security Officer of Sensing Technology Group, part of Fortive. She has over 20 years of software experience, from the most formal environments to "let's fix it in production" type teams. She has been a longtime advocate of deliberate application security as a partnership with product management and believes security does not have to be an overhead. Sarah-Jane joins us to discuss her talk at OWASP Dublin, "Far from green fields: introducing Threat Modeling to established teams." She shares lessons learned from her 3-year journey and is transparent about the mistakes she made along the way. We hope you enjoy this conversation with...Sarah-Jane Madden.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 16 Mar 2023 08:00:00 -0400

Jet Anderson -- The AppSec Code Doctor


Jet Anderson's passion is teaching today's software developers to write secure code as part of modern DevOps pipelines, at speed and scale, without missing a beat. He's been a software engineer for over 25 years and believes fixing security bugs is better than finding them. Jet joins us to discuss whether to be a software or security engineer first, how fixing security bugs is better than just finding them, and the Code Doctor security training program he built and deployed. We hope you enjoy this conversation with...Jet Anderson.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 09 Mar 2023 08:00:00 -0500

James Mckee -- Developer Security


James Mckee is a developer (MCPDEA) and security advocate (CISSP) whose biggest responsibility is leading developer security practices. He sets the standards and procedures for the practice's operations and leads all client engagement efforts concerning security. He also takes the lead in ensuring that company staff (developers specifically) are properly trained and following best practices concerning application security. Currently, he is responsible for training and providing product guidance for developers worldwide. James joins us to discuss offensive application security for developers. We also get into the role of security professionals in reaching developers outside of the security echo chamber. We hope you enjoy this conversation with...James Mckee.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 02 Mar 2023 08:00:00 -0500

Derek Fisher -- The Application Security Handbook


Derek is the author of The Application Security Handbook. He is a university instructor at Temple University, where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led security teams, large and small, at organizations in the healthcare and financial industries. Derek joins us to unpack the goals of an application security program, what is cutting edge in application security programs today, the role of open source vs. commercial, and guidance such as "decentralized application security," "enablement instead of gates; application security as a service," and "stop chasing the shiny new tool." We hope you enjoy this conversation with...Derek Fisher.

Find the book at https://www.manning.com/books/application-security-program-handbook


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 23 Feb 2023 11:00:00 -0500

Rob van der Veer -- OWASP AI Security & Privacy Guide


Rob van der Veer has a 30-year background in software engineering, building AI businesses, creating software, and assessing software. He is a senior director at the Software Improvement Group, where he established practices for AI, security, and privacy. Rob is involved in several standardization initiatives like OWASP SAMM, ENISA, CIP, and AI security & privacy guide. He leads the writing group for the new ISO standard on AI engineering: 5338. Rob co-leads the OWASP integration project, with openCRE.org as a key result, aiming to create alignment in the standards landscape. Rob joins us to introduce the OWASP AI Security and Privacy Guide. We cover Rob's observations on how AI engineering differs from regular software engineering, typical software engineering pitfalls for AI engineers, the new guide's scope, threats introduced with AI, and mitigations that orgs and teams can use to build a secure AI system. We hope you enjoy this conversation with...Rob van der Veer.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 10 Jan 2023 08:00:00 -0500

Robyn Lundin -- Planning & organizing a penetration test as an AppSec team


Robyn Lundin started working in tech after a coding boot camp as a developer for a small startup. She then discovered her passion for security, pivoted into pentesting for NCC Group, and now works as a Senior Product Security Engineer for Slack.

Robyn joins us to discuss the role of penetration testing within the application security realm. Robyn provides actionable guidance you can apply directly to your application pen testing program. We hope you enjoy this conversation with....Robyn Lundin.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 03 Jan 2023 08:00:00 -0500

Michael Bargury -- Low Code / No Code Security and an OWASP Top Ten


Michael Bargury is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure, focused on IoT, APIs and IaC.

Michael is passionate about all things related to cloud, SaaS and low-code security and spends his time finding ways they could go wrong. He also leads the OWASP low-code security project and writes about it on DarkReading. Michael is a regular speaker at OWASP, BSides and DEFCON conferences.

Michael joins us to unpack Low Code / No Code and the new OWASP Top Ten that defines specific risks against Low/No Code. We hope you enjoy this conversation with...Michael Bargury.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 20 Dec 2022 08:00:00 -0500

Alex Olsen -- Security champions, empowering developers, and AppSec training


Alex leads the Cyber Security Consulting Group, part of Rakuten's Cyber Security Defense Department. The group is dedicated to providing global security services, including security architecture, DevSecOps tooling and integration services, delivery of technical training, and running Rakuten's Security Champion community. His focus is on empowering teams to improve security throughout the development lifecycle.

Alex joins us to discuss security champions, a topic near and dear to our hearts. We get into democratizing appsec, the value of security governance and empowerment activities for security champions and the organization, how scope, cost and effort fit, and the ROI of training and security champions. We hope you enjoy this conversation with...Alex Olsen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 13 Dec 2022 08:00:00 -0500

Mark Curphey -- The future of OWASP


Mark Curphey is one of the creators of OWASP from the very early days. Mark worked in the background over the few decades of OWASP but has recently stepped more into the spotlight. After running for election, he was elected to and joined the OWASP Board of Directors.

This conversation starts with Mark's history with OWASP. Then we jump into the vision for OWASP in the future and the plans in place to reach those goals. We hope you enjoy this conversation with...Mark Curphey.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 06 Dec 2022 07:00:00 -0500

Tiago Mendo -- How to scan at scale with OWASP ZAP


Tiago Mendo is a co-founder and CTO of Probely. He has extensive experience in pentesting applications, training, and providing all-around security consultancy.

Tiago started working with security in the early 2000s, beginning with a tenure of 12 years at Portugal Telecom. While there, he built the web security team and worked with 150+ developers. He holds a Master's in Information Technology/Information Security from Carnegie Mellon University and a CISSP certification.

He is also a qualified member of AP2SI, a non-profit organization that promotes Information Security in Portugal, and Co-Leader of the Lisbon OWASP Chapter. He is a frequent speaker at security events, such as Confraria da Segurança da Informação, BSides Lisbon, BSides Kraków and LASCON.

Tiago Mendo joins us to discuss OWASP ZAP and DAST scanning at scale. Tiago shares what scanning at scale is, the common challenges development teams must overcome when scanning at scale, and how to overcome them using OWASP ZAP. We hope you enjoy this conversation with ... Tiago Mendo.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 29 Nov 2022 08:00:00 -0500

Wolfgang Goerlich -- Security beyond vulnerabilities


J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices for cybersecurity consulting firms.

Wolf joins us to talk about some security topics that will stretch your mind, like security beyond vulnerabilities, how an app's intended functionality can be misused, data privacy, and nudges and behavioral science.

Wolf challenged my thinking in this episode and pointed out a new area of threat modeling I had never considered. We hope you enjoy this conversation with... J. Wolfgang Goerlich.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 08 Nov 2022 08:00:00 -0500

Sam Stepanyan -- OWASP Nettacker Project


Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of IT experience and a background in software engineering and web application development.

Sam has worked for various financial services institutions in the City of London, specializing in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master's degree in Software Engineering and a CISSP certification.

Sam joins us to introduce OWASP Nettacker. He describes the tool's capabilities, how you can put it to use in various scenarios for asset generation and vuln scanning, and how to contribute to the project going forward. We hope you enjoy this conversation with...Sam Stepanyan.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 01 Nov 2022 13:00:00 -0400

Nick Aleks and Dolev Farhi -- GraphQL Security


Dolev Farhi is a security engineer and author with extensive experience leading security engineering teams in complex environments and scales in the Fintech and cyber security industries. Currently, he is the Principal Security Engineer at Wealthsimple. He is one of the founders of DEFCON Toronto (DC416). He enjoys researching vulnerabilities in IoT devices, participating in and building CTF challenges and contributing exploits to Exploit-DB.

Nick Aleks is a leader in Toronto's cybersecurity community and a distinguished and patented security engineer, speaker, and researcher. He is currently the Senior Director of Security at Wealthsimple, leads his security firm, ASEC.IO, and is a Senior Advisory Board member for HackStudent, George Brown, and the University of Guelph's Master of Cybersecurity and Threat Intelligence programs. A founder of DEFCON Toronto, he specializes in offensive security and penetration testing. He has over ten years of experience hacking everything from websites, safes, locks, cars, and drones to intelligent buildings.

Dolev and Nick join us to unpack the world of GraphQL security. We introduce GraphQL, threats, and mitigations to secure your GraphQL instances. We hope you enjoy this conversation with....Dolev and Nick.


Important Links:

Link to the book https://nostarch.com/black-hat-graphql

CrackQL https://github.com/nicholasaleks/CrackQL

Damn Vulnerable GraphQL Application https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 23 Sep 2022 09:00:00 -0400

Guy Barnhart-Magen -- Log4j and Incident Response


With nearly 25 years of experience in the cyber-security industry, Guy has held various positions in both corporates and startups. In his role as the CTO of the cyber crisis management firm Profero, his focus is making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach.

Guy is the BSidesTLV chairman and CTF lead, a public speaker at well-known global security events (SAS, t2, 44CON, BSidesLV, and several DefCon villages, to name a few), and the recipient of the Cisco Black Belt Security Ninja honor, Cisco's highest cybersecurity advocate rank.

Guy joins us to explore his front-row seat for the incident response to Log4j. There are many AppSec lessons to learn from understanding Log4j in greater depth. We hope you enjoy this episode with .... Guy Barnhart-Magen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 30 Aug 2022 14:00:00 -0400

Brett Smith -- Security is a Necessary Evil


Brett Smith is a Software Architect/Engineer/Developer with 20+ years of experience. Specialties: automation, continuous integration/delivery/testing/deployment. Expertise: Linux, packaging, and tool design.

Brett joins us to discuss why he hates security and shares his vast knowledge of building a secure and cutting-edge build pipeline. We hope you enjoy this conversation with...Brett Smith.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 16 Aug 2022 10:00:00 -0400

Chen Gour-Arie -- The AppSec Map


Chen Gour-Arie is the Chief Architect and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen has demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry verticals. An enthusiastic builder, he has focused his career on building tools to optimize and accelerate security testing and all related workflows. Chen joins us to introduce the AppSec Map and provides a live demo of the catalog and what AppSec practitioners can use it for. We hope you enjoy this conversation with...Chen Gour-Arie.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 09 Aug 2022 11:00:00 -0400

Dominique Righetto -- OWASP Secure Headers


Dominique Righetto is an AppSec enthusiast and OWASP projects contributor. Dominique joins us to discuss the OWASP Secure Headers project. We discuss headers at a high level and then dive into all the goodies you'll find within the project, from awareness, guidance, and a test suite that can be integrated into your CI/CD pipeline to test your security headers. We hope you enjoy this conversation with...Dominique Righetto.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 25 Jul 2022 10:00:00 -0400

Hillel Solow -- How to do AppSec without a security team


Hillel Solow is Chairman of the Board at ProtectOnce, where he helps guide product and security strategy. Hillel is a serial entrepreneur in the cybersecurity space, but his favorite thing is still writing code at 2 am.

Hillel joins us to discuss how to do appsec without a security team. We explore the building blocks of an appsec program and what appsec looks like for companies of different sizes, from startup to midsize to enterprise. Then we dive into Hillel's most important advice for companies that can't afford a security person. We hope you enjoy this conversation with Hillel Solow.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 02 Jun 2022 14:00:00 -0400

Chris Romeo -- The Security Journey Story


In this episode of the Application Security Podcast, Chris Romeo walks through the origin story of Security Journey and shares some experiences taking a security startup from bootstrap to acquisition. Chris talks about how and why he started the company, what defining factors made Security Journey successful, and why they're being acquired now. He ends by giving an overview of what to expect from Security Journey moving forward. We hope you enjoy this conversation with...Chris Romeo.

Check out these resources for more information about the acquisition!
Press Release: https://www.accesswire.com/702562/HackEDU-Acquires-Security-Journey-to-Provide-the-Most-Comprehensive-Application-Security-Training-Offering-Helping-Development-Teams-Deliver-Secure-Code-and-Protect-Data

Chris's Blog Post: https://www.securityjourney.com/post/hackedu-acquires-security-journey

Joe's Blog Post: https://www.hackedu.com/blog/hackedu-acquires-security-journey-to-create-industry-leading-application-security-offering

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 10 May 2022 13:00:00 -0400

Kristen Tan and Vaibhav Garg -- Machine Assisted Threat Modeling


In this episode of the Application Security Podcast, we talk to Kristen Tan and Vaibhav Garg from Comcast. They wrote a paper called "An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy". They join us to share their story about what they were doing and why they did it. We hope you enjoy this conversation with...Kristen and VG.

https://www.usenix.org/publications/loginonline/analysis-open-source-automated-threat-modeling-tools-and-their

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 03 May 2022 14:00:00 -0400

Patrick Dwyer -- CycloneDX and SBOMs


Patrick is a Senior Product Security Engineer in the Application Security team at ServiceNow. He is also Co-Leader of the OWASP CycloneDX project, a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 25 Apr 2022 15:00:00 -0400

Omer Gil and Daniel Krivelevich -- Top 10 CI/CD Security Risks


Daniel Krivelevich is a cybersecurity expert and problem solver with 15+ years of enterprise security experience and a proven track record working with 100+ enterprises across multiple industries, with a strong orientation to Application & Cloud Security. Daniel co-founded Cider Security as the company's CTO. Cider is a startup focused on securing CI/CD pipelines, flows, and systems.

Omer is a seasoned application and cloud security expert with over 13 years of experience across multiple security disciplines. An experienced researcher and public speaker, Omer discovered the Web Cache Deception attack vector in 2017. Omer leads research at Cider Security.

We hope you enjoy this conversation with...Omer and Daniel.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 19 Apr 2022 00:00:00 -0400

Josh Grossman -- Building a High-Value AppSec Scanning Program


Josh Grossman has over 15 years of experience in IT Risk and Application Security consulting, and he has also worked as a software developer. He currently works as CTO for Bounce Security, where he focuses on helping organizations build secure products by providing value-driven Application Security support and guidance.

In his spare time, he is very involved with OWASP. He is on the OWASP Israel chapter board, he is a co-leader of the OWASP Application Security Verification Standard project, and he has contributed to various other projects as well, including the Top 10 Risks, Top Ten Proactive Controls and JuiceShop projects. We hope you enjoy this conversation with...Josh Grossman.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 15 Mar 2022 15:00:00 -0400

Alex Mor -- Application Risk Profiling at Scale


Alex Mor is a passionate cybersecurity defender or breaker, depending on the time of day, providing expert technical guidance to product teams and building security into their platforms. Alex joins us to talk about application risk profiling. He defines the concept to help us understand it. Then we talk about how you can do application risk profiling at scale, whether you have ten applications or 1500. How do you bring this together and gain real security value from profiling your applications? We hope you enjoyed this conversation with Alex Mor.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 09 Mar 2022 09:00:00 -0500

Brenna Leath -- Product Security Leads: A different way of approaching Security Champions


Brenna Leath is currently the Head of Product Security for a data analytics company where she sets the application security strategy for R&D and leads a team of security architects. Brenna originally joined us to talk about EO 14028 and the implications for private sector programs, BUT, we were chatting about security champions and product security leads, and we changed our focus to cover these topics instead. We hope you enjoy this conversation with...Brenna Leath.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 16 Feb 2022 13:00:00 -0500

Will Ratner -- Centralized container scanning


Will Ratner is a software security professional with extensive experience building and implementing security solutions across a myriad of industries including banking, media, construction, and information technology. In his current role at Atlassian, Will focuses on improving the vulnerability management process by building highly scalable and automated solutions for the enterprise. Will joins us to discuss a centralized approach he built for container scanning. We explore the challenges and lessons learned, building a scalable, enterprise-grade solution, and how to build something that developers will see value in. We hope you enjoy this conversation with...Will Ratner.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 09 Feb 2022 14:00:00 -0500

Neil Matatall -- AppSec at Scale


Neil Matatall is an engineer with a background in security. He has previously worked at GitHub and Twitter and is a co-founder of Loco Moco Product Security Conference. Neil joins us for his second visit, to discuss account security at scale. He describes the underlying principles behind security at scale, how he worked to build a sign-in analysis feature, and how attacks were detected. We ended the conversation with an authentication lightning round, with Neil responding to various statements about authentication off the cuff! We hope you enjoy this episode with Neil Matatall.

Check out our previous conversation with Neil Matatall.
https://www.buzzsprout.com/1730684/8122595-neil-matatall-content-security-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 25 Jan 2022 00:00:00 -0500

Joern Freydank -- Security Design Anti Patterns Limit Security Debt


Joern Freydank is a Lead Cyber Security Engineer with more than 20 years of experience. He is currently establishing the Threat Modeling Program at a major insurance company. Joern joins us to talk about security design anti-patterns. He defines the term, explains security debt, reviews the categories of anti-patterns, and walks us through the example of a common role misconception. We hope you enjoy this conversation with...Joern Freydank.

For more from Joern, check out his talk, Security Design Anti-Patterns -- Creating Awareness to Limit Security Debt, from Global AppSec:
https://youtu.be/o_Wq7Ga4M-0


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 18 Jan 2022 10:00:00 -0500

Ken Toler -- Blockchain, Cloud, and #AppSec


Ken Toler is a principal consultant at Kudelski Security and is passionate about building and optimizing application security programs that stick through strong adoption and ease of use. Ken has spent considerable time on all sides of the security aisle from playing defense and managing security teams to offense by breaking applications and reviewing code. Ken is also the host and creator of the Relating to DevSecOps podcast that focuses on forging strong relationships between engineers, operations, and security through collaboration, understanding, skill-sharing, and healthy debate. Ken joins us to talk about all things Blockchain and AppSec. We define Blockchain, discuss the connections between cloud, appsec, and blockchain, common architecture failures, pen testing, and even dive into smart contracts. We hope you enjoy this conversation with...Ken Toler.

Links from the episode:

Secureum Videos

https://www.youtube.com/c/SecureumVideos/videos

BLOCKCHAIN SECURITY: A NEED FOR TODAY'S BUSINESSES (COMPLETE GUIDE FOR BEGINNERS)

https://www.blockchain-council.org/blockchain/blockchain-security-a-need-for-todays-businesses-complete-guide-for-beginners/

The Rust Programming Language

https://doc.rust-lang.org/book/

Blockchain Security @ Kudelski

https://kudelskisecurity.com/services/applied-security/blockchain-security/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 11 Jan 2022 08:00:00 -0500

Jeroen Willemsen and Ben de Haan -- Dirty little secrets


Jeroen Willemsen is a passionate, hands-on security architect with a knack for mobile security and security automation. As a "jack of all trades," he has been involved with various OWASP projects and has developed various trainings. He has spent over 10 years as a full-stack developer and has worked as a (security) architect, security lead, and risk manager.

Ben de Haan is a Freelance Security consultant and engineer. Ben's specialties are architecting and implementing cloud security and building secure CI/CD environments in Agile, DevOps, and SRE cultures. Ben believes security should be built-in and can be scaled to meet these modern ways of working. Outside of regular work, Ben enjoys hosting security trainings or workshops, and he's an AWS NL Meetup regular.

Jeroen and Ben join us to speak about their OWASP project, Wrong Secrets. We discuss the problems secrets bring into applications and explore how you can use Wrong Secrets to bolster your knowledge of what not to do with secrets. We hope you enjoy this conversation with... Jeroen and Ben.

Explore these helpful resources mentioned during the interview:
https://owasp.org/www-project-wrongse...
https://xebia.com/secure-deployment-1...
GitHub: https://github.com/commjoen/wrongsecrets
Free Heroku dyno hosted version: https://wrongsecrets.herokuapp.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 15 Dec 2021 16:00:00 -0500

Adam Shostack -- Fast, cheap and good threat models


Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 07 Dec 2021 08:00:00 -0500

Loren Kohnfelder -- Designing Secure Software


Loren Kohnfelder has over 20 years of experience in the security industry. At Microsoft, he was a key contributor to STRIDE, the industry's first formalized proactive security process methodology, and also program-managed the .NET platform security effort. At Google, he worked as a software engineer on the Security team and as a founding member of the Privacy team. Loren joins us to talk about his new book, Designing Secure Software. We start the conversation geeking out about his work to create STRIDE and digital certificates. We then discuss facets of the book, like secure software, security design review, and what he would implement if he could only do one thing to improve software security. We hope you enjoy this conversation with...Loren Kohnfelder.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 29 Nov 2021 11:00:00 -0500

Ochaun Marshall -- IaC and SAST


Ochaun Marshall is an Application Security Consultant. In his role at Secure Ideas, he works on ongoing development projects using Amazon Web Services and breaks other people's web applications. Ochaun joins us to talk about SAST and IaC, static application security testing and infrastructure as code. We talk about what they are, how they work, the security benefits, and some of the tools that make them possible, and we finish our conversation talking about developer empathy and why Ochaun has it as a result of his experiences as both a developer and a security person. We hope that you enjoy this episode with...Ochaun Marshall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 10 Nov 2021 11:00:00 -0500

Simon Bennetts -- Using OWASP Zap across an Enterprise


Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they hit production. He has talked about and demonstrated ZAP at conferences all over the world. Prior to making a move into security, he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.

Simon joins us for the second time to refresh our knowledge of ZAP, explain how to use ZAP as an automation tool in your pipeline, and share what he knows about rolling ZAP out across an enterprise. We hope you enjoy this conversation with....Simon Bennetts.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 27 Oct 2021 14:00:00 -0400

Timo Pagel -- DevSecOps Maturity Model


Timo Pagel has been in the IT industry for over fifteen years. After a career as a system administrator and web developer, he now advises customers as a DevSecOps consultant and trainer. His focus is on security test automation for software and infrastructure and the assessment of complex applications in the cloud. In his spare time, he teaches Web and Application Security at various universities. Timo joins us to talk about the OWASP DevSecOps Maturity Model, or DSOMM. We explore maturity models, this specific one, how you can use it, and how to get started. We hope you enjoy this conversation with...Timo Pagel.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 06 Oct 2021 13:00:00 -0400

Mazin Ahmed -- Terraform Security


Mazin Ahmed is a security engineer who specializes in AppSec and offensive security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, LinkedIn, and Oracle, to name a few. Mazin is the developer of several popular open-source security tools that have been integrated into security testing frameworks and distributions. Mazin also built FullHunt.io, the next-generation continuous attack surface security platform. He is also passionate about cloud security, where he has been running dozens of experiments. Mazin joins us to introduce Infrastructure as Code and Terraform and discuss the security benefits IaC brings to our cloud environments. We hope you enjoy this conversation with...Mazin Ahmed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 24 Sep 2021 00:00:00 -0400

James Ransome and Brook Schoenfield -- Trust and Verify: Building in Security at Agile Speed


Dr. James Ransome is the Chief Scientist for CyberPhos, an early-stage cybersecurity startup. He is also a member of the board of directors for the Bay Area Chief Security Officer Council and serves as an adviser to ForAllSecure and Resilient Software Security.

Dr. Ransome's career includes leadership positions in the private and public sectors. He has served in three chief information security officer and four chief security officer roles before taking on Chief Product Security Officer roles over the last 11 years. During this time, he has been building and enhancing developer-centric, self-sustaining, and scalable software security programs that are holistic, cost-effective, and operationally relevant.

Brook S.E. Schoenfield is the author of Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). Building In Security At Agile Speed (with James Ransome, Auerbach, 2021) focuses on software security for continuous development practices and DevOps. Brook helps clients with their software security and secure design practices. He mentors technical leaders to effectively deliver security strategy. He consults as a technical leader for True Positives, LLC and SEC Consult America's holistic security architecture services.

https://www.amazon.com/Building-Security-at-Agile-Speed/dp/0367433265/ref=sr_1_1?dchild=1&keywords=building+in+security+at+agile+speed&qid=1631297374&sr=8-1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 17 Sep 2021 14:00:00 -0400

OWASP Top 10 2021 Peer Review


Robert and I break down the OWASP Top 10 2021 Peer Review Edition. We walk through and give you our insights and highlights of the things that stand out to us and our questions. We feel it brings value to our audience's understanding of the OWASP Top 10 2021 and what it will likely look like when it comes out. We encourage you to go and do your own peer review of the document, submit your own pull requests, and provide your feedback and issues on GitHub, because together as a community, this is how we make this document better. Enjoy!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 14 Sep 2021 09:00:00 -0400

Anastasiia Voitova -- Encryption is easy, key management is hard


Anastasiia Voitova is the Head of Customer Solutions and a security software engineer at Cossack Labs. She works on data security and encryption tools and their integration into real-world apps.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 20 Aug 2021 09:00:00 -0400

Eran Kinsbruner -- DevSecOps Continuous Testing


Eran Kinsbruner is the Chief Evangelist and Senior Director at Perforce Software. His published books include the 2016 Amazon bestseller The Digital Quality Handbook, Continuous Testing for DevOps Professionals, and Accelerating Software Quality: ML and AI in the Age of DevOps. Eran is a recognized influencer on continuous testing and DevOps thought leadership, an international speaker, and a blogger. Eran joins us to talk about the role of testing in a secure software pipeline. We talk about the intersection of security and quality, the biggest challenges in getting started, and even have a brief conversation about how SAST is used to check automotive software. We hope you enjoy this conversation with...Eran Kinsbruner.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 13 Aug 2021 09:00:00 -0400

Mark Loveless -- Threat modeling in a DevSecOps environment


Mark Loveless - aka Simple Nomad - is a security researcher and hacker. He's spoken at numerous security and hacker conferences worldwide, including Black Hat, DEF CON, ShmooCon, and RSA. He's been quoted in the press, including CNN, the Washington Post, and the New York Times. Mark joins us to discuss his series of blog posts on threat modeling at GitLab. We discuss his philosophical approach, his framework choice (spoiler alert: it's a pared-down version of PASTA), and the success stories and best practices he's seen for threat modeling success. We hope you enjoy this conversation with...Mark Loveless.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 06 Aug 2021 14:00:00 -0400

Jeroen Willemsen -- Security automation with CI/CD


Jeroen Willemsen is a Principal Security Architect at Xebia. Jeroen is more or less a jack of all trades with an interest in infrastructure security, risk management, and application security. With a love for mobile security, he enjoys sharing knowledge on various security topics. Jeroen joins us to unpack security automation in a DevOps world. We discuss categories of tools, typical quick wins, potential downsides, and how dependency management specifically plays into automation. We hope you enjoy this conversation with...Jeroen Willemsen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 15 Jul 2021 12:00:00 -0400

Thinking back, Looking forward - A Balanced Approach to Securing our Software Future


Kevin Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He leverages his knowledge to create meaningful solutions and technologies to improve software security practices. Kevin and I had a conversation to discuss software security from the past and into the future. We cover how to make security easier for developers, SBOM, software minimalism, cyber resiliency, and so much more! We hope you enjoy this conversation with...Kevin Greene.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 11 Jun 2021 15:00:00 -0400

Jeevan Singh -- Threat modeling based in democracy


Jeevan Singh is a Security Engineering Manager at Segment, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Before life in the security space, Jeevan had a wide variety of development and leadership roles over the past 15 years. Jeevan joins us to speak about self-serve threat modeling at Segment, or threat modeling based in democracy. We discuss their focus with the program, how it fits in their dev methodology, and their ultimate goal with the threat modeling program. We hope you enjoy this conversation with...Jeevan Singh.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 21 May 2021 10:00:00 -0400

Dima Kotik -- Application Security and the Zen of Python


Dima Kotik is an Application Security Engineer at Security Journey and has been programming in Python for years. As he was working on building out Security Journey's Secure Coding with Python content, he came across the Zen of Python, a set of guidelines for how to program in Python. He wrote a blog post about how to apply application security to the Zen of Python, and then we recorded this interview to talk about the concept in more depth. We hope you enjoy this interview with...Dima Kotik.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 07 May 2021 14:00:00 -0400

Dustin Lehr -- Advocating and being on the side of developers


Before taking the plunge into information security leadership, Dustin Lehr spent over a decade as a software engineer and architect in a variety of industries, including retail, DoD, and even video games. This diverse background has helped him forge close partnerships with development teams, engineering leaders, and software security advocates while pursuing the organizational culture shift of building good security habits into daily work. Dustin joins us to talk about the challenges developers face with security and so much more. We hope you enjoy this conversation with...Dustin Lehr.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 30 Apr 2021 15:00:00 -0400

Aaron Rinehart -- Security Chaos Engineering


Aaron Rinehart is expanding the possibilities of chaos engineering to cybersecurity. He began pioneering security in chaos engineering when he released ChaoSlingr during his tenure as Chief Security Architect at UnitedHealth Group (UHG). Rinehart is the O'Reilly author of Security Chaos Engineering and has recently founded a chaos engineering startup called Verica with Casey Rosenthal from Netflix. Aaron joins us to explain what the heck security chaos engineering is. We explore the origin story of chaos engineering and security chaos engineering and how a listener can get started with this new technique. We hope you enjoy this conversation with...Aaron Rinehart.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 23 Apr 2021 12:00:00 -0400

Izar Tarandach and Matt Coles -- Threat Modeling: A Practical Guide for Development Teams


In this episode of the Application Security Podcast, we're joined by friends Izar and Matt, authors of the book "Threat Modeling: A Practical Guide for Development Teams." Izar is currently the Squarespace Principal Security Engineer. He lives in NY, where he enjoys telling people who separate security from development to get off his lawn. Matt is currently a Product & Application Security Engineer at Dell Technologies. Matt lives in Massachusetts, is an avid gamer, and enjoys time with his family when not thinking or talking to others about security. We discuss why they wrote the book, what it covers, the target audience, and how to wield the information within to threat model all the things. Robert and I both love the book, and highly recommend it, and on this episode, you'll hear why.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 16 Apr 2021 14:00:00 -0400

Charles Shirer -- The most positive person in security


Charles is a Senior Security Consultant for Red Siege. He has over 18 years of experience in IT. In his spare time, Charles does retro gaming and works on the SECBSD open source project, a penetration testing distro. He currently works as staff at several security conferences and podcasts (GrumpyHackers, Positively Blue Team Cast), and is part of the MentalHealthHackers, DeadPixelSec, NovaHackers, and HackingisNotaCrime family. Charles joins us to talk about positivity in InfoSec. If you've never seen Charles's videos, you're missing out. We'll unpack what drives his positivity and how we as infosec / appsec people can embrace a more positive approach to our world. We hope you enjoy this conversation with...Charles Shirer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 09 Apr 2021 14:00:00 -0400

Leif Dreizler -- Tactical tips to shift engineering right


Leif Dreizler is the manager of the Product Security team at Segment. Leif got his start in the security industry at Redspin doing security consulting work and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the LocoMocoSec Conference, and the AppSec California conference. Leif caught our attention when he published an article called Shifting Engineering Right: What security engineers can learn from DevSecOps. In this interview, we focus on the tactical tips and takeaways from the article, or how you as a security person can shift engineering right. We hope you enjoy this conversation with...Leif Dreizler.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 02 Apr 2021 14:00:00 -0400

Vandana Verma -- OWASP Spotlight Series


Vandana Verma is the President of InfoSec Girls and InfoSec Kids, a board of directors member for OWASP, and a leader for BSides Delhi. She joins us to introduce the OWASP Spotlight Series. With each video she creates, she highlights an OWASP project. We survey the projects she's covered and discuss a specific takeaway from each for the application security person. We hope you enjoy this conversation with...Vandana Verma.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 25 Mar 2021 09:00:00 -0400

Dr. Anita D'Amico -- Do certain types of developers or teams write more secure code?


Dr. Anita D'Amico is the CEO of Code Dx, which provides Application Security Orchestration and Correlation solutions to industry and government. Her roots are in experimental psychology and human factors. Her attention is now focused on enhancing the decisions and work processes of software developers and AppSec analysts to make code more secure. Anita joins us to discuss research she has done answering the question, "do certain types of developers or teams write more secure code?" Being a security culture fanatic, this topic is near and dear for me. We hope you enjoy this conversation with...Dr. Anita D'Amico.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 18 Mar 2021 10:00:00 -0400

Alyssa Miller -- Bringing security to DevOps and the CI/CD pipeline


Alyssa Miller is a life-long hacker, security advocate, and cybersecurity leader. She is the BISO for S&P Global Ratings and has over 15 years of experience in security roles. She is heavily involved in the cybersecurity community as an international speaker, author, and advocate. Alyssa joins us to talk about bringing security to DevOps and the CI/CD pipeline. We talk about the success of the DevOps transformation and mistakes AppSec teams make with DevOps, and explore the possible idea that DevSecOps is its own silo. We hope you enjoy this conversation with...Alyssa Miller.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 09 Mar 2021 16:26:12 -0500

Liran Tal -- Cloud-native application security, what's a developer to do?


Liran Tal is an application security activist and long-time proponent of open-source software. He is a member of the Node.js security working group, an OWASP project lead, author of Essential Node.js Security, and O'Reilly's Serverless Security. He is leading the developer advocacy team at Snyk in a mission to empower developers with better dev-first security. Liran joins us to talk about cloud-native and application security. We begin by defining cloud-native and the changes it is causing. We then get into threats in a cloud-native world and the role of developers and AppSec. We hope you enjoy this conversation with...Liran Tal.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 17 Feb 2021 06:54:07 -0500

Chris Romeo -- DevSecOps Fails


For this episode, Robert and I decided to talk about an article I wrote called "DevOps security culture: 12 fails your team can learn from". We hope you enjoy this walkthrough of the 12 fails. If we missed any, hit us up on Twitter and let us know what we should add to the list.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 10 Feb 2021 12:38:39 -0500

Jim Routh -- Secure software pipelines


Jim Routh has built software security programs at some of the biggest brands in the world. He has served as CISO or CSO six different times in his career, always staying close to his cyber and software security roots. Jim has hung up his CISO badge and now focuses on serving on boards and advising security-focused startups. Jim's original AppSec Podcast episode is our #1 most listened to of all time. Having the opportunity to interact with Jim and absorb his vast wisdom and knowledge is a treat for everyone. At the end of this interview, my immediate thought was to go back and listen to this one again. Jim talks with us about the impact of DevSecOps on the CISO, security controls for a DevSecOps pipeline model, and whether shift left is still the dominant theme for software security. We hope you enjoy this conversation with...Jim Routh.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 20 Jan 2021 10:13:31 -0500

Andrew van der Stock -- Taking Application Security to the Masses


Andrew van der Stock has been around the world of Application Security for quite a long time. In 2020, he took over as the Executive Director of OWASP, and he's working from within the organization to further the mission of taking application security to the masses. We discuss Andrew's OWASP origin story and he defines OWASP and the OWASP core mission. We talk membership, the future, and drop some details about the upcoming 20th anniversary of OWASP. We hope you enjoy this conversation with Andrew van der Stock.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 12 Jan 2021 02:00:54 -0500

JC Herz and Steve Springett -- SBOMs and software supply chain assurance


JC Herz is the COO of Ion Channel, a software logistics and supply chain assurance platform for critical infrastructure. She is a visiting fellow at George Mason's National Security Institute and co-chairs a Department of Commerce working group on software bills of materials for security-sensitive public and private sector enterprises. JC and Steve Springett join us to talk all things software bill of materials. We define what an SBOM is and what it's used for. We talk about the threats that an SBOM counters, who started it, and what the OWASP tie-in is. JC concludes our time by explaining why now is the time YOU must care about SBOMs. We hope you enjoy this conversation with...JC Herz and Steve Springett.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 06 Jan 2021 09:20:40 -0500

Brian Reed -- Mobile AppSec: The Good, the Bad and the Ugly as We Head into 2021


Brian Reed is Chief Mobility Officer at NowSecure. Brian has over 30 years in tech and 15 years in mobile, security, and apps, dating back to the birth of mobile, including BlackBerry, Good Technology, BoxTone, and Micro Focus. Brian joins us to discuss mobile application security: the good, the bad, and the ugly as we head into 2021. We discuss recent issues in mobile apps, mobile firewalls, mobile vs. web, and how AppSec is different in a mobile world. We hope you enjoy this conversation with...Brian Reed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 24 Nov 2020 16:42:39 -0500

The Threat Modeling Manifesto Part 2


This is part two of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. In this episode, we move on from definition to working through the values and principles that make up threat modeling, and then we ship the product.

The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 17 Nov 2020 07:14:04 -0500

The Threat Modeling Manifesto Part 1


This is part one of the story of a diverse group of security and privacy people that love threat modeling and gathered to define threat modeling, encourage people to threat model, help them succeed, and change the world. This is our story of the Threat Modeling Manifesto. Our intention is to share a distilled version of our collective threat modeling knowledge in a way that should inform, educate, and inspire other practitioners to adopt threat modeling as well as improve security and privacy during development.

We developed this Manifesto after years of experience thinking about, performing, teaching, and developing the practice of, Threat Modeling. We have diverse backgrounds as industry professionals, academics, authors, hands-on experts, and presenters. We bring together varied perspectives on threat modeling. Our ongoing conversations, which focus on the conditions and approaches that lead to the best results in threat modeling, as well as how to correct when we fail, continue to shape our ideas.

The working group of the Threat Modeling Manifesto consists of individuals with years of experience in threat modeling for security or privacy.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 26 Oct 2020 15:35:35 -0400

Season 7 Guests -- The best of Season 7


This is our final episode of Season 7, and we thought we'd share some of our favorite clips with you. We've covered lots of ground, from featuring many OWASP projects to DevSecOps, penetration testing, AWS security, SameSite cookies, crypto, and that just scratches the surface. We hope you enjoy this wrap-up episode with...a whole bunch of Season 7 guests.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 13 Oct 2020 12:34:19 -0400

Jean-Baptiste Aviat -- The AppSec report


Jb Aviat is CTO and co-founder at Sqreen. Prior to this, Jb worked at Apple as a reverse engineer, pentester, and developer. Jb joins us to discuss the new Application Security Report that Sqreen has released. We review what the report contains, key takeaways and conclusions, and even consider which framework/language is the most secure. We hope you enjoy this conversation with...Jb Aviat.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 06 Oct 2020 09:29:37 -0400

Frank Rietta -- The convergence of Ruby on Rails and #AppSec


Frank Rietta is the CEO of Rietta.com, a security-focused web application firm. He is a web application security architect, expert witness, author, and speaker. Frank joins us to discuss secure coding with Ruby on Rails. We get into a discussion about RoR vs. other languages, primary threats, counters to those threats, and tools available to the RoR developer to assist with security. We hope you enjoy this conversation with...Frank Rietta.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 29 Sep 2020 21:58:22 -0400

Dmitry Sotnikov -- REST API Security: there is no silver bullet


Dmitry Sotnikov serves as Chief Product Officer at 42Crunch, an enterprise API security company. He maintains https://APISecurity.io, a popular community site with daily API security news and a weekly newsletter covering API vulnerabilities, breaches, standards, best practices, regulations, and tools. Dmitry joins us to discuss REST API security. We talk about the top API security threats, counters to those threats, and the details on APISecurity.io. We hope you enjoy this conversation with...Dmitry Sotnikov.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 22 Sep 2020 10:08:44 -0400

Caroline Wong -- The state of Penetration Testing


Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec Product Manager, and day-to-day leadership roles at eBay and Zynga. Caroline joins us to talk about penetration testing and reviews key findings from the Cobalt.io "State of Pentesting" report. We hope you enjoy Caroline Wong's second visit to the Application Security Podcast.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 15 Sep 2020 17:44:07 -0400

Aaron Davis -- LavaMoat: solving JavaScript software supply chain


Aaron Davis is a founder, developer, and lead security researcher at MetaMask, a popular Ethereum wallet. He introduces us to LavaMoat, an approach to solving JavaScript software supply chain security for Node.js and the browser. The LavaMoat runtime prevents modifying JavaScript's primordials, limits access to the platform API, and prevents packages from corrupting other packages. We hope you enjoy this conversation with...Aaron Davis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 10 Sep 2020 18:11:41 -0400

Anastasiia Voitova -- Use Cryptography; Don't Learn It


Anastasiia Voitova is a software engineer who works on data security solutions at @cossacklabs, making complex crypto easy to use in modern software. She joins us to explore the idea of boring crypto. She caught our attention with a talk at OWASP 24 where she encouraged developers to NOT learn crypto. You'll have to listen to understand her rationale. She explains mistakes folks make with crypto, boring crypto, and how to get started implementing boring crypto. We hope you enjoy this conversation with...Anastasiia Voitova.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 03 Sep 2020 09:56:26 -0400

Michael Furman -- SameSite Cookies


Michael Furman is the Lead Security Architect at Tufin and is responsible for the security and Security Development Lifecycle (SDL) of Tufin software products. Michael has been passionate about application security for over 13 years and evangelizes about application security at various conferences (including OWASP conferences) and security meetups. Michael joins us to break down SameSite cookies, which are all the rage in browsers these days. He describes what they are, the threats they counter, and how SameSite + the Synchronizer Token Pattern work together to counter CSRF. We hope you enjoy this conversation with...Michael Furman.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 27 Aug 2020 09:18:55 -0400

Chris Romeo -- The State of Security and the Importance of Empathy


Application security applies to everyone, network architects included. Chris had an opportunity to join a friend's podcast called "The Hedge." Chris talks with hosts Tom and Russ about the state of security and what network engineers need to know about security from an application perspective. They talk about the importance of empathy in all jobs, walking a mile in the shoes of those who work around you.

You'll find this episode on the Hedge site at https://rule11.tech/hedge-048/.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 04 Aug 2020 09:42:11 -0400

Neil Matatall -- Content Security Policy


Neil Matatall is a product security engineer at GitHub. He focuses on designing and engineering user experience solutions related to authentication and account recovery. Working remotely from Hawaii, Neil is a strong believer in the future of remote work. Neil joins us for a deep-dive into Content Security Policy. We explore what it is, its purpose, and why it's so difficult to implement.

We hope you enjoy this conversation with Neil Matatall.

https://github.com/github/secure_headers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 28 Jul 2020 09:47:34 -0400

Grant Ongers -- Gamification of threat modeling


Grant Ongers is co-founder of the bearded trio called Secure Delivery, with a philosophy and purpose for optimal delivery and security in one dynamic package. Grant's experience spans Dev, Ops, and Security, with over 30 years pushing the limits of (Info)Sec. Grant's community involvement is global: staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at Black Hat (USA and EU), and an OWASP Global Board member.

Grant joins us to talk about gamification and threat modeling, and introduces me to the OWASP Cornucopia card game, which you can use to teach developers and product team members threat modeling in a fun and engaging way.

We hope you enjoy this conversation with Grant Ongers. @rewtd

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 20 Jul 2020 21:33:44 -0400

Elie Saad OWASP WSTG, Cheat Sheets, and Integration


Elie Saad is an application security engineer who leads three different OWASP projects. He focuses on helping developers own and champion security in their projects by providing guidance, tests, and secure pipeline design, and by aiding them in applying external security measures. In this conversation, Elie educates us about the current happenings with the WSTG, the Cheat Sheets, and the Integration Standard. He walks us through demos of each project.

We hope you enjoy this conversation with Elie Saad. @7hunderson

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 13 Jul 2020 14:41:53 -0400

Graham Holmes Adversarial Machine Learning


Graham Holmes is the founder and owner of AoP CyberSecurity, LLC whose mission is to enable organizations to create scalable and effective strategies for trustworthy outcomes. His career includes over 22 years as a leader at Cisco Systems, where he infamously served as my boss for a period of time, and before that he served in the US Navy as a commissioned officer for 9 years. Graham joins us to discuss adversarial machine learning. We explore the threats and attacks in an AI/ML world, and review solutions to address these challenges using trust as a foundation. Please enjoy this conversation with Graham Holmes.

Mentioned in this episode: Life 3.0

https://www.amazon.com/Life-3-0-Being-Artificial-Intelligence/dp/1101946598

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 07 Jul 2020 08:51:22 -0400

Ochaun Marshall Securing Web applications in AWS


Ochaun Marshall is a developer and security consultant. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. Ochaun joins us to talk about the changing tide of serverless and frustrations with AWS security. Before we got to the actual topic, we talked about how he currently works as a developer some of the time and as a pen tester/security person the rest of the time, and the conflict that arises from this split role. Please enjoy this conversation with Ochaun Marshall.

@OchaunM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 30 Jun 2020 08:32:30 -0400

Drew Dennison Security should make the computer sweat more


Drew Dennison is the CTO and co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Drew joins us to introduce a tool called semgrep. Semgrep is a fast source code analysis tool, potentially faster than anything you've seen before. If you want to see the live demo of semgrep, head over to the Application Security Podcast YouTube channel to see the video.

We hope you enjoy this conversation with Drew Dennison.

Twitter: @DrewDennison

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 23 Jun 2020 00:48:54 -0400

Aaron Guzman IoTGoat


Aaron Guzman specializes in IoT, embedded, and automotive security. Aaron is the co-author of IoT Penetration Testing Cookbook. He helps lead both OWASP's Embedded Application Security and Internet of Things projects, providing practical guidance on addressing top security vulnerabilities to the embedded and IoT community. Aaron joins us to explore IoTGoat. IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals about testing for commonly found vulnerabilities in IoT devices. He describes what it is, where it comes from, and does a demo for us on how to put it to use.

For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview. We hope you enjoy this conversation with Aaron Guzman.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 16 Jun 2020 09:00:23 -0400

Adam Shostack The Jenga View of Threat Modeling


Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. Adam joins us to discuss his new white paper called the Jenga View of Threat Modeling. For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.

You can grab a copy of the white paper on Adam's site, https://associates.shostack.org/whitepapers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 09 Jun 2020 09:00:48 -0400

Cindy Blake Aligning security testing with Agile development


Cindy Blake is the Senior Security Evangelist at GitLab. Cindy collaborates with major enterprises on best practices for integrated DevSecOps application security solutions. She is proud to introduce her new book, 10 Steps to Securing Next-Gen Software. The book combines her cybersecurity experience with a background in lean and software development, and simplifies the complexities of today's software evolution into pragmatic advice for security programs. Cindy joins us to discuss how to align security testing with Agile development.

For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 02 Jun 2020 09:00:50 -0400

Jannik Hollenbach Multijuicer: JuiceShop with a side of Kubernetes


Jannik Hollenbach is a Security Automation Engineer at iteratec GmbH, working on and with open source security testing tools to continuously detect security vulnerabilities in the company's software and systems. He is also a member of the OWASP Juice Shop project team. Jannik joins us to discuss MultiJuicer, or how to run Juice Shop in a Kubernetes cluster with a separate Juice Shop instance for each user.

For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.

We hope you enjoy this conversation with Jannik Hollenbach.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 26 May 2020 08:00:59 -0400

Sebastien Deleersnyder and Bart De Win OWASP SAMM


Sebastien Deleersnyder is co-founder and CEO of Toreon, and Bart De Win is a director within PwC Belgium. They work together to co-lead both the OWASP Belgium Chapter and the OWASP SAMM project. Sebastien and Bart join us to introduce OWASP SAMM 2.0. OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework that helps organizations assess, formulate, and implement a strategy for software security that they can integrate into an existing Software Development Lifecycle (SDLC). We explore where it came from and walk through the framework.

For season 7 and beyond, we've launched our YouTube channel, Application Security Podcast, where we post the video feeds for all episodes. You'll want to check it out, as many interviews now have demos included, where we capture the screen during the interview.

We hope you enjoy this conversation with Sebastien and Bart.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 13 May 2020 21:10:09 -0400

Marc French, Steve Lipner, Maya Kaczorowski, DJ Schleen, Kim Wuyts Season Six Wrap up


We've reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 11 Apr 2020 12:50:25 -0400

Mark Merkow Secure, Resilient, and Agile Software Development


Mark Merkow works at WageWorks in Tempe, Arizona, leading application security architecture and engineering efforts in the office of the CISO. Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis and design, security engineering, and security management. Mark has authored or co-authored 17 books on IT and has been a contributing editor to four others.

Mark joins us to discuss how application security and Agile software development methodology fit together. We hope you enjoy this conversation with Mark Merkow.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 05 Apr 2020 20:52:29 -0400

Zsolt Imre Fuzz testing is easy


Zsolt is the founder and CTO of GUARDARA, with more than 15 years of experience in cybersecurity on both the offensive and defensive sides. Zsolt explains fuzz testing, who does it, and why. He also helps us understand how to deal with fuzz testing results and how to get started doing fuzz testing on your own. We hope you enjoy this conversation with Zsolt Imre.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 28 Mar 2020 15:40:16 -0400

Adam Shostack Remote Threat Modeling


Adam joins us to discuss remote threat modeling, and we do a live threat modeling exercise to figure out how remote threat modeling actually works. If you want to see the screen share as we figure out remote threat modeling, check out the YouTube version of the episode.

Bio: Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author, and game designer. He has taught threat modeling at a wide range of commercial, non-profit, and government organizations. He's a member of the Black Hat Review Board, is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 23 Mar 2020 16:23:57 -0400

Kim Wuyts Privacy Threat Modeling


Kim Wuyts is a postdoctoral researcher at the Department of Computer Science at KU Leuven (Belgium). She has more than 10 years of experience in security and privacy in software engineering. Kim is one of the main forces behind the development and extension of LINDDUN, a privacy threat modeling framework that provides systematic support to elicit and mitigate privacy threats in software systems. Kim joins us to explain the difference between security and privacy and introduce us to LINDDUN and how to use it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 14 Mar 2020 22:48:45 -0400

John Martin Preventing a Cyberpocalypse


John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 20 Feb 2020 15:53:42 -0500

Jeremy Long It's dependency check, not checker


Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project, a software composition analysis tool that identifies known vulnerable third-party libraries. Jeremy joins us to share the origin story of dependency-check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 13 Feb 2020 15:33:37 -0500

Alyssa Miller Experiences with DevOps + Automation and beyond


Alyssa is a hacker, security evangelist, cybersecurity professional, and international public speaker with almost 15 years of experience in the security industry. A former developer, her background is in application security, not only conducting technical assessments but also helping develop complete security programs. Alyssa joins us to share her take on DevOps, automation, and beyond. She also shares a great story about how she got domain admin in 3 minutes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 07 Feb 2020 19:15:09 -0500

Vandana Verma Support each other


Vandana Verma is a passionate advocate for application security. From serving on the OWASP Board to running various groups promoting security to organizing conferences, she is engaged in making the global application security community a better place. She manages the @Infosecgirls organization and is a leader for the @OWASPBangalore chapter. Vandana joins us to discuss her work so far on the OWASP Board, to discuss her AppSec DC keynote on diversity, and to catch us up on InfoSecGirls and WIA.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 30 Jan 2020 10:24:32 -0500

DJ Schleen DevOps: The Sec is Silent


DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey. DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, and the DevSecOps reference architectures. We hope you enjoy this conversation with DJ Schleen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 24 Jan 2020 10:41:01 -0500

Niels Tanis 3rd Party Risk in a .NET World


Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending, and building secure applications. Niels joins us to continue our .NET conversation from last year. This time around we focus on the third-party risk we pull into our applications by using third-party libraries in a .NET world.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 16 Jan 2020 15:17:50 -0500

Maya Kaczorowski Container and Orchestration Security


Maya is a Product Manager in Security & Privacy at Google, focused on container security. She previously worked on encryption at rest and encryption key management. Maya has a Master's in mathematics, focusing on cryptography and game theory. Maya joins us to discuss how containers improve security, a high-level threat model of containers and orchestration, and tips for enhancing security as you roll out containers and Kubernetes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 09 Jan 2020 11:23:43 -0500

Geoff Hill AppSec, DevSecOps, and Diplomacy


Geoffrey Hill is an AppSec and DevSecOps leader and architect. Geoff joins us to discuss his experiences rolling out DevSecOps in both Agile and non-Agile shops. We hope you enjoy this conversation with Geoff Hill.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 03 Jan 2020 15:19:24 -0500

Erez Yalon The OWASP API Security Project


Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez joins us to speak about the new OWASP API Security Project, and more specifically, the new API Security Top 10. We hope you enjoy this conversation with Erez Yalon.

Find the Document on the OWASP GitHub: https://github.com/OWASP/API-Security

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 19 Dec 2019 22:12:53 -0500

Steve Lipner The Past, Present, and Future of SDL


Steve Lipner is a pioneer in cybersecurity with nearly 50 years of experience. He retired in 2015 from Microsoft, where he was the creator and long-time leader of Microsoft's Security Development Lifecycle (SDL) team. While at Microsoft, Steve also created initiatives to encourage industry adoption of secure development practices and the SDL, and served as a member and chair of the SAFECode board. Steve joins us to talk about all things SDL, and I must say, I was super excited for this interview, with way too many questions for someone who was there on day 1 of the Security Development Lifecycle. We hope you enjoy this conversation with Steve Lipner.

You'll find Steve's bio on the SAFECode website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 15 Dec 2019 19:18:41 -0500

David Kosorok The Three Pillars of an AppSec Program: Prevent, Detect, and React


David Kosorok is a code security expert, software tester, father of 9, and a self-described major nerd. David is the Director of AppSec at Align Tech, and a fellow member of the Raleigh-Durham tech community. David joins us to speak about the three pillars of building an application security program: Prevent, Detect, and React. When we think about program building, we've never heard anyone describe a program this way, and we thought you needed to hear about a different approach to program building. We hope you enjoy this conversation with David Kosorok.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 01 Dec 2019 14:59:31 -0500

Chris and Robert: A Taste of Hi-5


As the hosts of the Application Security Podcast, we get the opportunity from time to time to mix it up. This week we gather a few security articles, share a summary, and offer our opinions (for what our opinions are worth). The source of the articles is Hi-5, a weekly newsletter containing five security articles that are worth your time. We scour the Interwebs looking for the best articles on application and product security and share those with you. You can subscribe to Hi-5 on the Security Journey website.

Hit us up on Twitter and let us know if you like this format and if we should do more of this type of content. We hope you enjoy this episode with, Chris and Robert.

These are the articles:

Interest In Secure Design Practices Is Increasing Leading To Two Predictions

Developers mentoring other developers: practices I've seen work well

7 Web Application Security Best Practices

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 21 Nov 2019 16:43:28 -0500

Bill Dougherty INCLUDES NO DIRT, practical threat modeling for healthcare and beyond


Bill Dougherty is the vice president of IT and security at Omada Health, where he leads a team responsible for all aspects of internal IT, including SaaS strategy, end-user support, vendor management, operational security, and compliance. Bill, along with Patrick Curry, created the INCLUDES NO DIRT approach to threat modeling, which takes threat modeling to the next level, beyond STRIDE, and goes head-on with a more modern set of real-world security considerations. We hope you enjoy this conversation with Bill Dougherty.

Find Bill on Twitter @bdognet.

For an article about the methodology, see INCLUDES NO DIRT: A Practical Threat Modeling Approach for Digital Healthcare and Beyond

For the paper that describes the methodology and how to implement, see INCLUDES NO DIRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 10 Nov 2019 14:33:47 -0500

Marc French The AppSec CISO


Marc French is a security person, firearms geek, scuba guy, lousy golfer, and an aspiring blacksmith. We met Marc in the hallway at the Boston Application Security Conference. Marc has extensive experience as a CISO but came from the world of AppSec to the exec suite, which is not the normal path. We discuss what is a CISO, and what does a CISO actually do, the role of AppSec in the life of the CISO, and tips Marc has for those that wish to become a CISO someday. We hope you enjoy this conversation with Marc French.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 26 Oct 2019 13:32:07 -0400

Season 5 Finale A cross section of #AppSec


Threat modeling, secrets, mentoring, self-care, program building, and much more. Clips from Georgia Weidman, Simon Bennetts, Izar Tarandach, Omer Levi Hevroni, Tanya Janca, Björn Kimminich, Caroline Wong, Adam Shostack, Steve Springett, Matt McGrath, Brook Schoenfield, and Ronnie Flathers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 27 Sep 2019 21:12:35 -0400

Ronnie Flathers Security programs big and small


Ronnie Flathers is a security guy, a pentester, and a researcher. In this conversation, we explore his experiences in building application security programs. He's had the opportunity to build programs inside companies big and small.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 15 Sep 2019 16:33:49 -0400

Brook Schoenfield Security is a messy problem


Brook Schoenfield is a Master Security Architect @IOActive and author of Securing Systems, as well as an industry leader in security architecture and threat modeling, and a friend. "We have a static analysis tool. Why do we need a program?" This is what Brook overheard at one point in his past, from a company CTO, and it sums up the program issue. The CTO was trying to drive a technical strategy for an entire company, and security was just one piece of that. A mandate or a tool would have made life so easy.

Brook takes us on a journey based on his experience building programs, with advice, stories, comments, and quotes. We talk about architecture, culture, mindset, tools, compilers and so much more.

Catch Brook's next book, Secrets of a Cyber Security Architect, which arrives in Fall 2019.

Here is Brook's first book on Amazon: Securing Systems: Applied Security Architecture and Threat Models

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 05 Sep 2019 17:26:48 -0400

Liran Tal The state of open source software security


Liran Tal is a Developer Advocate @snyksec and is the author of Essential Node.js Security. He takes #opensource and protecting the #web very seriously. Liran and I start by geeking out about BBSs in the days of old. SYSOP page, anyone? Then we go into the state of open source security based on the report that Liran contributed heavily to, and discuss many of the key takeaways from that report, including the developer response to open source security, security vulnerability rates in Docker containers, and the length of time that vulnerabilities lie dormant in open source. We close out with the three things Liran would do to improve open source security if he could only do three things.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 03 Sep 2019 18:11:23 -0400

Liran Tal Open Source Security 5 Minute AppSec


Why should someone care about open source security?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 27 Aug 2019 18:45:50 -0400

Steve Springett An insider's checklist for Software Composition Analysis


Steve Springett is a technologist, husband, father, entrepreneur, and tequila aficionado. He is the creator of the OWASP @DependencyTrack and @CycloneDX_Spec. In this conversation, we begin with the problem of software supply chain risk and the failures of commercial Software Composition Analysis tools. We then go through an extensive list of criteria for purchasing a software composition analysis tool. I have never seen a list like this ever shared anywhere in the industry. Steve is definitely in the know when it comes to these types of tools, and this is a detailed checklist of what he looks for in a tool. We end with a 60-second update on Dependency Track.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 25 Aug 2019 18:48:03 -0400

Steve Springett OWASP Dependency Track 5 Minute AppSec


The question for Steve Springett concerns Software Composition Analysis, the software supply chain, and OWASP Dependency-Track.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 18 Aug 2019 22:20:17 -0400

Elissa Shevinsky Static Analysis early and often


Elissa Shevinsky is CEO at Faster Than Light. She's had a storied career as an entrepreneur with Brave, Everyday Health, and Geekcorps. We discuss Elissa's origin story, security startups, and the value of mentoring to her career. Then we get into Static Analysis and how we make security easier for people so that security gets done.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 14 Aug 2019 13:31:57 -0400

Elissa Shevinsky Be Kind, Security People 5 Minute AppSec


Robert asks Elissa Shevinsky, why should people be nice, or why is niceness important in security?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 05 Aug 2019 16:55:49 -0400

Matt McGrath Security coaches


Matt McGrath is an old-school Java developer who made the transition into security. Matt has had success in rolling out a programmatic approach to security improvement called security coaching. A security coach is much more than a wellness or life coach for your developers. They have some commonalities, but the security coach is thinking about how you help the developer want to get better at security. In his experience, developers are not going to kick and scream away from security but will embrace it when asked.

The job description for a good coach does not require a development background. The biggest thing you need is a passion for security. Communication is one of the most important things for a coach to have as well, and technical skills do not hurt.

We hope you enjoy this conversation with Matt McGrath.

Our sponsor for this episode is Security Journey. Security Journey knows that building security culture takes time and planning. Our belts are carefully designed to help you build security culture from the ground up.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 29 Jul 2019 19:41:52 -0400

Erez Yalon and Liora Herman The Application Security Village @ DefCon


Erez Yalon and Liora Herman are both passionate security professionals. They joined forces to create the AppSec Village, an event at DefCon in Las Vegas. If you are in Vegas for BH/DC, stop by the village and say hi to Robert, who will be in attendance as well.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 29 Jul 2019 18:04:00 -0400

Erez Yalon AppSec Village 5 Minute AppSec


It's BlackHat and DefCon season, so we asked Erez Yalon a question: why did you start the AppSec Village?


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 19 Jul 2019 16:52:19 -0400

Tommy Ross The BSA Framework for Secure Software


Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software. This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within.

If you'd like to comment or collaborate on this document, it is available in review form at https://github.com/thomasrbsa/BSA-Framework-for-Secure-Software

The PDF is available on the BSA website: https://www.bsa.org/files/reports/bsa_software_security_framework_web_final.pdf


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 10 Jul 2019 16:29:26 -0400

Adam Shostack Threat modeling layer 8 and conflict modeling


Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8 or human beings, and explore the concept of conflict modeling.

You'll find Adam's conflict modeling work on GitHub.

https://github.com/adamshostack/conflictmodeling


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 09 Jul 2019 14:43:08 -0400

Adam Shostack Threat Modeling 5 Minute AppSec


If you've done anything with threat modeling, you've heard of Adam Shostack. We asked him the question, "Why would anyone threat model?"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 01 Jul 2019 10:00:58 -0400

Zoe Braiterman AI, ML, AppSec, and a dose of data protection


Zoe Braiterman is an Innovation Intelligence Strategist focused on both the Machine and Human and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of appsec in the future of autonomous everything.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 13 Jun 2019 22:48:49 -0400

Caroline Wong Self-care and self-aware for security people


Caroline Wong has had a long career in security, starting with eBay and leading to her role today at Cobalt.IO as Chief Strategist. Caroline shares her explanation of self-care and tells her story about how neglecting self-care led to problems. She offers ideas about how to better approach self-care as a security professional, work-life balance, and ways for approaching a successful career in security.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 31 May 2019 22:17:50 -0400

Björn Kimminich The new JuiceShop, GSOC, and Open Security Summit


Björn Kimminich is the project leader for OWASP JuiceShop. This is his second visit to the podcast, and we discuss new features in JuiceShop, including XSS in the jingle promo video, marketing campaign coupon hacking, GDPR-related features and challenges, working 2FA with TOTP, and the DLP failure challenges. Then we get into the cool new things that will come as a result of GSoC, where a developer will add new functionality to the JS where new vulns can be hidden. We end by discussing the upcoming Open Security Summit from OWASP.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 26 May 2019 19:02:22 -0400

Björn Kimminich JuiceShop 5 minute AppSec


Björn Kimminich is the project leader for OWASP JuiceShop. He created JuiceShop out of necessity, after reviewing all the available vulnerable web apps years ago and not finding what he needed. OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 21 May 2019 09:00:41 -0400

Nancy Garich and Tanya Janca DevSlop, the movement


Nancy Garich and Tanya Janca are two of the project leaders for the OWASP DevSlop Project. As we learn more about DevSlop, we realize that it is much more than a project: it's a movement. DevSlop is about the learning and sharing of four awesome women and is a platform for them to share what they've learned with the community.

DevSlop consists of four different modules:

  1. Patty, an Azure DevSecOps pipeline.
  2. Pixi-CRS and Pixi-CRS-ZAP, two CircleCI pipelines that demonstrate adding a WAF to your pipeline for automatic tuning before moving your apps to prod.
  3. Pixi, an intentionally vulnerable app consisting of a vulnerable web app and API service.
  4. The DevSlop Show, a video streaming series where project members build things live, interview members of the OWASP and InfoSec community, and learn where they fit into DevOps.

We hope you enjoy.

Find Nancy, Tanya, and DevSlop on Twitter.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 19 May 2019 20:54:35 -0400

Tanya Janca Mentoring Monday 5 Minute AppSec


Tanya Janca is excited about mentoring. She's started a hashtag on Twitter for mentors to find mentees, and for mentees to search for mentors. Mentoring is such an essential part of growing our community, so if you are not mentoring anyone today, I can only ask, why not? Here is Tanya's take on mentoring and her advice on how to get involved with #MentoringMonday.

5 Minute AppSec is an AppSec Podcast experiment with micro-content. Hit us up on Twitter and tell us what you think, @AppSecPodcast.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 13 May 2019 17:42:25 -0400

Matt Clapham A perspective on appsec from the world of medical software


Matt Clapham is a product security person, as a developer, security engineer, advisor, and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you had better know how your company makes a secure product or solution!)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 06 May 2019 03:00:14 -0400

Jon McCoy Hacker outreach


Jon McCoy is a security engineer, a developer, a hacker, and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas. Jon also remembered a cautionary tale of Robert's Fitbit at a DefCon event. Jon is someone we can all learn from about giving back to our community.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 30 Apr 2019 23:07:22 -0400

Omer Levi Hevroni K8s can keep a secret?


Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he's a super dev. He's the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, and AES).

Find Omer on Twitter to converse about all things K8s and secrets.

Show notes:

https://blog.solutotlv.com/can-kubernetes-keep-a-secret/

https://github.com/Soluto/kamus


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 23 Apr 2019 21:52:18 -0400

Izar Tarandach Command line threat modeling with pytm


Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as "a Pythonic framework for threat modeling". The GitHub page goes on to say: define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, threats to your system.

Reach out to Izar on Twitter and visit the pytm GitHub page to download and try this tool out for yourself!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 13 Apr 2019 15:35:13 -0400

Simon Bennetts OWASP ZAP: past, present, and future


Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API. ZAP is an OWASP FlagShip Project and is available here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 07 Apr 2019 20:26:21 -0400

Bill Sempf Growing AppSec People and KidzMash


Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sat, 30 Mar 2019 23:29:57 -0400

Georgia Weidman Mobile, IoT, and Pen Testing


Georgia Weidman (@georgiaweidman) met with Robert at CodeMash to discuss her origin story, mobile, IoT, penetration testing, and details about her various companies. If you've never seen Georgia's book on penetration testing, we recommend you grab a copy: http://www.nostarch.com/pentesting To sign up for the newsletter mentioned at the start of this week's show, visit https://info.securityjourney.com/hi5signup


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sun, 24 Feb 2019 20:00:18 -0500

Conclusion: Season 4 Finale


Here it is. The finale of season four. Thanks to everyone who listens in, and remember, if there are any people you want us to interview on the podcast, tweet at us @AppSecPodcast


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 01 Feb 2019 18:18:37 -0500

Geoff Hill -- Rapid Threat Model Prototyping Process


Geoff Hill joins Chris and Robert to talk about Rapid Threat Model Prototyping Process. You can find Geoff on Twitter @Tutamantic_Sec


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 25 Jan 2019 13:34:51 -0500

Bill Wilder -- Running Azure Securely


Bill Wilder joins Chris and Robert to talk about Running Azure Securely. You can find Bill on Twitter @codingoutloud


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 18 Jan 2019 17:50:44 -0500

Matt Konda -- OWASP Glue


Matt Konda joins Chris and Robert to talk about what Glue is.

You can find Matt on Twitter @mkonda

OWASP Glue


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 11 Jan 2019 18:04:42 -0500

Josh Grossman, Avi Douglen, and Ofer Maor -- AppSec in Israel and Three Talks to watch from AppSec USA


Josh Grossman, Avi Douglen, and Ofer Maor at AppSec USA join Chris. They discuss the AppSec group in Israel and a few critical talks you should watch from AppSec USA this year.

You can find Josh on Twitter @JoshCGrossman

You can find Avi on Twitter @sec_tigger

You can find Ofer on Twitter @OferMaor


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 01 Jan 2019 13:22:09 -0500

Daniel Miessler -- OWASP IoT Top 10


Daniel Miessler joins Chris and Robert to talk about the upcoming Top 10 list for IoT.

You can find Daniel on Twitter @DanielMiessler

IoT Project


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 17 Dec 2018 21:35:54 -0500

Travis McPeak -- SecOps Makes Developers' Lives Easier


Travis McPeak joins Chris to talk about SecOps and how it can help make a developer's life easier.

You can find Travis on Twitter @travismcpeak


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 10 Dec 2018 14:09:29 -0500

Chris Romeo -- Security Culture Hacking: Disrupting the Security Status Quo


We listen in on the #AppSecUSA talk by Chris about Security Culture Hacking.

You can find Chris on Twitter @edgeroute


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 03 Dec 2018 16:15:34 -0500

Jim Manico -- The Extremely Unabridged History of SQLi and XSS


Jim Manico joins again to talk about how AppSec has changed over the years and gives us an in-depth look at the history of SQL Injection and XSS.

You can find Jim on Twitter @manicode


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 27 Nov 2018 15:58:06 -0500

Jeff Williams -- The History of OWASP


Chris talks with Jeff Williams about the History of OWASP and where it came from.

You can find Jeff on Twitter @planetlevel


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 19 Nov 2018 13:11:58 -0500

Bjorn Kimminich -- The Joy of the Vulnerable Web: JuiceShop


Bjorn Kimminich joins to talk about JuiceShop. He dives into what JuiceShop is and some of its use cases.

You can find Bjorn on Twitter @bkimminich


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 13 Nov 2018 13:33:28 -0500

Swaroop Yermalkar -- iGoat and iOS Mobile Pen Testing


Chris is at AppSec USA and is joined by Swaroop to talk about iGoat. They discuss how iGoat relates to WebGoat and how they can be used for pen testing.

You can find Swaroop on Twitter @swaroopsy


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 05 Nov 2018 16:36:50 -0500

Adam Bacchus and Jon Bottarini -- Two Sides to a Bug Bounty: The Researcher and The Program


Chris and Robert talk with Adam and Jon from HackerOne about bug bounty. They dive into bug bounty from both the program side and the security researcher side, showing how the two pieces combine to make a bug bounty successful.

You can find Adam on Twitter @SushiHack and Jon @jon_bottarini


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 29 Oct 2018 20:18:14 -0400

Erlend Oftedal -- What You Require, You Must Also Retire


Chris talks with Erlend Oftedal about the Norway Chapter of OWASP and continues on to what retire.js is and how it works.

You can find Erlend on Twitter @webtonull


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 23 Oct 2018 17:45:41 -0400

Abhay Bhargav -- Threat Modeling as Code


Abhay Bhargav joins Robert to talk about threat modeling as code. He dives into how this can help you in your threat models.

You can find Abhay on Twitter @abhaybhargav


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 16 Oct 2018 16:21:31 -0400

Tony UV -- Threat Libraries in the Cloud


Tony UV joins Robert to discuss all things threat libraries in the cloud.

You can find Tony on Twitter @t0nyuv


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 08 Oct 2018 20:53:19 -0400

Aaron Rinehart -- Chaos Engineering and #AppSec


Chris and Robert talk to Aaron Rinehart about how the security community can embrace chaos engineering.

You can find Aaron on Twitter @aaronrinehart


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 01 Oct 2018 14:18:10 -0400

Jessica Robinson and Vandana Verma -- WIA: Women in #AppSec


Jessie and Vandana join Chris from Women in #AppSec to discuss the project! They dive into what the project is and how the numerous OWASP Chapters around the world can participate!

You can find them on Twitter @InfosecVandana and @jessrobin96


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 25 Sep 2018 06:00:37 -0400

Karen Staley -- A Conversation with Karen


This week we're joined by Karen Staley, the Executive Director of the OWASP Foundation. She dives into what's happening on OWASP and what we can look forward to in the future.

You can find her on Twitter @owasped


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 18 Sep 2018 06:00:10 -0400

Mohammed Imran -- Back to the Lab Again with a DevOps


Mohammed Imran joins us to discuss the DevSecOps Studio and more about the beautiful world of DevOps.

You can find him on Twitter @secfigo


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 11 Sep 2018 06:00:08 -0400

Niels Tanis -- A Slice of the Razor with ASP.Net Core


Niels Tanis joins to talk about Razor and ASP.Net Core versus General.

You can find Niels on Twitter @nielstanis


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 04 Sep 2018 13:01:21 -0400

Ofer Maor -- A Pen Tester's Transition to #AppSec: #VoteForOfer


Chris is joined by Ofer Maor to talk about his journey of transitioning into the world of #AppSec from the world of Pen Testing.

You can find him on Twitter @OferMaor


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 28 Aug 2018 11:23:36 -0400

Matt Tesauro -- #AppSec Pipeline as Toolbox


We're joined by Matt Tesauro, a co-lead for the AppSec Pipeline Project. He explains how they began building this project and some ways for you to start using this in your organization.

You can find Matt on Twitter @matt_tesauro


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 20 Aug 2018 18:00:52 -0400

Stephen de Vries -- Threat Modeling with a bit of #Startup


Stephen de Vries joins to discuss Threat Modeling and the unique approach that he takes by using tooling. We also discuss application security and startups.

You can find Stephen on Twitter @stephendv


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 14 Aug 2018 06:00:02 -0400

Julien Vehent -- Securing DevOps


Julien Vehent joins us to discuss all things DevOps + Security. We talk through Julien's new book, Securing DevOps, and go in-depth about his journey to building security into DevOps at his job.

You can find Julien on Twitter @jvehent

Visit Manning Publications


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 07 Aug 2018 06:00:44 -0400

Christian Folini -- CRS and an Abstraction Layer


Christian Folini joins Chris at AppSec EU for this episode about ModSecurity and the Core Rule Set project from OWASP. They dive into the timeline for the abstraction layer piece of the project and much more.

You can find Christian on Twitter @ChrFolini.

OWASP ModSecurity Core Rule Set

ModSecurity


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 30 Jul 2018 06:00:49 -0400

Sean Wright -- Google Chrome and the Case of the Disappearing HTTP


Sean Wright joins Chris to discuss the changes Google made to handle the HTTP Protocol. They also dive into TLS and some other pieces of crypto that relate to #AppSec.

You can find Sean on Twitter @SeanWrightSec


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 12 Jun 2018 06:00:45 -0400

Conclusion: All the Pieces You Need for an #AppSec Program


The conclusion of Season 3, all the best highlights, and some great advice from our guests on what you need to build an #AppSec Program.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 05 Jun 2018 06:00:47 -0400

Martin Knobloch -- OWASP, Reach Out; We Are Known and Misunderstood


Martin Knobloch joins Chris and Robert to discuss all things OWASP. They dive into the history of OWASP and some of the plans for the future.

You can find Martin on Twitter @knoblochmartin.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 29 May 2018 06:00:41 -0400

Devin McMasters -- Bug Bounty with a Side of Empathy


Devin McMasters joins Chris to talk about bug bounties and how to make them successful.

You can find Devin on Twitter @DevinMcmasters


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 22 May 2018 06:00:11 -0400

Apollo Clark -- Malicious User Stories


In this episode, Robert speaks about Malicious User Stories and DevOps with Apollo Clark. He discusses how to properly handle user stories in a world being taken over by DevOps.

You can find Apollo on Twitter @apolloclark


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 15 May 2018 13:32:19 -0400

Megan Roddie -- Neurodiversity in Security


Megan Roddie joins Robert at the SOURCE Conference in Boston. She talks about how neurodiverse people can truly help an organization.

You can find her on Twitter @megan_roddie


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 27 Apr 2018 06:00:26 -0400

Chase Schultz -- AppSec and Hardware


Chase Schultz joins to discuss the combination of AppSec and hardware. He also dives into how the Meltdown and Spectre attacks worked.

You can find Chase on Twitter @f47h3r_B0


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 20 Apr 2018 06:00:37 -0400

John Melton -- #OWASP AppSensor


John Melton joins to discuss the #OWASP AppSensor project. He talks about how AppSensor works and how it can be used in your application.

You can find John on Twitter @_jtmelton


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 13 Apr 2018 16:11:17 -0400

David Habusha -- Third Party Software is not a Cathedral, It's a Bazaar


David Habusha joins to discuss the OWASP Top 10 A9: Using components with known vulnerabilities. He also dives into the Software Composition Analysis (SCA) market.

You can find David on Twitter @davidhabusha


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 12 Apr 2018 18:31:35 -0400

Steve Springett -- Dependency Check and Dependency Track


Steve Springett joins the show to talk about Dependency Check and Dependency Track. He also discusses how they can help prevent you from using components with known vulnerabilities.

You can find Steve on Twitter @stevespringett

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 06 Apr 2018 06:00:45 -0400

Steven Wierckx -- The #OWASP Threat Modeling Project


Steven Wierckx joins Robert and Chris this week to talk about the #OWASP Threat Modeling project that he's involved in.

You can find Steven on Twitter @ihackforfun

https://open-security-summit.org/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 05 Apr 2018 14:59:50 -0400

Jim Manico -- The #OWASP Cheat Sheet Project


Jim Manico joins us to discuss some of the changes with the OWASP Cheat Sheets and their plans for that project's future. Jim also talks about how they are looking for experts to create or update some of the Cheat Sheets.

You can find Jim on Twitter @manicode

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 23 Mar 2018 06:00:08 -0400

Neil Smithline -- OWASP Top 10 #10: Logging


Neil Smithline joins this week to discuss one of the new items on the OWASP Top 10 List, Insufficient Logging and Monitoring.

You can find Neil on Twitter @neilsmithine

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 15 Mar 2018 20:00:23 -0400

Jim Routh -- Selling #AppSec Up The Chain


Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built five successful software security programs in his career and serves as a CISO now. Jim shares his real-world experience with successfully selling #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program).

You can find Jim on Twitter @jmrouth01

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 09 Mar 2018 05:00:29 -0500

Chris and Robert -- #AppSec Recommendations


Chris and Robert go over a plethora of recommendations they have accumulated over their years of experience in the industry.

Chris's recommendations

1. Book: Agile Application Security: Enabling Security in a Continuous Delivery Pipeline

by Laura Bell (Author), Michael Brunton-Spall (Author), Rich Smith (Author), Jim Bird (Author)

https://amzn.com/1491938846

2. Website: Iron Geek

Adrian Crenshaw records many major, non-commercial security conferences and posts the talks to YouTube.

http://www.irongeek.com/

3. Book: The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations

by Gene Kim (Author), Patrick Debois (Author), John Willis (Author), Jez Humble (Author)

https://amzn.com/1942788002

4. News Source: The Register

A news site, but one with great sources and a bit of British humor attached to technology failures.

http://www.theregister.co.uk/security/

5. Blog: TechBeacon

https://www.techbeacon.com

6. Book: Threat Modeling: Designing for Security

by Adam Shostack (Author)

https://amzn.com/1118809998

7. Book: The Tangled Web: A Guide to Securing Modern Web Applications

by Michal Zalewski (Author)

https://amzn.com/B006FZ3UNI

8. Book: Start with Why: How Great Leaders Inspire Everyone to Take Action

by Simon Sinek (Author)

Not a security book, but a good approach for those trying to change a security culture.

https://amzn.com/B002Q6XUE4

Robert's Recommendations

1. Books by Martin Fowler (Author)

He wrote many books on understanding software architecture.

https://martinfowler.com/books/

2. Book: Software Security: Building Security In

by Gary McGraw (Author)

http://a.co/5EIlu4h

3. Book: Core Software Security: Security at the Source
by James Ransome (Author) and Anmol Misra (Author)

http://a.co/hEwCflz

4. Book: Threat Modeling: Designing for Security

by Adam Shostack (Author)

https://amzn.com/1118809998

5. Websites: Troy Hunt

https://www.troyhunt.com/

https://haveibeenpwned.com/

6. Conferences: #AppSec USA, B-Sides, Source, Converge

https://2018.appsecusa.org/

http://www.securitybsides.com

https://sourceconference.com/

https://www.convergeconference.org/

7. Website: Google Alerts

Use this to be notified about specific topics you want to learn about.

https://www.google.com/alerts

8. Book: The Checklist Manifesto: How to Get Things Right

by Atul Gawande (Author)

http://a.co/dirHpwq

9. Book: Securing Systems: Applied Security Architec

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 02 Mar 2018 05:00:03 -0500

Magen Wu -- Hustle and Flow: Dealing With Burnout in Security


Magen Wu works through the topic of burnout and mental health in security. She gives examples of handling this and recognizing if people around you are burning out.

You can find her on Twitter @infosec_tottie

Additional information on this topic:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 23 Feb 2018 05:00:02 -0500

Katy Anton -- OWASP Top 10 #4 XXE


Katy Anton joins this week to discuss number four on the OWASP Top 10. She dives into what XXE is, how to deal with it, and other new items on the OWASP Top 10 2017.

You can find Katy on Twitter @KatyAnton

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 15 Feb 2018 21:00:51 -0500

Pete Chestna -- SAST, DAST, and IAST. Oh My!


Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. Pete shared a moving quote during this episode: "An #AppSec program is the byproduct of building secure developers." #Truth

Pete describes the differences between SAST, DAST, IAST, and RASP; the struggles developers encounter when using new tools; false positives and how to reduce them; and advice for building an #AppSec program from scratch versus adding tools to a mature program.

You can find Pete on Twitter @PeteChestna.

Additional information on this topic:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 09 Feb 2018 11:35:26 -0500

Irene Michlin -- We Are Not Making It Worse


Irene Michlin operates at the intersection of security and agility. She teaches incremental threat modeling and how to do threat modeling when living in an Agile or DevOps world.

Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude, "We are not making it worse."

You can find Irene on Twitter @IreneMichlin, and check out Irene's talk on Incremental Threat Modeling from last year at AppSec EU.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 02 Feb 2018 10:09:10 -0500

Bill Sempf -- Insecure Deserialization


Bill Sempf joins to talk about insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization and the specifics of how it applies to .NET. Bill begins his journey to understand these vulnerabilities and provides some hints and tips for looking for them in your code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 26 Jan 2018 10:08:25 -0500

Chris and Robert -- Security Champions


Security champions are the hands and feet of any well-equipped product security team. Robert and Chris introduce security champions, where to find them, why you need them, and how to set up a beginning champion program from scratch.

Here are a few other resources that we've written about Security Champions:

Do you have Security Champions in your company?

Information security needs community: 6 ways to build up your teams

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Fri, 19 Jan 2018 08:00:45 -0500

Kevin Greene -- Shifting left


Robert and Chris interview Kevin Greene from Mitre. We discuss an article Kevin wrote about shifting left and exploring codifying intuitions and new projects at Mitre that will bolster the knowledge of your developers and testers. Kevin brings up the need for accurate results from the SAST and DAST tools on the market. He brings an exciting perspective, focusing on research and development at DHS.

Kevin's article on Dark Reading

CAWE

ATT&CK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 05 Dec 2017 13:31:33 -0500

Conclusion: OWASP is for everyone


This is the conclusion of Season 02 for the AppSec PodCast. This episode focuses on all the OWASP goodness we've experienced this year. You'll hear our favorite clips and explanations from a season full of OWASP.

With the publication of this episode, season 02 is a wrap, and on to season 03, which will roll out in March.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 24 Oct 2017 10:00:31 -0400

Brian Andrzejewski -- Containers Again


This is the final interview from the #AppSecUSA Conference in Orlando, and Brian Andrzejewski joins Chris and Robert.

He talks about containers, their usage within #AppSec, and orchestrations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 17 Oct 2017 10:00:05 -0400

Tin Zaw -- ModSecurity and #AppSec


Tin Zaw, an advocate for ModSecurity, joins Robert and Chris.

He dives into its background, the use of rules, and the many advantages.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 10 Oct 2017 14:16:24 -0400

Aditya Gupta -- The Exploitation of IoT


Aditya Gupta joins Robert and Chris.

They speak with him about the many facets of IoT and some of its effects on pen testing, training, and mobile application security.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 03 Oct 2017 10:00:19 -0400

Jim Manico and Katy Anton -- The Future of the OWASP Proactive Controls


Chris and Robert talk to Jim Manico and Katy Anton about the OWASP Proactive Controls project.

We have discussed this before, and they are looking for feedback on the upcoming update.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 25 Sep 2017 14:31:14 -0400

Andrew van der Stock and Brian Glas -- The Future of the OWASP Top 10


We talk about the future of the OWASP Top 10. We do this by meeting the new project leadership team, understanding the process for how they do governance now and into the future, and how they deal with provided feedback. We look behind the curtain at how they make decisions and use the data and feedback provided.

Side note: at the AppSec USA closing, the OWASP Top 10 leaders announced that A7 and A10 from the OWASP Top 10 RC1 have been removed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 19 Sep 2017 10:00:12 -0400

Robert Hurlbut -- Threat Modeling


On this week's episode of the #AppSec Podcast, Chris and Robert are at #AppSecUSA.

We hear a conference talk done by Robert on the topic of Threat Modeling. He goes more in-depth than ever before on the show.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 12 Sep 2017 18:28:31 -0400

Chris and Robert -- Passwords, Identity, and #AppSec


Robert and Chris talk about Passwords, something we all are familiar with.

They dive into specifics with passwords and threats that can occur with them. They also talk about how passwords interact with Identity and AppSec.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 05 Sep 2017 10:00:03 -0400

Tanya Janca and Nicole Becher -- Hacking APIs and Web Services with DevSlop


Tanya and Nicole join Chris and Robert. They talk about what APIs are, how they are used, and some of the threats involved with them. They also look at what DevSlop and ZAP are in combination with APIs.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 29 Aug 2017 10:00:52 -0400

Jon Mccoy and Jonathan Marcil -- Agile #AppSec


Robert and Chris speak with Jon Mccoy and Jonathan Marcil about using Agile #AppSec in the Secure Development Lifecycle.

They dive deeper into what agile is, how it can be used, some practical applications using security champions, and much more.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 22 Aug 2017 11:55:47 -0400

Jay Beale -- Docker Security and AppSec


A listener asked for a recommendation for a PodCast or blog post about Docker security. We looked but couldn't find one, so we created one. Robert interviews Jay Beale from InGuardians and asks what Docker is, what threats it introduces, and the specific tie-ins with AppSec.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 17 Aug 2017 16:25:26 -0400

Chris and Robert -- Proactive Controls, AppSec USA, and Gartner's MQ on AppSec Testing


Robert and I try a new format for discussing a few topics per episode. We discuss changes with the Proactive Controls, AppSecUSA, and the Gartner Magic Quadrant for Application Security Testing.

We mentioned the link to OWASP Proactive Controls to review the draft and suggest updates.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 08 Aug 2017 10:00:43 -0400

Robert Hurlbut -- Blackhat Security Conference


We talk with Robert about his experiences at the Blackhat Security Conference.

He explains some of the AppSec-focused parts of the conference and more about the Alex Stamos keynote.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 25 Jul 2017 15:38:39 -0400

Dave Ferguson -- The OWASP Top 10 Proactive Controls


Dave Ferguson discusses the OWASP Top 10 Proactive Controls in this episode with Chris.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 04 Jul 2017 10:00:07 -0400

Jim Manico -- MORE OWASP!


We're here today with Jim Manico, a project lead with OWASP. We dive deep into some of the projects on his plate.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 27 Jun 2017 10:00:08 -0400

Mike Goodwin -- The OWASP Threat Dragon


In this episode, we speak with Mike Goodwin, the founder of the OWASP Threat Dragon.

We dive into what Threat Dragon is and how it can work for you.

You can find the tool here: https://github.com/mike-goodwin/owasp-threat-dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 19 Jun 2017 10:00:02 -0400

Mark Willis -- I Just Like Static Analysis. Static Analysis is My Favorite


We're back with another episode of The Application Security Podcast.

This time, we talked to Mark Willis about the many facets of static analysis and how it affects the DevOps world.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 14 Jun 2017 01:24:31 -0400

Eric Johnson -- Continuous Integration in .NET


Welcome back to season two of the Application Security Podcast. In this week's episode, we talk to Eric Johnson about static analysis, pen testing, continuous integration, etc.

Thanks for listening!

Rate us on iTunes and provide a positive comment, please!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 06 Jun 2017 14:05:17 -0400

Matt Clapham -- The Technical Debt Ceiling


Our topic today is technical debt and how security plays into it. Chris was at Converge Conference 2017 in Detroit, Michigan (which he says is the best security conference around) and continued the AppSec PodCast series of hallway conversations. Matt Clapham joins Chris. This is Matt's second time on the podcast.

Rate us on iTunes and provide a positive comment, please!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 30 May 2017 13:10:01 -0400

Chris and Robert -- Controversy within the OWASP Top 10 RC


On this episode of the Application Security Podcast, Robert and I jump over a wall. Just kidding. This isn't Top Gear.

This is our second episode of season two of the #AppSec PodCast. Robert and I talk about the OWASP Top 10 2017 release candidate. We walk through what the OWASP Top 10 is and some of the controversies surrounding the changes made for this year.

Rate us on iTunes and provide a positive comment, please!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 22 May 2017 18:21:19 -0400

Brook S.E. Schoenfield -- Security in the Design and Architecture


This episode is an interview Robert and I did with Brook Schoenfield (@BrkSchoenfield) during the RSA Conference 2017.

Brook S.E. Schoenfield is a Distinguished Engineer at Intel Security Group. At Intel Security (including the former McAfee), Mr. Schoenfield is the senior technical leader for delivering software products that protect themselves and Intel Security's customers. He has been a security architecture leader at global technology companies for over 15 years of his 30+ years in high tech. He is a founding member of IEEE's Center For Secure Design.

We discuss secure design, architecture, and threat modeling. Brook has been an advocate for security across the industry for many years and has a knack for explaining complex things uncomplicatedly. What a pleasure to speak with him!

Rate us on iTunes and provide a positive comment, please!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 25 Jan 2017 20:55:00 -0500

Conclusion: The End of Season 1


Good day, friends. The Application Security PodCast has concluded our first season. With many friends' help, we were able to record 18 episodes. We've done something different for this final episode of season 1. Our producer, Daniel Romeo, has collected some of our favorite clips from this season, the things that stood out to us. Enjoy! And we look forward to the release of season 2 in a few months.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Thu, 12 Jan 2017 09:52:29 -0500

Rafal Los, James Jardine, and Michael Santarcangelo -- #DtSR and What Makes a Good Security Consultant?


Greetings all! We have a treat for you in this episode. The crew from the Down the Security Rabbit Hole Podcast joins Robert and me. This includes Rafal Los (@wh1t3rabbit), James Jardine (@jardinesoftware), and Michael Santarcangelo (@catalyst). This is a unique conversation for me because the AppSec PodCast was born from my first interview with #DtSR. I was featured on DtSR Episode 204 in July 2016 after a friend suggested me to Raf on Twitter. (Thanks, Nigel!) The DtSR episode was entitled "On Changing Culture." I had listened to these guys on and off for years and now had the chance to be interviewed by them. The experience pushed me to start this podcast.

In this conversation, we answer the question, "What Makes a Good Security Consultant?" We quickly admit that a consultant does not have to mean someone who charges per hour for security. These guys have a wealth of knowledge and experience on the topic, and I know you'll walk away with multiple ideas to apply. Enjoy!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 04 Jan 2017 14:17:37 -0500

Adam Shostack -- Think like an Attacker or Accountant?


On this episode, Robert and I are joined by Adam Shostack (@adamshostack). Adam is a well-known speaker and thought leader in application security. We speak with Adam about how to connect with development teams. This all started about a year ago when Adam tackled the issue of thinking like a hacker and why he wanted people to think differently. We dive deep into this issue, but many other exciting nuggets also fall out in conversation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 21 Dec 2016 09:31:01 -0500

Jon McCoy -- The Mindset to Reverse Engineer


Today we talk to Jon McCoy (@thejonmccoy), a developer turned security person. He's been helping developers learn more about security. We talk about reverse engineering malware and .NET security, as well as a bit of security community and the mindset to reverse engineer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 13 Dec 2016 13:27:40 -0500

Chris Romeo -- AppSec Awareness: A Blue Print for Security Culture Change


We bring you a recorded version of Chris's security conference talk from 2016 for this episode. The talk is "AppSec Awareness: A Blue Print for Security Culture Change." He covers the problem space, why we need application security, and how to create a sustainable security culture, and introduces the idea of Application Security Awareness. Chris had the luxury of building such a program while at Cisco and shares his experiences with the community.

There are slides available to correspond with this talk. They aren't required, but some may want to follow along. Check out https://speakerdeck.com/edgeroute to get a copy.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 06 Dec 2016 12:14:44 -0500

Tracy Maleeff -- Natural Paranoia as a Career Path? A Transition to Security


In this episode, Robert and I are joined by Tracy Maleeff. Tracy is an InfoSec enthusiast with an MLIS degree. She has mad research and organizational skills. She co-hosts the PVCSec podcast. You can find Tracy on Twitter @InfoSecSherpa.

Tracy is in the midst of a career transition. She began her career in Library Sciences and is moving into Information Security. We discussed the challenges of transition, how to network and connect, a process for transition, and three actionable things for those that want to make a transition. Enjoy!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 29 Nov 2016 09:17:19 -0500

Chris Romeo -- Security Community at Any Scale


In this episode, Robert interviews Chris about the security community. Chris talks about his experiences building security community at a large organization for 5+ years. Robert keeps pushing Chris to make this applicable to small companies as well. You'll hear best practices for building a security community in your org, including monthly training sessions, lunch and learns, and even an internal security conference. Chris also offers the profound statement that everyone eats lunch.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 15 Nov 2016 23:12:25 -0500

Deidre Diamond -- The Soft Skills of AppSec


We are joined by Deidre Diamond, Founder and CEO of @cyber_sn and the Founder of @brain_babe. We discuss employment in the world of application security. We also dive deep into soft skills, exploring why they are foundational in the workforce. Deidre explains the benefits of win-win conversation, how words and everyday language connect, and how to have fun, compassion, love, integrity, and productivity all in one at work.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 08 Nov 2016 13:50:17 -0500

Tony UcedaVelez -- PASTA: Not Just for Breakfast Anymore


This is our third interview from ISC2 Security Congress. We are joined by Tony UcedaVelez, or TonyUV, founder and CEO of VerSprite, a global security consulting firm based in Atlanta, GA. Tony leads the OWASP Atlanta Chapter and BSides Atlanta.

This is a deep dive into Tony's experience with threat modeling. We explore the PASTA methodology he created.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wed, 02 Nov 2016 09:37:55 -0400

Glenn Leifheit -- An Inner Glimpse of the Microsoft SDL


This is our second interview at ISC2 Security Congress. We are joined by Glenn Leifheit (@gleifhe), an InfoSec and Development Evangelist at Microsoft. Microsoft is the grandparent to almost every secure development lifecycle across the industry.

This is an in-depth discussion about how to actually do the SDL. Glenn shares some things during this conversation about the internals of Microsoft's SDL process that I've never heard said in public. You will take something away from this conversation to apply to your program.

Enjoy!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 25 Oct 2016 10:19:41 -0400

Mike Landeck -- Security Must Meet the Needs of the Business


Mike Landeck joins Robert and me. Mike is a cybersecurity evangelist, AppSec junkie, and Docker security geek, and can be found on Twitter @MikeLandeck.

We interviewed Mike in person at the ISC2 Security Congress event in Orlando, Florida. We discussed his latest talk on breach fatigue, the need to reach outside the echo chamber of security, Twitter as a news source for security, secure coding, and many other things.

Please enjoy, and search for something you can apply directly into your day-to-day life!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 17 Oct 2016 22:45:41 -0400

Daniel Ramsbrock -- Web Application Pen Testing Part 2


On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part two, we focus on the process of pen testing and web app pen testing.

I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in security for over ten years, focusing most of that time on application security. He spent two years as a full-time consultant at Cigital and is now doing independent AppSec consulting through his company, Enigma Technologies. We hope you enjoy it!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 17 Oct 2016 22:41:15 -0400

Daniel Ramsbrock -- Web Application Pen Testing Part 1


On this two-part episode of the Application Security PodCast, Robert and I speak with Daniel Ramsbrock about Web App Penetration testing. In part one, we focus on the difference between pen testing and web app pen testing, where pen testing fits your development methodology (waterfall, agile, and DevOps), and why someone should care about it.

I (Chris) connected with Daniel through the RVASec security conference in Richmond, Virginia. Daniel has been in security for over ten years, focusing most of that time on application security. He spent two years as a full-time consultant at Cigital and is now doing independent AppSec consulting through his company, Enigma Technologies. We hope you enjoy it!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 10 Oct 2016 21:29:10 -0400

Matt Clapham -- Development Security Maturity


Robert and I are joined today by Matt Clapham. Matt makes products more secure; I mean, hey, his Twitter handle is @ProdSec.

The topic of this interview is what Matt calls development security maturity. This concept is based on Matt's research and his talk at RSA. Matt created a simple process to measure the maturity of development security by looking at five key behaviors. We cover the what and why of development security, the five key behaviors, and scoring and reporting. In conclusion, we discuss how to make the results of an assessment actionable.

Matt's RSA slides are a great resource to review in conjunction with the interview: str-w05-estimating-development-security-maturity-in-about-an-hour-final.pdf

Bio: Matt Clapham makes products more secure. His career is a rare blend of both product development and enterprise operations. He is currently a Principal of Product Development Security at GE Healthcare. Matt previously worked as a Software Tester, IT Policy Author, and Security Advisor to all things games at Microsoft. He is familiar with the security foibles of the Industrial Device Internet of Things and how to overcome them. Matt is a frequent speaker and author of magazine articles on IT, security, games, or some combination thereof. He holds degrees in engineering and music from the University of Michigan.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 04 Oct 2016 09:46:05 -0400

Elena Elkina -- Privacy and Data Protection


Welcome to the first of many interviews on the #AppSec Podcast. In this episode, Robert and I interview Elena Elkina (@el0chka) on privacy. We cover privacy, data protection, and customer data protection. This is a quick chat of around 20 minutes. In the future, we'll dive deeper into the crossroads of security and privacy.

Elena is a Senior Global Privacy & Data Protection Management Executive. She has worked with financial and healthcare institutions, software and internet companies, major law firms, and the government sector on both international and domestic levels. She co-founded Women in Security and Privacy, a non-profit organization focusing on advancing women in security and privacy. She is also a board member for Leading Women in Technology, a non-profit organization dedicated to unlocking the potential of female professionals who advise technology businesses.

We hope you enjoy this conversation with Elena about privacy and data protection!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 26 Sep 2016 12:23:52 -0400

Chris and Robert -- Security in the Methodology


In this episode, we talk about product development methodologies and the impact of security. We explore how to apply security activities to waterfall and Agile and discuss the pros and cons. We've both had experience with these methodologies and freely share what we've seen work and what we've seen fail. This applies whether you are new to security or have been doing security for decades. If you have anything to add, share your wisdom by catching us @AppSecPodcast on Twitter!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Mon, 19 Sep 2016 22:04:28 -0400

Chris and Robert -- The Activities of the Secure Development Lifecycle


On this episode of the Application Security PodCast, we continue our journey through the foundations of application security. We explore the activities of the secure development life cycle. We cover requirements, secure design, secure coding, 3rd party SW, static analysis, vulnerability scanning, and others.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Tue, 13 Sep 2016 08:06:34 -0400

Chris and Robert -- Introductions and why #AppSec?


In the inaugural episode of the Application Security PodCast, Robert and I introduce ourselves to the audience, explain our journeys into the security world, and answer the burning question, "What the heck is application security?"

The key takeaways from this episode are:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Critical Thinking - Bug Bounty Podcast

Thu, 11 Jul 2024 10:01:42 GMT

Episode 79: The State of CSS Injection - Leaking Text Nodes & HTML Attributes


Episode 79: In this episode of Critical Thinking - Bug Bounty Podcast we deep dive CSS injection, and explore topics like sequential import chaining, font ligatures, and attribute exfiltration.

Follow us on twitter at: @ctbbpodcast

Send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

SpaceRaccoon's Universal Code Execution Extensions

Escalating Client Side Path Traversal

Full-time Bug Bounty Blueprint

Sequential Import Chaining

CSS Exfiltation

Link that Justin was talking about

Font Ligatures

Lava Dome bypass

Stealing Data in Great Style

Steal Script Contents

Masato Kinugawa's tweet

Attacking with Just CSS

CSS Injection Primitives

Timestamps:

(00:00:00) Introduction

(00:02:32) Universal Code Execution

(00:11:32) Escalating Client Side Path Traversal

(00:16:56) Justin's Defcon talk & Bug Bounty Blueprint

(00:23:32) CSS Injection

(00:39:23) Font Ligatures

(00:54:30) Descent Override and display:block


Thu, 04 Jul 2024 10:00:57 GMT

Episode 78: Less Writing, More Hacking - Reporting Efficiency Techniques


Episode 78: In this episode of Critical Thinking - Bug Bounty Podcast we're talking about writing reports. We share some tips that we've learned, and discuss ways that AI can (and can't) help with that process. We also talk about the benefit of using tools like Fabric, Loom, and ShareX.


Resources:

XSS WAF Bypass by multi-char HTML entities

Shazzer

Next.js and cache poisoning

Nagli's Nuclei Template

hey why can't you fix this one bug

Justin's reporting templating software

Fabric

BB Report Formatter

2to3 Automated Python Converter

ShareX

Skitch

Timestamps:

(00:00:00) Introduction

(00:04:00) XSS WAF Bypass by Multi-char HTML Entities

(00:11:59) Next.js and Cache Poisoning

(00:18:03) Nagli's Nuclei Template and Sean Yeoh's Blog

(00:27:34) Report Writing and AI

(00:50:02) Reporting tips


Thu, 27 Jun 2024 10:01:49 GMT

Episode 77: Bug Bounty Mental - Practical Tips for Staying Sharp & Motivated


Episode 77: In this episode of Critical Thinking - Bug Bounty Podcast Joel and Justin discuss some fresh writeups including some MongoDB injections, ORMs, and exploits in Kakao and iOS before pivoting into a conversation about staying motivated and avoiding burnout while hunting.


Resources:

MongoDB NoSQL Injection

https://soroush.me/blog/2024/06/mongodb-nosql-injection-with-aggregation-pipelines/

Mongo DB Is Web Scale

https://www.youtube.com/watch?v=b2F-DItXtZs

1-click Exploit in Kakao

https://stulle123.github.io/posts/kakaotalk-account-takeover/

Unsecure time-based secret and Sandwich Attack

https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html

Reset Tolkien

https://github.com/AethliosIK/reset-tolkien

iOS URL Scheme Hijacking Revamped

https://evanconnelly.github.io/post/ios-oauth/

PLORMBING YOUR DJANGO ORM

https://www.elttam.com/blog/plormbing-your-django-orm/#content

Timestamps:

(00:00:00) Introduction

(00:02:07) MongoDB NoSQL Injection

(00:12:42) 1-click Exploit in Kakao

(00:33:21) Time-based secrets and Reset Tolkien

(00:39:26) iOS URL Scheme Hijacking Revamped

(00:51:42) ORMs

(00:58:57) Community Bug Submission

(01:07:45) Motivation, Mental Sharpness, and Burnout avoidance


Thu, 20 Jun 2024 10:00:47 GMT

Episode 76: Match & Replace - HTTP Proxies' Most Underrated Feature


Episode 76: In this episode of Critical Thinking - Bug Bounty Podcast we're talking about Match and Replace and the often overlooked use cases for it, like bypassing paywalls, modifying host headers, and storing payloads. We also talk about the HackerOne Ambassador World Cup and the issues with dupe submissions, and go through some write-ups.


Resources

Zoom Session Takeover

https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html

SharePoint XXE

https://x.com/thezdi/status/1796207012520366552

Shazzer

https://shazzer.co.uk/

Timestamps:

(00:00:00) Introduction

(00:05:06) H1 Ambassador World Cup

(00:13:57) Zoom ATO bug

(00:33:28) SharePoint XXE

(00:39:36) Shazzer

(00:46:36) Match and Replace

(01:13:01) Match and Replace in Mobile

(01:21:13) Header Replacements


Thu, 13 Jun 2024 10:01:32 GMT

Episode 75: *Rerun* of The OG Bug Bounty King - Frans Rosen


Episode 75: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are sick, so instead of a new full episode, we're going back 30 episodes to review.


Today's Guest: https://twitter.com/fransrosen

Detectify

Discovering s3 subdomain takeovers

https://labs.detectify.com/writeups/hostile-subdomain-takeover-using-heroku-github-desk-more/

bucket-disclose.sh

https://gist.github.com/fransr/a155e5bd7ab11c93923ec8ce788e3368

A deep dive into AWS S3 access controls

Attacking Modern Web Technologies

Live Hacking like a MVH

Account hijacking using Dirty Dancing in sign-in OAuth flows

Timestamps:

(00:00:00) Introduction

(00:11:41) Franz Rosen's Bug Bounty Journey and Detectify

(00:20:21) Pseudo-code, typing, and thinking like a dev

(00:27:11) Hunter Methodologies and automationists

(00:42:31) Time on targets, Iteration vs. Ideation

(00:58:01) S3 subdomain takeovers

(01:11:53) Blog posting and hosting motivations

(01:20:21) Detectify and entrepreneurial endeavors

(01:36:41) Attacking Modern Web Technologies

(01:52:51) postMessage and MessagePort

(02:05:00) Live Hacking and Collaboration

(02:20:41) Account Hijacking and OAuth Flows

(02:35:39) Hacking + Parenthood


Thu, 06 Jun 2024 10:01:29 GMT

Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)


Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.


Today's Guest: https://x.com/0xLupin

Resources:

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

git-dump

https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump

Depi

https://www.landh.tech/depi

Weak links of Supply Chain

https://arxiv.org/pdf/2112.10165

Timestamps:

(00:00:00) Introduction

(00:07:13) Overview of Supply Chain Flow

(00:15:14) Getting our Scope

(00:23:46) Depi

(00:29:12) Types of attacks and finding the 80/20

(00:45:06) Maintainer attacks

(01:10:40) Registries, artifactories, and an npm bug

(01:31:51) Grafana NPX Confusion


Thu, 30 May 2024 10:01:21 GMT

Episode 73: Sandboxed IFrames and WAF Bypasses


Episode 73: In this episode of Critical Thinking - Bug Bounty Podcast we give a brief recap of Nahamcon and then touch on some topics like WAF bypass tools, sandboxed iframes, and programs redacting your reports.


Resources:

?. Tweet

https://x.com/garethheyes/status/1786836956032176215

NoWafPls

https://github.com/assetnote/nowafpls

Redacted Reports

https://x.com/deadvolvo/status/1790397012468199651

Breaking CORS

https://x.com/MtnBer/status/1794657827115696181

Sandbox-iframe XSS challenge solution

https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/

iframe and window.open magic

https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/#detecting-when-a-new-window-has-finished-loading

domloggerpp

https://github.com/kevin-mizu/domloggerpp

Timestamps

(00:00:00) Introduction

(00:03:29) ?. Operator in JS and NoWafPls

(00:07:22) Redacting our own reports

(00:11:13) Breaking CORS

(00:17:07) Sandbox-iframes

(00:24:11) Dom hook plugins


Thu, 23 May 2024 10:01:26 GMT

Episode 72: Research TLDRs & Smuggling Payloads in Well Known Data Types


Episode 72: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss some hot research from the past couple months. This includes ways to smuggle payloads in phone numbers and IPv6 Addresses, the NextJS SSRF, the PDF.JS PoC drop, and a GitHub Enterprise Indirect Method Information bug. Also, we have an attack vector featured from Monke!


Resources:

PDF.JS Bypass to XSS

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

PDFium

NextJS SSRF by AssetNote

Better Bounty Transparency for hackers

Slonser IPV6 Research

Smuggling payloads in phone numbers

Automatic Plugin SQLi

DomPurify Bypass

Bug Bounty JP Podcast

Github Enterprise send() bug

https://x.com/creastery/status/1787327890943873055

https://x.com/Rhynorater/status/1788598984572813549

Timestamps:

(00:00:09) Introduction

(00:03:20) PDF.JS XSS and NextJS SSRF

(00:12:52) Better Bounty Transparency

(00:20:01) IPV6 Research and Phone Number Payloads

(00:28:20) Community Highlight and Automatic Plugin CVE-2024-27956

(00:33:26) DomPurify Bypass and Github Enterprise send() bug

(00:46:12) Caido cookie and header extension updates


Thu, 16 May 2024 10:01:24 GMT

Episode 71: More VDP Chats & AI Bias Bounty Strats with Keith Hoodlet


Episode 71: In this episode of Critical Thinking - Bug Bounty Podcast Keith Hoodlet joins us to weigh in on the VDP Debate. He shares some of his insights on when VDPs are appropriate in a company's security posture, and the challenges of securing large organizations. Then we switch gears and talk about AI bias bounties, where Keith explains the approach he takes to identify bias in chatbots and highlights the importance of understanding human biases and heuristics to better hack AI.


Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Today's guest: Keith Hoodlet

https://securing.dev/

Resources:

Daniel Miessler's article about the security poverty line

https://danielmiessler.com/p/the-cybersecurity-skills-gap-is-another-instance-of-late-stage-capitalism/

Hacking AI Bias

https://securing.dev/posts/hacking-ai-bias/

Hacking AI Bias Video

https://youtu.be/AeFZA7xGIbE?si=TLQ7B3YtzPWXS4hq

Sarah Hoodlet's new book

https://sarahjhoodlet.com

Link to Amazon Page

https://a.co/d/c0LTM8U

Timestamps:

(00:00:00) Introduction

(00:04:09) Keith's Appsec Journey

(00:16:24) The Great VDP Debate Redux

(00:47:18) Platform/Hunter Incentives and Government Regulation

(01:06:24) AI Bias Bounties

(01:26:27) AI Techniques and Bugcrowd Contest


Thu, 09 May 2024 10:01:01 GMT

Episode 70: NahamCon and CSP Bypasses Everywhere


Episode 70: In this episode of Critical Thinking - Bug Bounty Podcast we're once again joined by Ben Sadeghipour to talk about some Nahamcon news, as well as discuss a couple other LHEs taking place. Then we cover CI/CD and drop some cool CSP Bypasses.


Today's Guest: https://twitter.com/NahamSec

https://www.nahamcon.com/

Resources:

Depi

https://www.landh.tech/depi

Youtube CSP:

https://www.youtube.com/oembed?callback=alert()

Maps CSP:

https://maps.googleapis.com/maps/api/js?callback=alert()-print

Google APIs CSP

https://www.googleapis.com/customsearch/v1?callback=alert(1)

Google CSP

https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//

CSP Bypass for opener.child.child.child.click()

https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/

Timestamps:

(00:00:00) Introduction

(00:02:55) BSides Takeaways and hacking on Meta

(00:12:12) NahamCon News

(00:23:45) CI/CD and the launch of Depi

(00:33:29) CSP Bypasses


Thu, 02 May 2024 10:01:17 GMT

Episode 69: Johan Carlsson - 3 Month Check-in on Full-time Bug Bounty.


Episode 69: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by Johan Carlsson to hear about some updates on his bug hunting journey. We deep-dive a CSP bypass he found in GitHub, a critical he found in GitLab's pipeline, and also talk through his approach to using script gadgets and adapting to highly CSP'd environments. Then we talk about his transition to full-time bug hunting, including the goals he's set, the successes and challenges, his current focus on specific bug types like ReDoS and OAuth, and the serendipitous nature of bug hunting.


Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Nuclei 3.2 Release: https://nux.gg/podcast

Today's Guest:

https://twitter.com/joaxcar

https://joaxcar.com/blog/

Resources

Github CSP Bypass

https://gist.github.com/joaxcar/6e5a0a34127704f4ea9449f6ce3369fc

CSP Validator

https://cspvalidator.org/

Cross Window Forgery

https://www.paulosyibelo.com/2024/02/cross-window-forgery-web-attack-vector.html

Gitlab Crit

https://gist.github.com/joaxcar/9419b2df8778f26e9b02a741a8ec12f8

Timestamps

(00:00:00) Introduction

(00:09:34) Github CSP Bypass

(00:38:48) Script Gadgets and growth through Gitlab

(00:53:53) Gitlab pipeline bug

(01:12:32) Full-time Bug Bounty


Thu, 25 Apr 2024 10:01:17 GMT

Episode 68: 0-days & HTMX-SS with Mathias


Episode 68: In this episode of Critical Thinking - Bug Bounty Podcast Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, bypassing HTMX disable, and the challenges of using HTMX in larger applications and the potential performance trade-offs. We also talk about the results of his recent CTF Challenge, and explore some more facets of CDN-CGI functionality.


Project Discovery Conference: https://nux.gg/hss24


Today's Guest:

https://twitter.com/avlidienbrunn

Resources:

Masato Kinugawa's research on Teams

https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=33

subdomain-only 307 open redirect

https://avlidienbrunn.se/cdn-cgi/image/onerror=redirect/http://anything.avlidienbrunn.se

Timestamps

(00:00:00) Introduction

(00:05:18) CSP Bypass using HTML

(00:14:00) Converting client-side response header injection to XSS

(00:23:10) Bypassing hx-disable

(00:32:37) XSS-ing impossible elements

(00:38:22) CTF challenge Recap and knowing there's a bug

(00:51:53) hx-on (deprecated)

(00:54:30) CDN-CGI Research discussion


Thu, 18 Apr 2024 10:01:45 GMT

Episode 67: VDPs & Accidental Program VS Hacker Debate Part 2


Episode 67: In this episode of Critical Thinking - Bug Bounty Podcast we deep dive on the topic of Vulnerability Disclosure Programs (VDPs) and whether they are beneficial or not. We also touch on the topic of leaderboard accuracy, and continue the Program VS Hacker debate regarding allocating funds for bounties.


Project Discovery Conference: https://nux.gg/hss24


Resources:

Nagli's Braindump on VDPs

https://twitter.com/galnagli/status/1780174392003031515

Timestamps:

(00:00:00) Introduction

(00:05:37) VDP programs

(00:34:10) Leaderboards

(00:43:52) Hacker vs. Program debate Part 2

(01:07:24) Walling Off Endpoints


Thu, 11 Apr 2024 10:00:58 GMT

Episode 66: CDN-CGI Research, Intent To Ship, and Louis Vuitton


Episode 66: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the recent YesWeHack Louis Vuitton LHE, the importance of failure as growth in bug bounty, and Justin shares his research on CDN CGI.


Project Discovery Conference: https://nux.gg/hss24


Resources:

YesWeHack Louis Vuitton LHE

https://twitter.com/yeswehack/status/1776280653744554287

https://event.yeswehack.com/events/hack-me-im-famous-2

Caido Workflows

https://github.com/caido/workflows

Oauth Redirects

https://twitter.com/Akshanshjaiswl/status/1724143813088940192

Bagipro Golden URL techniques

https://hackerone.com/reports/431002

Roadmap I followed to make 15,000+$ Bounties in my first 8 months https://shreyaschavhan.notion.site/Roadmap-I-followed-to-make-15-000-Bounties-in-my-first-8-months-of-starting-out-and-my-journey-98b1b9ff621645c0b97d1e774992f300

Monke Hacks Blog

https://monkehacks.beehiiv.com/

PortSwigger post

https://x.com/PortSwiggerRes/status/1766087129908576760

post from Masato Kinugawa

https://x.com/kinugawamasato/status/916393484147290113

Timestamps:

(00:00:00) Introduction

(00:04:19) Louis Vuitton LHE

(00:13:57) Browser Market share

(00:21:13) Justin's Bug of the Week

(00:24:49) Caido Workflows

(00:27:24) Oauth Redirects

(00:32:24) Bug Bounty learning Methodology

(00:41:03) 'Intent To Ship'

(00:48:08) CDN-CGI Research


Thu, 04 Apr 2024 10:01:04 GMT

Episode 65: Motivation and Methodology with Sam Curry (Zlz)


Episode 65: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with Sam Curry to discuss the ethical considerations and effectiveness of hacking, the importance of good intent, and the enjoyment Sam derives from pushing the boundaries to find bugs. He shares stories of his experiences, including hacking Tesla, online casinos, Starbucks, his own ISP router, and even getting detained at the airport.


Project Discovery Conference: https://nux.gg/hss24


Today's Guest:

https://samcurry.net/

Resources:

Don't Force Yourself to Become a Bug Bounty Hunter

hackcompute

Starbucks Bug

recollapse

Timestamps:

(00:00:00) Introduction

(00:02:25) Hacking Journey and the limits of Ethical Hacking

(00:28:28) Selecting companies to hack

(00:33:22) Fostering passion vs. Forcing performance

(00:54:06) Collaboration and Hackcompute

(01:00:40) The Efficacy of Bug Bounty

(01:09:20) Secondary Context Bugs

(01:25:01) Mindmaps, note-taking, and Intuition.

(01:46:56) Back-end traversals and Unicode

(01:56:16) Hacking ISP

(02:06:58) Next.js and Crypto

(02:22:24) Dev vs. Prod JWT


Thu, 28 Mar 2024 10:01:38 GMT

Episode 64: .NET Remoting, CDN Attack Surface, and Recon vs Main App


Episode 64: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel delve into .NET remoting and how it can be exploited, a recent bypass in the DOMPurify library, and some interesting functionality in the Cloudflare CDN-CGI endpoint. They also touch on the importance of collaboration and knowledge sharing, JavaScript deobfuscation, the value of impactful POCs, and hiding XSS payloads with URL path updates.

Follow us on twitter at: @ctbbpodcast

send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Check out Project Discovery's nuclei 3.2 release blog at nux.gg/podcast

Resources:

.NET Remoting

https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/

https://github.com/codewhitesec/HttpRemotingObjRefLeak

DOM Purify Bug

Cloudflare /cdn-cgi/

https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/

https://portswigger.net/research/when-security-features-collide

https://twitter.com/kinugawamasato/status/893404078365069312

https://twitter.com/m4ll0k/status/1770153059496108231

XSSDoctor's writeup on Javascript deobfuscation

renniepak's tweet

Naffy's tweet

Timestamps:

(00:00:00) Introduction

(00:07:15) .Net Remoting

(00:17:29) DOM Purify Bug

(00:25:56) Cloudflare /cdn-cgi/

(00:37:11) Javascript deobfuscation

(00:47:26) renniepak's tweet

(00:55:20) Naffy's tweet


Thu, 21 Mar 2024 10:00:48 GMT

Episode 63: JHaddix Returns


Episode 63: In this episode of Critical Thinking - Bug Bounty Podcast we welcome back Jason Haddix (from Episode 12) to talk about some updates to The Bug Hunter's Methodology, as well as his own personal life and hacking journey. We talk about the start of his new company, and then venture into topics such as using threat intelligence and buying credentials from the dark web, recon techniques, and ways to integrate AI into your workflow (or target list).

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

Today's Guest:

https://twitter.com/Jhaddix

https://www.arcanum-sec.com/

Resources:

Dehashed

https://www.dehashed.com/

Flare

https://flare.io/

CSP Recon

https://github.com/edoardottt/csprecon

Timestamps:

(00:00:00) Introduction

(00:05:37) Updates to The Bug Hunter's Methodology

(00:14:46) Red Teaming

(00:21:29) Bug Bounty on the Dark Web

(00:36:19) FIS hunting

(00:47:59) New Recon Techniques 

(00:58:32) AI integrations and bounties


Thu, 14 Mar 2024 10:00:36 GMT

Episode 62: Frontend Language Oddities


Episode 62: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with some additional research resources that didn't make the PortSwigger Top Ten, but that are worth looking at.

Follow us on twitter at: @ctbbpodcast

Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

Resources:

Cool HTML Shit

https://twitter.com/jcubic/status/1764311080661082201

https://twitter.com/encodeart/status/1764218128374943764

Bug bounty Hunting Journeys

https://twitter.com/ajxchapman/status/1762101366057525521

https://monkehacks.beehiiv.com/p/monkehacks-02

Yelp Cookie Bridge Report

Deobfuscating/Unminifying Obfuscated Code

ChatGPT Source Watch

Web Security Research Reddit

Nahamsec Resources

Portswigger Nominations list

Abusing perspectives: https://hackerone.com/reports/2401115

PortSwigger CSS Exfiltration

https://github.com/PortSwigger/css-exfiltration

Timestamps:

(00:00:00) Introduction

(00:02:06) Cool HTML Shit

(00:15:31) Bug Bounty Journeys

(00:28:01) Yelp Cookie Bridge Bug

(00:37:56) Additional Research Resources

(00:46:34) CSS and abusing perspectives


Thu, 07 Mar 2024 11:00:37 GMT

Episode 61: A Hacker on Wall Street - JR0ch17


Episode 61: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Jasmin Landry to share some stories about startup security, bug bounty, and the challenges of balancing both. He also shares his methodology for discovering OAuth-related bugs, highlights some differences between structured learning and self-teaching, and then walks us through a couple of arbitrary ATO and SSTI-to-RCE bugs he's found lately.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Guest: Jasmin Landry

https://twitter.com/JR0ch17

Resources:

Dirty Dancing blog post

https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/

OAuth 2.0 Threat Model and Security Considerations

https://datatracker.ietf.org/doc/html/rfc6819

OAuth 2.0 Security Best Current Practice

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

Timestamps:

(00:00:00) Introduction

(00:02:20) Meta Tag + DomPurify Bug

(00:09:36) Jasmin's Origin story

(00:28:23) Full time Bug bounty challenges

(00:36:57) Career jumps in Security and current Role

(00:47:32) OAuth Bug methodology and cool bug stories

(01:02:35) Social Engineering and Bug Bounty

(01:13:41) Arbitrary ATO bug

(01:19:41) SSTI to RCE bug


Thu, 29 Feb 2024 11:00:42 GMT

Episode 60: Our Take on PortSwigger's Top 10 Web Hacking Techniques of 2023


Episode 60: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel review the Portswigger Research list of top 10 web hacking techniques of 2023.

Follow us on twitter at: @ctbbpodcast

Send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources:

Top 10 web hacking techniques of 2023

1: Smashing the state machine

8: From Akamai to F5 to NTLM

3: SMTP Smuggling

4: PHP filter chains

(Bonus Read)

5: HTTP Parsers Inconsistencies

6: HTTP Request Splitting

7: How I Hacked Microsoft Teams

9: Cookie Crumbles

(Bonus Read)

10: Hacking root EPP servers to take control of zones

Timestamps:

(00:00:00) Introduction

(00:04:26) 1: Smashing the state machine

(00:11:56) 8: From Akamai to F5 to NTLM... with love

(00:17:11) 3: SMTP Smuggling

(00:26:27) 4: PHP filter chains

(00:36:40) 5: HTTP Parsers Inconsistencies

(00:44:56) 6: HTTP Request Splitting

(00:53:43) 7: How I Hacked Microsoft Teams

(01:02:25) 9: Cookie Crumbles

(01:11:36) 10: EPP Server Takeover


Thu, 22 Feb 2024 11:00:30 GMT

Episode 59: Bug Bounty Gadget Hunting & Hacker's Intuition


Episode 59: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel discuss the concept of gadgets and how they can be used to escalate the impact of vulnerabilities. We talk through things like HTML injection, image injection, CRLF injection, web cache deception, leaking window location, self-stored XSS, and much more.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

Resources:

Even Better

NahamSec's 5 Week Program

NahamCon News

CSS Injection Research

Timestamps:

(00:00:00) Introduction

(00:03:31) Caido's New Features

(00:15:20) Nahamcon News and 5 week Bootcamp and pentest opportunity

(00:19:54) HTML Injection, CSS Injection, and Clickjacking

(00:33:11) Image Injection

(00:37:19) Open Redirects, Client-side path traversal, and Client-side Open Redirect

(00:49:51) Leaking window.location.href

(00:57:15) Cookie refresh gadget

(01:01:40) Stored XSS

(01:09:01) CRLF Injection

(01:13:24) 'A Place To Stand' in GraphQL and ID Oracle

(01:18:23) Auth gadgets, Web Cache Deception, & LocalStorage poisoning

(01:27:46) Cookie Injection & Context Breaks


Thu, 15 Feb 2024 11:00:28 GMT

Episode 58: Youssef Sammouda - Client-Side & ATO War Stories


Episode 58: In this episode of Critical Thinking - Bug Bounty Podcast we finally sit down with Youssef Sammouda and grill him on his various techniques for finding and exploiting client-side bugs and postMessage vulnerabilities. He shares some crazy stories about race conditions, exploiting hash change events, and leveraging scroll to text fragments.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

Today's Guest: https://twitter.com/samm0uda?lang=en

https://ysamm.com/

Resources:

Client-side race conditions with postMessage: 

https://ysamm.com/?p=742 

Transferable Objects

https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects

Every known way to get references to windows, in javascript:

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

Youssef's interview with BBRE

https://www.youtube.com/watch?v=MXH1HqTFNm0

Timestamps:

(00:00:00) Introduction

(00:04:27) Client-side race conditions with postMessage

(00:18:12) On Hash Change Events and Scroll To Text Fragments

(00:32:00) Finding, documenting, and reporting complex bugs

(00:37:32) PostMessage Methodology

(00:45:05) Youssef's Vuln Story

(00:53:42) Where and how to look for ATO vulns

(01:05:21) MessagePort

(01:14:37) Window frame relationships

(01:20:24) Recon and JS monitoring

(01:37:03) Client-side routing

(01:48:05) MITMProxy


Thu, 08 Feb 2024 11:01:22 GMT

Episode 57: Technical breakdown from Miami Hacking Event - H1-305


Episode 57: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are live from Miami, and recap their experience and share takeaways from the live hacking event. They highlight the importance of paying attention to client-side routing and the growing bug class of client-side path traversal. They also discuss the challenges of knowing when to cut your losses and the value of tracking time and setting goals. 

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

Timestamps:

(00:00:00) Introduction

(00:03:50) Miami LHE Recap and Takeaways

(00:05:57) Keeping time and cutting losses.

(00:19:07) Roles and Goals

(00:23:33) OAuth

(00:28:52) HTML5 image to img Tip


Thu, 01 Feb 2024 11:01:14 GMT

Episode 56: Using Data Science to win Bug Bounty - Mayonaise (aka Jon Colston)


Episode 56: In this episode of Critical Thinking - Bug Bounty Podcast, Justin sits down with Jon Colston to discuss how his background in digital marketing and data science has influenced his hunting methodology. We dive into subjects like data sources, automation, working backwards from vulnerabilities, applying conversion funnels to bug bounty, and the Mayonaise signature 'Mother of All Bugs'.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

WordFence - Sign up as a researcher! https://ctbb.show/wf

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount. 

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. 

Today's Guest:

https://hackerone.com/mayonaise?type=user

Timestamps:

(00:00:00) Introduction

(00:12:07) Evolving Hacking Methodologies & B2B Hacking

(00:23:57) Data Science + Bug Bounty

(00:34:37) 'Lead Generation for Vulns'

(00:41:39) Ingredients and Recipes

(00:49:45) Keyword Categorization

(00:54:30) Manual Processes and Recap

(01:07:08) Data Sources

(01:19:59) Digital Marketing + Bug Bounty

(01:32:22) M.O.A.B.s

(01:41:02) Burnout Protection and Dupe Analysis


Thu, 25 Jan 2024 11:00:49 GMT

Episode 55: Popping WordPress Plugins - Methodology Braindump


Episode 55: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is joined by WordPress Security Researcher Ram Gall to discuss both functionality and vulnerabilities within WordPress Plugins.

Follow us on twitter

Send us any feedback here:

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

WordFence - Sign up as a researcher! https://ctbb.show/wf

---

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Guest:

Ramuel Gall

UpdraftPlus Vuln

XML-RPC PingBack

Unicode and Character Sets

Reflected XSS

POP Chain

WordpressPluginDirectory

Subscriber+ RCE in Elementor

Subscriber+ SSRF

Unauthed XSS via User-Agent header

Timestamps:

(00:00:00) Introduction

(00:05:55) Add_action & Nonces

(00:26:16) Add_filter & Register_rest_routes

(00:38:39) Page-related code & Shortcodes

(00:50:24) Top Sinks for WP

(01:02:19) Echo & SQLI Sinks

(01:15:07) Nonce Leak and wp_handle_upload

(01:18:16) Page variables & Pop Chains

(01:26:55) WP Escalations & Bug Reports


Thu, 18 Jan 2024 11:01:03 GMT

Episode 54: White Box Formulas - Vulnerable Coding Patterns


Episode 54: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel are back with news items and new projects. Joel shares about his personal scraping project to gather data on bug bounty programs and distribution. Next, they announce the launch of HackerNotes, a podcast companion that will summarize the main technical points of each episode. They also discuss a recent GitLab CVE and an invisible prompt injection, before diving into a discussion (or debate) about vulnerable code patterns.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Gitlab CVE

https://github.com/Vozec/CVE-2023-7028

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Fix commit: https://gitlab.com/gitlab-org/gitlab/-/commit/abe79e4ec437988cf16534a9dbba81b98a2e7f18

Invisible Prompt Injection

https://x.com/goodside/status/1745511940351287394?s=20

Regex 101

https://regex101.com

Regex to Strings

https://www.wimpyprogrammer.com/regex-to-strings/

Timestamps

(00:00:00) Introduction

(00:01:54) Joel's H1 Data Scraping Research

(00:19:23) HackerNotes launch

(00:21:29) Gitlab CVE

(00:27:45) Invisible Prompt Injection

(00:33:52) Vulnerable Code Patterns

(00:37:51) Sanitization, but then modification of data afterward

(00:45:39) Auth check inside body of if statement

(00:48:15) Check for bad patterns with if, but then don't do any control flow

(00:50:21) Bad Regex

(01:00:36) Replace statements for sanitization

(01:04:32) Anything that allows you to call functions or control code flow in uncommon ways


Thu, 11 Jan 2024 11:00:39 GMT

Episode 53: 500k/yr as Full-Time Bug Hunter & Content Creator - Nahamsec


Episode 53: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by none other than NahamSec. We start by discussing the challenges he faced on his journey in bug bounty hunting and content creation, including personal struggles and the pressure of success. We also talk about finding balance and managing mental energy, going the extra mile, and the importance of planning and setting goals for yourself, before he walks us through some Blind XSS techniques.

Follow us on twitter at: @ctbbpodcast

Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Timestamps:

(00:00:00) Introduction

(00:01:37) Costs of Content Creation

(00:21:12) Hacking 'identities' and Pivoting

(00:36:49) Hacking Methodology

(00:58:59) Planning, Goals, and Nahamsec's 2023 Performance

(01:10:19) Blind XSS

(01:35:19) Going the extra mile in Bug Bounty


Thu, 04 Jan 2024 11:00:22 GMT

Episode 52: Best Technical Content from Year 1 of CTBB Podcast


Episode 52: In this episode of Critical Thinking - Bug Bounty Podcast we're going back and highlighting some of the best technical moments from the past year! Hope you enjoy this best of 2023 Supercut!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Timestamps:

(00:00:00) Introduction

(00:02:55) Episode 26: Meta tags and base tags in HTML

(00:15:20) Episode 27: Client-side path traversal

(00:23:18) Episode 27: Cookie bombing + cookie jar overflow

(00:35:47) Episode 44: Cross environment authentication bugs

(00:43:17) Episode 47: The open-faced Iframe Sandwich

(00:50:19) Episode 47: js hoisting and classic Joel nerdsnipe

(00:58:28) Episode 29: Sean Yeoh on Subdomains vs IP in recon

(01:04:05) Episode 30: Shubs on reversing enterprise software

(01:24:58) Episode 30: Shubs on building out a recon flow

(01:29:36) Episode 30: Shubs on Hacking IIS Servers

(01:36:45) Episode 37: 0xLupin on smart JavaScript analysis tools

(01:45:42) Episode 45: Frans Rosen On App cache, Service workers cookie stuffing, and postMessage

(02:15:02) Episode 50: Mathias Karlsson on XSLT and MXSS

(02:39:26) Episode 27: Assetnote's sharefile RCE

(02:48:18) Episode 31: Perforce RCE

(02:53:48) Episode 48: Sam Erb's XSLT bug story

(02:58:47) Final thoughts and Special Thanks


Thu, 28 Dec 2023 11:00:44 GMT

Episode 51: Hacker Stats 2023 & 2024 Goals


Episode 51: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel are back for the last episode of 2023. We discuss some noteworthy news items including a Hacker One Crit, Caido updates, and some Blind CSS. Then we dive into our own personal Hackers Wrapped recap of the year, before laying out some goals for 2024.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Resources

Flow

Powertoys

Alfred

Pyperclip

Textgrab

CTF Payload Challenge

Hacker One Crit Report

Blind CSS Injection

Timestamps

(00:00:00) Introduction

(00:08:43) Keyboard Shortcut Utility Systems

(00:21:28) CTF Challenge By Frans

(00:32:40) Hacker One 25K Crit Disclosure

(00:36:31) Caido Searchbar Rework.

(00:40:51) Blind CSS Exfiltration

(00:44:10) 2023 Personal Bug Bounty Stats

(01:01:15) 2024 Personal Bug Bounty Goals


Thu, 21 Dec 2023 11:01:06 GMT

Episode 50: Mathias "Fall in a well" Karlsson - Bug Bounty Prophet


Episode 50: In this episode of Critical Thinking - Bug Bounty Podcast, Justin catches up with hacking master Mathias Karlsson, and talks about burnout, collaboration, and the importance of specialization. Then we dive into the technical details of MXSS and XSLT, character encoding, and give some predictions of what Bug Bounty might look like in the future.

Follow us on twitter at: @ctbbpodcast

Send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Guest

Episode Resources

How to Differentiate Yourself as a Hunter

MutateMethods

hackaplaneten

Article About Unicode and Character Sets

Byte Order Mark:

Character Encodings

ShapeCatcher

WAF Bypass

BountyDash

EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE

Timestamps:

(00:00:00) Introduction

(00:10:06) Automation Setup and Assetnote Origins

(00:16:49) Sharing Tips, and Content Creation

(00:22:27) Collaboration and Optimization

(00:36:44) Working at Detectify

(00:51:45) Bug Bounty Burnout

(00:56:15) Early Days of Bug Bounty and Future Predictions

(01:19:00) Nerdsnipeability

(01:29:38) MXSS and XSLT

(01:54:20) Learning through being wrong

(02:00:15) Go-to Vulns


Thu, 14 Dec 2023 11:00:28 GMT

Episode 49: Getting Live Hacking Event Invites & Bug Bounty Collab with Nagli


Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific undisclosed domain. Then they reflect on 2023's Live Hacking Event circuit, and preview what's to come in 2024's.

This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Guest

Episode Resources:

Shockwave

Why So Serial

New LHE Standards Dropped

Timestamps:

(00:00:00) Introduction

(00:02:37) wwwroot .zip Hack Recap

(00:13:44) Swagger File Hack Recap

(00:18:27) Undisclosed URL Hack Recap

(00:24:29) 2023 LHE Circuit Recap

(00:37:14) 2024 LHE Preview and New Standards

(00:47:22) Bug Bounty Motivation


Thu, 07 Dec 2023 11:00:17 GMT

Episode 48: MVH, DEFCON Black Badge, Googler - Sam Erb


Episode 48: In this episode, we're joined by the spectacular Sam Erb, Google Security Engineer and DEFCON Black Badge winner. We talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. Then we jump over to his career development and his work with Google, and then chat about some of the recent Google Vulnerability Programs.

This episode is sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program in which ALL WordPress plugins with over 50k installs are in scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! Head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

Links

Follow your hosts Rhynorater & Teknogeek on twitter:

Ways to Support CTBBPodcast

Sign up for Caido using code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord

Discord premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Guest:

https://twitter.com/erbbysam

Sam Erb's Static Secret

Security Now Podcast

BIMI:

And

https://bimigroup.org/

Google Device Vulnerability Reward Program Initiatives

Google Invalid Reports

Hacking Google

Transcripts

(00:00:00) Introduction

(00:02:50) Hacker Methodology with Sam Erb

(00:12:20) Balancing Bug Hunting and Personal Life

(00:15:53) Deep Diving on a program and using automation.

(00:27:00) Optimizing Bug Hunting and Understanding Attack Vectors

(00:39:22) Collaboration and Boundaries

(00:45:42) Career Development and Entrepreneurship

(00:55:13) Winning Black Badges at DEFCON

(00:58:02) BufferOver

(01:09:11) Working at Google

(01:19:23) Google Bug Bounty Programs

(01:31:41) BONUS Cool Bugs


Thu, 30 Nov 2023 11:00:20 GMT

Episode 47: CSP Research, Iframe Hopping, and Client-side Shenanigans


Episode 47: In this episode of Critical Thinking - Bug Bounty Podcast, the holidays are fast approaching, and Justin and Joel discuss some of the struggles of getting back into the hacking groove during and after breaks. We also celebrate the newly launched Critical Thinking Discord Community before diving into Iframe Sandwiches, JS Hoisting, CSP Bypasses, and a host of new tools, techniques, and tangents.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.

Hop on the CTBB Discord at https://ctbb.show/discord!

ThankUNext

jswzl

Rapid API

SSRF Utility tool by Bebiks

Tweet from Johan Carlsson

Burp Extension from Google VRP

Justin's Tweet about JS Hoisting

Bypass CSP Using WordPress

How to trick CSP in letting you run whatever you want

Timestamps:

(00:00:00) Introduction

(00:01:58) Overcoming Bug Bounty struggles and getting back into the hacking groove

(00:07:46) Taking notes and sticking to one program

(00:14:50) Critical Thinking Discord, Community highlights, and Competition vs Collaboration

(00:22:25) Secondary context bugs and Automationism

(00:28:42) ThankUNext and Client-side Paths

(00:33:45) Tool Tangents: Jswzl, Caido, Postman, and Rapid API

(00:46:49) New SSRF Utility tool by Bebiks and the continuing evolution of hacking tools

(00:51:45) Iframe Sandwiches

(00:58:54) News Items

(01:06:12) JS Hoisting

(01:15:05) CSP Bypasses


Thu, 23 Nov 2023 11:00:23 GMT

Episode 46: The SAML Ramble


Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports.

------ Links ------

KazHACKstan

https://kazhackstan.com/en

Testing SAML security with DAST

https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html

How to break SAML if I have paws?

https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20

How to Hunt Bugs in SAML; a Methodology

https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/

SAML Raider

https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e

External Entity Injection during XML signature verification

https://bugs.chromium.org/p/project-zero/issues/detail?id=2313

mTLS: When certificate authentication is done wrong

https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/

HackerOne Uber Report

https://hackerone.com/reports/136169

Timestamps:

(00:00:00) Introduction

(00:05:25) Understanding SAML and its complexities

(00:08:30) SAML Attack Vectors

(00:14:15) XML Signature Wrapping

(00:19:50) Some SAML tests to try

(00:30:30) Sample Payload description

(00:34:10) Token Recipient confusion

(00:36:05) HackerOne Reports


Thu, 16 Nov 2023 11:00:31 GMT

Episode 45: The OG Bug Bounty King - Frans Rosen


Episode 45: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. We kick off with Frans sharing his journey into bug bounty and security startups, before diving headfirst into a host of his blog posts. We also cover the value of pseudo-code for bug exploitation, understanding developer terminology, the challenges of collaboration and delegating tasks, and balancing hacking with parenting. If you're interested in bug bounty or entrepreneurship, you won't want to miss it!

------ Links ------

Join our Discord!

Today's Guest:

https://twitter.com/fransrosen

Detectify

Discovering s3 subdomain takeovers

Bucket Disclose

A deep dive into AWS S3 access controls

Attacking Modern Web Technologies

Live Hacking like a MVH

Account hijacking using Dirty Dancing in sign-in OAuth flows

Timestamps:

(00:00:00) Introduction

(00:04:50) Frans Rosén's Bug Bounty Journey and the creation of Detectify

(00:13:30) Benefits of pseudo-code, typing, and thinking like a developer

(00:20:20) Hunter Methodologies

(00:35:40) Time on targets, Iteration vs. Ideation, and tips for standing out

(00:51:10) S3 subdomain takeovers

(01:05:02) Blog posting and hosting motivations

(01:13:30) Detectify and entrepreneurial endeavors

(01:29:50) Attacking Modern Web Technologies

(01:46:00) postMessage and MessagePort

(01:58:09) Live Hacking and Collaboration

(02:13:50) Account Hijacking and OAuth Flows

(02:28:48) Hacking/Parenting


Thu, 09 Nov 2023 11:00:28 GMT

Episode 44: URL Parsing & Auth Bypass Magic


Episode 44: In this episode of Critical Thinking - Bug Bounty Podcast, the topic is URL structure, and Justin and Joel break down the elements that make up a URL and some common tips and tricks surrounding them which allow for all sorts of bypasses. We also round out the episode with some new tools, ATO stories, and some controversial current events in the hacker scene.

------ Links ------

"XnlReveal" XNL h4ck3r

OAuth article by Salt Labs

H1 controversy recap

ATO through Facebook Login

https://twitter.com/Jayesh25_/status/1718543152296939861

https://twitter.com/itscachemoney/status/1721658450613346557

When URL Parsers disagree

Golden techniques to bypass host validations in Android apps

Mozilla article on HTTP Authentication

Breaking Parser Logic talk by Orange Tsai

URL Detector

SSRF Bible

Timestamps:

(00:00:00) Introduction

(00:04:10) Xnl-Reveal

(00:07:22) OAuth vulnerabilities

(00:13:17) Recap of controversy surrounding the handling of a vulnerability report on H1

(00:18:55) Hacker Success Manager Program

(00:22:30) Facebook login ATO

(00:27:45) When URL parsers disagree

(00:34:34) URL Structures

(01:02:22) Shared secrets across environments

(01:09:40) Social Media Logins


Thu, 02 Nov 2023 10:00:24 GMT

Episode 43: Caido - The Up-And-Coming HTTP Proxy


Episode 43: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by Emile from Caido, who shares his journey into the bug bounty and ethical hacking world. We kick off with a hilarious incident involving Joel, a child on an airplane, and an unfortunate cough. We then dive into the challenges of building an HTTP proxy tool, balancing basic features with nice-to-have features, and the importance of user feedback in shaping the development of Caido, a bug bounty tool.

------ Links ------

------ Ways to Support CTBBPodcast ------

Sign up for Caido using the referral code CTBBPODCAST for a 10% discount on the annual license.

Today's Guest:

https://twitter.com/TheSytten

Caido

https://caido.io/

Caido's Discord

https://discord.com/invite/KgGkkpKFaq

VS Code

https://code.visualstudio.com/

DNSChef

https://github.com/iphelix/dnschef

HackMD

https://hackmd.io/

Timestamps:

(00:00:00) Introduction

(00:01:34) Emile's journey from general infrastructure development to co-founding Caido

(00:07:00) The rundown on Caido, a lightweight and flexible HTTP proxy tool

(00:11:00) Current and upcoming Caido Features

(00:17:00) Caido crew and division of duties

(00:19:40) Missing features and feature requests

(00:23:49) Decision to use Rust

(00:28:25) Workflows and walkthroughs

(00:36:27) Intercepts and the Roadmap

(00:41:15) Opinions on collaborator Functionality and HTTP Callback

(00:46:19) Reporting and Collaboration


Thu, 26 Oct 2023 10:00:45 GMT

Episode 42: Renniepak Interview & Intigriti LHE Recap


Episode 42: In this episode of Critical Thinking - Bug Bounty Podcast, we're live from a hacking event in Portugal, and joined by the extremely talented René de Sain! He helps us cover a host of topics like NFT, XSS, LHE, and tips for success. We also talk about the correlation between creativity and hacking, shared workspaces, and last but certainly not least, hacker tattoos.

------ Links ------

Today's Guest:

https://twitter.com/renniepak

https://www.linkedin.com/in/rene-de-sain/

https://app.intigriti.com/researcher/profile/renniepak

Hacker Hideout

https://hackerhideout.xyz

Timestamps:

(00:00:00) Introduction

(00:04:40) NFT Vulns and web3 hacking

(00:08:15) Hacker Tattoos

(00:12:30) Intigriti vs. other platforms, and LHE approaches.

(00:20:10) Loneliness, budgeting, and the pros and cons of full-time hunting

(00:28:36) Target approaches, XSS, and extension tools.

(00:37:40) Fostering hacker intuition and relationships

(00:47:15) Final thoughts on the Intigriti Event


Thu, 19 Oct 2023 10:00:27 GMT

Episode 41: Mini Masterclass: Attack Vector Ideation


Episode 41: In this episode of Critical Thinking - Bug Bounty Podcast, Justin takes a break from his busy travel schedule to walk us through a few of his Attack Vector formulation strategies. We're keeping this one short and sweet, so it can be better used as a reference when looking for new vectors.

------ Links ------

Nahamcon talk by Douglas Day

https://youtu.be/G1RHa7l1Ys4?t=295

Timestamps:

(00:00:00) Introduction

(00:02:53) Use the application like a human, not like a hacker

(00:05:02) Reading documentation looking for "Cannot" statements

(00:08:16) Look at the grayed out areas

(00:10:08) Look for information in the API response

(00:12:38) Differences in the UI between different accounts

(00:13:42) Pay the paywall.


Thu, 12 Oct 2023 10:00:50 GMT

Episode 40: Bug Bounty Mentoring


Episode 40: In this episode of Critical Thinking - Bug Bounty Podcast, it's all about mentorships! Justin sits down with Kodai and So, two hackers he helped mentor, to discuss what worked and what didn't. We talk about the importance of mentorship, what mentors might look for in a candidate, the challenges of transitioning from being mentored to self-education, and the necessity of continuous learning in this ever-evolving field that is bug bounty. This episode is a treasure trove of insights, and if you're interested in either side of the mentorship coin, you won't want to miss it.

------ Links ------

Today's Guests:

https://twitter.com/weeshter

https://twitter.com/Mokusou4

Congrats to @nchickens as our giveaway winner!

The Bug Hunter's Methodology Live Course

https://jasonhaddix.gumroad.com/l/lycucs

Timestamps:

(00:00:00) Introduction

(00:04:00) Guest backgrounds and introduction into hacking

(00:17:49) Where to start Learning and Teaching

(00:25:40) Technical Training vs Conceptual Teaching

(00:28:34) Mentorship Styles and Techniques.

(00:39:15) Moving from being mentored to self-learning

(00:46:20) Developing mental resilience and healthy habits

(00:50:32) Elements in mentorships that were hard or haven't worked

(01:02:21) Being influenced by other hackers through mentorship or collaboration

(01:06:20) Hacking Bilingually and language barriers

(01:11:30) Hacking and learning goals for the future


Thu, 05 Oct 2023 10:01:11 GMT

Episode 39: The Art of Architectures


Episode 39: In this episode of Critical Thinking - Bug Bounty Podcast, we're catching up on news, including new override updates from Chrome, GPT-4, SAML presentations, and even a shoutout from Live Overflow! Then we get busy laying the groundwork on a discussion of web architecture. Better get started on this one, 'cause we're going to need a part two!

------ Links ------

CT shoutout from Live Overflow

https://www.youtube.com/watch?v=3zShGLEqDn8

Chrome Override updates

https://developer.chrome.com/blog/new-in-devtools-117/#overrides

GPT-4/AI Prompt Injection

https://x.com/rez0__/status/1706334160569213343?s=20

https://x.com/evrnyalcin/status/1707298475216425400?s=20

Caido Releases Pro free for students

https://twitter.com/CaidoIO/status/1707099640846250433

Or, use code ctbbpodcast for 10% off the subscription price

Aleksei Tiurin on SAML hacking

https://twitter.com/antyurin/status/1704906212913951187

Account Takeover on Tesla

https://medium.com/@evan.connelly/post-account-takeover-account-takeover-of-internal-tesla-accounts-bc720603e67d

Joseph

https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61

Cookie Monster

https://github.com/iangcarroll/cookiemonster

HTMX

https://htmx.org/

Timestamps:

(00:00:00) Introduction

(00:04:40) Shoutout from Live Overflow

(00:06:40) Chrome Overrides update

(00:08:48) GPT-4V and AI Prompt Injection

(00:14:35) Caido Promos

(00:15:40) SAML Vulns

(00:17:55) Account takeover on Tesla, and auth token from one context in a different context

(00:24:30) Testing for vulnerabilities in JWT-based authentication

(00:28:07) Web Architectures

(00:32:49) Single page apps + a rest API

(00:45:20) XSS vulnerabilities in single page apps

(00:49:00) Direct endpoint architecture

(00:55:50) Content Enumeration

(01:02:23) gRPC & Protobuf

(01:06:08) Microservices and Reverse Proxy

(01:12:10) Request Smuggling/Parameter Injections


Thu, 28 Sep 2023 10:00:31 GMT

Episode 38: Mobile Hacking Maestro: Sergey Toshin


Episode 38: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome mobile hacking maestro Sergey Toshin (aka @bagipro). We kick off with Sergey sharing his unexpected journey into mobile security, and how he rose to become the number one hacker in both Google Play Security and Samsung Bug Bounty programs. We then delve into the evolving perception of mobile bugs, a myriad of new and existing attack vectors, and discuss Sergey's creation of mobile security company Oversecured. You're going to want to make time for this one!

------ Links ------

Today's Guest:

https://twitter.com/_bagipro

Oversecured

https://oversecured.com/

Oversecured Blog

https://blog.oversecured.com/

jadx

https://github.com/skylot/jadx

'Golden Android Techniques'

https://hackerone.com/reports/431002

Timestamps:

(00:00:00) Introduction

(00:01:28) Sergey Toshin's hacking journey and achievements

(00:08:20) Mobile hacking: Devices and attack vectors

(00:12:35) Using Jadx

(00:15:40) The creation of Oversecured

(00:23:10) The Oversecured Blog and Sharing Information

(00:28:08) New Spheres and Strategies of Mobile Hacking

(00:35:13) Tips for getting into Mobile Hacking


Thu, 21 Sep 2023 10:00:57 GMT

Episode 37: Tokyo Hacking & Interview with 0xLupin


Episode 37: In this episode of Critical Thinking - Bug Bounty Podcast, we're joined by none other than Lupin himself! We recap the Tokyo LHE and the lessons we learned from it before diving into his legendary journey into security research and bug bounty. We also talk collaboration of all kinds: pair hacking, joining a team, and starting a business together. We even touch on some great tools that can collaborate with each other! This was a fun one, and we don't want you to miss it!

------ Links ------

Today's Guest:

https://twitter.com/0xLupin

Lupin and Holmes

https://landh.tech/

JSWZL

https://jswzl.io/

Cursor

https://cursor.so/

Clairvoyance

https://github.com/nikitastupin/clairvoyance

Tweet about Command Injections

https://twitter.com/win3zz/status/1703702550372078074

James Kettle article on security research

https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher

Timestamps:

(00:00:00) Introduction

(00:01:00) Lessons learned from the latest LHE

(00:09:30) JSWZL and the Cursor Combo

(00:19:15) The Legend of Lupin

(00:34:35) Code and Collaborating

(00:38:48) Requests, Automation, and Testing

(00:50:28) Joel's Helper scripts

(00:52:50) Teamwork and Pair Hacking

(00:57:29) Tips for learning to Hack

(01:00:35) UUID and CTF

(01:08:35) Dynamics of Collaboration with French Team


Thu, 14 Sep 2023 10:00:46 GMT

Episode 36: Bug Bounty Ethics & CT Exclusive Bug Reports


Episode 36: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel take a break from LHE prep to answer questions about the ethics of bug bounty and share their recent bug finds. We talk Iframes, mobile intercept proxies, open redirects, and that time Justin got shot at.

------ Links ------

Timeshifter:

https://www.timeshifter.com/

Tweet about Google Open Redirect

https://twitter.com/Rhynorater/status/1697357773690818844

Tweet about XSS Exploitation

https://twitter.com/Rhynorater/status/1698059391700701424

Request Minimizer

https://portswigger.net/bappstore/cc16f37549ff416b990d4312490f5fd1

Timestamps:

(00:00:00) Introduction

(00:02:45) Hacker One LHE Preview

(00:05:40) Is Bug Bounty Inherently Ethical

(00:19:25) Ethics of Going out of scope

(00:27:56) Justin's story of getting shot at

(00:30:22) Setting up a mobile intercept proxy

(00:33:40) How to approach a new target

(00:40:30) Google Open Redirect

(00:43:35) Recent XSS Exploitation

(00:46:28) ATO Trick

(00:50:25) Joel's Bug Report

(00:55:40) Justin's Bug Report


Thu, 07 Sep 2023 10:01:36 GMT

Episode 35: King of Collaboration: Douglas Day


Episode 35: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome Douglas Day, a bug bounty hunter known for his unique methodologies and collaborative spirit. We talk about his approach to finding new endpoints in applications, his ingenious technique of exploiting Intercom widgets, and collaboration preferences and tips at LHEs. We also touch on the struggle of justifying hobbies that don't generate income and the importance of finding enjoyment in the process. We hope you enjoy this episode as much as we did!

------ Links ------

Today's Guest:

https://twitter.com/ArchAngelDDay

https://hackerone.com/the_arch_angel

https://bugcrowd.com/arch_angel

100 Short Bug Bounty Rules

https://twitter.com/ArchAngelDDay/status/1661924038875435008

Blog about Intercom

https://dday.us/2021/11/03/h1vendorATO.html

Blog about Mapping Hacking

http://dday.us/2021/10/09/Mapyourhacking.html

Timestamps:

(00:00:00) Introduction

(00:03:01) Douglas Day's infosec and LHE intro

(00:10:42) Evolution and philosophy of collaboration

(00:23:08) Balancing Collaboration and Money

(00:29:43) Recap of 100 Short Bug Bounty Rules

(00:37:15) Bug-hunting Methodology

(00:45:45) Using match and replace to find new endpoints in bug hunting

(00:49:07) Exploiting Intercom widgets

(00:52:35) Facing Failure and enjoying the journey

(00:57:00) Managing work-life balance

(01:05:55) Auth-Z testing and documentation

(01:12:25) Vulnerabilities in applications

(01:17:05) Mapping Hacking Sessions


Thu, 31 Aug 2023 10:00:28 GMT

Episode 34: Program vs Hacker Debate


Episode 34: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel have both beaten COVID and now square off against each other in a mega-debate representing hackers and program managers respectively. Among the topics included are Disclosures, Dupes, Zero-Day Policy, payouts, budgets, Triage and Retesting. So, if you want a blood-pumping, insult-hurling, opinion-invalidating debate, then maybe look somewhere else. But if a thought-provoking discussion about bug bounty is more your style, then take a seat and get ready!

------ Links ------

Prompt Injection Primer for Engineers

https://twitter.com/rez0__/status/1695078576104833291

Portswigger on XSS

https://twitter.com/PortSwiggerRes/status/1691812241375424983

Gunnar Andrews' talk

https://www.youtube.com/watch?v=aaDe1ADh5KM

Jhaddix live training Giveaway

https://tbhmlive.com/

ctbb.show/giveaway

New Website

ctbb.show

Fight music composed by Dayn Leonardson

https://www.daynleo.com/

Timestamps:

(00:00:00) Introduction

(00:02:00) Joel's DEFCON Recap

(00:04:45) Prompt Injection Primer for Engineers by Rez0

(00:07:00) Portswigger Research and XSS

(00:08:36) Gunnar Andrews' talk on serverless architecture

(00:10:10) Bug Hunter Methodology Course Giveaway

The Debate

(00:13:34) Zero-Day Policy and Payment for Vulnerabilities

(00:25:40) Disclosure

(00:33:52) Dupes

(00:51:23) CVSS

(01:02:25) Budgets and Payouts

(01:15:00) Triage and Retesting

(01:34:55) Withholding Reports

(01:41:50) Root Cause Analysis

(01:52:25) Interacting with hacker reports from a security standpoint.

(01:58:50) Internal Activity on a Report

(02:01:15) Cost of running Bug Bounty Programs and LHEs


Thu, 24 Aug 2023 10:01:13 GMT

Episode 33: The Master of Hacker Show&Tell: Inti De Ceukelaire


Episode 33: In this episode of Critical Thinking - Bug Bounty Podcast, we welcome Inti De Ceukelaire, a seasoned bug hunter known for his creative storytelling and impactful show-and-tell bugs, and let us tell you, his stories do not disappoint! From his bug bounty journey to some pretty wild hacks, Inti captivates us as only Inti can. We discuss the potential life-saving impact of bug bounty reports, especially in areas such as transportation and medical devices. We also cover hacker mentality, the benefits of objective-based challenges, and the need for collaboration and alignment within the bug bounty community. It's a mesmerizing episode, so sit back and be swept away by Inti's tales.

------ Links ------

Today's Guest:

https://twitter.com/securinti

Inti's Shopify Show-and-Tell

https://hackerone.com/reports/1086108

Hakluke's article on Bug Bounty Standards

https://github.com/hakluke/bug-bounty-standards

Researching MissingNo Glitch in Pokemon

https://youtu.be/p8OBktd42GI

Intigriti

https://www.intigriti.com/

Timestamps:

(00:00:00) Introduction

(00:03:01) Show-and-Tells and Storytelling in Live Hacking Events

(00:08:30) Impact Assessment and the potential real-life significance of reporting vulnerabilities.

(00:13:50) Ethical dilemmas, gaming the systems, and safe harbor.

(00:23:30) Inti's Hacking Journey

(00:27:26) Hacker mentality, brainstorming, and goal-setting.

(00:46:28) The benefit of mental resets, fresh perspectives, and surprise collaboration

(00:52:55) Inti's Story 1: CSS Injection bugs

(01:06:20) Inti's Story 2: The Ticket Trick

(01:14:00) Inti's Story 3: The Gotcha Password Bug

(01:18:30) Upcoming Intigriti Live Hacking Event


Thu, 17 Aug 2023 10:00:15 GMT

Episode 32: The Great Write-up Low-down


Episode 32: In this episode of Critical Thinking - Bug Bounty Podcast, Joel caught a nasty bug (no, not that kind) so Justin is flying solo, and catches us up to speed on what's been happening in hacking news.

------ Links ------

Smashing the State article

https://portswigger.net/research/smashing-the-state-machine?ps_source=portswiggerres&ps_medium=social&ps_campaign=race-conditions

Nagle's Algorithm

https://en.wikipedia.org/wiki/Nagle%27s_algorithm

HTTP/2 RFC

https://httpwg.org/specs/rfc7540.html

Tweet by Alex Chapman

https://twitter.com/ajxchapman/status/1691103677920968704?s=20

Cookieless Duodrop IIS Auth Bypass

https://soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899/

XSS and .NET

https://blog.isec.pl/all-is-xss-that-comes-to-the-net/

Shopify Account Takeover

https://ophionsecurity.com/blog/shopify-acount-takeover

Short Name Guesser

https://github.com/projectmonke/shortnameguesser

Hacking Points.com

https://samcurry.net/Points-com/

Hacking Starbucks

https://samcurry.net/hacking-starbucks/

Bug Bounty Tag Request

https://twitter.com/ajxchapman/status/1688892093597470720

Sandwich Attack

https://www.landh.tech/blog/20230811-sandwich-attack

Timestamps:

(00:00:00) Introduction

(00:01:25) Smashing the State

(00:11:30) HTTP/2 RFC

(00:17:30) Cookieless Duodrop IIS Auth Bypass

(00:24:45) Takeovers and Tools

(00:32:30) Sam Curry writeup

(00:53:10) Community requests

(00:55:10) Sandwich Attacks


Thu, 10 Aug 2023 10:00:53 GMT

Episode 31: Alex Chapman - The Man of Many Crits


Episode 31: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman!

------ Links ------

Today's Guest:

https://twitter.com/ajxchapman

@ajxchapman@infosec.exchange

https://ajxchapman.github.io/

https://hackerone.com/ajxchapman?type=user

Perforce RCE

https://hackerone.com/reports/1830220

https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html

Timestamps:

(00:00:00) Introduction

(00:01:50) Alex Chapman's InfoSec journey and evolution

(00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty

(00:13:12) The benefit of programming knowledge

(00:16:50) Experience in Internal Red Team and hacker mentalities.

(00:23:35) Transitioning to HackerOne and full time Bug Bounty

(00:33:37) Bug Bounty tips, time management, and best practices

(00:41:00) The importance of note-taking and organizational tools

(00:46:27) Hunting Methodologies and focusing on Critical Exploitations

(01:02:37) Collaboration in the hacking community

(01:06:00) Binary Exploitation and Source Code Review

(01:10:59) Configuration file injections

(01:17:38) Justin vs. Alex at a LHE


Thu, 03 Aug 2023 10:00:23 GMT

Episode 30: Recon Legend Shubs - From Burgers to Bounties


Episode 30: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by renowned bug bounty hunter Shubs. We kick off with him sharing his journey from burgers to bugs, and how his friendly rivalry with a fellow hacker fueled his passion for reconnaissance, as well as his love of collaboration. We then shift gears to talk about the art of debugging, ethics and economics of bug bounty hunting, the transition to Entrepreneur, and the evolution of Assetnote from a reconnaissance tool to enterprise security software suite. This one's a banger, and we don't want you to miss it!

------ Links ------

Today's Guest:

@infosec_au

Intro Shoutouts

https://twitter.com/bebiksior

https://cvssadvisor.com/

Assetnote

https://www.assetnote.io/

https://twitter.com/assetnote

Bishop Fox

https://bishopfox.com/

Shortscan

https://github.com/bitquark/shortscan

XXE Payload

https://gist.github.com/Rhynorater/d0d19f757221a916a22476c3a5c6aba2

Timestamps:

(00:00:00) Introduction

(00:05:48) History as a Hacker: Recon, rivalries, and Riot Games

(00:12:13) Collaboration and Community in Bug Bounty

(00:18:19) The Art of Debugging

(00:21:48) Assetnote News and overview

(00:30:43) CVE reversing

(00:32:58) Zero-day vulns

(00:42:48) Bug Bounty Ethics and Economics

(00:52:53) Bug Bounty and Entrepreneurship

(01:03:58) Business lessons learned

(01:07:48) Advice for Hunters looking to grow

(01:12:38) IIS Server Techniques


Thu, 27 Jul 2023 10:00:23 GMT

Episode 29: Live Episode with Sean Yeoh - Assetnote Engineer


Episode 29: In this episode of Critical Thinking - Bug Bounty Podcast, we sit down with Assetnote Engineer Sean Yeoh, and pick his brain about what he's learned on his development journey. We talk about the place and importance of message brokers, and which ones we like best, as well as his engineering philosophy regarding bottleneck prevention and the importance of pursuing optimization. Don't miss this episode of terrific technical tips!

------ Links ------

Today's Guest:

https://twitter.com/seanyeoh

Assetnote

https://www.assetnote.io/

https://twitter.com/assetnote

XKCD automation graph

https://xkcd.com/1319/

Github repository

https://github.com/alex/what-happens-when

Article about Queues

https://archive.is/Nan4e

NATS

https://nats.io/

MongoDB

https://www.mongodb.com/

Timestamps:

(00:00:00) Introduction

(00:01:18) Story of Assetnote

(00:05:20) Message Brokers and event-driven architectures

(00:11:15) Preventing bottlenecks and pursuing optimization

(00:21:35) Using a profiler

(00:28:30) Choosing a Message Broker

(00:33:00) Kubernetes and Conntrack Limits

(00:37:13) Databases

(00:46:30) Bug bounty tips: Sub-domain vs. IP Address

(00:51:15) Engineering quandaries

(00:53:38) DNS Wildcards


Thu, 20 Jul 2023 11:00:23 GMT

Episode 28: Surfin' with CSRFs


Episode 28: In this episode of Critical Thinking - Bug Bounty Podcast, the CSRF's up, dude! We kick off with a debate about whether or not deep link vulns in mobile apps can be considered CSRF. We also talk browser extensions and tools like Hackbar, PwnFox, and JS Weasel, and Justin tries to invent a whole new vuln term. There's plenty of good stuff here, so what are you waiting for? Jump on in!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

rez0's latest tip

https://twitter.com/rez0__/status/168134822190014466019

Hackbar

https://addons.mozilla.org/en-US/firefox/addon/hackbartool/

PwnFox

https://twitter.com/adrien_jeanneau/status/1681364665354289152

JS Weasel

https://www.jswzl.io/

Charlie Eriksen

https://twitter.com/CharlieEriksen

Link to talk by Rojan

https://twitter.com/uraniumhacker/status/1681381857383030785

Bypassing GitHub's OAuth flow

https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html

Great SameSite Confusion

https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/

Check out Nahamsec's Channel

https://www.youtube.com/c/nahamsec

Timestamps:

(00:01:45) The deep link debate

(00:08:00) LHE and in-person interviews

(00:09:25) SQLMAP and raw requests

(00:11:11) Hackbar, PwnFox, and browser extensions

(00:16:45) JS Weasel tool and its features

(00:25:28) Rojan's Research and Public Talks

(Start of main content)

(00:28:36) Cross-Site Request Forgery (CSRF)

(00:35:00) Bypassing GitHub's OAuth flow

(00:45:00) A Small SameSite Story

(00:48:50) CSRF Exploitation Techniques

(01:07:15) CSRF Bug Stories

(01:15:30) NahamSec and DEFCON


Thu, 13 Jul 2023 11:00:42 GMT

Episode 27: Top 7 Esoteric Web Vulnerabilities


Episode 27: In this episode of Critical Thinking - Bug Bounty Podcast, we've switched places and now Joel is home while Justin is on the move. We break down seven esoteric web vulnerabilities, and talk Cookies, Config File Injections, Client-side path traversals and more. We also briefly discuss appliance hacking, new tools, and shout out some new talent in the hacking space. Don't miss this episode full of cool vulns, and experience Justin's vocal decline in real time.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Encrypted Doesn't Mean Authenticated:

https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/

Tweet about headless chrome browser

https://twitter.com/bhavukjain1/status/1678719047209484288?t=NWnZvwHTRMyH_lVC-uXe0g&s=19

Shout out to new talent within the hacking space

https://twitter.com/haxrob

https://twitter.com/atc1441

Tweet about hacking Google Search Appliance

https://twitter.com/orange_8361/status/1677378401957724160

Bitquark releases shortscan

https://twitter.com/bitquark/status/1677647450989838338

Hacking Starbucks

https://samcurry.net/hacking-starbucks/

Justin's CookieJar Tool

https://apps.rhynorater.dev/checkCookieJarOverflow.html

HackTricks

https://book.hacktricks.xyz/pentesting-web/hacking-with-cookies/cookie-jar-overflow

XSLeak

https://xsleaks.dev

Timestamps:

(00:00:00) Introduction

(00:04:00) Assetnote on ShareFile RCE

(00:13:05) Headless Browsers

(00:17:00) Hacker Content Creators

(00:22:51) Appliance Hacking

(00:30:31) Shortscan Release

(Start of main content)

(00:35:39) Config File Injection

(00:44:00) Client-side Path Traversal

(00:51:33) Cookie Bombing

(00:58:00) Cookie Jar Overflow

(01:03:50) XSLeak

(01:10:49) UNC Path Injection

(01:15:50) Impactful Link Hijack


Thu, 06 Jul 2023 11:00:40 GMT

Episode 26: Client-side Quirks & Browser Hacks


In this episode of Critical Thinking - Bug Bounty Podcast, we're back with Joel, fresh (haha) off of back-to-back live hack events in London and Seoul. We start with his recap of the events, and the different vibes of each LHE, then we dive into the technical thick of it, and talk web browsers, XSS vectors, new tools, CVSS 4, and much more than we can fit in this character limit. Just trust us when we say you don't want to miss it!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

______

Episode 26 links:

https://linke.to/Episode26Notes

______

Timestamps:

(00:00:00) Introduction

(00:04:10) LHE Vibes

(00:07:45) "Hunting for NGINX alias traversals in the wild"

(00:12:30) Various payouts in bug bounty programs

(00:16:05) New XSS vectors and popovers

(00:24:15) The "magical math element" in Firefox

(00:27:15) LiveOverflow's research on HTML parsing quirks

(00:32:10) Mr. Tux Racer, Woocommerce, and WordPress

(00:40:00) Changes in the CVSS 4 draft spec

(00:45:00) TomNomNom's new tool jsluice

(00:51:15) JavaScript's import function

(00:55:30) Gareth Heyes' book "JavaScript for Hackers"

(01:02:24) Injecting JavaScript variables

(01:09:15) Prototype pollution

(01:13:15) DOM clobbering

(01:18:10) Exploiting HTML injection using meta and base tags

(01:25:00) CSS Games

(01:28:00) Base tags


Thu, 29 Jun 2023 11:00:34 GMT

Episode 25: 2xMVH & Multi-million dollar hacker Inhibitor181


Episode 25: In this episode of Critical Thinking - Bug Bounty Podcast we talk to Cosmin (@Inhibitor181), fresh off of winning his 2nd MVH! We chat about the time management and strategy of hacking Multi-Target LHEs, determining when to pivot, and how to find normalcy in bug bounty hunting and Live Hacking Events. We also touch on setting up Vuln Pipelines, creating mental models, and Cosmin's terrifying naming schemes. Don't miss this episode packed with both laughs and valuable insights for beginners and seasoned bug bounty hunters alike.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today's Guest:

https://twitter.com/inhibitor181

Justin's weird episode with all the Dr. Seuss Shit

https://rss.com/podcasts/ctbbpodcast/966055/?listen-on=true

Timestamps:

(00:00:00) Introduction

(00:02:52) MVH club and Multi-Target strategy

(00:12:00) Deciding when to pivot

(00:17:00) File Organization and 'unique' naming approaches

(00:23:56) Staying up to date on features and updates

(00:25:46) Hacking Sleep Habits

(00:28:15) Finding 'Normal Life' in bug bounty and LHE

(00:33:30) Vuln Pipelines, Wordlists, and full time bug bounty tips

(00:44:15) Benefits of the Bug Bounty Community

(00:47:45) Relationships with target companies and programs

(00:53:15) Creating mental models

(01:00:30) The Importance of writing good reports

(01:04:30) How to choose what to hack


Thu, 22 Jun 2023 11:00:29 GMT

Episode 24: AI + Hacking with Daniel Miessler and Rez0


Episode 24: In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Daniel Miessler and Rez0 about the emergence and potential of AI in hacking. We cover AI shortcuts and command line tools, AI in code analysis and the use of AI agents, and even brainstorm about the possible opportunities that integrating AI into hacking tools like Caido and Burp might present. Don't miss this episode packed with valuable insights and cutting-edge strategies for both beginners and seasoned bug bounty hunters alike.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today's Guests:

https://twitter.com/rez0__

https://twitter.com/DanielMiessler

Daniel Miessler's Unsupervised Learning

https://danielmiessler.com/

Simon Willison's Python Function Search Tool

https://simonwillison.net/2023/Jun/18/symbex/

oobabooga - web interface for models

https://github.com/oobabooga/text-generation-webui

State of GPT

https://karpathy.ai/stateofgpt.pdf

AI Canaries

https://danielmiessler.com/p/ai-agents-canaries

GPT3.5

https://community.openai.com/t/gpt-3-5-turbo-0613-function-calling-16k-context-window-and-lower-prices/263263

GPT Engineer

https://github.com/AntonOsika/gpt-engineer

Timestamps:

(00:00:00) Introduction

(00:05:40) Using AI for hacking: Developing hacking tools and workflow shortcuts

(00:11:40) GPT Engineer and Small Developer for Security Vulnerability Mapping

(00:22:40) The potential dangers of centralized vs. decentralized finance

(00:24:10) Ethical hacking and circumventing ChatGPT restrictions

(00:26:09) AI Agents, Reverse API, and Encoding/Decoding Tools

(00:31:45) Limitations of AI in context window and processing large JavaScript files

(00:36:50) Meta-prompter: Enhancing prompts for accurate responses from GPT

(00:41:00) GPT-3.5 and the new 616K context model

(00:45:08) Creating a loader for Burp Suite files or Caido instances

(00:54:02) Hacking AI Features: Best Practices

(01:00:00) AI plugin takeover and the need for verification of third-party plugins and tools


Thu, 15 Jun 2023 10:01:06 GMT

Episode 23: Hacker Loadouts


Episode 23: In this episode of Critical Thinking - Bug Bounty Podcast, we delve into a different aspect of hardware - Our personal loadouts. We go through the equipment and gear we use to get our jobs done, and share stories about why we picked what we have. We also touch on live hacking events, the growing acceptance of white hat hacking, and some pretty cool news going on in the hacker world. Don't miss this episode packed with tips and strategies for both beginners and seasoned hackers alike!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Blog post on hacking root EPP servers

https://hackcompute.com/hacking-epp-servers/

Behind this Website:

https://github.com/jonkeegan/behind-this-website

Tweet about vRealize Network Insight: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/

Zoom's new vulnerability impact scoring system:

https://viss.zoom.com/specifications

Uplift Desks

https://www.upliftdesk.com/

Synergy

https://symless.com/synergy

Ahnestly chair reviews:

https://www.youtube.com/c/Ahnestly

Our producer's new audio drama Homicide at Heavensgate

https://link.sentinelstudios.net/homicide

Timestamps:

(00:00:00) Introduction

(00:02:28) Navigating hacking events and imposter syndrome

(00:06:30) Blog post on hacking root EPP servers

(00:10:01) The growing acceptance of white-hat hacking

(00:12:25) Finding Website Owners and Contact Information

(00:16:45) VMware vRealize Network Insight CVEs and nginx reverse proxy bypass

(00:21:30) Zoom's new vulnerability impact scoring system

(00:27:24) The Importance of Analyzing Systemic Problems in Black Box Testing

(00:30:40) Documentation, Vulnerable by Design, and acceptable risk

(Start of main content)

(00:34:37) Leveling up your Hacker Setup

(00:37:13) The Importance of your body

(00:41:30) Investing in ergonomic equipment for computer work

(00:42:27) Standing Desks: Uplift Desk and DIY standing desk options

(00:46:00) Portable Tables: Flexible Workspace Solutions

(00:47:30) Monitor Setup

(00:54:40) Synergy: One keyboard and mouse across multiple devices

(00:57:20) Capture Card: Using it as a software display

(00:58:58) Keyboards and mice

(01:03:27) Using a Chromebook for lightweight hacking

(01:08:57) Chair Reviews: The Niche World of High-End Chairs


Thu, 08 Jun 2023 11:01:13 GMT

Episode 22: Chipping Away at Hardware Hacking


Episode 22: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some basic/intermediate concepts related to Hardware Hacking. Specifically, we dive into extracting data from eMMC chips in order to get our hands on source code for IoT devices. Don't miss this episode packed with valuable insights, tips, and strategies for beginners and seasoned bug bounty hunters alike!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Checkout NahamCon:

https://bit.ly/42vnpMS

RiverLoop Security Write-up: https://bit.ly/3oSKL1o

Good Chip-Off Write-up:

https://bit.ly/3IWym3q

Scratching chips to expose pins:

https://bit.ly/45Tj21i

https://bit.ly/3oJJt8Z

Chat with Corben on Degrees: https://youtu.be/N9P5PUx-PNQ?t=2311

Gareth Heyes Tweet:

https://bit.ly/3qvFNYW

Huntress - John Hammond - MOVEit Response:

https://bit.ly/42vTTXv

Critical Thinking Hardware Hacking Setup - See the gear we're talking about (Affiliate links): https://linke.to/hardwarehackingset

Timestamps:

(00:00:00) Introduction

(01:03) NahamCon's Live Hacking Event and Justin's Presentation on PCI DSS

(02:40) Deprecation of Data URLs in SVG Use Element

(04:55) Gareth Heyes and knowledge sharing in the hacking community

(07:50) MOVEit vulnerability and John Hammond's epic 4 am rants

(12:18) Identifying promising leads in bug bounty hunting, and knowing when to move on

(Start of main content)

(21:40) Hardware Recon, and using Test Pins to Access EMMC Chip

(26:16) Identifying Chip Pinouts and Continuity Testing

(29:01) Using Logic Analyzers for Hardware Hacking

(33:01) Importance of Fundamental Knowledge in Hacking, and the benefits of understanding Electrical Engineering

(35:46) Replay Protected Memory Block Protocol

(40:00) Bug Bounty Programs and Hardware Testing Support

(41:05) Chip Pulling techniques and Essential Equipment for Hardware Hacking

(59:50) Tips for Buying Hardware Hacking Tools: Research and Specific Use Cases

(01:06:35) Hardware Hacking: Just scratching the surface.

(01:08:45) Vulnerability Disclaimer: Pulling OS from a chip does not constitute a Vulnerability.


Thu, 01 Jun 2023 10:01:24 GMT

Episode 21: Chill Chat with Legendary DoD Hacker Corben Leo


In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.

Follow us on twitter at: @ctbbpodcast

Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today's Guest:

https://twitter.com/hacker_

Article on the State of DNS Rebinding in 2023:

https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/

See @ArchAngelDDay's twitter thread about 100 bug bounty rules:

https://twitter.com/ArchAngelDDay/status/1661924038875435008

Talkback - Cybersecurity news aggregator:

https://talkback.sh/

PyPI announces mandatory 2FA:

https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/

Timestamps:

(00:00:00) Introduction

(01:05) State of DNS rebinding in 2023

(04:40) 100 Bug Bounty Rules by @ArchAngelDDay

(05:30) Give yourself a no bug limit

(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs

(11:15) Reporting Out of Scope Bugs

(14:30) Reporting IDORs as Access Control Bugs

(17:28) Talkback

(18:12) PyPI's mandatory 2FA implementation for software publishers

(Start of main content)

(20:07) Starting out in bug bounty/ethical hacking

(25:00) Hacking methodology and mentorship

(28:15) Identifying Load Balancers

(33:20) Triage and live events

(38:30) College and Computer Science vs. Cybersecurity

(45:45) Importance of writing for the Hacker Community

(51:21) Storytelling and report writing.

(55:00) When to stop doing recon and start hacking

(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.


Thu, 25 May 2023 09:00:55 GMT

Episode 20: Hacker Brain Hacks - Overcoming Bug Bounty's Mental Tolls


Episode 20: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into the world of "hacker brain hacks" and overcoming challenges in bug bounty hunting. We discuss custom word lists, the rising popularity of Caido as a potential Burp Suite replacement, and Cloudflared tunnels for hosting POCs. We also tackle the mental aspects of bug bounty hunting, from procrastination to imposter syndrome, and share tips for staying motivated and avoiding burnout. Don't miss this episode packed with valuable insights and advice for both beginners and seasoned bug bounty hunters!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Caido:

https://caido.io

Tweet from D3mondev on Sequence Diagram:

https://twitter.com/d3mondev/status/1660803152755453952

Sequence diagram software:

https://sequencediagram.org

Timestamps:

(00:00:00) Introduction

(00:02:36) "Sequence Diagram": Sequence mapping for PoCs

(00:04:10) "SubReconGPT": AI and GPT in Bug Bounty Hacking

(00:08:30) "Caido": A Potential Replacement for Burp Suite

(00:11:34) HackerOne's New Features

(00:13:00) Cloudflared Tunnels for Red Team Assessments and Payload Hosting

(00:16:07) Mental challenges in Bug Bounty Hunting

(00:17:50) Procrastination Education: Letting fear of failure drive you into always learning, never doing.

(00:22:46) Analysis Paralysis: Starting with Bug Bounty Programs vs VDPs

(00:27:07) Automation Obsession: "When you're hacking, hack. When you're automating, automate."

(00:14:34) Imposter Syndrome: You may not be the best, but you're not the worst either.

(00:31:55) Motivation Deprivation: Stay curious, and set tiered goals

(00:36:07) Automation Obsession pt2: Do we need to say it again?

(00:37:25) Reconnaissance Cognizance: Spending too much time on recon and not enough time on hacking

(00:40:00) Bad Rabbit Holes, RIP Your Goals: Identifying good and bad rabbit holes

(00:46:01) Set Your Goal Poles: Setting specific goals for yourself.

(00:48:29) Impact Lacked: Fixating on something that's funky, but simply doesn't really have impact

(00:51:00) The Burn-out turn-out: Mending, maintenance, and finding identity and self-worth outside hacking

(00:58:19) Responsibility Volatility: Balancing Responsibilities and Freedom as a Bug Bounty Hunter

(01:00:30) Payout Phase-out: Don't stop once you've found one bug.

(01:02:04) Report on URN Injection


Thu, 18 May 2023 10:00:54 GMT

Episode 19: Audit Code, Earn Bounties (Part 2) + Zip-Snip, Sitecore, and more!


Episode 19: In this episode of Critical Thinking - Bug Bounty Podcast we further discuss some tips and tricks for finding vulns once you've got source code, and some banger tweets/tools that popped up in our feed this week.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Part 1:

https://open.spotify.com/episode/2pdTaWHSzl9CY7PgRQtvTi

Noperator's Zip-Snip: https://twitter.com/noperator/status/1658313637189111808

https://github.com/noperator/zip-snip

https://noperator.dev/posts/zip-snip/

ifsecure's SIP Bugs: https://twitter.com/ifsecure/status/1656591469518495745

Assetnote's Sitecore Bugs: https://blog.assetnote.io/2023/05/10/sitecore-round-two/

fyoorer's ShadowClone: https://github.com/fyoorer/ShadowClone


Thu, 11 May 2023 10:00:31 GMT

Episode 18: Audit Code, Earn Bounties


Episode 18: In this episode of Critical Thinking - Bug Bounty Podcast, we dive into everything source-code related: how to get source code and what to do with it once you have it. This episode is packed with great examples of successful source code review, tips on how to review code yourself, and the tools you'll need along the way.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Crossing the KASM:

https://www.youtube.com/watch?v=NwMY1umhpgg

PWNAssistant by Elttam:

https://www.elttam.com/blog/pwnassistant/#content

Andre's Git Arbitrary Configuration Injection:

https://blog.ethiack.com/en/blog/git-arbitrary-configuration-injection-cve-2023-29007

jub0bs' Smorgasbord of a Bug Chain:

https://jub0bs.com/posts/2023-05-05-smorgasbord-of-a-bug-chain/

Ankur Sundara's Cookie Bugs - Smuggling & Injection:

https://twitter.com/ankursundara/status/1654556463703134208?t=7nTUSszPB6fS3MkATzxpaQ&s=19

James Kettle's Notes on Novel Pathways to Poisoning (cool quirks in here):

https://twitter.com/albinowax/status/1654767919690031106?t=vbVEOML5_QnWByi0m8Nv4A&s=19

Ignore Irrelevant Scripts During Debugging by Johan Carlsson:

https://twitter.com/joaxcar/status/1653787336105156616

Every known way to get references to windows:

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

VS Code Todo Highlight:

https://marketplace.visualstudio.com/items?itemName=wayou.vscode-todo-highlight

VS Code:

https://code.visualstudio.com/


Thu, 04 May 2023 10:01:07 GMT

Episode 17: LA Live Chat with Five Legendary Hackers


Episode 17: In this episode of Critical Thinking - Bug Bounty Podcast we talk with five legendary hackers about some of their favorite bugs. Live. From LA.

Corben Leo Lorben CEO @hacker_

Sam ZLZ ZOZL The King Curry @samwcyo

Frans The Legend Rosen @fransrosen

Jonathan Doc Bouman @JonathanBouman

NagliNagliNagli @naglinagli

Shoutout to Jonathan Bouman's Mom!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

FOLLOW OUR LINKEDIN ACCOUNT FOR NAGLI:

https://www.linkedin.com/company/ctbbpodcast

Sam Curry's shoutout - Ian Carroll's Seats.Aero: https://seats.aero/


Thu, 20 Apr 2023 10:00:43 GMT

Episode 16: The Hacker's Toolkit


Episode 16: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the hacker's toolkit. Joel and Justin talk about their VPS setup, go-to hacking tools, most often used Linux commands, and the ways they duct tape all of these together for the big hacks.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on Twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Our Boi @rez0__ Dropping Some AI Hackz:

https://twitter.com/rez0__/status/1648685943539245056?s=20

LiveOverflow Prompt Injection:

https://www.youtube.com/watch?v=Sv5OLj2nVAQ

Joel's Private Network Solution:

https://www.zerotier.com/

Stok & Tomnomnom on Vim/Bash:

https://www.youtube.com/watch?v=l8iXMgk2nnY

Latest GhostScript RCE:

https://offsec.almond.consulting/ghostscript-cve-2023-28879.html

Intigriti CSRF Basics & Jub0b's Legendary SameSite Article:

https://twitter.com/intigriti/status/1646104705561403398

https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/

Nahamcon:

http://nahamcon.com/

Pentah0wnage:

https://research.aurainfosec.io/pentest/pentah0wnage/

DNSChef:

https://github.com/iphelix/dnschef

Httpx:

https://github.com/projectdiscovery/httpx

Espanso:

https://espanso.org/

GoWitness:

https://github.com/sensepost/gowitness


Thu, 13 Apr 2023 10:00:22 GMT

Episode 15: The Israeli Million-Dollar Hacker


Episode 15: In this episode of Critical Thinking - Bug Bounty Podcast we talk with the latest Million-Dollar bug bounty hunter: @naglinagli. He talks about his climb from $1,000 in bounties to $1,000,000, recon tips and tricks, and some bug reports that made the news and landed him the "Best Bug" award at an H1 Live Hacking event.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Follow Nagli and his new startup Shockwave:

https://twitter.com/naglinagli

https://twitter.com/shockwave_sec

HackMD Collaborative Notes:

https://hackmd.io/

Ian Carroll's Airline Miles Website:

https://seats.aero

Nagli's Tweet in ChatGPT Web Cache Deception:

https://twitter.com/naglinagli/status/1639343866313601024

Timestamps:

(00:00:00) Intro

(00:04:40) Nagli's Climb

(00:05:40) What kind of vulns do you look for?

(00:09:25) Working with other hackers

(00:10:20) Bug Bounty Hunters Guild

(00:12:35) Shockwave product

(00:14:12) Outsourcing tool development

(00:18:46) What got you started?

(00:21:13) Manual hacking vs recon suite + LHE focus

(00:25:00) How do you take notes

(00:29:42) Biggest things that you've learned over the past 2 years

(00:31:29) How do you ingest new techniques?

(00:31:50) Collaboration

(00:37:20) Justin Ranting about Trained Eyes

(00:40:18) Time spent coding vs hacking

(00:45:28) Travel and spending habits

(00:54:16) Grep is Nagli's database

(00:56:20) Nagli's ChatGPT Web Cache Deception

(00:58:44) What does your alerting look like?

(01:01:50) Nagli's Most Critical SSRF

(01:04:30) Burp Active Scan


Thu, 06 Apr 2023 10:01:32 GMT

Episode 14: Mobile Hacking Dynamic Analysis w/ Frida + Random Hacker Stuff


Episode 14: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Dynamic Analysis within Mobile Hacking and a bunch of random hacker stuff. It's a good time. Enjoy the pod.

Follow us on Twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on Twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Joel's Alternative to UberTooth One:

https://www.amazon.com/Bluetooth-UD100-G03-Exchangeable-Bluesoleil-Microsoft/dp/B0161B5ATM

D3mondev's Burp VPS Plug-in:

https://github.com/d3mondev/burp-vps-proxy

FireProx:

https://github.com/ustayready/fireprox

Joel's Universal SSL De-pinning Frida Script:

https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725

Command-line Fuzzy Finder:

https://github.com/junegunn/fzf

Justin's two article recommendations for using Frida:

https://tinyurl.com/5n94d6ry

https://tinyurl.com/yfy3n5f5

Copy screen of physical device:

https://tinyurl.com/ymdrscm5

Flipper:

https://flipperzero.one/

BetterCap BLE Module:

https://www.bettercap.org/modules/ble/

Timestamps:

(00:00:00) Intro

(00:00:55) Hacker Chats

(00:03:27) Podcast Content Commentary

(00:04:09) SSRF Rebinding Error Confession

(00:06:02) Flipper Zero

(00:07:58) Bettercap BLE

(00:09:36) Sena USB Bluetooth Adapter

(00:12:41) Burp VPS Proxy Plugin

(00:13:55) Fireprox

(00:15:40) Dynamic Mobile Hacking

(00:17:40) Dynamic Analysis Overview

(00:18:18) Emulator Talk

(00:24:29) Joel's APK Analysis Flow

(00:26:30) Cert Pinning

(00:32:17) Joel's SSL Cert Pinning Script

(00:35:29) Hands-on look at Frida

(00:50:11) Frida on Non-rooted Devices

(00:58:22) Tracing Errors to Overwritable Functions

(01:00:39) Native Libraries

(01:09:18) GenyMobile Screen Mirroring Tool

(01:11:50) Justin's Report of the Day and Custom SSL Pinning

(01:18:15) Joel's First Ever Bug, Jailbreak Detection Bypass


Thu, 30 Mar 2023 10:01:13 GMT

Episode 13: How to Find a Good BBP + Acropalypse + ZDI


Episode 13: In this episode of Critical Thinking - Bug Bounty Podcast we talk about how to determine if a bug bounty program is good or not from the policy page. We also cover some news including Acropalypse, ZDI's Pwn2Own Competition, Node's Request library's SSRF Bypass, and a new scanning tool by JHaddix.

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

JHaddix AWSScrape Tool:

https://twitter.com/Jhaddix/status/1637140192728612865?s=20

Acropalypse Links:

https://twitter.com/ItsSimonTime/status/1636857478263750656

https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html

https://twitter.com/David3141593/status/1638222624084951040

https://twitter.com/David3141593/status/1638293029059477505

SSRF Bypass in NodeJS:

https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html

ZDI's Pwn2Own:

https://twitter.com/thezdi

Kuzu7shiki's Awesome Pixiv Report:

https://hackerone.com/reports/1861974

https://twitter.com/kuzu7shiki

Some of the Programs we talk about:

https://hackerone.com/instacart

https://hackerone.com/semrush

https://hackerone.com/yahoo

https://hackerone.com/paypal


Thu, 23 Mar 2023 09:00:23 GMT

Episode 12: JHaddix on Hacker->Hacker CISO, OG Hacking Techniques, and Crazy Reports


Episode 12: In this episode of Critical Thinking - Bug Bounty Podcast we talk with Jason Haddix about his eclectic hacking techniques, Hacker -> Hacker CISO life, and some crazy vulns he found. This episode is chock full of awesome tips so give it a good listen!

------ Links ------

Follow JHaddix on Twitter:

https://twitter.com/jhaddix

BuddoBot:

https://buddobot.com/

BC Hunt:

https://github.com/bugcrowd/HUNT/blob/master/README.md

One List For All:

https://github.com/six2dez/OneListForAll

AssetNote Wordlists:

https://wordlists.assetnote.io/

Backslash Powered Scanner:

https://portswigger.net/bappstore/9cff8c55432a45808432e26dbb2b41d8

Jason's Handy Dandy Acronyms:

SSWLR - Sensitive Secrets Were Leaked Recently

COTS Software - Common Off-The-Shelf Software


Thu, 16 Mar 2023 09:01:03 GMT

Episode 11: CV$$, Web Cache Deception, and SSTI


Episode 11: In this episode of Critical Thinking - Bug Bounty Podcast we talk about CVSS (the good, the bad, and the ugly), Web Cache Deception (an underrated vuln class) and a sick SSTI Joel and Fisher found.

------ Links ------

MDSec Outlook Vuln:

https://twitter.com/MDSecLabs/status/1635791863478091778

Jub0bs' User-Existence Oracle Tweet:

https://twitter.com/jub0bs/status/1633786349529513986

James Kettle's Tweet About BB ID Header Standardization:

https://twitter.com/albinowax/status/1635951506791755776

15K Snapchat Numeric IDOR:

https://hackerone.com/reports/1819832

Bug Bounty Reports Explained:

https://www.bugbountyexplained.com/

CVSS Calculator:

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Web Cache Deception Write-up:

https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf


Thu, 09 Mar 2023 10:01:17 GMT

Episode 10: The Life of a Full-Time Bug Bounty Hunter + BB News + Reports from Mentees


Episode 10: In this episode of Critical Thinking - Bug Bounty Podcast we talk about what it's like to be a full-time bug bounty hunter, a ton of bug bounty news, and some great report summaries from Justin's two mentees: Kodai and Soma.

Follow us on twitter at: https://twitter.com/ctbbpodcast

------ Links ------

HackVertor https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100

Not_An_Aardvark (Teddy Katz) Blog: https://blog.teddykatz.com/

Tweets from PortSwigger Research:

https://twitter.com/PortSwiggerRes/status/1632742844535324677

https://twitter.com/PortSwiggerRes/status/1630221223874445314

https://twitter.com/PortSwiggerRes/status/1629131380473970688

HackerOne LHE Standards: https://www.hackerone.com/hackerone-community-blog/get-invited-how-live-hacking-event-invites-have-changed

Rez0 Bug Bounty Tweet: https://twitter.com/rez0__/status/1553371602770960384?t=NCr_esHcEts9PrcjxIZ5uw&s=19

Rojan's GitHub Bug: https://twitter.com/uraniumhacker/status/1633199768263593984

Goodbye Daily Swig: https://portswigger.net/daily-swig/were-going-teetotal-its-goodbye-to-the-daily-swig

Gareth Heyes' JavaScript for Hackers: https://leanpub.com/javascriptforhackers/


Thu, 02 Mar 2023 10:01:12 GMT

Episode 9: Headless Browser SSRF & RebindMultiA Tool Release + Web3 Bug


Episode 9: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Headless Browser SSRF and drop a tool called RebindMultiA. Joel also walks us through a web3 bug and we cover some bug bounty news from the past week. As always, we drop some bug bounty tips and give you some attack vectors to think about.

------ Links ------

Truffle Security End-To-End Encryption Video:

https://www.youtube.com/watch?v=BBcZcoIZ1Jc

HackerOne World Cup:

https://www.hackerone.com/hackers/brand-ambassador-program

HackerOne World Cup Sign Up Form for USA:

https://docs.google.com/forms/d/e/1FAIpQLSeRQpH2y0J-opxlsz8dPkvnIu8BqC_DA3CJe_eFhTFroPwdcg/viewform

ChatGPT API:

https://openai.com/blog/introducing-chatgpt-and-whisper-apis

Megachad RobertMD GitHub Issue:

https://github.com/nccgroup/singularity/issues/2

Justin's RebindMultiA Tool:

https://github.com/Rhynorater/rebindMultiA

Brannon Dorsey's WhoNow Tool:

https://github.com/brannondorsey/whonow

NCC Group's Singularity:

https://github.com/nccgroup/singularity

Chromium Disclosed Bugs:

https://chromium-disclosed-bugs.appspot.com/

NahamSec Talk on Headless Browser SSRF:

https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresen

Jonathan Bouman - LFI via <annotation>:

https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f

WASM Port Scanning:

https://github.com/avilum/portsscan

Jack Halon - Chrome Browser Exploitation:

https://twitter.com/jack_halon/status/1583957704930131968

DNSChef:

https://github.com/iphelix/dnschef


Wed, 22 Feb 2023 10:00:54 GMT

Episode 8: PostMessage Bugs, CSS Injection, and Bug Drops


Episode 8: In this episode of Critical Thinking - Bug Bounty Podcast we drop some critical bugs which leak raw credit card info. We also discuss some CSS Injection & PostMessage related techniques. It's a short one but a good one! Don't miss it!

------ Links ------

CSS Escape Blog Post:

https://mathiasbynens.be/notes/css-escapes

Rez0's blog on ChatGPT:

https://rez0.blog/hacking/2023/02/21/hacking-with-chatgpt.html

All the ways to get a reference to a frame (shoutout to @wcbowling for the article):

https://bluepnume.medium.com/every-known-way-to-get-references-to-windows-in-javascript-223778bede2d

CSS Painting API:

https://developer.mozilla.org/en-US/docs/Web/API/CSS_Painting_API

Import Chaining:

https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b


Thu, 16 Feb 2023 10:00:26 GMT

Episode 7: PortSwigger Top 10, TruffleSecurity Drama, and More!


Episode 7: In this episode of Critical Thinking - Bug Bounty Podcast we talk about PortSwigger's Top 10 Web Hacking Techniques of 2022 (link below), some drama surrounding TruffleSecurity's XSS Hunter, and, as always, some great bug bounty tips.

Sorry if the audio is a little rough around the edges this time, should be better than ever next time.

------ Links ------

PortSwigger's Top 10 Web Hacking Techniques of 2022:

https://portswigger.net/research/top-10-web-hacking-techniques-of-2022

Ian Carroll Cookie Monster:

https://github.com/iangcarroll/cookiemonster

Frans Rosen's postMessage Tracker Chrome Extension:

https://github.com/fransr/postMessage-tracker

Notes from Justin on postMessages:

https://rhynorater.github.io/postMessage-Braindump

Frans Rosen's research on nginx misconfigurations that are similar to #6:

https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/

"Mount" Wycheproof:

https://github.com/google/wycheproof

https://en.wikipedia.org/wiki/Mount_Wycheproof

Nathan Davison - Abusing Hop-by-Hop headers:

https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

Awesome example of client-side path traversal:

https://erasec.be/blog/client-side-path-manipulation/

Joohoi Ffuf 2.0:

https://infosec.exchange/@joohoi/109806822104162973

FeroxBuster:

https://github.com/epi052/feroxbuster


Thu, 09 Feb 2023 10:00:37 GMT

Episode 6: Mobile Hacking Attack Vectors with Teknogeek (Joel Margolis)


Episode 6: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with mobile hacking legend Joel Margolis and get the scoop on his approach to popping bugs on Android.

------ Links ------

Joel's HackerOne Android Hacking Introduction:

https://t.ly/f87D

Android Pixel Lock Screen Bypass:

https://t.ly/Q_qq

Exploiting Deeplink URLs:

https://inesmartins.github.io/exploiting-deep-links-in-android-part1/index.html

Joel's get_schemas tool:

https://github.com/teknogeek/get_schemas

Example AndroidManifest.xml we referenced:

https://t.ly/mcN1

https://t.ly/ErVV

Android docs for intent filters:

https://developer.android.com/guide/components/intents-filters.html

Android docs for setAllowContentAccess:

https://t.ly/hXOZ

Android docs for setAllowFileAccess:

https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)

Add JavaScript Interface to Webview:

https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface(java.lang.Object,%20java.lang.String)

Joel's SSL Pinning Bypass:

https://gist.github.com/teknogeek/4dc35fb3801bd7f13e5f0da5b784c725

Google Chrome Docs for Intent URLs:

https://developer.chrome.com/docs/multidevice/android/intents/#considerations

Joel's Bug Bounty Report:

https://hackerone.com/reports/423467


Thu, 02 Feb 2023 10:00:37 GMT

Episode 5: AI Security, Hacking WiFi, the New XSS Hunter, and more


Episode 5: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the new XSS Hunter, MD5 collisions and using ChatGPT for security, and much more!

------ Links ------

Save All Resources Chrome Extension: https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=en

Corben's AMA: https://twitter.com/hacker_/status/1620514351521366016

Collisions repo: https://github.com/corkami/collisions


Thu, 02 Feb 2023 10:00:37 GMT

Episode 4: H1-407 Event Madness & Takeaways Part 2 w/ Special Guest Spaceraccoon


Episode 4: In this episode of Critical Thinking - Bug Bounty Podcast we have part two of our series on the H1-407 HackerOne Live Hacking Event. This time, we have a special guest SpaceRaccoon (@spaceraccoonsec) talking about techniques and takeaways from the event.

------ Links ------

Spaceraccoon's blog:

https://spaceraccoon.dev/

Spaceraccoon's twitter:

https://twitter.com/spaceraccoonsec

Responder (NTLM Hash harvesting tool):

https://github.com/lgandx/Responder

The malware reversing course Spaceraccoon recommended:

https://courses.zero2auto.com/

Offensive Security Exploit Development Courses:

https://www.offensive-security.com/courses-and-certifications/


Thu, 26 Jan 2023 09:30:14 GMT

Episode 3: H1-407 Event Madness & Takeaways Part 1


Episode 3: In this episode of Critical Thinking - Bug Bounty Podcast we talk about some of the interesting things we've learned from participating in HackerOne's H1-407 Live Hacking event. We cover decompiling binaries in various different languages, Windows URI Handlers, Caido, and SameSite Lax + POST.

------ Links ------

Frans Rosen S3 Bucket Authorization Blog Post: https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/

Getting code from executables:

ILSpy

DotPeek

Jadx-GUI

Pyinstxtractor

Uncompyle6

Jub0bs SameSite Article:

https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/

Mgeeky's PowerShell Script to Enumerate Windows App URI Handlers:

https://gist.github.com/mgeeky/5a30a0619a7486b2fb0bd5233490fa64


Wed, 18 Jan 2023 18:02:03 GMT

Episode 2: Exploit Writing & Automation / Do you need to know how to program to hack?


Episode 2: In this episode of Critical Thinking - Bug Bounty Podcast we talk about exploit writing/automation, some new tools released in the industry (Of-CORS), the age old question of "Do you have to know how to program to hack?", a walk-through of some very impactful bug bounty reports, and some tips and tricks for exploit writing.

------ Links ------

Of-CORS by TruffleSecurity

https://trufflesecurity.com/blog/of-cors/

https://github.com/trufflesecurity/of-cors

CyberChef

https://gchq.github.io/CyberChef/

Curl Converter

https://curlconverter.com/

Caido

https://caido.io/

Copy As Python Requests

https://portswigger.net/bappstore/b324647b6efa4b6a8f346389730df160

eMMC Card Reader:

https://www.allsocket.com/

Joel's Funny Automation XKCD:

https://xkcd.com/1319/

Flipper:

https://shop.flipperzero.one/


Mon, 09 Jan 2023 19:50:30 GMT

Episode 1: Introductions, Bug Bounty Reports, and BB Tips


Episode 1: In this episode of Critical Thinking - Bug Bounty Podcast, Joel Margolis (aka 0xteknogeek) and Justin Gardner (aka Rhynorater) cover introductions, a couple of cool bug bounty reports, and some really helpful BB Tips.

------ Links ------

The report Joel was talking about: https://hackerone.com/reports/1672388


Darknet Diaries

Tue, 02 Jul 2024 07:00:00 -0000

147: Tornado


In this episode, Geoff White (https://x.com/geoffwhite247) tells us what happened to Axie Infinity and Tornado Cash. It's a digital heist of epic proportions that changes everything.

This story comes from part of Geoff's book Rinsed which goes into the world of money laundering. Get yours here https://amzn.to/3VJs7pb.


Tue, 04 Jun 2024 07:00:00 -0000

146: ANOM


In this episode, Joseph Cox (https://x.com/josephfcox) tells us the story of Anom. A secure phone made by criminals, for criminals.

This story comes from part of Joseph's book Dark Wire which you should definitely read. Get yours here https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691.


Tue, 07 May 2024 07:00:00 -0000

145: Shannen


Shannen Rossmiller wanted to fight terrorism. So she went online and did.

Read more about her from her book The Unexpected Patriot: How an Ordinary American Mother Is Bringing Terrorists to Justice. An affiliate link to the book on Amazon is here: https://amzn.to/3yaf5sI.

Thanks to Spycast for allowing usage of the audio interview with Shannen.

Sponsors

Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: they show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker. ThreatLocker is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker Allowlisting and Ringfencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.


Tue, 02 Apr 2024 07:00:00 -0000

144: Rachel


Rachel Tobac is a social engineer. In this episode we hear how she got started doing this and a few stories of how she hacked people and places using her voice and charm.


Learn more about Rachel by following her on Twitter https://twitter.com/RachelTobac or by visiting https://www.socialproofsecurity.com/


Daniel Miessler also chimes in to talk about AI. Find out more about him at https://danielmiessler.com/.




Tue, 05 Mar 2024 08:00:00 -0000

143: Jim Hates Scams


Jim Browning has dedicated himself to combatting scammers, taking a proactive stance by infiltrating their computer systems. Through his efforts, he not only disrupts these fraudulent operations but also shares his findings publicly on YouTube, shedding light on the intricacies of scam networks. His work uncovers a myriad of intriguing insights into the digital underworld, which he articulately discusses, offering viewers a behind-the-scenes look at his methods for fighting back against scammers.


Jim's YouTube channel: https://www.youtube.com/c/JimBrowning



Sponsors

Support for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.


This episode is sponsored by Intruder. Growing attack surfaces, dynamic cloud environments, and the constant stream of new vulnerabilities stressing you out? Intruder is here to help you cut through the chaos of vulnerability management with ease. Join the thousands of companies who are using Intruder to find and fix what matters most. Sign up to Intruder today and get 20% off your first 3 months. Visit intruder.io/darknet.


This show is sponsored by Shopify. Shopify is the best place to go to start or grow your online retail business. And running a growing business means getting the insights you need wherever you are. With Shopify's single dashboard, you can manage orders, shipping, and payments from anywhere. Sign up for a one-dollar-per-month trial period at https://shopify.com/darknet.






Tue, 06 Feb 2024 08:00:00 -0000

142: Axact


Axact sells fake diplomas and degrees. What could go wrong with this business plan?



Tue, 02 Jan 2024 08:00:00 -0000

141: The Pig Butcher


The #1 crime which results in the biggest financial loss is BEC fraud. The #2 crime is pig butchering. Ronnie Tokazowski https://twitter.com/iHeartMalware walks us through this wild world.


Sponsors

Support for this show comes from Drata. Drata streamlines your SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR & many other compliance frameworks, and provides 24-hour continuous control monitoring so you focus on scaling securely. Listeners of Darknet Diaries can get 10% off Drata and waived implementation fees at drata.com/darknetdiaries.



Tue, 05 Dec 2023 08:00:00 -0000

140: Revenge Bytes


Madison's nude photos were posted online. Her twin sister Christine came to help. This begins a bizarre and uneasy story.


Tue, 07 Nov 2023 08:00:00 -0000

139: D3f4ult


This is the story of D3f4ult (twitter.com/_d3f4ult) from CWA. He was a hacktivist, upset with the state of the way things were, and wanted to make some changes. Changes were made.


Sponsors

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.


Support for this show comes from Quorum Cyber. Their mantra is: We help good people win. If you're looking for a partner to help you reduce risk and defend against the threats that are targeting your business, and especially if you are interested in Microsoft Security, reach out to Quorum Cyber at www.quorumcyber.com/darknet-diaries.


Sources

https://www.vice.com/en/article/z3ekk5/kane-gamble-cracka-back-online-after-a-two-year-internet-ban

https://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/

https://www.hackread.com/fbi-server-hacked-miami-police-data-leaked/

https://archive.ph/Si79V#selection-66795.5-66795.6

https://wikileaks.org/cia-emails/John-Brennan-Draft-SF86/page-7.html


Tue, 03 Oct 2023 07:00:00 -0000

138: The Mimics of Punjab


This episode is about scammers in the Punjab region. Tarun (twitter.com/taruns21) comes on the show to tell us a story of what happened to him. Naomi Brockwell (twitter.com/naomibrockwell) makes an appearance to speak about digital privacy.


To learn more about protecting your digital privacy, watch Naomi's YouTube channel https://www.youtube.com/@NaomiBrockwellTV. And check out the books Extreme Privacy (https://amzn.to/3L3ffp9) and Beginner's Introduction to Privacy (https://amzn.to/3EjuSoY).




Sponsors

Support for this show comes from SpyCloud. It's good practice to see what data is getting passed around out there regarding you, your employees, your customers, and your business. The dark web is a place where this data is traded and shared. SpyCloud will help you find what's out there about you and give you a report so you can be aware. Then they'll continuously monitor the dark web for any new exposures you should be aware of. To learn more visit spycloud.com/darknetdiaries.


Support for this show comes from ThreatLocker. ThreatLocker has built-in endpoint security solutions that strengthen your infrastructure from the ground up with a zero trust posture. ThreatLocker's Allowlisting gives you a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level. Learn more at www.threatlocker.com.


Tue, 05 Sep 2023 07:00:00 -0000

137: Predator


A new type of mercenary spyware came on the radar called Predator. It'll infect a mobile phone, and then suck up all the data from it. Contacts, text messages, location, and more. This malware is being sold to intelligence agencies around the world.


In this episode we hear from Crofton Black at Lighthouse Reports who spent 6 months with a team of journalists researching this story which was published here: https://www.lighthousereports.com/investigation/flight-of-the-predator/.


We also hear from Bill Marczak and John Scott-Railton from Citizen Lab.


If you want to hear about other mercenary spyware, check out episodes 99 and 100, about NSO group and Pegasus. To hear another episode about Greece check out episode 64 called Athens Shadow Games.


Sponsors

Support for this show comes from Akamai Connected Cloud (formerly Linode). Akamai Connected Cloud supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Tue, 01 Aug 2023 07:00:00 -0000

136: Team Xecuter


Team Xecuter was a group involved with making and selling modchips for video game systems. They often made mods that allowed the video game system to rip games or play pirated games. It was a crowd favorite in the modding scene. Until it all fell apart. The story of what happened to Team Xecuter must be heard to be believed.


This episode features Gary Bowser. You can find more about Gary here:


https://twitter.com/Bowser_GaryOPA

https://garyopa.com/

https://www.gofundme.com/f/garyopa-restarting-his-life?utm_location=darknetdiaries


Sponsors

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.


Support for this show comes from ThreatLocker. ThreatLocker has built-in endpoint security solutions that strengthen your infrastructure from the ground up with a zero trust posture. ThreatLocker's Allowlisting gives you a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level. Learn more at www.threatlocker.com.


Sources

https://www.washingtonpost.com/archive/politics/1994/10/27/ringleader-pleads-guilty-in-phone-fraud/56e551bb-a727-43e8-a3ca-1c1f4cf6ef82/

https://www.justice.gov/sites/default/files/usao/legacy/2010/10/12/usab4304.pdf

https://www.eurogamer.net/nintendo-to-appeal-not-guilty-judgement-of-flash-cart-sellers-7

https://www.gamesindustry.biz/nintendo-pounces-on-global-piracy-outfit

https://www.justice.gov/opa/pr/two-members-notorious-videogame-piracy-group-team-xecuter-custody

https://medium.com/swlh/watch-paint-dry-how-i-got-a-game-on-the-steam-store-without-anyone-from-valve-ever-looking-at-it-2e476858c753#.z05q2nykc

https://www.lemonde.fr/police-justice/article/2022/05/27/voler-des-societes-qui-font-des-milliards-qu-est-ce-que-j-en-ai-a-faire-max-louarn-c-ur-de-hackeur_6127821_1653578.html

https://www.theverge.com/2020/11/20/21579392/nintendo-big-house-super-smash-bros-melee-tournament-slippi-cease-desist

https://www.youtube.com/watch?v=U7VwtOrwceo

https://www.youtube.com/watch?v=5sNIE5anpik


Tue, 04 Jul 2023 07:00:00 -0000

135: The D.R. Incident


Omar Avilez worked in the CSIRT of the Dominican Republic when a major cyber security incident erupted. Omar walks us through what happened and the incident response procedures that he went through.


Breakmaster Cylinder's new album: https://breakmastercylinder.bandcamp.com/album/the-moon-all-that.


Sponsors

Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.


Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this show comes from Flare. Flare automates monitoring across the dark & clear web to detect high-risk exposure, before threat actors have a chance to leverage it. Their unified solution makes it easy to rapidly identify risks across thousands of sources, including developers leaking secrets on public GitHub Repositories, threat actors selling infected devices on dark web markets, and targeted attacks being planned on illicit Telegram Channels. Visit https://flare.io to learn more.


Sources

https://www.wired.com/story/costa-rica-ransomware-conti/

https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook

https://www.youtube.com/watch?v=QHYH0U66K5Q

https://www.youtube.com/live/prCr7Z94078

https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america

https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/

https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/


Attribution

Darknet Diaries is created by Jack Rhysider.

Assembled by Tristan Ledger.

Episode artwork by odibagas.

Mixing by Proximity Sound.

Theme music created by Breakmaster Cylinder. Theme song available to listen to and download at Bandcamp, or listen to it on Spotify.


Tue, 06 Jun 2023 07:00:00 -0000

134: Deviant


Deviant Ollam is a physical penetration specialist. That means he's paid to break into buildings to see if the building is secure or not. He has done this for a long time and has a lot of tricks up his sleeve to get into buildings. In this episode we hear 3 stories of him breaking into buildings for a living.


You can find more about Deviant on the following sites:


https://twitter.com/deviantollam


https://www.instagram.com/deviantollam


https://youtube.com/deviantollam


https://defcon.social/@deviantollam


https://deviating.net/


Sponsors

Support for this show comes from ThreatLocker. ThreatLocker has built-in endpoint security solutions that strengthen your infrastructure from the ground up with a zero trust posture. ThreatLocker's Allowlisting gives you a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level. Learn more at www.threatlocker.com.


This show is sponsored by Packetlabs. They've created the Penetration Testing Buyer's Guide, a comprehensive resource that will help you plan, scope, and execute your penetration testing projects. Inside, you'll find valuable information on frameworks, standards, methodologies, cost factors, reporting options, and what to look for in a provider. https://guide.packetlabs.net/.


Support for this show comes from Drata. Drata streamlines your SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR & many other compliance frameworks, and provides 24-hour continuous control monitoring so you focus on scaling securely. Listeners of Darknet Diaries can get 10% off Drata and waived implementation fees at drata.com/darknetdiaries.


Tue, 02 May 2023 07:00:00 -0000

133: I'm the Real Connor


One day Connor Tumbleson got an email saying his identity had been stolen. And this was one of the strangest days he's ever had.


Sponsors

Support for this show comes from Quorum Cyber. Their mantra is: We help good people win. If you're looking for a partner to help you reduce risk and defend against the threats that are targeting your business, and especially if you are interested in Microsoft Security, reach out to Quorum Cyber at quorumcyber.com.


Skiff is a collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you've created. Try it out at https://skiff.com.


Support for this show comes from AttackIQ. AttackIQ's security optimization platform emulates the adversary with realism to test your security program, generating real-time performance data to improve your security posture. They also offer free training. Head to attackiq.com to get a closer look at how AttackIQ can help you today.



Sources

https://connortumbleson.com/

https://krebsonsecurity.com/2022/10/glut-of-fake-linkedin-profiles-pits-hr-against-the-bots/

Snippet from Darknet Diaries ep 119 about North Koreans getting tech jobs to steal bitcoin https://www.youtube.com/watch?v=v1ik6bAwELA



Attribution


Assembled by Tristan Ledger.

Sound design by Garrett Tiedemann.

Episode artwork by odibagas.

Mixing by Proximity Sound.

Theme music created by Breakmaster Cylinder.


Tue, 04 Apr 2023 07:00:00 -0000

132: Sam the Vendor


Sam Bent, a.k.a. DoingFedTime, brings us a story of what it was like being a darknet market vendor.


Learn more about Sam at https://www.doingfedtime.com/.


Sponsors

Support for this show comes from Akamai Connected Cloud (formerly Linode). Akamai Connected Cloud supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldnt be. Check them out at https://canary.tools.


Tue, 27 Dec 2022 08:00:00 -0000

131: Welcome to Video


Andy Greenberg (https://twitter.com/a_greenberg) brings us a gut wrenching story of how criminal investigators used bitcoin tracing techniques to try to find out who was at the center of a child sexual abuse darkweb website.


This story is part of Andy's new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. An affiliate link to the book on Amazon is here: https://amzn.to/3VkjSh7.




Sponsors

Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.


Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Tue, 13 Dec 2022 08:00:00 -0000

130: Jason's Pen Test


Join us as we sit down with Jason Haddix (https://twitter.com/Jhaddix), a renowned penetration tester who has made a name for himself by uncovering vulnerabilities in some of the world's biggest companies. In this episode, Jason shares his funny and enlightening stories about breaking into buildings and computers, and talks about the time he discovered a major security flaw in a popular mobile banking app.


Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.


Tue, 29 Nov 2022 08:00:00 -0000

129: Gollumfun (Part 2)


Brett Johnson, AKA Gollumfun (twitter.com/GOllumfun) was involved with the websites Counterfeit Library and Shadow Crew. He tells his story of what happened there and some of the crimes he committed.


In part 2, his past catches up to him.


Listen to more of Brett on his own show. https://www.thebrettjohnsonshow.com/.




Tue, 15 Nov 2022 08:00:00 -0000

128: Gollumfun (Part 1)


Brett Johnson, AKA Gollumfun (twitter.com/GOllumfun) was involved with the websites Counterfeit Library and Shadow Crew. He tells his story of what happened there and some of the crimes he committed.


Sponsors

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Tue, 01 Nov 2022 07:00:00 -0000

127: Maddie


Maddie Stone is a security researcher for Google's Project Zero. In this episode we hear what it's like battling zero-day vulnerabilities.


Sponsors

Support for this show comes from Zscaler. The Zscaler Zero Trust Exchange will scrutinize the traffic and permit or deny traffic based on a set of rules. This is so much more secure than letting data flow freely internally. And it really does mitigate ransomware outbreaks. The Zscaler Zero Trust Exchange gives YOU confidence in your security to feel empowered to focus on other parts of your business, like digital transformation, growth, and innovation. Check out the product at zscaler.com.


Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldnt be. Check them out at https://canary.tools.



Sources

https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/yu-vb2013.pdf

https://www.youtube.com/watch?v=s0Tqi7fuOSU

https://www.vice.com/en/article/4x3n9b/sometimes-a-typo-means-you-need-to-blow-up-your-spacecraft


Tue, 18 Oct 2022 07:00:00 -0000

126: REvil


REvil is the name of a ransomware service as well as a group of criminals inflicting ransomware onto the world. Hear how this ransomware shook the world.


A special thanks to our guest Will, a CTI researcher with Equinix.


Sponsors

Support for this show comes from Zscaler. The Zscaler Zero Trust Exchange will scrutinize the traffic and permit or deny traffic based on a set of rules. This is so much more secure than letting data flow freely internally. And it really does mitigate ransomware outbreaks. The Zscaler Zero Trust Exchange gives YOU confidence in your security to feel empowered to focus on other parts of your business, like digital transformation, growth, and innovation. Check out the product at zscaler.com.


Support for this show comes from Arctic Wolf. Arctic Wolf is the industry leader in security operations solutions, delivering 24x7 monitoring, assessment, and response through our patented Concierge Security model. They work with your existing tools and become an extension of your existing IT team. Visit arcticwolf.com/darknet to learn more.


Tue, 04 Oct 2022 07:00:00 -0000

125: Jeremiah


Jeremiah Roe is a seasoned penetration tester. In this episode he tells us about a time when he had to break into a building to prove it wasn't as secure as the company thought.


You can catch more of Jeremiah on the We're In podcast.


Sponsors

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs, finding and fixing vulnerabilities in real time. Create your free account at snyk.co/darknet.


Tue, 20 Sep 2022 07:00:00 -0000

124: Synthetic Remittance


What do you get when you combine social engineering, email, crime, finance, and the money stream flowing through big tech? Evaldas Rimašauskas comes to mind. He combined all these to make his big move. A whale of a move.


Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Tue, 06 Sep 2022 07:00:00 -0000

123: Newswires


Investing in the stock market can be very profitable. Especially if you can see into the future. This is a story of how a group of traders and hackers got together to figure out a way to see into the future and make a lot of money from that.


Sponsors

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.


Support for this show comes from Juniper Networks. Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper's Zero Trust Data Center provides uncompromising visibility across all your data center environments.


Tue, 23 Aug 2022 07:00:00 -0000

122: Lisa


In this episode we hear some insider threat stories from Lisa Forte.


Sponsors

Support for this show comes from Axonius. Securing assets whether managed, unmanaged, ephemeral, or in the cloud is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.


Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs, finding and fixing vulnerabilities in real time. Create your free account at snyk.co/darknet.


Attribution

Darknet Diaries is created by Jack Rhysider.


Editing by Damienne. Assembled by Tristan Ledger. Sound designed by Andrew Meriwether.


Episode artwork by odibagas.


Mixing by Proximity Sound.


Theme music created by Breakmaster Cylinder. Theme song available to listen to and download at Bandcamp, or listen to it on Spotify.


Tue, 26 Jul 2022 07:00:00 -0000

121: Ed


In this episode we hear some penetration test stories from Ed Skoudis (twitter.com/edskoudis). We also catch up with Beau Woods (twitter.com/beauwoods) from I am The Cavalry (iamthecavalry.org).


Sponsors

Support for this show comes from Axonius. Securing assets whether managed, unmanaged, ephemeral, or in the cloud is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this show comes from Zscaler. The Zscaler Zero Trust Exchange will scrutinize the traffic and permit or deny traffic based on a set of rules. This is so much more secure than letting data flow freely internally. And it really does mitigate ransomware outbreaks. The Zscaler Zero Trust Exchange gives YOU confidence in your security to feel empowered to focus on other parts of your business, like digital transformation, growth, and innovation. Check out the product at zscaler.com/darknet.


Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.




Attribution

Darknet Diaries is created by Jack Rhysider.


Editing by Damienne. Assembled by Tristan Ledger. Sound designed by Andrew Meriwether.


Episode artwork by odibagas.


Audio cleanup by Proximity Sound.


Theme music created by Breakmaster Cylinder.


Tue, 28 Jun 2022 07:00:00 -0000

120: Voulnet


This is the story about when Mohammed Aldoub, AKA Voulnet, (twitter.com/Voulnet) found a vulnerability on Virus Total and Tweeted about it.


Sponsors

Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.


Sources

https://www.cyberscoop.com/story/trial-error-kuwait-mohammed-aldoub-case/


Tue, 14 Jun 2022 07:00:00 -0000

119: Hot Wallets


In this episode we interview journalist Geoff White to discuss some of the recent cryptocurrency heists that have been happening. Geoff has been tracking a certain group of thieves for some time and shares his knowledge of what he's found.


Much of what we talk about in this episode has been published in Geoff's new book The Lazarus Heist: From Hollywood to High Finance: Inside North Korea's Global Cyber War (https://amzn.to/3mKf1qB).


Sponsors

Support for this show comes from Axonius. Securing assets whether managed, unmanaged, ephemeral, or in the cloud is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. axonius.com/darknet


Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.


Tue, 31 May 2022 07:00:00 -0000

118: Hot Swaps


This is the story of Joseph Harris (https://twitter.com/akad0c). When he was a young teen he got involved with stealing video game accounts and selling them for money. This set him on a course where he flew higher and higher until he got burned.


Joseph sometimes demonstrates vulnerabilities he finds on his YouTube channel https://www.youtube.com/channel/UCdcuF5Zx6BiYmwnS-CiRAng.


Listen to episode 112 Dirty Coms to hear more about what goes on in the communities Joseph was involved with.


Sponsors

Support for this show comes from Axonius. Securing assets whether managed, unmanaged, ephemeral, or in the cloud is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks.


Support for this show comes from Synack. Synack is a penetration testing firm. But they also have a community of people like you who earn regular money by legally hacking. If you're interested in getting paid to hack, visit them now at synack.com/red-team, and click apply now.


Tue, 17 May 2022 07:00:00 -0000

117: Daniel the Paladin


Daniel Kelley (https://twitter.com/danielmakelley) was equal parts mischievousness and clever when it came to computers. Until the day his mischief overtook his cleverness.


Sponsors

Support for this show comes from Keeper Security. Keeper Security is an enterprise password management system. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And, it takes less than an hour to deploy across your organization. Get started by visiting keepersecurity.com/darknet.


Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Tue, 03 May 2022 07:00:00 -0000

116: Mad Dog


Jim Lawler, aka Mad Dog, was a CIA case officer for 25 years. In this episode we hear some of the stories he has and things he did while working in the CIA.


Jim has two books out. Affiliate links below.

Living Lies: A Novel of the Iranian Nuclear Weapons Program https://amzn.to/3s0Ppca

In the Twinkling of an Eye: A Novel of Biological Terror and Espionage https://amzn.to/3y7B4OL


Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Support for this show comes from Juniper Networks. Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper's Zero Trust Data Center provides uncompromising visibility across all your data center environments.


Tue, 19 Apr 2022 07:00:00 -0000

115: Player Cheater Developer Spy


Some video game players buy cheats to win. Let's take a look at this game cheating industry to see who the players are.


Sponsors

Support for this show comes from Axonius. Securing assets whether managed, unmanaged, ephemeral, or in the cloud is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Tue, 05 Apr 2022 07:00:00 -0000

114: HD


HD Moore (https://twitter.com/hdmoore) invented a hacking tool called Metasploit. He crammed it with tons of exploits and payloads that can be used to hack into computers. What could possibly go wrong? Learn more about what HD does today by visiting rumble.run/.


Sponsors

Support for this show comes from Quorum Cyber. They exist to defend organisations against cyber security breaches and attacks. That's it. No noise. No hard sell. If you're looking for a partner to help you reduce risk and defend against the threats that are targeting your business, and especially if you are interested in Microsoft Security, reach out to www.quorumcyber.com.


Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs, finding and fixing vulnerabilities in real time. And Snyk does it all right from the existing tools and workflows you already use: IDEs, CLI, repos, pipelines, Docker Hub, and more, so your work isn't interrupted. Create your free account at snyk.co/darknet.


Tue, 22 Mar 2022 07:00:00 -0000

113: Adam


Adam got a job doing IT work at a learning academy. He liked it and was happy there and feeling part of the team. But a strange series of events took him in another direction, one that definitely didn't make him happy.


Sponsors

Support for this show comes from Axonius. Securing assets whether managed, unmanaged, ephemeral, or in the cloud is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.


Tue, 08 Mar 2022 08:00:00 -0000

112: Dirty Coms


This episode we talk with a guy named Drew who gives us a rare peek into what some of the young hackers are up to today. From listening to Drew, we can see that times are changing for the motive behind hacking. In the 90s and 00s it was done for fun and curiosity. In the 10s Anonymous showed us what Hacktivism is. And now, in the 20s, the young hackers seem to be profit driven.




Sponsors


Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.




Support for this show comes from Juniper Networks. Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper Secure Edge can help you keep your remote workforce seamlessly secure wherever they are.


Tue, 22 Feb 2022 08:00:00 -0000

111: ZeuS


ZeuS is a banking trojan, designed to steal money from online bank users' accounts. This trojan became so big that it resulted in one of the biggest FBI operations ever.


Sponsors

Support for this show comes from Axonius. Securing assets whether managed, unmanaged, ephemeral, or in the cloud is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.


Support for this show comes from Keeper Security. Keeper Security is an enterprise password management system. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And, it takes less than an hour to deploy across your organization. Get started by visiting keepersecurity.com/darknet.


Tue, 08 Feb 2022 08:00:00 -0000

110: Spam Botnets


This episode tells the stories of some of the world's biggest spamming botnets. We'll talk about the botnets Rustock, Waledac, and Cutwail. We'll discover who was behind them, what their objectives were, and what their fate was.


Sponsors

Support for this show comes from Juniper Networks (juniper.net/darknet). Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper Secure Edge can help you keep your remote workforce seamlessly secure wherever they are.


Support for this podcast comes from Cybereason. Cybereason reverses the attackers' advantage and puts the power back in the defenders' hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Tue, 25 Jan 2022 08:00:00 -0000

109: TeaMp0isoN


TeaMp0isoN was a hacking group that was founded by TriCk and MLT (twitter.com/0dayWizard). They were responsible for some high profile hacks. But in this story it's not the rise that's most interesting. It's the fall.


Sponsors

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.


Support for this podcast comes from Cybereason. Cybereason reverses the attackers' advantage and puts the power back in the defenders' hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Tue, 11 Jan 2022 08:00:00 -0000

108: Marq


This is the story of Marq (twitter.com/dev_null321), which involves passwords, the dark web, and police.


Sponsors

Support for this podcast comes from Cybereason. Cybereason reverses the attackers' advantage and puts the power back in the defenders' hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.



Sources

Court records and news articles were used to fact check this episode. However Marq requested that links to his full name not be made available.


https://techcrunch.com/2019/12/19/ring-doorbell-passwords-exposed/

https://www.wired.com/2010/03/hacker-bricks-cars/


Tue, 21 Dec 2021 08:00:00 -0000

107: Alethe


Alethe is a social engineer. Professionally she tries to trick people into giving her passwords and access that she shouldn't have. But her journey to this point is interesting, and in this episode she tells us how she became a social engineer.

Follow Alethe on Twitter: https://twitter.com/AletheDenis


Sponsors

Support for this show comes from Skiff. Skiff is a collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you've created. Try it out at https://www.skiff.org/darknet.


Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 07 Dec 2021 08:00:00 -0000

106: @Tennessee


How much online abuse are you willing to take before you decide to let your abuser have what they want? Unfortunately, this is a decision that many people have to ask themselves. If someone can threaten you physically, it bypasses whatever digital security you have in place.


Thanks to https://twitter.com/jw for sharing this harrowing story with us.


Affiliate links to books:


The Smart Girl's Guide to Privacy: https://www.amazon.com/gp/product/1593276486/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1593276486&linkCode=as2&tag=tunn01-20&linkId=0a8ee2ca846534f77626757288d77e00


Extreme Privacy: https://www.amazon.com/gp/product/B0898YGR58/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B0898YGR58&linkCode=as2&tag=tunn01-20&linkId=575c5ed0326484f0b612f000621b407f


Sponsors


Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.


Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.



Tue, 23 Nov 2021 08:00:00 -0000

105: Secret Cells


Joseph Cox (https://twitter.com/josephfcox), Senior Staff Writer at Motherboard (https://www.vice.com/en/topic/motherboard), joins us to talk about the world of encrypted phones.


Books


Affiliate links to books:


The Smart Girl's Guide to Privacy: https://www.amazon.com/gp/product/1593276486/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1593276486&linkCode=as2&tag=tunn01-20&linkId=0a8ee2ca846534f77626757288d77e00


Extreme Privacy: https://www.amazon.com/gp/product/B0898YGR58/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B0898YGR58&linkCode=as2&tag=tunn01-20&linkId=575c5ed0326484f0b612f000621b407f




Sponsors


Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.


Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.



Tue, 09 Nov 2021 08:00:00 -0000

104: Arya


Arya Ebrahami has had quite a personal relationship with darknet marketplaces. In this episode you'll hear about his adventures on Tor. Arya's current project is https://lofi-defi.com.


Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.



Sources

https://www.nbcwashington.com/news/local/27-arrested-in-prince-william-county-narcotics-investigation/58441/

https://patch.com/virginia/manassas/undercover-narcotics-operation-nets-27-arrrests-xanax-distribution-ring


Tue, 26 Oct 2021 07:00:00 -0000

103: Cloud Hopper


Fabio Viggiani is an incident responder. In this episode he tells the story of when one of his clients was breached.


Sponsors


Support for this show, and for stretched security teams, comes from SOC.OS. Too many security alerts means alert fatigue for under-resourced SecOps teams. Traditional tools aren't solving the problem. SOC.OS is the lightweight, cost-effective, and low-maintenance solution for your team. Centralise, enrich, and correlate your security alerts into manageable, prioritised clusters. Get started with an extended 3-month free trial at https://socos.io/darknet.


Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.



Sources


https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper

https://www.reuters.com/article/us-china-cyber-cloudhopper-companies-exc-idUSKCN1TR1D4

https://www.fbi.gov/wanted/cyber/apt-10-group

https://www.youtube.com/watch?v=277A09ON7mY

https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061

https://www.technologyreview.com/2018/12/20/239760/chinese-hackers-allegedly-stole-data-of-more-than-100000-us-navy-personnel/


Tue, 12 Oct 2021 07:00:00 -0000

102: Money Maker


Frank Bourassa had an idea. He was going to make money. Literally. Listen to the story of a master counterfeiter.


Tue, 28 Sep 2021 07:00:00 -0000

101: Lotera


In 2014 the Puerto Rico Lottery was mysteriously losing money. Listen to this never before told story about what happened and who did it.


Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.


Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Sources

https://en.wikipedia.org/wiki/Puerto_Rico_Lottery

https://www.justice.gov/usao-pr/pr/10-individuals-indicted-drug-trafficking-and-money-laundering

https://www.dea.gov/press-releases/2014/07/22/caribbean-corridor-strike-force-arrests-10-individuals-indicted-drug

https://casetext.com/case/united-states-v-delfin-robles-alvarez-7


Tue, 31 Aug 2021 07:00:00 -0000

100: NSO


The NSO Group creates a spyware called Pegasus which gives someone access to the data on a mobile phone. They sell this spyware to government agencies around the world. How is it used and what kind of company is the NSO Group?


Thanks to John Scott-Railton and Citizen Lab for investigating this and sharing their research.


Sponsors

Support for this show comes from Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET


Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.


Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


For a full list of sources used in this episode and complete transcripts visit https://darknetdiaries.com.


Tue, 17 Aug 2021 07:00:00 -0000

99: The Spy


Igor works as a private investigator in NYC. He's often sitting in cars keeping a distant eye on someone with binoculars, or following someone through the busy streets of New York. In this episode we hear about a time when Igor was on a case but sensed that something wasn't right.


Sponsors

Support for this show comes from Exabeam. Exabeam lets security teams see what traditional tools can't, with automated threat detection and triage, complete visibility across the entire IT environment and advanced behavioral analytics that distinguishes real threats from perceived ones, so security teams stay ahead and businesses keep moving without fear of the unknown. When the security odds are stacked against you, outsmart them from the start with Exabeam. Learn more at https://exabeam.com/DD.


Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.



Sources

Article: The Case of the Bumbling Spy

Podcast: The Catch and Kill Podcast with Ronan Farrow


Tue, 03 Aug 2021 07:00:00 -0000

98: Zero Day Brokers


Zero day brokers are people who make or sell malware that's sold to people who will use that malware to exploit people. It's a strange and mysterious world that not many people know a lot about. Nicole Perlroth, who is a cybersecurity reporter for the NY Times, dove in head first, which resulted in her writing a whole book on it.

Affiliate link for book: This is How They Tell Me The World Ends (https://www.amazon.com/gp/product/1635576059/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1635576059&linkCode=as2&tag=tunn01-20&linkId=0aa8c966d98b49a7927bfc29aac76bbe)

Audiobook deal: Try Audible Premium Plus and Get Up to Two Free Audiobooks (https://www.amazon.com/Audible-Free-Trial-Digital-Membership/dp/B00NB86OYE/?ref_=assoc_tag_ph_1485906643682&_encoding=UTF8&camp=1789&creative=9325&linkCode=pf4&tag=tunn01-20&linkId=31042b955d5e6d639488dc084711d033)

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Privacy.com. Privacy allows you to create anonymous debit cards instantly to use for online shopping. Visit privacy.com/darknet to get a special offer.


Tue, 20 Jul 2021 07:00:00 -0000

97: The Pizza Problem


What if someone wanted to own your Instagram account? Not just control it, but make it totally theirs. This episode tells the story of how someone tried to steal an Instagram account from someone.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 06 Jul 2021 07:00:00 -0000

96: The Police Station Incident


Nicole Beckwith wears a lot of hats. She's a programmer and incident responder, but also a cop and a task force officer with the Secret Service. In this episode she tells a story which involves all of these roles.

https://twitter.com/NicoleBeckwith

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Exabeam. Exabeam lets security teams see what traditional tools can't, with automated threat detection and triage, complete visibility across the entire IT environment and advanced behavioral analytics that distinguishes real threats from perceived ones, so security teams stay ahead and businesses keep moving without fear of the unknown. When the security odds are stacked against you, outsmart them from the start with Exabeam. Learn more at https://exabeam.com/DD.


Tue, 22 Jun 2021 07:00:00 -0000

95: Jon & Brian's Big Adventure


Jon and Brian are penetration testers who both worked at a place called RedTeam Security. They're paid to break into buildings and hack into networks to test the security of those buildings. In this episode they bring us a story of how they prepare and execute a mission like this. But even with all the preparation, something still goes terribly wrong.


Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET.

Support for this show comes from Ping Identity, champions of identity for the global enterprise. Give your users a loveable login solution. Visit www.pingidentity.com/.


Tue, 08 Jun 2021 07:00:00 -0000

94: Mariposa


Chris Davis has been stopping IT security threats for decades. He's currently running the company Hyas, which he started. In this episode he tells a few tales of some threats that he helped stop.

Sponsors

Support for this show comes from Exabeam. Exabeam lets security teams see what traditional tools can't, with automated threat detection and triage, complete visibility across the entire IT environment and advanced behavioral analytics that distinguishes real threats from perceived ones, so security teams stay ahead and businesses keep moving without fear of the unknown. Learn more by visiting exabeam.com/dd.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 25 May 2021 07:00:00 -0000

93: Kik


Kik is a wildly popular chat app. Their website says that 1 in 3 American teenagers use Kik. But something dark is brewing on Kik.


Tue, 11 May 2021 07:00:00 -0000

92: The Pirate Bay


The Pirate Bay is a website, a search engine, which has an index of torrent files. A lot of copyrighted material is listed on the site, but the site doesn't store any of the copyrighted material. It just points the user to where you can download it from. So for a while The Pirate Bay has been one of the largest places you can find pirated movies, music, games, and apps. But this site first came up in 2003, and it is still up and in operation now, 18 years later! You would think someone would have shut this place down by now. How does the biggest source for copyrighted material stay up and online for that long? Listen to this episode to find out.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 27 Apr 2021 07:00:00 -0000

91: webjedi


What happens when an unauthorized intruder gets into the network of a major bank? Amélie Koran, aka webjedi, was there for one of these intrusions and tells us the story of what happened.

You can find more talks from Amélie at her website webjedi.net.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go.


Tue, 13 Apr 2021 07:00:00 -0000

90: Jenny


Meet Jenny Radcliffe, the People Hacker. She's a social engineer and physical penetration tester, which means she gets paid to break into buildings and test their security. In this episode she tells us a few stories of some penetration testing jobs she's done.

Sponsors

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go.


Tue, 06 Apr 2021 07:00:00 -0000

89: Cybereason - Molerats in the Cloud


The threat research team at Cybereason uncovered an interesting piece of malware. They studied it and tracked it, which led them to believe they were dealing with a threat actor known as Molerats.

Sponsors

This episode is sponsored by Cybereason. Cybereason reverses the attackers' advantage and puts the power back in your hands. Their future-ready attack platform gives defenders the wisdom to uncover, understand, and piece together multiple threats. And the precision focus to end cyberattacks instantly on computers, mobile devices, servers, and the cloud. They do all this through a variety of tools they've developed such as antivirus software, endpoint monitoring, and mobile threat detection tools. They can give you the power to do it yourself, or they can do all the monitoring and respond to threats in your environment for you. Or you can call them after an incident to get help cleaning up. If you want to monitor your network for threats, check out what Cybereason can do for you. Cybereason. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Tue, 30 Mar 2021 07:00:00 -0000

88: Victor


Victor looks for vulnerabilities on the web and reports them responsibly. This is the story about disclosure number 5780.

Listen to episodes 86 and 87 before this one to be caught up on the story leading up to this.

Sponsors

This podcast is sponsored by Navisite. Accelerate IT transformation to respond to new demands, lower costs and prepare for whatever comes next. Visit Navisite.com/go.

This podcast is sponsored by the JSCM Group. They have a service called ClosedPort: Scan, and it is a monthly Penetration Test performed by Cyber Security Experts. Contact JSCM Group today at jscmgroup.com/darknet.

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.


Tue, 16 Mar 2021 07:00:00 -0000

87: Guild of the Grumpy Old Hackers


In 2016 the LinkedIn breach data became available to the public. What the Guild of the Grumpy Old Hackers did with it then is quite the story. Listen to Victor, Edwin, and Mattijs tell their story.

Sponsors

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Support for this show comes from Privacy.com. Privacy allows you to create anonymous debit cards instantly to use for online shopping. Visit privacy.com/darknet to get a special offer.


Tue, 02 Mar 2021 08:00:00 -0000

86: The LinkedIn Incident


In 2012, LinkedIn was the target of a data breach. A hacker got in and stole millions of user details. Username and password hashes were then sold to people willing to buy. This episode goes over the story of what happened.

For a good password manager, check out LastPass.

Sponsors

Support for this episode comes from Quadrant Information Security. If you need a team of around-the-clock analysts to monitor for threats in your network using a custom SIEM, check out what Quadrant can do for you by visiting www.quadrantsec.com.

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Tue, 16 Feb 2021 08:00:00 -0000

85: Cam the Carder


This is the story of Cam Harrison, aka kilobit, and his rise and fall as a prominent carder.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Oracle for Startups. Oracle for Startups delivers enterprise cloud at a startup price tag, with free cloud credits and 70% off industry-leading cloud services to help you reel in the big fish confidently. To learn more, visit Oracle.com/goto/darknet.


Tue, 02 Feb 2021 08:00:00 -0000

84: Jet-setters


How bad is it if you post your boarding pass on Instagram? Our guest, Alex, decides to figure this out for themselves and has quite a story about what happened. You can read more from Alex on their blog https://mango.pdf.zone.

We also hear from TProphet, who's here to give us some travel hacks to save tons on airfare when we start traveling again. You can learn more about TProphet's travel hacks at https://seat31b.com or https://award.cat.

Sponsors

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Support for this show comes from Tanium. With Tanium you can gain real-time security and operational data directly from your endpoints along with the ability to take action on, and create reports from, that data in just minutes, so that you and your teams can have the insight and capability necessary to accomplish the mission effectively. Learn more at https://federal.tanium.com.


Tue, 19 Jan 2021 08:00:00 -0000

83: NSA Cryptologists


In this episode we interview two NSA Cryptologists, Marcus J. Carey and Jeff Man. We hear their story of how they got into the NSA and what they did while there.

To hear more stories from Jeff tune into Paul's Security Weekly, where Jeff is a regular co-host and shares a lot of stories and insights.

Marcus has written several books on security. They are Tribe of Hackers, Tribe of Hackers Blue Team, Tribe of Hackers Red Team, Tribe of Hackers Security Leaders, Think in Code, and a children's book called Three Little Hackers.

Also check out the Tribe of Hackers podcast to hear interviews with all these amazing people!

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Tue, 05 Jan 2021 08:00:00 -0000

82: Master of Pwn


The Zero Day Initiative runs a hacker contest called Pwn2Own. The contest calls the best hackers in the world to demonstrate they can hack into software that should be secure, like browsers, phones, and even cars. A lot of vulnerabilities are discovered from this event, which means vendors must fix them. Whoever can demonstrate the most vulnerabilities will be crowned the Master of Pwn.

Thanks to Dustin Childs and Brian Gorenc from ZDI for telling us all about Pwn2Own.

Thanks to Radek and Pedro for sharing their experiences of becoming the Masters of Pwn.

Sponsors

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Support for this show comes from Kars 4 Kids. Donate your car today; this organization will sell it to fund their charity.


Tue, 22 Dec 2020 08:00:00 -0000

81: The Vendor


This is the story of a darknet marketplace vendor we'll name V. V tells his story of how he first became a buyer, then transitioned into a seller.

This episode talks about drugs. Listener discretion is advised.

If you want to contact V his email is at https://darknetdiaries.com/episode/81.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.


Tue, 08 Dec 2020 08:00:00 -0000

80: The Whistleblower


In this episode we hear a story from a social engineer whose job it is to get people to do things they don't want to do. Why? For profit.

Sponsors

Support for this episode comes from SentinelOne, which can protect against and assist with ransomware attacks. On top of that, SentinelOne offers threat hunting, visibility, and remote administration tools to manage and protect any IoT devices connected to your network. Go to SentinelOne.com/DarknetDiaries for your free demo. Your cybersecurity future starts today with SentinelOne.

Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 24 Nov 2020 08:00:00 -0000

79: Dark Basin


What do you do when you find yourself the target of a massive hacking campaign, and you are getting thousands of phishing emails and someone is following you in your car? You might turn to Citizen Lab, who has the ability to research who is behind this and help bring the hackers to justice.

Our guests this episode are Adam Hulcoop and John Scott-Railton of Citizen Lab. This episode also has an interview with Matthew Earl of Shadowfall.

Sponsors

Support for this show comes from LastPass by LogMeIn. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 10 Nov 2020 08:00:00 -0000

78: Nerdcore


Nerdcore music is music for nerds. In this episode we hear from some of the musicians who make Nerdcore music.

This episode features guests ytcracker, Ohm-I, and Dual Core.


Content warning: This episode has explicit lyrics.


Music

For a playlist of music used in this episode visit darknetdiaries.com/episode/78.

Sponsors

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 27 Oct 2020 07:00:00 -0000

77: Olympic Destroyer


In February 2018, during the Winter Olympics in Pyeongchang, South Korea, a cyber attack struck, wiping out a lot of the Olympics' digital infrastructure. Teams rushed to get things back up, but it was bad. Malware had repeatedly wiped the domain controllers, rendering a lot of the network unusable. Who would do such a thing?

We will talk with Andy Greenberg to discuss Olympic Destroyer, a chapter from his book Sandworm (affiliate link).

Sponsors

Support for this show comes fromLinode. Linode supplies you with virtual servers. Visitlinode.com/darknetand get a special offer.

Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 13 Oct 2020 07:00:00 -0000

76: Knaves Out


This is the story about how someone hacked into JP Morgan Chase, one of the biggest financial institutions in the world. It's obvious why someone would want to break into a bank, right? Well, the people who hacked into this bank did not do it for obvious reasons. The hackers are best described as knaves, which are tricky, deceitful fellows.

Sponsors

Support for this show comes from LastPass by LogMeIn. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Support for this episode comes from SentinelOne, which can protect and assist with ransomware attacks. On top of that, SentinelOne offers threat hunting, visibility, and remote administration tools to manage and protect any IoT devices connected to your network. Go to SentinelOne.com/DarknetDiaries for your free demo. Your cybersecurity future starts today with SentinelOne.

Support for this show comes from IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.


For a complete list of sources and a full transcript of the show visit darknetdiaries.com/episode/76.


Tue, 29 Sep 2020 07:00:00 -0000

75: Compromised Comms


From 2009 to 2013, the communication channels the CIA uses to contact assets in foreign countries were compromised. This had terrifying consequences.

Guests this episode are Jenna McLaughlin and Zach Dorfman.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.


Sources

Attribution

Darknet Diaries is created by Jack Rhysider.

Research assistance this episode from Yael Grauer.


Tue, 15 Sep 2020 07:00:00 -0000

74: Mikko


Poker is a competitive game. Unlike other casino games, poker is player vs player. Criminal hackers have understood this for a while and sometimes hack the other players to get an edge. And that small edge can result in millions of dollars in winnings.

This episode contains a story from Mikko Hypponen of F-Secure. We also interview Mikko to learn more about him and the history of malware.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Sources


Tue, 01 Sep 2020 07:00:00 -0000

73: WannaCry


It is recommended to listen to episodes 53 Shadow Brokers, 71 FDFF, and 72 Bangladesh Bank Heist before listening to this one.


In May 2017 the world fell victim to a major ransomware attack known as WannaCry. One of the victims was the UK's National Health Service. Security researchers scrambled to try to figure out how to stop it and who was behind it.

Thank you to John Hultquist from FireEye and thank you to Matt Suiche, founder of Comae.

Sponsors

Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.


Tue, 18 Aug 2020 07:00:00 -0000

72: Bangladesh Bank Heist


A bank robbery with the objective to steal 1 billion dollars. This is the story of the largest bank robbery in history. And it was all done over a computer.

Our guest this episode was Geoff White. Learn more about him at geoffwhite.tech.

Check out Geoff's new book Crime Dot Com. Affiliate link: https://www.amazon.com/gp/product/1789142857/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1789142857&linkCode=as2&tag=darknet04-20&linkId=bb5a6aa7ba980183e0ce7cee1939ea05


Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 04 Aug 2020 07:00:00 -0000

71: Information Monopoly


In this episode, we're going into the depths of North Korea to conduct one of the greatest hacks of all time: finding a way to inject information into a country run by a totalitarian regime.

A big thanks to Yeonmi Park for sharing her story with us. Also thanks to Alex Gladstein for telling us the inside story.

You can find more about Flash Drives For Freedom at flashdrivesforfreedom.org.


Yeonmi's book "In Order to Live": https://www.amazon.com/gp/product/014310974X/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=014310974X&linkCode=as2&tag=darknet04-20&linkId=88ebdc087c6ce041105c479b1bb6c3d2


Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 21 Jul 2020 07:00:00 -0000

70: Ghost Exodus


Ghost Exodus is a hacker. He conducted various illegal activities online, some of which he documents on YouTube. He's also a great musician. He got into some trouble from his hacking. This is his story.

A big thanks to Ghost Exodus for sharing his story with us. Also thanks to Wesley McGrew for telling us the inside story.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

This episode was sponsored by Detectify. What vulnerabilities will their crowdsource-powered web vulnerability scanner detect in your web applications? Find out with a 14-day free trial. Go to https://detectify.com/Darknet

Sources


Tue, 07 Jul 2020 07:00:00 -0000

69: Human Hacker


We all know that computers and networks are vulnerable to hacking and malicious actors, but what about us, the humans who interface with these devices? Con games, scams, and strategic deception are far older than computers, and in the modern era, these techniques can make humans the weakest link in even the most secure system. In this episode, security consultant and master social engineer Christopher Hadnagy joins us to share his stories and wisdom. He describes what it was like to be a social engineer before the world knew what social engineering was and tells some of his amazing stories from his long career in penetration testing.

A big thanks to Christopher Hadnagy from social-engineer.org for sharing his stories with us.

Check out his book Social Engineering: The Science of Human Hacking, affiliate link here.

Check out his podcast called The Social-Engineer Podcast.

Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Sources


Book Recommendations with affiliate links:


Tue, 23 Jun 2020 07:00:00 -0000

68: Triton


A mysterious mechanical failure one fateful night in a Saudi Arabian chemical plant leads a cast of operational technology researchers down a strange path towards an uncommon, but grave, threat. In this episode, we hear how these researchers discovered this threat and tried to identify who was responsible for the malware behind it. We also consider how this kind of attack may pose a threat to human life wherever there are manufacturing or public infrastructure facilities around the world.

A big thanks to Julian Gutmanis, Naser Aldossary, Marina Krotofil, and Robert M. Lee for sharing their stories with us.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.

Sources


Tue, 09 Jun 2020 07:00:00 -0000

67: The Big House


John Strand is a penetration tester. He's paid to break into computer networks and buildings to test their security. In this episode we listen to stories he has from doing this type of work.

Thanks to John Strand for coming on the show and telling your story.

Sponsors

Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources


Tue, 26 May 2020 07:00:00 -0000

66: freakyclown


Freakyclown is a physical penetration tester. His job is to break into buildings to test the security of the building. In this episode we hear stories of some of these missions he's been on.

Thanks to Freakyclown for coming on the show and telling your story.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

This episode was sponsored by Molekule, a new air purifier that completely destroys air pollutants to help you breathe easier. https://molekule.com.


Tue, 12 May 2020 07:00:00 -0000

65: PSYOP


PSYOP, or Psychological Operations, is something the US military has been doing to foreign audiences for decades. But what exactly is it? And what's the difference between white, gray, and black PSYOP missions? We talk to PSYOP specialists to learn more.

Thanks to Jon Nichols for telling us about this fascinating world.

Sponsors

Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources

Videos


Tue, 28 Apr 2020 07:00:00 -0000

64: The Athens Shadow Games


Vodafone Greece is the largest telecom provider in Greece. But in 2004 a scandal within the company would put them at the top of the news cycle in Greece for weeks. Hackers got into the network. And what they were after took everyone by surprise.

Sponsors

Support for this episode comes from Okta. Learn more about how you can improve your security posture with the leader in identity-driven security at okta.com/darknet.

This episode is supported by PlexTrac. PlexTrac is the purple teaming platform and is designed to streamline reporting, tracking and attestation so you can focus on getting the real cybersecurity work done. Whether you're creating pen test reports on the red team, or tracking and remediating on the blue team, PlexTrac can help.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 14 Apr 2020 07:00:00 -0000

63: w0rmer


The hacker named w0rmer was active within AnonOps. These are Anonymous Operations, which often organize and wage attacks on websites or people, often in the name of social justice. Eventually w0rmer joined in on some of these hacking escapades, which resulted in an incredible story that he will one day tell his kids.

Thanks to w0rmer for telling us your story.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Sources

Archived Tweets

Feb 7, 2012 Twitter user @Anonw0rmer posts @MissAnonFatale I managed to pwn1 a site , get my papers , find my required primary IDS , yeah baby, i deservers em :)

Feb 8, 2012 1:17 AM, Twitter user @Anonw0rmer posted, ROFL! WaS that us? https://www.wvgazettemail.com/news/legal_affairs/hackers-group-posts-police-chiefs-information-online/article_77f79fd5-f76f-5825-ae19-43a398361fdf.html o yeah oops #OpPigRoast #CabinCr3w

Feb 9, 2012 12:35 AM, Twitter user @Anonw0rmer posted, DB Leak http://dps.alabama.gov https://pastehtml.com/view/bnik8yo1q.html. The bottom of this post originally showed this NSFW image.

Feb 9, 2012 at 8:42 PM, Twitter user @Anonw0rmer posted, Mobile Alabama Police Criminal Record Database Logins Failing To Protect And Serve I Via @ItsKahuna I http://pastehtml.com/view/bnmjxxgfp.html #OpPiggyBank.

Feb 9, 2012 at 8:39 PM, Twitter user @CabinCr3w posted, Texas Dept. of safety Hacked By @AnonWOrmer for #OpPiggyBank http://bit.ly/x1KH5Y #CabinCr3w #Anonymous Bottom of pastebin also shows a woman holding a sign saying We Are ALL Anonymous We NEVER Forgive. We NEVER Forget. <3 @Anonw0rmer

Feb 10, 2012 at 9:07 PM, Twitter user @Anonw0rmer posted, My baby SETS standards ! wAt U got? https://i.imgur.com/FbH2K.jpg https://i.imgur.com/zsPvm.jpg https://i.imgur.com/S2S2C.jpg https://i.imgur.com/TVqdN.jpg #CabinCr3w.

Links


Tue, 31 Mar 2020 07:00:00 -0000

62: Cam


Cam's story is both a cautionary tale and inspirational at the same time. He's been both an attacker and defender. And not the legal kind of attacker. He has caused half a million dollars in damages with his attacks. Attacks that arose from a feeling of seeing injustices in the world. Listen to his story.

Sponsors

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources


Tue, 17 Mar 2020 07:00:00 -0000

61: Samy


Samy Kamkar is a hacker. And while he's done a lot of stuff, he's best known for creating the Samy Worm, which spread its way through a popular social media site and had crazy results.

Thanks to our guest Samy Kamkar for telling his story. Learn more about him by visiting https://samy.pl/.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Sources


Tue, 03 Mar 2020 08:00:00 -0000

60: dawgyg


This is a story about the hacker named dawgyg and how he made over $100,000 in a single day, from hacking.

Thanks to our guest dawgyg for telling his story.

Sponsors

This episode is sponsored by SentinelOne - to learn more about their endpoint security solutions and get a 30-day free trial, visit sentinelone.com/darknetdiaries

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources


Tue, 18 Feb 2020 08:00:00 -0000

59: The Courthouse


In this episode we hear from Gary and Justin, two seasoned penetration testers who tell us a story about the time they tried to break into a courthouse and it all went wrong.

Sponsors

This episode was sponsored by Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources


Tue, 04 Feb 2020 08:00:00 -0000

58: OxyMonster


OxyMonster sold drugs on the darknet at Dream Market. Something happened though, and it all came crashing down.

Sponsors

This episode was sponsored by Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET

This episode was sponsored by Molekule, a new air purifier that completely destroys air pollutants to help you breathe easier. Visit https://molekule.com and use checkout code DARKNET10 to get a discount.


See complete list of sources at https://darknetdiaries.com/episode/58.


Tue, 21 Jan 2020 08:00:00 -0000

57: MS08-067


Hear what goes on internally when Microsoft discovers a major vulnerability within Windows.

Guest

Thanks to John Lambert for sharing this story with us.

Sponsors

Support for this episode comes from ProCircular. Use the team at ProCircular to conduct security assessments, penetration testing, SIEM monitoring, help with patches, or do incident response. Visit www.procircular.com/ to learn more.

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources

Attribution

Darknet Diaries is created by Jack Rhysider.

Episode artwork by odibagas.

Theme music created by Breakmaster Cylinder. Theme song available for listen and download at bandcamp. Or listen to it on Spotify.


Tue, 07 Jan 2020 08:00:00 -0000

56: Jordan


This is the story of Jordan Harbinger, a bit of a misfit teenager who was always on the edge of trouble. In this story we hear what happened that led to a visit from the FBI.

Guest

Thanks to Jordan Harbinger for sharing his story with us. You can find his podcast by searching for The Jordan Harbinger Show wherever you listen to podcasts.

Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


More information at https://darknetdiaries.com/episode/56.


Wed, 25 Dec 2019 08:00:00 -0000

55: NoirNet


A holiday special episode. A private pen tester takes on a job that involves him with another eccentric pen tester, a mischievous smile, and his quest to gain access to the network.

Guest

Thanks to TinkerSec for telling us the story.

Sources

Attribution

Darknet Diaries is created by Jack Rhysider.

Artwork this episode by habblesthecat.


More information at DarknetDiaries.com.


Tue, 24 Dec 2019 08:00:00 -0000

54: NotPetya


The story of NotPetya seems to be the first time we see what a cyber war looks like. In the summer of 2017 Ukraine suffered a serious and catastrophic cyber attack on their whole country. Hear how it went down, what got hit, and who was responsible.

Guest

Thanks to Andy Greenberg for his research and sharing this story. I urge you to get his book Sandworm because it's a great story.


Sponsors

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2019 to get a $20 credit on your next project.

Support for this episode comes from Honeybook. HoneyBook is an online business management tool that organizes your client communications, bookings, contracts, and invoices all in one place. Visit honeybook.com/darknet to get 50% off your subscription.

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit cmd.com/dark to get a free demo.


For more show notes visit darknetdiaries.com/episode/54.


Tue, 10 Dec 2019 08:00:00 -0000

53: Shadow Brokers


The NSA has some pretty advanced, super secret, hacking tools. What if these secret hacking tools were to end up in the wrong person's hands? Well, that happened.

Guest

Thanks to Jake Williams from Rendition Security for telling us the story.

Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


Tue, 26 Nov 2019 08:00:00 -0000

52: Magecart


Credit card skimming is growing in popularity. Gas pumps all over are seeing skimmers attached to them. It's growing in popularity because it's really effective. Hackers have noticed how effective it is and have begun skimming credit cards from websites.

Guest

Thanks to Yonathan Klijnsma from RiskIQ.

Sponsors

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2019 to get a $20 credit on your next project.

Support for this episode comes from Honeybook. HoneyBook is an online business management tool that organizes your client communications, bookings, contracts, and invoices all in one place. Visit honeybook.com/darknet to get 50% off your subscription.

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.


Visit darknetdiaries.com for full show notes and transcripts.


Tue, 12 Nov 2019 08:00:00 -0000

Ep 51: The Indo-Pak Conflict


Kashmir is a region right in between India, Pakistan, and China. For the last 70 years Pakistan and India have fought over this region of the world, both wanting to take control of it. Tensions sometimes heat up, which can result in people being killed. When tensions get high in the real world, some people take to the internet and hack their rivals as a form of protest. In this episode we'll explore some of the hacking that goes on between India and Pakistan.

Sponsors

Support for this episode comes from Check Point. Check Point makes firewalls and security appliances you can use to combat the latest generation of cyber attacks. Upgrade your cybersecurity at CheckPoint.com

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.


For more show notes and links visit https://darknetdiaries.com/episode/51.


Wed, 30 Oct 2019 20:44:00 -0000

Ep 50: Operation Glowing Symphony


Operation Inherent Resolve was started in 2016 and aimed to combat ISIS. It was a combined joint task force led by the US military. Operation Inherent Resolve sent troops, ships, and air strikes to Iraq and Syria to fire weapons upon ISIS military. It's widely known that the US military engaged with ISIS in this way. But what you may not have heard is the story of how the US military also combated ISIS over the Internet. This is the story of how the US hacked ISIS.

Sponsors

This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2019 to get a $20 credit on your next project.

Support for this episode comes from Honeybook. HoneyBook is an online business management tool that organizes your client communications, bookings, contracts, and invoices all in one place. Visit honeybook.com/darknet to get 50% off your subscription.

Support for this episode comes from Check Point. Check Point makes firewalls and security appliances you can use to combat the latest generation of cyber attacks. Upgrade your cybersecurity at CheckPoint.com


Tue, 15 Oct 2019 07:00:00 -0000

Ep 49: Elliot


In this episode we meet Elliot Alderson (@fs0c131y) from Twitter. Who is this strange masked person? What adventures have they gotten themselves into? Many stories will be told. The mask will be lifted.


Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldnt be. Check them out at https://canary.tools.

Go to https://nordvpn.com/darknet to get 70% off a 3 year plan and use code darknet for an extra month for free!



Tue, 01 Oct 2019 07:00:00 -0000

Ep 48: Operation Socialist


This is the story about when a nation state hacks into a company within another nation.


Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25 to get 25% off.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code DARKNET to get 75% off when signing up for 3 years.



Tue, 17 Sep 2019 07:00:00 -0000

Ep 47: Project Raven


This is the story about an ex-NSA agent who went to work for a secret hacking group in the UAE.


Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldnt be. Check them out at https://canary.tools.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.



Tue, 03 Sep 2019 07:00:00 -0000

Ep 46: XBox Underground (Part 2)


This is the story about the XBox hacking scene and how a group of guys pushed their luck a little too far.

This is part 2 of a 2 part series.


Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

Learn more about stocks and investing from MyWallSt. Visit mywallst.com/darknet to learn more.



Tue, 20 Aug 2019 07:00:00 -0000

Ep 45: XBox Underground (Part 1)


This is the story about the XBox hacking scene and how a group of guys pushed the hacking a little too far.

This is part 1 of a 2 part series.

Sponsors

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. Use promo code "DARKNET25".



Tue, 06 Aug 2019 07:00:00 -0000

Ep 44: Zain


Ransomware is ugly. It infects your machine and locks all the data, and to unlock it you have to pay a fee. In this episode we dive into some of the people behind it.

Sponsors

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

This episode was sponsored by MyWallSt. Their app can help you find good looking stocks to invest in. Visit MyWallSt.com/dark to start your free 30 day trial.

For more show notes and links check out darknetdiaries.com.



Tue, 23 Jul 2019 07:00:00 -0000

Ep 43: PPP


This is the story about how I acquired a black badge from DEFCON (pictured above).

We also hear the story about who PPP is, and their CTF journey at DEFCON.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code DARKNET.

This episode was sponsored by Detectify. Try their web vulnerability scanner free. Go to https://detectify.com/?utm_source=podcast&utm_medium=referral&utm_campaign=DARKNET



Tue, 09 Jul 2019 07:00:00 -0000

Ep 42: Mini-Stories: Vol 2


Three stories in one episode. Listen in on one of Dave Kennedy's penetration tests he conducted where he got caught trying to gain entry into a datacenter. Listen to a network security engineer talk about the unexpected visitor found in his network and what he did about it. And listen to Dan Tentler talk about a wild and crazy engagement he did for a client.

Guests

A very special thanks to Dave Kennedy. Learn more about his company at trustedsec.com.

Thank you Clay for sharing your story. Check out the WOPR Summit.

Viss also brought an amazing story to share. Thank you too. Learn more about him at Phobos.io.

I first heard Clay's story on the Getting Into Infosec Podcast. Thanks Ayman for finding him and bringing that story to my attention.

Sponsors

This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. A great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

For more show notes and links check out darknetdiaries.com.



Tue, 25 Jun 2019 07:00:00 -0000

Ep 41: Just Visiting


Join JekHyde and Carl on a physical penetration test, a social engineering engagement, a red team assessment. Their mission is to get into a building they shouldn't be allowed into, then plant a rogue computer they can use to hack into the network from a safe place far away.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by Hostinger. Go to https://hostinger.com/darknet and use code DARKNET to get 15% off a hosting plan and check out this week's free feature.

For more information visit darknetdiaries.com.



Tue, 11 Jun 2019 07:00:00 -0000

Ep 40: No Parking


Take a ride with a red teamer, a physical penetration tester, as he tries to make his way into unauthorized areas, steal sensitive documents, hack into the computers, and escape with company property.

This episode was sponsored by CMD. Securing Linux systems is hard; let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

This episode was sponsored by Hostinger. Go to https://hostinger.com/darknet and use code DARKNET to get 15% off a hosting plan and check out this week's free feature.

For complete show notes and links go to darknetdiaries.com.



Tue, 28 May 2019 07:00:00 -0000

Ep 39: 3 Alarm Lamp Scooter


A talk at Defcon challenged people to find a way to destroy a hard drive. A young man was inspired by this challenge and was determined to find a way to destroy a hard drive. But this is not a typical young man, with a typical plan.

For pictures of Daniel and his projects visit darknetdiaries.com/episode/39.

This episode was sponsored by Nord VPN. Visit nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.



Tue, 14 May 2019 07:00:00 -0000

Ep 38: Dark Caracal


A journalist wrote articles critical of the Kazakhstan government. The government did not like this and attempted to silence her. But they may have done more than just silence her. Perhaps they tried to spy on her too. The EFF investigated this case and went down a very interesting rabbit hole.

Thanks to Cooper Q from EFF's new Threat Lab. Also big thanks to Eva from EFF, Andrew Blaich and Michael Flossman from Lookout.

For another story about the EFF listen to episode 12 "Crypto Wars".

This episode was sponsored by CMD. Securing Linux systems is hard; let CMD help you with that. Visit https://cmd.com/dark to get a free demo.



Tue, 30 Apr 2019 07:00:00 -0000

Ep 37: LVS


The Venetian casino in Las Vegas, Nevada was the largest hotel in the world until 2015. The parent company is Las Vegas Sands (LVS), which owns 10 properties around the world. And the CEO and founder of LVS is Sheldon Adelson. One day the CEO said something which sparked quite a firestorm.

This episode was sponsored by Nucleus. Visit nucleussec.com to start your free trial.

This episode was sponsored by CMD. Securing Linux systems is hard; let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

For more show notes visit DarknetDiaries.com.



Tue, 16 Apr 2019 07:00:00 -0000

Ep 36: Jeremy from Marketing


A company hires a penetration tester to pose as a new hire, Jeremy from Marketing, to see how much he can hack into in his first week on the job. It doesn't go as planned.

Thanks to @TinkerSec for telling us this story.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

For more show notes visit https://darknetdiaries.com/episode/36.



Tue, 02 Apr 2019 07:00:00 -0000

Ep 35: Carbanak


ATM hacking. Hollywood has been fantasizing about this since the 1980s. But is this a thing now? A security researcher named Barnaby Jack investigated ATMs and found them to be vulnerable. Once he published his data, the ATM hacking scene rose in popularity and is a very serious business today.

One of the first big ATM robberies was done with the malware called Carbanak. Jornt v.d. Wiel joins us to discuss what this malware is.

This episode was sponsored by Nucleus. Visit nucleussec.com to start your free trial.

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

For more show notes and links visit darknetdiaries.com.



Tue, 19 Mar 2019 07:00:00 -0000

Ep 34: For Your Eyes Only


Nude selfies. This episode is all about nude selfies. What happens if you take one and give it to a vengeful boyfriend? What happens when a hacker knows you have them and wants to steal them from your phone? What happens is not good.

This episode was sponsored by Nord VPN. Visit nordvpn.com/darknet and use promo code "DARKNET".

This episode was sponsored by Molekule, a new air purifier that completely destroys air pollutants to help you breathe easier. Visit molekule.com and use checkout code "DARKNET" to get a discount.

For references, sources, and links check out the show notes at darknetdiaries.com/episode/34/.



Tue, 05 Mar 2019 08:00:00 -0000

Ep 33: RockYou


In 2009 a hacker broke into a website with millions of users and downloaded the entire user database. What that hacker did with the data has changed the way we view account security even today.

This episode was sponsored by CuriosityStream, a streaming service showing non-fiction and documentaries. Visit https://curiositystream.com/darknet and use promo code "darknet".

This episode was sponsored by CMD. Securing Linux systems is hard; let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

To see more show notes visit darknetdiaries.com/episode/33.



Tue, 19 Feb 2019 08:00:00 -0000

Ep 32: The Carder


A carding kingpin was tracked by the Secret Service. How did he steal the cards? Where was he stealing them from? How much was he making doing this? And where did he go wrong? Find out all this and more as we listen to how the Secret Service investigated the case.

This episode was sponsored by Eero, a solution to blanket your home in WiFi. Visit https://eero.com/darknet and use promo code "darknet".

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "darknet".

Cover image this episode created by r lr.

Go to Darknet Diaries for additional show notes.



Tue, 05 Feb 2019 08:21:00 -0000

Ep 31: Hacker Giraffe


In late November 2018, a hacker found over 50,000 printers were exposed to the Internet in ways they shouldn't have been. He wanted to raise awareness of this problem, and got himself into a whole heap of trouble.

For show notes and links visit DarknetDiaries.com.

This episode was sponsored by CuriosityStream, a documentary streaming service. Visit curiositystream.com/darknet and use promo code "darknet".

This episode is also sponsored by Cover. Visit cover.com/darknet to get insured today.



Tue, 22 Jan 2019 08:00:00 -0000

Ep 30: Shamoon


In 2012, Saudi Aramco was hit with the most destructive virus ever. Thousands and thousands of computers were destroyed. Herculean efforts were made to restore them to operational status again. But who would do such an attack?

Very special thanks goes to Chris Kubecka for sharing her story.

She is the author of the book Down the Rabbit Hole: An OSINT Journey, and Hack The World With OSINT (due out soon).

This episode was sponsored by Eero, a solution to blanket your home in WiFi. Visit https://eero.com/darknet and use promo code "darknet".

This episode is also sponsored by Cover. Visit cover.com/darknet to get insured today.



Tue, 08 Jan 2019 08:00:00 -0000

Ep 29: Stuxnet


Stuxnet was the most sophisticated virus ever discovered. Its target was a nuclear enrichment facility in Iran. This virus was able to destroy numerous centrifuges. Hear who did it and why.

Special thanks to Kim Zetter for joining us this episode. You can find more about Stuxnet from her book Count Down to Zero Day.



Sat, 15 Dec 2018 08:00:00 -0000

Ep 28: Unit 8200


Israel has its own version of the NSA called Unit 8200. I was curious what this unit does and tried to take a peek inside. Hear what I found by listening along to this episode.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code darknet.

This episode is also sponsored by Mack Weldon. Visit mackweldon.com to shop for premium men's casual wear and get a 20% off discount with your first order by using promo code diaries.



Sat, 01 Dec 2018 08:00:00 -0000

Ep 27: Chartbreakers


Something is wrong with the Apple Podcasts top charts. As a podcaster, this personally annoyed and intrigued me. I investigate how this is happening and who is behind it.

For show notes visit https://darknetdiaries.com/episode/27.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code 'darknet'.

This episode is sponsored by LPSS Digital Marketing, your source for honest, transparent marketing services for businesses of all sizes. Visit LPSS at https://www.lpss.co/ for details.



Thu, 15 Nov 2018 08:00:00 -0000

Ep 26: IRS


The IRS processes $3 trillion a year. A lot of criminals want to get a piece of that. In 2015 the IRS had a large data breach. Hundreds of thousands of tax records were leaked. What happened and who was behind this? Listen to this episode to find out.

For show notes visit https://darknetdiaries.com



Thu, 01 Nov 2018 07:00:00 -0000

Ep 25: Alberto


Alberto Hill was sent to prison for a long time for hacking. For a crime he said he did not commit. Listen to his story and you be the judge on whether he's guilty or not.



Mon, 15 Oct 2018 08:00:00 -0000

Ep 24: Operation Bayonet


Darknet markets are online black markets. They are highly illegal, and dangerous to run. Hear exactly how dangerous it was for Alphabay and Hansa dark markets.



Mon, 01 Oct 2018 08:00:00 -0000

Ep 23: Vladimir Levin


When banks started coming online, they almost immediately started being targeted by hackers. Vladimir Levin was one of the first known hackers to try to rob a bank. He succeeded a little, and failed a lot. Vladimir would go down in the history books as one of the most notorious hackers of all time because of his attempted online bank robberies.



Sat, 15 Sep 2018 08:00:00 -0000

Ep 22: Mini-Stories: Vol 1


Three stories in one! In this episode we hear about a penetration test from Mubix that he'll never forget, an incident response from Robert M. Lee which completely stunned him, and a social engineering mission from Snow.

Podcast recommendation: Moonshot.



Sat, 01 Sep 2018 08:00:00 -0000

Ep 21: Black Duck Eggs


Ira Winkler's specialty is assembling elite teams of special forces and intelligence officers to go after companies. Ira shares a story about a time he and his team broke into a Global 5 company, a company so large that theft of intellectual property could result in billions of dollars of damage.

Ira's consulting company: Secure Mentum.

His books: Spies Among Us, Advanced Persistent Security, Through the Eyes of the Enemy.



Wed, 15 Aug 2018 08:00:00 -0000

Ep 20: mobman


Chances are, if you were downloading shady programs in the early 2000s, you were infected with malware he wrote called SubSeven. Hacking changed mobman's life. Hear how it happened by listening to this episode.

Image for this episode created by dr4w1ngluc4s. Check out his Instagram to see some amazing artwork!

Check out the podcasts Van Sounds and True Crime Island.



Wed, 01 Aug 2018 08:00:00 -0000

Ep 19: Operation Aurora


In 2009, around Christmas time, something terrible was lurking in the network at Google. Google is the most popular website on the Internet. It's so popular many people just think Google is the Internet. Google hires many of the most talented minds and has been online since the 90s. Hacking into Google is no easy task. There's a team of security engineers who test and check all the configurations on the site before they go live. And Google has teams of security analysts and technicians watching the network 24/7 for attacks, intrusions, and suspicious activity. Security plays a very vital role at Google, and everything has to have the best protections. But this attack slipped past all that. Hackers had found their way into the network. They compromised numerous systems, burrowed their way into Google's servers, and were trying to get to data they shouldn't be allowed to have. Google detected this activity, and realized pretty quickly they were dealing with an attack more sophisticated than anything they've ever seen.

Podcast recommendation: Twenty Thousand Hertz.



Sun, 01 Jul 2018 08:00:00 -0000

Ep 18: Jackpot


A man addicted to gambling finds a bug in a video poker machine that lets him win excessive amounts of money.



Sun, 03 Jun 2018 08:00:00 -0000

Ep 17: Finn


A 14-year-old kid who finds himself bored in class decides to hack someone's Twitter account and ends up with more than he bargained for.



Tue, 01 May 2018 08:00:00 -0000

Ep 16: Eijah


In 2007, a hacker named Eijah got fed up with the way DRM prevented him from being able to play the content he paid for. He decided to fight back against the AACS and find a way to circumvent the DRM. By the time Eijah was done, his life wasn't the same.



Sun, 01 Apr 2018 08:00:00 -0000

Ep 15: Ill Tills


A major retailer was hacked. Their point-of-sale machines were riddled with malware. Listen to hear how digital forensics and incident responders handled the situation. What malware was found? Where was it found? How was it stopped? And most importantly, how much data was leaked?



Thu, 01 Mar 2018 08:00:00 -0000

Ep 14: #OpJustina


In 2013 a hospital was accused of conducting a medical kidnapping against a young girl named Justina. This enraged many people across the country, including members of Anonymous. A DDoS attack was waged against the hospital.



Thu, 15 Feb 2018 08:00:00 -0000

Ep 13: Carna Botnet


In 2012 the Carna Bot was built and unleashed on the world. But it didn't have any intention of doing anything malicious. It was built just to help us all understand the Internet better. This botnet used the oldest security vulnerability in the book. And the data that came out of it was amazing.



Thu, 01 Feb 2018 08:00:00 -0000

Ep 12: Crypto Wars


In the 1990s the Internet started to take shape. But the US government had strict laws regulating what type of cryptography was allowed to be used online. A few brave people stood up to the government in the name of civil rights and won the right to use strong encryption. Listen to their battle and what they had to go through to accomplish this.



Mon, 15 Jan 2018 08:00:00 -0000

Ep 11: Strictly Confidential


What happens when an innovative tech company, one that's trying to develop the next big thing, detects a hacker in their network? We hear the story, which has a surprising result, from a digital forensics investigator.



Mon, 01 Jan 2018 08:00:00 -0000

Ep 10: Misadventures of a Nation State Actor


In today's world of intelligence gathering, governments hack other governments. This episode takes you on a ride with a nation state actor to see exactly how it's done.



Fri, 15 Dec 2017 08:00:00 -0000

Ep 9: The Rise and Fall of Mt. Gox


Mt. Gox was the largest bitcoin exchange in the world. It suddenly went offline. What happened?



Fri, 01 Dec 2017 08:01:00 -0000

Ep 8: Manfred (Part 2)


Manfred found a way to turn his passion for video games and reverse engineering into a full-time business. He exploited video games and sold virtual goods and currency for real money. This was his full-time job. Listen to this episode to hear exactly how he did this.



Fri, 01 Dec 2017 08:00:00 -0000

Ep 7: Manfred (Part 1)


Manfred has had the most epic story of all online video game stories. For the last 20 years, he's been hacking online games.



Wed, 15 Nov 2017 08:00:00 -0000

Ep 6: The Beirut Bank Job


Jayson E. Street tells us a story about the time he broke into a bank in Beirut, Lebanon.



Wed, 01 Nov 2017 09:00:00 -0000

Ep 5: #ASUSGATE


Security researcher Kyle Lovett bought a new Asus router in 2013. He found it was riddled with security vulnerabilities. He set out on a mission to resolve these vulnerabilities not only for his own router, but for thousands of others who were also vulnerable.



Sun, 15 Oct 2017 12:00:00 -0000

Ep 4: Panic! at the TalkTalk Board Room


Mobile provider TalkTalk suffered a major breach in 2015. The CEO tried her best to keep angry customers calm and carry on. The UK government and Metropolitan Police investigate the breach. We get a rare glimpse of how the CEO handles the crisis.



Sun, 01 Oct 2017 12:00:00 -0000

Ep 3: DigiNotar, You are the Weakest Link, Good Bye!


The 2011 DigiNotar breach changed the way browsers do security. In this episode, we learn what role a CA plays, how browsers work with CAs, and what happens when a CA is breached.



Fri, 15 Sep 2017 12:00:00 -0000

Ep 2: The Peculiar Case of the VTech Hacker


VTech makes toy tablets, laptops, and watches for kids. In 2015, they were breached. The hacker downloaded gigs of children's data. Discover what the hacker did once he took the data.



Fri, 01 Sep 2017 12:00:00 -0000

Ep 1: The Phreaky World of PBX Hacking


Farhan Arshad and Noor Aziz Uddin were captured 2 years after being placed on the FBI's Cyber Most Wanted list for PBX hacking. In this episode, we explain PBX hacking and how hackers are racking up billions of dollars in phone bills. We also learn how the two men were captured.



Defense in Depth

Thu, 11 Jul 2024 10:00:00 +0000

Telling Stories with Security Metrics


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Shirley Salzman, CEO and co-founder, SeeMetrics.

In this episode:

Thanks to our podcast sponsor, SeeMetrics

SeeMetrics

SeeMetrics automates cybersecurity metrics programs, continuously measuring and helping prioritize risks based on context. SeeMetrics unifies siloed data from your security stack and offers hundreds of ready-to-use metrics. Once connected with SeeMetrics, security teams reduce risk, minimize exposure and optimize performance while eliminating tedious repetitive manual work.

Ready to automate your security programs? Start connecting your environment at seemetrics.co.


Thu, 27 Jun 2024 10:00:00 +0000

Securing Identities in the Cloud


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is our sponsored guest, Adam Bateman, CEO, Push Security.

The SaaS attacks matrix community resource mentioned by Adam in the episode can be found here.

Editorial note: Geoff Belknap is an advisor to Push Security.

In this episode:

Thanks to our podcast sponsor, Push Security

Push Security

Prevent, detect and respond to identity attacks using Push Security's browser agent. Enable Push's out-of-the-box controls or integrate Push with your SIEM, XDR and SOAR.

Block phishing attacks, detect session hijacking and stop SSO passwords being exposed. Find out what else the Push browser agent can do at pushsecurity.com.


Thu, 20 Jun 2024 10:00:00 +0000

How AI Is Making Data Security Possible


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Lamont Orange, CISO, Cyera.

In this episode:

Thanks to our podcast sponsor, Cyera

Cyera

Cyera's AI-powered data security platform gives companies visibility over their sensitive data, context over the risk it represents, and actionable, prioritized remediation guidance. As a cloud-native, agentless platform, Cyera provides holistic data security coverage across SaaS, PaaS, IaaS and on-premise environments. Visit www.cyera.io to learn more.


Thu, 13 Jun 2024 10:00:00 +0000

What Makes a Successful CISO?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Christina Shannon, CIO, KIK Consumer Products. Joining us is our guest, Tomer Gershoni, CSO, Zoominfo.

In this episode:

Thanks to our podcast sponsor, SeeMetrics

SeeMetrics

SeeMetrics automates cybersecurity metrics programs, continuously measuring and helping prioritize risks based on context. SeeMetrics unifies siloed data from your security stack and offers hundreds of ready-to-use metrics. Once connected with SeeMetrics, security teams reduce risk, minimize exposure and optimize performance while eliminating tedious repetitive manual work.

Ready to automate your security programs? Start connecting your environment at seemetrics.co.


Thu, 06 Jun 2024 10:00:00 +0000

We Want a Solution to Remediate, Not Just Detect Problems


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining us is our guest, Neil Watkins, SVP technology and cybersecurity services, i3 Verticals.

In this episode:

Thanks to our podcast sponsor, GitGuardian

GitGuardian

GitGuardian is a Code Security Platform that caters to the needs of the DevOps generation. It provides a wide range of code security solutions, including Secrets Detection, Infra as Code Security, and Honeytoken, all in one place. A leader in the market of secrets detection and remediation, its solutions are already used by hundreds of thousands of developers in all industries. Try it now at gitguardian.com.


Thu, 30 May 2024 10:00:00 +0000

Recruiting from the Help Desk


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Sasha Pereira, VP of infrastructure and CISO, WASH.

In this episode:

Thanks to our podcast sponsor, Push Security!

Push Security

Prevent, detect and respond to identity attacks using Push Security's browser agent. Enable Push's out-of-the-box controls or integrate Push with your SIEM, XDR and SOAR.

Block phishing attacks, detect session hijacking and stop SSO passwords being exposed. Find out what else the Push browser agent can do at pushsecurity.com.


Thu, 23 May 2024 10:00:00 +0000

How Do We Build a Security Program to Thwart Deepfakes?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Russ Ayers, SVP of cyber & deputy CISO, Equifax.

In this episode:

Thanks to our podcast sponsor, Sonrai Security

Sonrai Security

A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

Start a free trial today! sonrai.co/ciso


Thu, 16 May 2024 10:00:00 +0000

Where Are Secure Web Gateways Falling Short?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Vivek Ramachandran, founder, SquareX.

In this episode:

Thanks to our podcast sponsor, SquareX

SquareX

SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real-time, including but not limited to malicious sites, files, scripts, and networks.

Find out more at sqrx.com.


Thu, 09 May 2024 10:00:00 +0000

Understanding the Zero-Trust Landscape


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest Richard Stiennon, chief research analyst, IT-Harvest.

In this episode:

In this episode:

Thanks to our podcast sponsor, SquareX

SquareX

SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real-time, including but not limited to malicious sites, files, scripts, and networks.

Find out more at sqrx.com.


Thu, 02 May 2024 10:00:00 +0000

Scaling Least Privilege for the Cloud


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Sandy Bird, co-founder and CTO, Sonrai Security.

In this episode:

Thanks to our podcast sponsor, Sonrai Security

Sonrai Security

A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

Start a free trial today! sonrai.co/ciso


Thu, 25 Apr 2024 10:00:00 +0000

Should CISOs Be More Empathetic Towards Salespeople?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Emily Heath, general partner, Cyberstarts.

In this episode:

Thanks to our podcast sponsor, SquareX

SquareX

SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real-time, including but not limited to malicious sites, files, scripts, and networks.

Find out more at sqrx.com.


Thu, 18 Apr 2024 10:00:00 +0000

Managing Data Leaks Outside Your Perimeter


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our sponsored guest, Mackenzie Jackson, developer advocate, GitGuardian.

In this episode:

Thanks to our podcast sponsor, GitGuardian

GitGuardian

GitGuardian is a Code Security Platform that caters to the needs of the DevOps generation. It provides a wide range of code security solutions, including Secrets Detection, Infra as Code Security, and Honeytoken, all in one place. A leader in the market of secrets detection and remediation, its solutions are already used by hundreds of thousands of developers in all industries. Try it now at gitguardian.com.


Thu, 11 Apr 2024 10:00:00 +0000

What Are the Risks of Being a CISO?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Phil Davis, attorney, healthcare cybersecurity and privacy, Hall Render.

In this episode:

Thanks to our podcast sponsor, Sonrai Security

Sonrai Security

A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

Start a free trial today! sonrai.co/ciso


Thu, 04 Apr 2024 10:00:00 +0000

Onboarding Security Professionals


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Paul Connelly, former CISO, HCA Healthcare.

In this episode:

Thanks to our podcast sponsor, OffSec

OffSec

OffSec helps companies like Cisco, Google, and Salesforce upskill cybersecurity talent through comprehensive training and resources. With programs ranging from red team and blue team training and more, your team will be ready to face real-world threats. Request a free trial for your team to explore OffSec's learning library and cyber range.


Thu, 28 Mar 2024 10:00:00 +0000

How to Improve Your Relationship With Your Boss


All links and images for this episode can be found on CISO Series.

Check out this post by Monte Pedersen of The CDA Group for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Jerry Davis, division director for cyber defense at Truist Bank.

In this episode:

Thanks to our podcast sponsor, OffSec

OffSec

OffSec helps companies like Cisco, Google, and Salesforce upskill cybersecurity talent through comprehensive training and resources. With programs ranging from red team and blue team training and more, your team will be ready to face real-world threats. Request a free trial for your team to explore OffSec's learning library and cyber range.


Thu, 21 Mar 2024 10:00:00 +0000

Improving the Responsiveness of Your SOC


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our sponsored guest, Spencer Thompson, CEO, Prelude.

In this episode:

Thanks to our podcast sponsor, Prelude

Prelude

Prelude Detect is the world's only production-scale detection and response testing platform. Automatically transform your threat intelligence into validated detections and preventions in less than five minutes. Integrate with CrowdStrike, Microsoft Defender, SentinelOne, and more to enable machine-speed detection and response engineering. Learn more at preludesecurity.com.


Thu, 14 Mar 2024 10:00:00 +0000

The Demand for Affordable Blue Team Training


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our guest, Ron Gula, president and co-founder, Gula Tech Adventures.

In this episode:

Thanks to our podcast sponsor, Query

Query

Query Federated Search gets to your security-relevant data wherever it is: in data lakes, security tools, cloud services, SIEMs, or anywhere else. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.


Thu, 07 Mar 2024 11:00:00 +0000

Why are CISOs Excluded from Executive Leadership?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Ben Sapiro, head of global cyber security services, Manulife.

In this episode:

Thanks to our podcast sponsor, Query

Query

Query Federated Search gets to your security-relevant data wherever it is: in data lakes, security tools, cloud services, SIEMs, or anywhere else. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.


Thu, 29 Feb 2024 11:00:00 +0000

What Is Your SOC's Single Search of Truth?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Matt Eberhart, CEO, Query.

In this episode:

Thanks to our podcast sponsor, Query

Query

Query Federated Search gets to your security-relevant data wherever it is: in data lakes, security tools, cloud services, SIEMs, or anywhere else. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.


Thu, 22 Feb 2024 11:00:00 +0000

When Is Data an Asset and When Is It a Liability?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is my guest, Mario Trujillo, staff attorney, Electronic Frontier Foundation.

In this episode:

Thanks to our podcast sponsor, Material Security

Material Security

Material Security is purpose-built to stop attacks and reduce risk across Microsoft 365 and Google Workspace with unified cloud email security, data loss prevention, and posture management. Learn more at material.security.


Thu, 15 Feb 2024 11:00:00 +0000

Tracking Anomalous Behaviors of Legitimate Identities


All links and images for this episode can be found on CISO Series.

The Verizon DBIR found that about half of all breaches involved legitimate credentials. It's a huge attack surface that we're only starting to get a handle on.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our guest, Adam Koblentz, field CTO, Reveal Security.

In this episode:

Thanks to our podcast sponsor, Reveal Security

Reveal Security

Reveal Security ITDR detects identity threats, post-authentication, in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security.


Thu, 08 Feb 2024 11:00:00 +0000

Why Do Cybersecurity Startups Fail?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Mike Levin, deputy CISO, 3M.

In this episode:

Thanks to our podcast sponsor, RevealSecurity!

RevealSecurity

Reveal Security ITDR detects identity threats, post-authentication, in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security.


Thu, 01 Feb 2024 11:00:00 +0000

Is "Compliance Doesn't Equal Security" a Pointless Argument?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Derek Fisher, executive director of product security, JPMorgan.

In this episode:

Thanks to our podcast sponsor, RevealSecurity!

RevealSecurity

Reveal Security ITDR detects identity threats, post-authentication, in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security.


Thu, 25 Jan 2024 11:00:00 +0000

CISOs' Responsibilities Before and After an M&A


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Alexandra Landegger, Executive Director and CISO, Collins Aerospace.

In this episode:

Thanks to our podcast sponsor, Aphinia!

Aphinia

Join Aphinia, a professional tribe of superheroes fighting cybercriminals. If you are a CISO, VP or a Director of cybersecurity, get instant free access to thousands of your peers, career advice, networking opportunities, consulting gigs and more. Join the good guys' team, because the only way to succeed is together: https://aphinia.com/#signup_form


Thu, 18 Jan 2024 11:00:00 +0000

Use Red Teaming To Build, Not Validate, Your Security Program


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Richard Ford, CTO, Praetorian.

In this episode:

Thanks to our podcast sponsor, Praetorian

Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.


Thu, 11 Jan 2024 11:00:00 +0000

The Do's and Don'ts of Approaching CISOs


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Adam Glick, CISO, PSG.

In this episode:

Thanks to our podcast sponsor, Praetorian

Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.


Thu, 04 Jan 2024 11:00:00 +0000

Doing Third Party Risk Management Right


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Erik Decker, CISO, Intermountain Health.

In this episode:

Thanks to our podcast sponsor, Praetorian

Praetorian

Praetorian helps companies adopt a prevention-first cybersecurity strategy by actively uncovering vulnerabilities and minimizing potential weaknesses before attackers can exploit them.


Thu, 14 Dec 2023 11:00:00 +0000

Warning Signs You're About To Be Attacked


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining me is our sponsored guest, Trevor Hilligoss, senior director of security research, SpyCloud.

In this episode:

Thanks to our podcast sponsor, SpyCloud

SpyCloud

Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what's stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.


Thu, 07 Dec 2023 11:00:00 +0000

Do We Have to Fix ALL the Critical Vulnerabilities?


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, David Christensen, VP, CISO, PlanSource.

In this episode:

Thanks to our podcast sponsor, SpyCloud

SpyCloud

Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what's stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.


Thu, 30 Nov 2023 11:00:00 +0000

Mitigating Generative AI Risks


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Jerich Beason, CISO, WM.

In this episode:

Thanks to our podcast sponsor, SpyCloud

SpyCloud

Get ahead of ransomware attacks by acting on a common precursor: infostealer malware. SpyCloud recaptures what's stolen from infostealer-infected systems, and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Get our latest research and check your malware exposure at spycloud.com/ciso.


Thu, 16 Nov 2023 11:00:00 +0000

Building a Cyber Strategy for Unknown Unknowns


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Himaja Motheram, Censys.

In this episode:

Thanks to our podcast sponsor, Censys

Censys

Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world's largest certificate database (>10B). Learn more at www.censys.com.


Thu, 09 Nov 2023 11:00:00 +0000

Responsibly Embracing Generative AI


All links and images for this episode can be found on CISO Series.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Russell Spitler, CEO and co-founder, Nudge Security.

In this episode:

Thanks to our podcast sponsor, Nudge Security

Nudge Security

Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.


Thu, 02 Nov 2023 10:00:00 +0000

People Are the Top Attack Vector (Not the Weakest Link)


All links and images for this episode can be found on CISO Series.

As technical defenses grow increasingly complex, threat actors frequently target the human element. This makes people a top attack vector, but are they actually the weak link in your defenses?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Christina Shannon, CIO, KIK Consumer Products.

Thanks to our podcast sponsor, SPHERE

SPHERE

SPHERE is the Identity Hygiene pioneer. It closes the loop on ownership, certification, and remediation challenges through an automated remediation process.

By working with the IAM and PAM solutions organizations have in place, SPHEREboard automates discovery and remediation on an ongoing basis. Learn more at sphereco.com!

In this episode:


Thu, 26 Oct 2023 10:00:00 +0000

What's Entry Level in Cybersecurity?


All links and images for this episode can be found on CISO Series.

We often talk about the contradiction of seemingly entry-level security jobs requiring years of experience. But maybe that's because entry-level jobs don't actually exist.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us this week is our guest Jay Wilson, CISO, Insurity.

Thanks to our podcast sponsor, SlashNext

SlashNext

SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps. With SlashNext's generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work. Request a demo today.

In this episode:


Thu, 19 Oct 2023 10:00:00 +0000

New SEC Rules for Cyber Security


All links and images for this episode can be found on CISO Series.

The Securities and Exchange Commission issued new cyber rules. What do these new rules mean for CISOs and will they ultimately improve our cybersecurity posture?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Jamil Farshchi, CISO, Equifax.

Thanks to our podcast sponsor, Nudge Security

Nudge Security

Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.

In this episode:


Thu, 12 Oct 2023 10:00:00 +0000

The Value of RSA, Black Hat, and Mega Cyber Tradeshows


All links and images for this episode can be found on CISO Series.

Are trade shows like RSA getting so big that there's not enough economic value for a CISO to attend? Or do these events have enough industry gravity to justify the spend?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest Lee Parrish, CISO, Newell Brands.

Thanks to our podcast sponsor, Censys

Censys

In this episode:


Thu, 05 Oct 2023 10:00:00 +0000

Is Remote Work Helping or Hurting Cybersecurity?


All links and images for this episode can be found on CISO Series.

Work from home flourished during the pandemic. Many workers love it and don't want to go back. Some organizations are pushing for a return to the office. Is in-office work necessary to improve productivity and cybersecurity posture?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us for the episode is our guest, Shawn Bowen, CISO, World Kinect Corporation.

Thanks to our podcast sponsor, Nudge Security

Nudge Security

Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.

In this episode:


Thu, 28 Sep 2023 10:00:00 +0000

How to Manage Users' Desires for New Technology


All links and images for this episode can be found on CISO Series.

Large language models and generative AI are today's disruptive technology. This is not the first time companies have simply wanted to ban a new technology that everyone loves. Yet we're doing it all over again. Whether it's ChatGPT or BYOD, people are going to use desirable new tech. So if our job isn't to stop it, how do we secure it?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Carla Sweeney, SVP, InfoSec, Red Ventures.

Thanks to our podcast sponsor, Censys

Censys

Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world's largest certificate database (>10B). Learn more at www.censys.com.

In this episode:


Thu, 21 Sep 2023 10:00:00 +0000

Cybersecurity Questions Heard Around the Kitchen Table


All links and images for this episode can be found on CISO Series.

What do the people least in the know about cyber want to know? What are they asking?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Caitlin Sarian, AKA cybersecuritygirl on TikTok.

Thanks to our podcast sponsor, DataBee from Comcast Technology Solutions

Comcast Technology Solutions

DataBee, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes.

Built by security professionals for security professionals, DataBee enables users to examine the past, react to the present, and protect the future of the business.

In this episode:


Thu, 14 Sep 2023 10:00:00 +0000

How to Prime Your Data Lake


All links and images for this episode can be found on CISO Series.

A security data lake, a repository of everything you need to analyze and have analyzed, sounds wonderful. But priming that lake, and stocking it with the data you want in order to get the insights you need, is a more difficult task than it seems.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our sponsored guest, Matt Tharp, Head of Field Engineering, Comcast DataBee.

Thanks to our podcast sponsor, Comcast Technology Solutions

Comcast Technology Solutions

In this episode:


Thu, 07 Sep 2023 10:00:00 +0000

Getting Ahead Of Your Threat Intelligence Program


All links and images for this episode can be found on CISO Series.

A threat intelligence program sounds like a sensible effort in any security program. But can you pull it off? There are so many phases to execute properly. Blow any one of them and your threat intelligence effort is moot.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us today is our special guest Jon Oltsik, distinguished analyst and fellow, Enterprise Strategy Group.

Thanks to our podcast sponsor, Comcast

Comcast

DataBee, from Comcast Technology Solutions, is a cloud-native security, risk and compliance data fabric platform that transforms your security data chaos into connected outcomes.

Built by security professionals for security professionals, DataBee enables users to examine the past, react to the present, and protect the future of the business.

In this episode:


Thu, 31 Aug 2023 10:00:00 +0000

How Security Leaders Deal with Intense Stress


All links and images for this episode can be found on CISO Series.

When you have an incident and you're engulfed by the stress that lasts more than a day, how do you manage and deal with it? And not only how do you manage your stress, but how do you manage everyone else's?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Tim Brown, CISO, SolarWinds.

Thanks to our podcast sponsor, Push Security

Push Security

Do you have visibility of all the SaaS apps your employees are storing corporate data on? Are employees protecting all their accounts against identity-based attacks?

Discover all the SaaS your employees use, including shadow apps and identities, and secure your data. Find out more at pushsecurity.com.

In this episode:


Thu, 24 Aug 2023 10:00:00 +0000

How Do We Influence Secure Behavior?


All links and images for this episode can be found on CISO Series.

We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Jack Chapman, VP, threat intelligence, Egress.

Thanks to our podcast sponsor, Egress

Egress

Egress helps organizations stop email security risks by addressing both inbound and outbound threats together. We recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com.

In this episode:


Thu, 17 Aug 2023 10:00:00 +0000

Security Concerns with ChatGPT


All links and images for this episode can be found on CISO Series.

Users have tried to upload sensitive company information and PII, personally identifiable information, into ChatGPT. Those who succeed in getting the data in have now made that data free to all. Will people's misuse of these generative AI programs be our greatest downfall to security and privacy?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest Suha Can, CISO, Grammarly.

Thanks to our podcast sponsor, Opal

Opal

Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It's fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more at www.opal.dev.

In this episode:


Thu, 10 Aug 2023 10:00:00 +0000

Create A Pipeline of Cyber Talent


All links and images for this episode can be found on CISO Series.

The demand for cyber talent is sky high. It's very competitive to get those people with skills. What if you were to train your staff and give them the skills you want? Essentially, what if you were to grow your own unicorn?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest, Jesse Whaley, CISO, Amtrak.

Thanks to our podcast sponsor, Opal

Opal

Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It's fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more at www.opal.dev.

In this episode:


Thu, 03 Aug 2023 10:00:00 +0000

Improving Adoption of Least Privileged Access


All links and images for this episode can be found on CISO Series.

What are we doing to improve access management? Make it too loose and it's the number one way organizations get breached. Put on too many controls and now you've got irritated users just trying to do their job. How does each organization find their sweet spot?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Paul Guthrie (@pguthrie), information security officer, Blend.

Thanks to our podcast sponsor, Opal

Opal

Opal is building the next generation of intelligent identity. Identity is one of the last great enterprise frontiers. It's fragmented with legacy architecture. Opal's mission is to empower teams to understand and calibrate access end to end, and to build identity security for scale. Learn more at www.opal.dev.

In this episode:


Thu, 27 Jul 2023 10:00:00 +0000

Securing SaaS Applications


All links and images for this episode can be found on CISO Series.

With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO's architectural strategy?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Steve Zalewski, who also hosts Defense in Depth.

Thanks to our podcast sponsor, AppOmni

AppOmni

Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk.

Get visibility to all 3rd party apps and their level of data access with AppOmni. Visit AppOmni.com to request a free risk assessment.

In this episode:


Thu, 20 Jul 2023 10:00:00 +0000

How Do We Get Better Control of Cloud Data?


All links and images for this episode can be found on CISO Series.

When it comes to data, compliance, and reducing risk, where are we gaining control? Where are we losing control? And what are we doing about that?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. We welcome our sponsored guest Amer Deeba, CEO and Co-founder, Normalyze.

Thanks to our podcast sponsor, Normalyze

Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.

Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:


Thu, 13 Jul 2023 10:00:00 +0000

Finding Your Security Community


All links and images for this episode can be found on CISO Series.

If you're struggling to get your first job in security or you're trying to get back into the industry after being laid off, you need to lean on your security community. But like networking, you should find it before you need it.

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski.

Thanks to our podcast sponsor, Egress

Egress

Egress helps organizations stop email security risks by addressing both inbound and outbound threats together. We recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com.

In this episode:


Thu, 06 Jul 2023 10:00:00 +0000

Let's Write Better Cybersecurity Job Descriptions


All links and images for this episode can be found on CISO Series.

What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rob Duhart (@robduhart), deputy CISO, Walmart.

Thanks to our podcast sponsor, Normalyze

Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.

Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:


Thu, 29 Jun 2023 10:00:00 +0000

How Should Security Better Engage with Application Owners?


All links and images for this episode can be found on CISO Series.

Since so much technology today is launched not by the IT department but by business units themselves, how do security professionals engage with business and application owners and have a conversation about security policy and procedures?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Harold Byun (@haroldnhoward), chief product officer, AppOmni.

Thanks to our podcast sponsor, AppOmni

AppOmni

Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk.

Get visibility to all 3rd party apps and their level of data access with AppOmni. Visit AppOmni.com to request a free risk assessment.

In this episode:


Thu, 22 Jun 2023 10:00:00 +0000

How To Get More People Into Cybersecurity


All links and images for this episode can be found on CISO Series.

There are millions of cybersecurity jobs open. Over time, that number has just been growing. What we're doing now does not seem to be working. So what's it going to take to fill all these jobs quickly?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Rich Gautier, former CISO for the U.S. Department of Justice, Criminal Division.

Thanks to our podcast sponsor, Brinqa

Brinqa

Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface: infrastructure, applications and cloud, with Brinqa. See how at brinqa.com.

In this episode:


Thu, 15 Jun 2023 10:00:00 +0000

How to Create a Positive Security Culture


All links and images for this episode can be found on CISO Series.

How do you create a positive security culture? It's rarely the first concept anyone wants to embrace, yet it's important everyone understands their responsibility. So what do you do, and how do you overcome inevitable roadblocks?

Check out this post and this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest, Jadee Hanson, CISO/CIO for Code42.

Thanks to our podcast sponsor, Code42

Code42 is focused on delivering solutions built with the modern-day collaborative culture in mind. Code42 Incydr tracks activity across computers, USB, email, file link sharing, AirDrop, the cloud and more; the SaaS-based solution surfaces and prioritizes file exposure and data exfiltration events. Learn more at Code42.com.

In this episode:


Thu, 08 Jun 2023 10:00:00 +0000

How Should We Trust Entry Level Employees?


All links and images for this episode can be found on CISO Series.

All experienced security professionals were at one time very green. Entry level status means risk to your organization. That's if you give them too much access. What can you trust an entry level security professional to do that won't impose unnecessary risk? And how can those green professionals build trust to allow them to do more?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Kemas Ohale, VP, global information security, Lippert.

Thanks to our podcast sponsor, Normalyze

Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.
Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:


Thu, 01 Jun 2023 10:00:00 +0000

How Must Processes Change to Reduce Risk?


All links and images for this episode can be found on CISO Series.

What do we need to do to fix our processes to truly reduce risk and vulnerabilities?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Amad Fida (@brinqa), CEO, Brinqa.

Thanks to our podcast sponsor, Brinqa

Brinqa

Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface: infrastructure, applications and cloud, with Brinqa. See how at brinqa.com.

In this episode:


Thu, 25 May 2023 10:00:00 +0000

Reputational Damage from Breaches


All links and images for this episode can be found on CISO Series.

Security professionals talk a lot about the reputational damage from breaches. And it seems logical, but major companies still do get breached and their reputation seems spared. What's the reality of what breaches can do to a company's reputation?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Cecil Pineda, CISO, R1.

Thanks to our podcast sponsor, Brinqa

Brinqa

Understand your cyber assets, prioritize vulnerabilities, automate remediation, and continuously monitor cyber hygiene across the entire attack surface: infrastructure, applications and cloud, with Brinqa. See how at brinqa.com.

In this episode:


Thu, 18 May 2023 10:00:00 +0000

Do RFPs Work?


All links and images for this episode can be found on CISO Series.

Do RFPs, or requests for proposal, work as intended? They seem loaded with flaws, yet for organizations that must follow formal processes they become necessary evils for both buyers and sellers. What can we do to improve the process?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Keith McCartney (@kmflgator), VP, security and IT, DNAnexus.

Thanks to our podcast sponsor, TrustCloud

TrustCloud

TrustCloud is the all-in-one platform to accelerate sales and security reviews, automate compliance efforts, and map contractual liability across your business. Connect with us to learn how you can transform security from a cost center into a profit driver with TrustCloud's programmatic risk and compliance verification tools.

In this episode:


Thu, 11 May 2023 10:00:00 +0000

Successful Cloud Security


All links and images for this episode can be found on CISO Series.

What are the moves we should be making in cloud to improve our security? What constitutes a good cloud security posture?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. We welcome our sponsored guest Yoav Alon, CTO, Orca Security.

Thanks to our podcast sponsor, Orca Security

Orca Security

Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. With continuous first-to-market innovations and expertise, the Orca Platform ensures security teams quickly identify and remediate risks to keep their businesses secure. Connect your first account in minutes by visiting www.orca.security.

In this episode:


Thu, 04 May 2023 10:00:00 +0000

How Should Security Vendors Engage With CISOs?


All links and images for this episode can be found on CISO Series.

One CISO has had enough of the security vendor marketing emails and cold sales calls. He's blocking them all. But it's not a call to avoid all salespeople. He just doesn't have the time to be a target anymore. So how should vendors engage with such a CISO? And does this CISO represent most CISOs today?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welc