As we near RSA conference season, tons of security startups are coming out of stealth! The RSA Innovation Sandbox has also announced the top 10 finalists, also highlighting early stage startups that will be at the show.

In this week's news segment,

• We discuss the highlights of the Cyber Safety Review Board's detailed and scathing report on Microsoft's 2023 breach
• We spend a bit of time on the xz backdoor, but not too much, as it has been covered comprehensively elsewhere
• We discover half a dozen of the latest startups to receive funding or come out of stealth: Coro, Skyflow, Zafran, Permiso, Bedrock Security, Abstract Security, and Sandfly
• Apple is reportedly going to have some big AI announcements this summer, and we discuss how overdue voice assistants are for an LLM makeover.
• Finally, we discuss the amazing innovation that is the Volkswagen RooBadge!

By the way, the thumbnail is a reference to the xz backdoor link we include in the show notes: https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

Show Notes: https://securityweekly.com/esw-356

NVD checked out, then they came back? Maybe?

Should the xz backdoor be treated as a vulnerability?

Is scan-driven vulnerability management obsolete when it comes to alerting on emerging threats?

What were some of the takeaways from the first-ever VulnCon?

EPSS is featured in over 100 security products, but is it properly supported by those that benefit from it?

How long do defenders have from the moment a vulnerability is disclosed to patch or mitigate it before working exploits are ready and in the wild?

There's SO much going on in the vulnerability management space, but we'll try to get to the bottom of some of in in this episode. In this interview, we talk to Patrick Garrity about the messy state of vulnerability management and how to get it back on the rails.

Segment Resources:

• Exploitation TImelines
• NVD
• Sources for known exploitation
• Exploitation in the Wild - Rockstar

Show Notes: https://securityweekly.com/esw-356

pfSense switches to Linux (April Fools?), Flipper panic in Oz, Tales from the Krypt, Funding to secure the Internet, Abusing SSH on Windows, Blinding EDR, more hotel hacking, Quantum Bleed, and more!

Show Notes: https://securityweekly.com/psw-823

As most of you have probably heard there was a scary supply chain attack against the open source compression software called "xz". The security weekly hosts will break down all the details and provide valuable insights.

• https://blog.qualys.com/vulnerabilities-threat-research/2024/03/29/xz-utils-sshd-backdoor
• https://gynvael.coldwind.pl/?id=782
• https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800
• https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
• https://github.com/amlweems/xzbot
• https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
• https://unicornriot.ninja/2024/xz-utils-software-backdoor-uncovered-in-years-long-hacking-plot/
• https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
• https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
• https://xeiaso.net/notes/2024/xz-vuln/
• https://infosec.exchange/@AndresFreundTec@mastodon.social
• https://github.com/notselwyn/cve-2024-1086?tab=readme-ov-file
• https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd

Show Notes: https://securityweekly.com/psw-823

The OWASP Top 10 gets its first update after a year, Metasploit gets its first rewrite (but it's still in Perl), PHP adds support for prepared statements, RSA Conference puts passwords on notice while patching remains hard, and more!

Show Notes: https://securityweekly.com/asw-279

Lena, XZ, WallEscape, AT&T, OWASP, Google, Microsoft, AI, Josh Marpet, and more, on this Edition of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-374

Sometimes infosec problems can be summarized succinctly, like "patching is hard". Sometimes a succinct summary sounds convincing, but is based on old data, irrelevant data, or made up data. Adrian Sanabria walks through some of the archeological work he's done to dig up the source of some myths. We talk about some of our favorite (as in most disliked) myths to point out how oversimplified slogans and oversimplified threat models lead to bad advice -- and why bad advice can make users less secure.

Segment resources:

• https://www.oreilly.com/library/view/cybersecurity-myths-and/9780137929214/

Show Notes: https://securityweekly.com/asw-279

Harold Rivas has held multiple CISO roles. In his current CISO role, he's championing Trellix's overall mission to address the issues CISOs face every day, encouraging information sharing and collaborative discussions among the CISO community to help address challenges and solve real problems together - part of this is through Trellix's Mind of the CISO Initiative and the Trellix CISO Council. In this interview, we do a little CISO soul-searching. Harold will bring insights from the initiative to cover some of the top challenges CISOs face in this ever-evolving role, including:

• Earning a seat at the table
• Talking the language of business
• Addressing the risks and opportunities of business evolution
• Reading the tea leaves of the future

and more! If you're a CISO or want to be a CISO, don't miss this episode.

Segment Resources: https://www.trellix.com/blogs/perspectives/introducing-trellixs-mind-of-the-ciso-initiative/ https://www.trellix.com/solutions/mind-of-the-ciso-report/ https://www.trellix.com/solutions/mind-of-the-ciso-behind-the-breach/

Show Notes: https://securityweekly.com/bsw-344

In the leadership and communications section, The Strategic Implications of Cybersecurity: A C-Level Perspective, Leadership Misconceptions That Hinder Your Success , "Mastering Communication: Lessons from Two Years of Learning", and more!

Show Notes: https://securityweekly.com/bsw-344

AI Dreams of Electric Sheep, Exchange, Darcula, NuGet, Rockwell, FTX, Aaran Leyland, and More, on this edition of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-373

This week, in the enterprise security news:

1. Early stage funding is all the rage
2. AI startups continue to pop out of stealth
3. The buyer's market continues with more interesting acquisitions
4. Purpose-built large language models for security
5. Benchmarking LLMs for security
6. GoFetch? More like... Get outta here (I couldn't think of anything clever)
7. Crowdstrike and NVIDIA team up
8. Why do people trust AI?
9. What do Google Sheets and Carlos Sainz Jr. have in common?

All that and more, on this episode of Enterprise Security Weekly!

Show Notes: https://securityweekly.com/esw-355

Many years ago, I fielded a survey focused on the culture of cybersecurity. One of the questions asked what initially drew folks to cybersecurity as a career. The most common response was a deep sense of curiosity. Throughout my career, I noticed another major factor in folks that brought a lot of value to security teams: diversity.

Diversity of people, diversity of background, and diversity of experience. I've seen auto mechanics, biologists, and finance experts bring the most interesting insights and forehead-slapping observations to the table. I think part of the reason diversity is so necessary is that security itself is incredibly broad. It covers everything that technology, processes, and people touch. As such, cybersecurity workers need to have a similarly broad skillsets and background.

Today, we talk to someone that embodies both this non-typical cybersecurity background and sense of curiosity - Clea Ostendorf. We'll discuss:

• The importance for organizations to actively seek and welcome curious newcomers in the security field who may not conform to traditional cybersecurity norms.
• Strategies for organizations to foster an environment that encourages individuals with curiosity, motivation, and a willingness to challenge conventional norms, thereby promoting innovative thinking in addressing security risks.

Segment Resources:

Evolving Threats from Within - Insights from the 2024 Code42 Data Exposure Report

Show Notes: https://securityweekly.com/esw-355

The PSW crew discusses some crypto topics, such as post-quantum and GoFetch, new Flipper Zero projects, RFID hacking and hotel locks, BlueDucky, side channel attacks and more!

Show Notes: https://securityweekly.com/psw-822

Jason Healey comes on the show to discuss new ideas on whether the new national cybersecurity strategy is working.

Segment Resources:

• DEFRAG Hacker Film Festival short documentary (https://youtu.be/NYvHWcQsIRE) on hackers and their favorite films. For educational purposes only, as we don’t have the rights to the clips.
• YouTube link to Wargames event with Jen Easterly, Matt Devost, Amelia Koran and Kevin Huyck (head of ops for NORAD) (https://youtu.be/iqx6STDYJ7c?si=73WQtSG4RnCGsBcT).
• https://www.lawfaremedia.org/article/which-cyber-regulations-fit-which-sectors
• https://www.lawfaremedia.org/article/the-national-cybersecurity-strategy-breaking-a-50-year-losing-streak
• https://www.lawfaremedia.org/article/twenty-five-years-of-white-house-cyber-policies
• https://www.lawfaremedia.org/article/understanding-offenses-systemwide-advantage-cyberspace

Show Notes: https://securityweekly.com/psw-822

Patrick Stewart, Colorama, Strelastealer, CVSS scores, CHUDS, Josh Marpet, and more, on this Edition of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-372

With hundreds or thousands of SaaS apps to secure with no traditional perimeter, Identity becomes the focal point for SaaS Security in the modern enterprise. Yet with Shadow IT, now recast as Business-Led IT, quickly becoming normal practice, it’s more complicated than trying to centralize all identities with an Identity Provider (IdP) for Single Sign-On (SSO). So the question becomes, “How do you enable the business while still providing security oversight and governance?”

This segment is sponsored by Savvy. Visit https://securityweekly.com/savvy to learn more about them!

Show Notes: https://securityweekly.com/bsw-343

The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more!

Show Notes: https://securityweekly.com/asw-278

In the leadership and communications section, The CISO Role Is Changing. Can CISOs Themselves Keep Up? , Why do 60% of SEC Cybersecurity Filings Omit CSO, CISO Info?, How Co-Leaders Succeed, and more!

Show Notes: https://securityweekly.com/bsw-343

While awareness and attention towards cybersecurity are on the rise, some popular and persistent myths about cybersecurity have almost become threats themselves. API security requires a modern understanding of the threat landscape, with the context that most API providers desire to be more open and accessible to all. We will debunk the 5 worst myths about protecting your APIs.

Segment Resources:

• API Security Basics - Everything You Need to Know
• Graylog API Security - Gain Visibility & Control Over Your API Attack Surface

This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about API security!

Show Notes: https://securityweekly.com/esw-354

One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place.

Segment resources:

• https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50

Show Notes: https://securityweekly.com/asw-278

Robots gone wild, UDP, GoFetch, Domain Controllers, Pwn2Own, Verner Vinge, Reddit, Aaran Leyland, and More on this edition of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-371

In the enterprise security news,

Lots of funding news, including: - Nozomi Networks Raises $100 Million to Expand Industrial Cybersecurity Business - BigID Raises $60 Million at $1 Billion Valuation - J.P. Morgan Growth Leads $39 Million Investment in Eye Security - CyberSaint raises $21 million to accelerate market expansion Zscaler Acquires Avalor for $350 Million Cisco completes $28 bn acquisition of cybersecurity firm Splunk Airbus Calls Off Planned Acquisition of Atos Cybersecurity Group Cybersecurity firm Cato Networks hires banks for 2025 IPO, sources say

Show Notes: https://securityweekly.com/esw-354

We discuss the always controversial Flipper Zero devices the hidden risks in the undersea cables, and the landscape of government oversight, revealing the intricacies of CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation takes a turn to the practicalities of risk management and the impact of individuals on the industry, like Daniel from the curl project, striking a chord with the significance of cybersecurity vulnerabilities compared to environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure.

(00:01) Security Practices and Flipper Zero (07:01) Technology and Privacy Concerns in Cars (17:33) Undersea Cables and NVD Issues (27:45) Government Oversight and Funding for Cybersecurity (33:33) Improving Vulnerability Prioritization in Cybersecurity (45:37) Risk Management and CVE Implementation (58:06) Cybersecurity Budget and Risk Management (01:10:48) Unique Challenges in Cybersecurity Industry (01:16:41) Discussion on Open Source and CNAs (01:26:44) Bluetooth Vulnerabilities and Exploits Discussed (01:39:46) Email Security and Compromised Accounts (01:46:23) Cybersecurity Threats and Vulnerabilities (01:52:06) GPU Security Vulnerabilities Explained

Show Notes: https://securityweekly.com/psw-821

Josh Corman joins us to explore how we can make things more secure, making companies make things more secure, and making regulations that make us make things more secure! We will also touch on supply chain security and the state of vulnerability tracking and scoring.

Show Notes: https://securityweekly.com/psw-821

Piggybacking off of our interview with Dave DeWalt, Tom Parker from Hubble joins Business Security Weekly to discuss a few of the key trends CISOs should be paying attention to. Yes, we'll cover Artificial Intelligence, but more from a business risk and governance perspective. We'll also cover quantum computing, technical debt, and how budgets will impact how organizations can or cannot prepare for these emerging trends. Buckle up and hang on for part two of our jam packed episode.

Show Notes: https://securityweekly.com/bsw-342