PODCAST NOTES

Every Wednesday, I summarize a podcast about cybersecurity so you can read it in about five minutes or less. This week features Andrew van der Stock, managed services technical leader at Synopsys and senior application security leader at the OWASP Foundation. He spoke with John Verry of The Virtual CISO Podcast (#15) about the OWASP Top 10 web application security risks. [Note: Questions and answers were edited for brevity and clarity.]

John Verry: What is the OWASP Top Ten?

08:40 - Van der Stock explains the OWASP Top Ten is an awareness document. It provides web application developers and security teams what they need to know to avoid being hacked. He stressed that the primary audience is developers. Even though it has a more than 15-year history, the developers, in the beginning, didn't know about it.

09:04 - OWASP worked with application security teams to get the word out about it. The goal is to give people who are starting out on their application development journey a security map, he related. OWASP is not trying to provide all of the security answers, it is trying to provide warnings about the most common and dangerous threats. To read more upgrade to premium!

A declassified internal CIA report found that the agency failed to secure its systems, resulting in the 2017 "Vault 7" leak of classified data to WikiLeaks. A CIA employee stole up to 34 terabytes of classified data about the agency's hacking tools and sent it to WikiLeaks.

More: 

• The report, released by Sen. Ron Wyden (D.-Ore.), concluded that security practices at the CIA's Center for Cyber Intelligence (CCI), which developed the hacking tools, had become "woefully lax" leading up to the breach.
• Sen. Wyden urged Congress to reconsider a law that exempts intelligence agencies from federal cybersecurity requirements.
• In a letter to National Intelligence Director John Ratcliffe, Wyden asked Ratcliffe to detail security lapses by the intelligence community since the WikiLeaks breach. 

Two-thirds of 1,600 IT pros surveyed by IT software vendor Ivanti have seen an increase in security threats due to the shift to telework because of COVID-19. Malicious emails, risky employee behavior, and software vulnerabilities were identified as the most significant security threats resulting from the move to remote working. 

More on the survey:

• Close to half of respondents said that 75% of their employees are not working remotely.
• Over two-thirds of respondents said they increased virtual private network (VPN) access to more employees.
• 63% of respondents said they have seen an increased workload since the move to remote work.

Adobe patched 18 critical vulnerabilities in After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition in an out-of-band update. 

Treck patched 19 zero-day vulnerabilities in its Treck IP stack implementation for embedded systems with release of the latest version. The number of devices affected by the bug will blow your mind.

To read more, upgrade to premium!

CYBERSECURITY MASTERCLASS:

Forrester analyst Sandy Carielli urges organizations to create and fund developer security champion programs to help application developers understand the need for security early on.  To read more upgrade to premium!