Michael Coates, a volunteer with OWASP, is leading a project that helps developers inject code into applications to give them self-defense capabilities.
Threat Monitor -- January 12, 2010
Buffer overflow tutorial: How to find vulnerabilities, prevent attacks
Buffer overflow exploits and vulnerabilities can lead to serious harm to corporate Web applications, as well as embarrassing and costly data security breaches and system compromises.
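The pattern the tutorial above refers to, as an added example written for this page (not code from the tutorial or from SearchSecurity): a fixed-size stack buffer filled with strcpy() beside a bounded copy that refuses oversize input instead of silently truncating it. The buffer size, the constructed inputs and the helper names are assumptions made for illustration.

```c
/* Added example: a classic stack buffer overflow and a bounded replacement.
 * Illustrative code written for this page, not from the tutorial it follows. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* size of the fixed stack buffer (assumed for illustration) */

/* Length of s, but never reads past 'max' bytes (works even on unterminated input). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* VULNERABLE: strcpy() copies until it finds a NUL, so any input longer than
 * NAME_MAX-1 bytes writes past 'name' and overwrites whatever the compiler
 * placed after it on the stack (saved registers, the return address). */
void greet_vulnerable(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                  /* no length check */
    printf("Hello, %s\n", name);
}

/* HARDENED: check the length up front and refuse oversize input.
 * Returns 0 on success, -1 if the input does not fit (including its NUL). */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size)                  /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, len + 1);            /* copies the NUL too */
    return 0;
}

/* Same greeting, but the copy is bounded; returns 0 if greeted, -1 if rejected. */
int greet_hardened(const char *input)
{
    char name[NAME_MAX];
    if (copy_name_checked(name, sizeof name, input) != 0) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_MAX - 1);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

/* 1 if 'input' would overflow a buf_size-byte buffer under strcpy(), i.e. the
 * check the vulnerable version is missing. */
int would_overflow(const char *input, size_t buf_size)
{
    return bounded_len(input, buf_size) >= buf_size;
}

int main(int argc, char **argv)
{
    /* Constructed inputs: a name that fits and a 63-byte run of 'A's. */
    char attack[64];
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';
    const char *input = argc > 1 ? argv[1] : attack;

    printf("would_overflow(%zu-byte input) = %d\n",
           strlen(input), would_overflow(input, NAME_MAX));
    greet_hardened("alice");     /* accepted */
    greet_hardened(input);       /* rejected for the constructed attack string */
    /* greet_vulnerable(attack);    uncomment to corrupt the stack or crash */
    return 0;
}
```

Note that copy_name_checked() rejects rather than truncates: a truncating copy (strncpy without a manual NUL, or an unchecked snprintf return value) hides the fact that input was oversize, which is exactly the signal an application should log.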
Podcasts for the week of December 29, 2009
Top cybersecurity stories of 2009 (Part 2)
In part 2 of this two-part Security Squad, security expert and blogger Adam Shostack joins the SearchSecurity editorial team to talk about the security stories that resonated in 2009. (Part 2 of 2)
Top cybersecurity stories of 2009
Security expert Adam Shostack joins the SearchSecurity.com editorial team to talk about the cybersecurity stories that had the biggest impact on the security industry in 2009. (Part 1 of 2)
Podcasts for the week of December 22, 2009
Howard Schmidt named to WH post
Howard Schmidt gives his opinion on ongoing federal cybersecurity efforts in a 2008 interview. Also, Wade Baker of Verizon on the firm's data breach investigations.
Threat Monitor -- December 21, 2009
How to prevent memory dump attacks
Because databases are often encrypted, some attackers have switched to memory dump attacks. Michael Cobb explains how to protect your unencrypted transactions.
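One concrete defence against the memory dump attacks described above, as an added example written for this page (not code from the tip or from SearchSecurity): keep cleartext card data in memory for as short a time as possible, pin it so it cannot be paged to swap, and scrub it with a wipe the compiler cannot optimise away. The struct layout, the stand-in authorise() call and the test PAN are assumptions made for illustration; mlock() is POSIX and may fail under a tight memory-lock limit, in which case the scrub still happens.

```c
/* Added example: minimising the window in which a memory dump finds cleartext
 * card data. Illustrative code written for this page, not from the tip above. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/mman.h>   /* mlock/munlock (POSIX) */

/* In-memory view of one card transaction (field sizes assumed for illustration). */
struct transaction {
    char pan[20];       /* primary account number, cleartext while in use */
    char cvv[5];
    char amount[16];
};

/* memset() on a buffer that is never read again is dead code to an optimising
 * compiler. Calling it through a volatile function pointer forces the write
 * to happen (the same idea as explicit_bzero / memset_s). */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* 1 if every byte of the region is zero, else 0 (used to verify the scrub). */
int is_zeroed(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Stand-in for the real authorisation call (assumed): returns how many bytes
 * of cleartext card data it had to touch. */
static size_t authorise(const struct transaction *t)
{
    return strlen(t->pan) + strlen(t->cvv);
}

/* Process one transaction and leave no cleartext behind. Returns the number of
 * card-data bytes that were in memory, or -1 if a field would not fit. */
long process_transaction(const char *pan, const char *cvv, const char *amount)
{
    struct transaction t;
    if (strlen(pan) >= sizeof t.pan || strlen(cvv) >= sizeof t.cvv ||
        strlen(amount) >= sizeof t.amount)
        return -1;

    int pinned = (mlock(&t, sizeof t) == 0);   /* keep the secrets out of swap */
    memset(&t, 0, sizeof t);
    strcpy(t.pan, pan);                        /* lengths checked above */
    strcpy(t.cvv, cvv);
    strcpy(t.amount, amount);

    long touched = (long)authorise(&t);

    secure_zero(&t, sizeof t);                 /* wipe before the frame is reused */
    if (pinned)
        munlock(&t, sizeof t);
    return touched;
}

/* Shows what a dump would see: returns 1 if the struct held the PAN before
 * the scrub and is all zeros afterwards. */
int scrub_demo(void)
{
    struct transaction t;
    memset(&t, 0, sizeof t);
    strcpy(t.pan, "4111111111111111");         /* constructed test PAN */
    strcpy(t.cvv, "123");
    strcpy(t.amount, "19.99");
    int before = is_zeroed(&t, sizeof t);      /* 0: cleartext present */
    secure_zero(&t, sizeof t);
    int after = is_zeroed(&t, sizeof t);       /* 1: nothing left to dump */
    return before == 0 && after == 1;
}

int main(void)
{
    printf("scrub_demo: %s\n", scrub_demo() ? "scrubbed" : "NOT scrubbed");
    printf("card-data bytes handled: %ld\n",
           process_transaction("4111111111111111", "123", "19.99"));
    return 0;
}
```

The scrub only helps for copies you control: a PAN that was also passed through a logging call, a std::string that reallocated, or a crashed process's core file is still exposed, so the same discipline has to apply to every path the cleartext takes.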
Podcasts for the week of December 13, 2009
Conficker worm still infects millions
Security expert Mikko Hypponen of F-Secure talks about the latest on the Conficker worm. The Shadowserver Foundation finds up to 7 million machines still infected worldwide. Also, Mozilla Firefox, Opera and Apple Safari make a list of risky applications. Tom Murphy of Bit9 explains why.
Podcasts for the week of December 6, 2009
Microsoft issues IE security overhaul
Microsoft patched five vulnerabilities including a serious zero-day flaw in Internet Explorer. Jason Miller of patch management vendor Shavlik Technologies explains the impact.
Threat Monitor -- December 7, 2009
Best practices for (small) botnets
Your enterprise might have a strategy to deal with a large-scale botnet attack, but how would you deal with a micro-botnet that knows how to bypass antivirus and firewalls? Get botnet help with this expert advice.
Podcasts for the week of November 29, 2009
cities demand data breach penalties?
SearchSecurity.com editors discuss Los Angeles' inclusion of a data breach clause in their contract. Also, the importance of vendor security threat reports and consolidation in the Web security gateway market.
Podcasts for the week of November 22, 2009
Threat Monitor -- November 24, 2009
Cut down on calls to help desk with cybersecurity awareness training
It's no secret that human error accounts for many security blunders. But what's the best way to implement cybersecurity awareness training in your enterprise to keep employees from clicking on phishing links or downloading viruses? In this tip, learn how sending out cyber security tips can help.
Podcasts for the week of November 15, 2009
Metasploit creator H.D. Moore
Metasploit creator H.D. Moore talks about the future of the attack platform. Also Cisco's Dave Dalva on security and the Smart Grid.
Hot Type: Surreptitious Software
In this month's "Hot Type" podcast, authors Christian Collberg and Jasvir Nagra talk about why their book Surreptitious Software is particularly important for security professionals who may not have a strong interest in code development.
Podcasts for the week of November 8, 2009
Security certification pay remains strong
David Foote of Foote Partners on his latest skill and certification research. Security skills remain strong despite the bad economy.
Podcasts for the week of October 25, 2009
Security Squad: Tokenization, Phishing and the Feds
SearchSecurity editors discuss the importance of Microsoft's record breaking number of October vulnerabilities, the federal government's plan to hire 1,000 cybersecurity pros, the FBI's crackdown on a massive phishing ring and the latest payment industry tokenization plans.
Trojan strikes Internet Explorer users
Amit Klein, CTO of Trusteer Inc., on a new two-headed Trojan striking Internet Explorer users to steal login credentials.
Podcasts for the week of October 18, 2009
Heartland CIO on PCI, E3 project
Heartland Payment Systems CIO Steve Elefant talks about the processor's new E3 security processes, end-to-end encryption, deployment and adoption issues.
Podcasts for the week of October 11, 2009
Nuke and pave to eradicate botnets
Security researcher Gunter Ollmann of Damballa discusses the scourge of dangerous enterprise botnets and why the only method to eradicate them is by a method he calls "nuke and pave."
Podcasts for the week of October 4, 2009
Richard Jacobs, chief technology officer of Sophos, on encryption for compliance, DLP and the case for involving end users in security decisions.
Podcasts for the week of September 27, 2009
Threat Monitor -- October 1, 2009
Threat Monitor: An enterprise strategy for Web application security threats
People Security founder Hugh Thompson reviews the tools and tactics, from routine assessments to Web application firewalls, that are essential to an application security strategy.
Podcasts for the week of September 20, 2009
Digital forensics, breach incident response
Jim Jaeger, a retired Air Force brigadier general who heads the digital forensics operation at defense industry giant General Dynamics, explains best practices around data breach response and digital forensics.
SearchSecurity editors discuss Internet privacy issues, the Apache disclosure, VMworld and Apple security.
Podcasts for the week of September 13, 2009
Top Cybersecurity Risks
Experts discuss the findings of the SANS Institute 2009 Top Cyber Risks Report. The SANS report, The Top Cyber Security Risks, found that IT security professionals are failing to adequately address client-side application flaws and website vulnerabilities. Meanwhile, cybercriminals are using spear phishing attacks and automated SQL injection attacks to infect employee machines and ultimately gain access to company networks.
Podcasts for the week of September 6, 2009
DNSSEC – Challenges and pitfalls
Security experts and officials involved in DNSSEC implementations share their successes and the challenges they face.
Program notes:
DNSSEC deployments gain momentum since Kaminsky DNS bug
Kaminsky interview: DNSSEC addresses cross-organizational trust and security
Podcasts for the week of August 30, 2009
VMworld 2009: Virtualization security
Eric Ogren of The Ogren Group talks about the focus on security fundamentals and some virtualization technologies that increase security including virtual desktops. Ogren is attending VMworld this week in San Francisco.
Podcasts for the week of August 23, 2009
Security job market heating up
SearchSecurity.com's Carolyn Gibney interviews David Foote of Foote Partners on his latest skills and certification data. Foote says there's reason for those in the security industry to be optimistic.
Security Squad: The QSA and the Heartland breach
Editors discuss the missing federal cybersecurity coordinator, the recent debate over comments made by Heartland CEO Robert Carr blaming the PCI QSA for the breach and whether the U.S. Marines should ban social networks.
Podcasts for the week of August 16, 2009
Cyberwarfare and the enterprise: Is the threat real?
Recently, there has been a great deal of press about massive botnets and killer denial-of-service attacks. So how concerned should you really be about cyberwarfare? The threat is real, says contributor Sherri Davidoff, but the underlying problems are weaknesses in our own infrastructure. Outages can be prevented with a level head and a solid plan.
New certification highlights secure coding needs
Jim Molini, a Microsoft security professional and longtime security expert explains his work as the key architect of a new secure software certification. Also, Forrester Research analyst Rob Whiteley talks about weighing risks versus attempting to secure all data.
Podcasts for the week of August 9, 2009
Microsoft fixes ActiveX troubles, kill-bit bypass
Security researcher David Dewey of IBM ISS explains his team's discovery of interoperability flaws affecting Microsoft and third-party vendors. Dewey estimates that as many as 10,000 components on the Internet may be affected.
Podcasts for the week of July 26, 2009
Black Hat 2009: Researchers converge; Conficker update
Michael Mimoso, editor of Information Security magazine and Robert Westervelt, news editor of SearchSecurity.com discuss what to expect at this year's Black Hat conference. Also, listen to an interview with Mikko H. Hyppönen of F-Secure. Hyppönen plans to give an update on Conficker during a presentation at Black Hat. Visit our Black Hat 2009 news coverage page at: searchsecurity.com/blackhat2009
Podcasts for the week of July 19, 2009
Adobe Flash flaw being exploited
Purewire principal researcher Paul Royal explains the ins and outs of the Adobe Flash vulnerability. The flaw is being exploited via PDF files and drive-by attacks. Adobe said it plans to fix the flaw by July 30.
Podcasts for the week of July 12, 2009
Black Hat and Social Security numbers
The SearchSecurity.com editors discuss TJX's settlement with 41 states over its data breach, Juniper's decision to pull a Black Hat presentation and whether our Social Security numbers are at risk.
Threat Monitor -- July 16, 2009
Software security threats and employee awareness training
How secure is the software produced today? Is it possible to keep attackers out of your network if they're determined to get in? What strategies for employee security awareness training are most effective at stopping malware? Greg Hoglund explains how enterprises can face these challenging questions in order to strengthen their security programs and keep sensitive data in the right hands.
Patch Tuesday, ActiveX risks
Sheldon Malm and Josh Abraham of Rapid7 explain some of the serious vulnerabilities addressed by Microsoft this month. Also, Eric Voskuil of BeyondTrust on ways to protect against ActiveX vulnerabilities. Microsoft has been dealing with a slew of ActiveX flaws of late.
Podcasts for the week of July 5, 2009
Threat Monitor -- July 6, 2009
How to defend against rogue DHCP server malware
Rogue DHCP server malware is a new twist on an old concept. The good news is that effective threat mitigation strategies exist; the bad news is that many organizations haven't bothered to deploy them.
Podcasts for the week of June 28, 2009
Like it or not, Web-based social networking services are here to stay. Amit Klein, founder and chief technology officer of Trusteer, talks about the latest Twitter threats, how browser makers are responding to phishing and other attacks and the adoption of DNSSEC.
Podcasts for the week of June 21, 2009
Browser-based darknet unveiled; TJX settles dispute
Security researcher Matt Wood of HP talks about a new browser-based darknet he co-developed called Veiled. Also, Pete Lindstrom of Spire Security on TJX's latest data breach news.
Threat Monitor -- June 22, 2009
When BIOS updates become malware attacks
Most security pros don't give the system BIOS a second thought, or even a first one, but today's BIOS types are highly susceptible to malicious hackers. Information security threats expert Sherri Davidoff explains how attackers can plant BIOS malware and how security pros can thwart such attacks.
Podcasts for the week of June 14, 2009
Report: How to find jobs in information security
Is the recession holding back your career plans? In this free 30-minute podcast, experts Lee Kushner and Mike Murray offer infosec job advice that will help you survive and thrive in tough times.
Click fraud threatens Web advertising
Click fraud is threatening online advertising, according to experts. This week, Anchor Intelligence lead scientist Daniel Walling and Richard Sim, vice president of product management, talk about how fraudsters are getting more sophisticated. Also, Jeremiah Grossman of WhiteHat Security explains why it's so easy for people to carry out click fraud.
Podcasts for the week of June 7, 2009
Obama, ISP shutdowns and Web security threats
SearchSecurity.com editors discuss the Obama administration's cybersecurity plans, the FTC shutdown of Triple Fiber Network and what IT security pros can do to address the growing threat posed by the use of social networks and other Web-based services.
Security consultant Lenny Zeltser of Savvis Security Consulting Services explains the threats posed by employee use of social networking websites and what security pros can do to address them. Zeltser is a faculty member at the SANS Institute. Also, a brief overview of Microsoft Patch Tuesday.
Newsmaker: Sophos CEO Steve Munford
Steve Munford took over Sophos' leadership as the U.K.-based AV company mounted an aggressive effort to expand its market share, particularly in North America, against industry giants Symantec and McAfee. Munford was president of ActiveState when it was acquired by Sophos in 2003 and served as president for North America from 2003-2005.
In this interview, Information Security magazine's Neil Roiter talks with Munford about the company's acquisition and integration of encryption vendor Utimaco and Sophos' strategy for leveraging the acquisition to boost sales in North America and Europe. Munford describes how Sophos' engineering culture helps it integrate acquisitions and develop technology in-house.
Podcasts for the week of June 3, 2009
Obama Cybersecurity Plan
Information Security magazine's Michael Mimoso reports on the Obama cybersecurity announcement. He speaks with security luminary Howard Schmidt, Paul Kocher, chief scientist of Cryptography Research and Unisys CISO Patricia Titus.
Podcasts for the week of May 31, 2009
Security Wire Weekly: Virtualization Security Apocalypse
Christofer Hoff, chief security architect, Systems & Technology Division at Unisys, previews his upcoming Black Hat briefing, "The four horsemen of the virtualization security apocalypse." Hoff says virtualization security could prove to be very costly for companies as they try to sort out the new governance, oversight and manageability issues being introduced by the technology.
Podcasts for the week of May 24, 2009
White House cybersecurity czar faces big challenges
Security luminary Bruce Schneier and former cybersecurity czars Amit Yoran and Gregory Garcia share their views on a possible new White House cybersecurity czar. UK-based Paul Wood, senior analyst at Symantec's MessageLabs, gives the international perspective.
Podcasts for the week of May 17, 2009
Threat Monitor -- May 22, 2009
Cybercrime and threat management
It's no secret that cybercrime is an ever-growing issue for today's security professionals, but what roles and responsibilities need to change as a result of the glut in illicit cyber activity?
In this video, Bill Boni, VP of information security and technology at Motorola, discusses the changing landscape of cybercrime, and how to react to it.
Defeating hackers is hard
Sophos senior security consultant Graham Cluley talks about the antivirus industry, the threat landscape, the Conficker worm and why it has been difficult to defeat international cybercriminal gangs.
Podcasts for the week of May 10, 2009
Data breach burn-out
SearchSecurity.com editors discuss whether the Berkeley data breach warranted so much news coverage and whether people are becoming desensitized to data breaches. Also, Heartland Payment Systems' push for better industry wide security and whether software vendors should push silent updates to users.
Botnet threats and countermeasures
AT&T Labs' Brian Rexroad shares how the telecommunications giant detects and defends its network against botnets. Rexroad talks about the most prevalent botnets being monitored, including Conficker, how privacy concerns strain detection and eradication efforts and explains how future technologies could be used to battle the cybercriminals behind the threat. Rexroad is principal architect at AT&T Labs.
Podcasts for the week of May 3, 2009
Kodak CISO on virtualization, compliance
Eastman Kodak CISO Bruce Jones on compliance issues, cloud computing and virtualization use. Also, security analyst Eric Ogren on virtualization and other trends from the 2009 RSA Conference.
Podcasts for the week of April 26, 2009
Security skills and certification pay
SearchSecurity's Carolyn Gibney interviews David Foote of Foote Partners LLC about the firm's latest skills and certification pay research. Some security skills are holding their own in the tough economy.
Federal cybersecurity defenses
In this edition, SearchSecurity editors talk about the electrical grid compromise, restructuring of the federal cybersecurity authorities, who to blame for the Conficker hype and recent criticisms of the Payment Card Industry Data Security Standard.
Incident response and forensics
Trend Micro buys Third Brigade. Also Agile Risk Management's Matthew Shannon talks about incident response best practices, including ways to accelerate the process, how compliance enables better incident response, and what makes a successful incident response.
Trend Micro to acquire Third Brigade for virtualization: Trend Micro said Third Brigade's technology bolsters its datacenter security strategy by helping its customers protect virtual servers and cloud computing initiatives.
Security incident response 101: Even the best procedures fail to overcome the stresses in the initial throes of an incident. Security consultant Lenny Zeltser explains how to run a well
Cryptographer Ari Juels on RFID, encryption
SearchSecurity.com's Neil Roiter interviews well-known cryptographer Ari Juels about RFID security, cloud storage innovations and his new novel.
Podcasts for the week of April 19, 2009
Kaspersky sees Internet IDs ahead
Kaspersky Lab CEO Eugene Kaspersky predicts that one day people will need an ID card to access the Internet. In this wide-ranging interview at the 2009 RSA Conference, Kaspersky talks about the Conficker worm, attacker sophistication and tracking cybercriminals.
Mykonos platform injects security
Kyle Adams and Al Huizenga of new startup Mykonos talk about their new platform that injects security into the software development lifecycle for AJAX applications. Also, security expert David Mortman on cloud computing.
PCI Council readying new virtualization requirements
In an interview at the 2009 RSA Conference, Troy Leach, technical director of the PCI Security Standards Council said the organization is exploring ways to address the security challenges with virtualization and cloud computing. He said new requirements are likely.
Podcasts for the week of April 12, 2009
RSA preview: Google makes its case for defending the cloud
Eric Feigenbaum, director of security for Google Apps, asserts cloud computing can be as secure as or even more secure than traditional corporate security. Feigenbaum will participate in a panel at the 2009 RSA Conference, "Cloud computing – secure enough for primetime today?"
RSA preview: Budget issues to dominate
Andreas Antonopoulos of Nemertes Research, Charles Kolodgy of IDC and Chenxi Wang of Forrester Research talk about the major trends to dominate the RSA Conference. Shrinking budgets, application security, virtualization and encryption could dominate the event, the industry analysts said.
Salem takes charge at Symantec
Enrique Salem, who took over as Symantec CEO for the retiring John Thompson on April 4, talks about the Symantec he worked for in the 1990s, the Symantec he inherits today, and the Symantec he envisions for the future.
Podcasts for the week of April 5, 2009
Jim Reavis of the Cloud Security Alliance talks about the new organization's goals and the challenges ahead for cloud computing. Also, David Goldstone of Goodwin Procter on the failure of data breach class action lawsuits.
Maturity model supports secure software coding
Brian Chess of Fortify Software and Sammy Migues of Cigital talk about the "Building Security In Maturity Model" (BSIMM), a blueprint for secure software development, a collection of best practices distilled from nine of the best programs in the world.
Threat Monitor -- April 6, 2009
Short-lived Web malware: Fading fad or future trend?
Attackers are increasingly spreading their malicious code through fly-by-night websites that seem legitimate to unsuspecting users, but are actually laden with malware. Marcos Christodonte II explains how short-lived Web malware works, and how enterprises can use Web filtering, honeytokens and good policy to mitigate the threat.
Podcasts for the week of March 29, 2009
Is Conficker worth the hype?
We talk about the hype surrounding the Conficker worm with Pete Lindstrom, research director at Spire Security. Also, Dave Marcus of McAfee joins us to talk about malware in a down economy.
Podcasts for the week of March 22, 2009
OWASP security benchmark study; Mobile threats real?
This week's featured podcast is from SearchSecurity.com's Data Protection School.
Boaz Gelbord, who heads the OWASP Security Spending Benchmarks project, explains the survey results. Also, Ivan Arce of Core Security Technologies talks about smartphone threats and penetration testing.
'Hot Type': The Truth about Identity Theft
In the latest edition of "Hot Type: Security Books in Audio," author Jim Stickley reveals just how easy it is for a cybercriminal to get access to your employees' passwords.
And don't forget to read an excerpt from Jim Stickley's book: The Truth about Identity Theft.
Podcasts for the week of March 15, 2009
Security incident response tips; L0phtCrack is back
Security expert Lenny Zeltser gives tips on how to appropriately respond to a security incident. Also, a discussion on the relaunch of L0phtCrack password cracking tool with Chris Wysopal of Veracode.
Podcasts for the week of March 8, 2009
Jose Nazario on botnets, cyberwarfare
(SOURCE Boston 2009) Botnets are being used more frequently to silence political dissenters, explains Jose Nazario of Arbor Networks. Nazario has been studying the rise of botnets as a tool used in cyberwarfare.
Podcasts for the week of March 1, 2009
Threat Monitor -- March 6, 2009
How to use (almost) free tools to find sensitive data
No matter how much security awareness training employees get, some of them will still store sensitive data in insecure places. As a security manager, finding that data becomes of paramount importance — but how to do it? In this tip, John Soltys offers advice on ways to find insecurely stored data.
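The kind of "almost free" tool the tip above has in mind, as an added example written for this page (not John Soltys' code or SearchSecurity's): a small scanner that walks text for 13- to 19-digit runs (allowing single spaces or dashes between groups), applies the Luhn checksum so that order numbers and phone numbers are not reported as card numbers, and prints each hit masked so the report itself does not become another copy of the data. The sample text is constructed; the helper names are assumptions.

```c
/* Added example: scanning text for payment card numbers with a Luhn check.
 * Illustrative code written for this page, not from the tip it follows. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Luhn checksum over a string of ASCII digits; 1 if valid and PAN-length. */
int luhn_ok(const char *digits)
{
    size_t n = strlen(digits);
    if (n < 13 || n > 19)
        return 0;
    int sum = 0, dbl = 0;
    for (size_t i = n; i > 0; i--) {          /* right to left */
        int d = digits[i - 1] - '0';
        if (d < 0 || d > 9)
            return 0;
        if (dbl) {
            d *= 2;
            if (d > 9)
                d -= 9;
        }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Scan 'text' for candidate card numbers; returns how many pass Luhn.
 * Each hit is printed with its offset and only the first 6 / last 4 digits. */
int scan_for_pans(const char *text)
{
    int hits = 0;
    size_t len = strlen(text), i = 0;
    while (i < len) {
        if (!isdigit((unsigned char)text[i])) {
            i++;
            continue;
        }
        char digits[20];
        size_t nd = 0, j = i;
        while (j < len && nd < 19) {
            unsigned char c = (unsigned char)text[j];
            if (isdigit(c)) {
                digits[nd++] = (char)c;
                j++;
            } else if ((c == ' ' || c == '-') && nd > 0 && j + 1 < len &&
                       isdigit((unsigned char)text[j + 1])) {
                j++;                           /* single group separator */
            } else {
                break;
            }
        }
        digits[nd] = '\0';
        /* A 20th consecutive digit means a longer identifier, not a PAN. */
        if (j < len && isdigit((unsigned char)text[j])) {
            while (j < len && isdigit((unsigned char)text[j]))
                j++;
            i = j;
            continue;
        }
        if (luhn_ok(digits)) {
            hits++;
            printf("offset %zu: possible card number %.6s%.*s%s\n",
                   i, digits, (int)(nd - 10), "***************", digits + nd - 4);
        }
        i = j > i ? j : i + 1;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample: the kind of note a user might leave on a file share. */
    const char *sample =
        "customer notes\n"
        "order 1234567890123 paid with 4111-1111-1111-1111 exp 12/11\n"
        "backup card 5500 0000 0000 0004\n"
        "phone 555-0100\n";
    int n = scan_for_pans(sample);
    printf("%d possible card number(s) found\n", n);
    return 0;
}
```

Run the same function over each file on a share (or over the output of a text extractor for documents and spreadsheets) and the hit count per file is a ranked list of where to look first. The Luhn filter is what keeps the result usable: without it, every 13-plus digit order or invoice number is a false positive.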
PCI Council officials on data breaches, PCI DSS
PCI Council general manager Bob Russo and Council chairman Lib de Veyra talk about the PCI Council's goals in 2009. Russo is frank about the latest data breaches. Also a discussion about virtualization security with Steve Herrod of VMware.
Podcasts for the week of February 22, 2009
Cryptography expert Taher Elgamal of Axway Inc. defends SSL in the wake of research that bypasses it. Elgamal's research led to the development of SSL.
Threat Monitor -- February 23, 2009
How to block adult websites from enterprise users by logging content
Inappropriate content has always been a problem for enterprise security teams. What are some best practices for blocking adult content and websites from systems? In this security management tip, learn strategies for keeping users' Web habits in check.
Podcasts for the week of February 15, 2009
Chris Wysopal on secure coding
Secure coding expert Chris Wysopal talks about dynamic and static testing and the state of secure software development tools. Wysopal also explains why he's a big proponent of the SANS/CWE Top 25 Dangerous Programming Errors List.
Why top lists don't work
Gary McGraw of Cigital explains why the CWE/SANS Top 25 dangerous programming errors list will fail to have a major effect on secure software development.
Podcasts for the week of February 8, 2009
Cybersecurity priorities for the Obama administration
Core Security's Tom Kellermann, who served on the Commission for Cybersecurity for the 44th Presidency, talks about President Obama's cybersecurity priorities. Also, Gary McGraw of Cigital explains why the CWE/SANS Top 25 list won't do much to aid secure software development.
Podcasts for the week of February 1, 2009
Threat Monitor -- February 6, 2009
Threat Monitor: Are Windows Vista security features up to par?
Expert Michael Cobb explains why attempts to bypass Windows Vista memory protections don't necessarily mean that the operating system lacks security.
Data breach cost analysis
Larry Ponemon of the Ponemon Institute explains his firm's Cost of Data Breach study. While costs are increasing, companies are struggling to avoid a second breach. Also, Henry Helgeson, CEO of payment processor Merchant Warehouse, talks about PCI and encryption in the wake of the Heartland breach.
Data breach costs rise as firms brace for next loss: Companies are struggling to prevent data breaches, according to a new survey that found most firms are dealing with multiple breaches.
Class action lawsuit filed in Heartland data security breach: A class action lawsuit was filed against Heartland claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems.
Podcasts for the week of Jan. 25, 2009
Conficker dangers ahead
Thomas Cross, X-Force security researcher for IBM ISS, discusses the possible dangers posed by the Conficker/Downadup worm. Researchers are waiting for the payload.
Microsoft Conficker worm hits peak, but payload awaits: Security researchers are fascinated by the spreading Conficker/Downadup worm, but are unsure what kind of damage it will do to corporate networks.
Microsoft RPC worm spreads in corporate networks: A worm exploiting the Microsoft RPC vulnerability is wreaking havoc on some corporate networks, according to researchers at security vendor F-Secure.
Podcasts for the week of Jan. 18, 2009
Heartland data security breach
Gartner analyst Avivah Litan talks about the massive Heartland data security breach. Also, a discussion with Ernst & Young's Sagi Leizerov on data privacy in the retail industry.
Payments processor discloses massive data breach: Company says an intrusion of its processing system may be part of a broader fraud operation.
Study ties fraud losses to Hannaford, TJX breaches: Experts say breach costs are far reaching and could lead banks and merchants to find alternative payment methods.
Are vulnerability lists helpful?
In this edition of Security Squad, the editorial team debates the usefulness of the CWE/SANS Top 25 List and the state of virtualization security, and discusses the top cybersecurity news stories of 2008.
Podcasts for the week of Jan. 11, 2009
Top 25 dangerous coding errors
Security experts explain the new Top 25 Errors list. Includes Bob Martin of MITRE Corp., Paul Kurtz, a principal author of the U.S. National Strategy to Secure Cyberspace and application security testers Jacob West of Fortify Software and Chris Wysopal of Veracode.
Podcasts for the week of Jan. 4, 2009
Threat Monitor -- January 8, 2009
Threat Monitor: Future security threats: Enterprise attacks of 2009
Will organizations be ready for next year's enterprise security threats? Expert John Strand reviews what's in store for 2009, including new weapons, old vulnerabilities, and new takes on old attack techniques.
Network access control: A look ahead
Patrick Wheeler of Symantec looks back at the market for NAC technologies in 2008 and explains what he sees ahead in 2009.
INFORMATION SECURITY PODCAST ARCHIVES
This was first published in December 2009