Episode 19: Understanding Cloud Attack Vectors

Episode 19 August 02, 2020 00:40:22
SilverLining IL

Hosted By

Moshe Ferber, Ariel Munafo

Show Notes

Attendees

Guest: Or Kamara

Guest Title: Senior team lead

Company: Snyk

Abstract

Cloud computing brings new and interesting attack vectors. In this episode we talk with Or Kamara, senior team lead at Snyk, about the Capital One breach and what can be learned from it in order to better protect our networks. We analyze the attack step by step and, at each step, add the mitigating controls that can help prevent the next attack.

Timing:

0:35 Introducing our guest

4:10 Introducing the story of the Capital One hack

5:45 The phases of the Capital One hack

7:50 The first misconfiguration: servers exposed to the internet unintentionally

11:05 The SSRF vulnerability and understanding the metadata service

19:38 Using API keys for browsing S3 and how to mitigate it

26:00 Things that Capital One did right and additional insights

28:00 How should developers and IT

30:50 Shifting from the traditional security mindset to a cloud security mindset

36:00 Summary and final words
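The segment at 11:05 covers the pivot in the attack chain: a server-side request forgery (SSRF) in an internet-facing application lets the attacker point the server at the EC2 instance metadata service and read the IAM role credentials it hands out, which then unlock S3. The guard below is an added example (not code from the episode, the hosts, or Snyk) of the application-side control for that step: every user-supplied URL is resolved and refused if it lands in a blocked range such as 169.254.0.0/16. The resolver is injected so the example runs offline; the FAKE_DNS table and the sample URLs are constructed for illustration.

```python
"""
SSRF guard for a server-side URL fetcher (added example, not the episode's
or Snyk's code).

Models the step discussed at 11:05: a server-side request forgery lets an
attacker point the application at the EC2 instance metadata service
(169.254.169.254) and read the IAM role credentials it returns. The guard
resolves the requested host and refuses any destination inside a blocked
network range, returning the single address the fetcher is allowed to use.
The resolver is injected so the example runs offline; the FAKE_DNS table
and sample URLs below are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Destinations a user-controlled fetch must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local; includes the IMDS at 169.254.169.254
    "127.0.0.0/8",      # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT; some clouds serve metadata here
    "0.0.0.0/8",        # "this network"; 0.0.0.0 reaches localhost on Linux
    "::1/128", "fe80::/10", "fc00::/7",  # IPv6 loopback, link-local, ULA
)]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver, returning every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    """True if addr falls inside any blocked range (IPv4-mapped IPv6 unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:169.254.169.254 as 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, resolve: Resolver = system_resolver) -> str:
    """Validate a user-supplied URL and return the IP the fetcher may use.

    Raises ValueError for anything the fetcher must refuse. The caller has to
    connect to the returned address (keeping the original Host header) rather
    than resolve the name again, otherwise a DNS answer that changes between
    this check and the connection (DNS rebinding) bypasses the guard.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6 host
    except ValueError:
        # Names, and literal forms ipaddress rejects (e.g. the decimal
        # 2852039166), go to the resolver, which normalizes them.
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    blocked = [a for a in addrs if is_blocked_address(a)]
    if blocked:  # one bad answer is enough: deny the whole fetch
        raise ValueError(f"{host!r} resolves to blocked address {blocked[0]}")
    return addrs[0]


# Constructed DNS table so the guard can be exercised offline.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "metadata.corp.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "169.254.169.254"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def audit(urls: List[str], resolve: Resolver = fake_resolver) -> Dict[str, str]:
    """Map each candidate URL to 'allow <ip>' or 'deny: <reason>'."""
    verdicts = {}
    for url in urls:
        try:
            verdicts[url] = "allow " + check_outbound_url(url, resolve)
        except ValueError as exc:
            verdicts[url] = "deny: " + str(exc)
    return verdicts


if __name__ == "__main__":
    samples = [
        "https://example.com/reports/latest.pdf",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata.corp.internal/",
        "http://rebind.attacker.test/",
        "file:///etc/passwd",
    ]
    for url, verdict in audit(samples).items():
        print(f"{verdict:50} {url}")
```

The guard only closes the SSRF step; it belongs next to the infrastructure controls the 19:38 segment is about, namely requiring IMDSv2 on the instance (credentials are then only returned to a request that first obtained a session token with a PUT, and the default hop limit of 1 keeps that token from being relayed through a proxying application) and scoping the instance role so the credentials it exposes cannot list or read buckets the application does not need.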

Other Episodes

Episode 1

November 04, 2018 00:37:41

Episode 1: Security Challenges With The Growing World Of Serverless Functions

Attendees
Guest: Ory Segal, Puresec
Guest title: CTO & Co-Founder at PureSec
Company: Puresec is the global leader in serverless architectures security.

Serverless functions are one of the most interesting things happening in application architecture. With serverless, application developers can stop worrying about the underlying infrastructure and scalability of the application, but they must address other risks at the application level. In this podcast we interview Puresec CTO Ory Segal, co-author of the top 12 risks to serverless applications.

Timing
0:00 – 2:35 Intro
2:35 – 8:05 What are serverless functions
8:05 – 12:20 How serverless is different (security wise)
12:20 – 19:40 Serverless risks & threats
19:40 – 24:00 Common mistakes and misconfigurations with serverless
24:00 – 29:30 Serverless effect on people, process and technology
29:30 – 37:00 Summary and conclusions ...

Episode 39

June 23, 2021 00:29:08

SilverLining Episode 39: Securing API Services

Attendees
Guest: Oz Avenstein
Guest Title: Founder & CEO @ Avensec - Cloud & Application Security
Topic: Securing API Services

Abstract
The application infrastructure is becoming more and more complex due to different requirements, design patterns, and technologies. In many cases one of those requirements is to connect other parties to systems, and in other cases to connect systems to other parties. Nowadays the most common connection method is to use Application Programming Interfaces (APIs). In this episode we spoke with Oz Avenstein, co-author of the CSA Security Guidelines for Providing and Consuming APIs, about the guidelines creation process and how organizations should secure access to API resources. ...

Episode 5

July 25, 2019 00:53:07

Episode 5: Guard Rails And Not Gates – How R&D And Security Should Co-Exist

Attendees
Guest: Guy Flechter
Guest title: CISO
Company: Appsflyer

Abstract
One of the biggest challenges facing software companies is how to make sure security policies are enforced across the development cycle without holding back R&D's ability to innovate. In this episode, Guy Flechter, CISO of Appsflyer, elaborates on the way he provides R&D with guidelines and support while keeping them motivated and committed to security.

Timing
0:00 Intro and introducing Appsflyer and its digital business
10:29 Understanding Appsflyer's underlying technology and security challenges
14:20 "We came in peace": building the security foundation at Appsflyer and understanding Guy's methodology
19:55 The people angle: building the right team and working efficiently with the R&D team
27:40 The technology angle: how to make sure developers don't need security in everyday life but are still on the right track
37:10 The process angle: building developer autonomy
40:25 Summary and conclusion ...