#107 Niall Merrigan, Hacking, Bug Bounties and Responsible Disclosure

Summary
Niall Merrigan, security researcher, tells me about bug hunting and the best hacks he has seen.

Details
Who he is, what he does. Bug hunting, crowdsourcing the hunters, bug bounties, should you invite attacks on production, HackerOne and Bugcrowd. IoT is the most attacked software; smart cars, aircraft. Security.txt. Responsible disclosure, what to do if you find a bug, Niall's experience when reporting a particular bug. Even when bugs are known and acknowledged they are not necessarily fixed; industry code systems, hacks designed to kill. Is every hack a "sophisticated hack", the @mat hack. Are you a target for hacks. The most impressive hack Niall has seen. Physical access to a device, Hak5 Rubber Ducky. Supply chain injection*. Hacking a cat.

* We recorded this episode before the Super Micro story broke.

Links
Niall's homepage
Niall's Twitter

Download mp3 of podcast

#88 Aaron Bedra, Threat Modelling

Summary
Aaron Bedra talks to me about threat modelling, why you should do it and what to cover.

Details
Who he is, what he does. What is threat modeling and how he approaches it. Types of security, loss of money, loss of life. Should you secure something if it is not valuable. Are we in a post security world? How often your site is attacked. How to decide what to protect. Regulations and breaches. How to protect your system, watch for outgoing data. How to build secure software from the start (it starts with a hug from Aaron!). Hashed passwords are not as secure as you think. Encryption and input validation. How to check third party libraries. Better software practices lead to better security. How much security is enough, "if you are investing more than you could lose, you're doing it wrong".

Links
Aaron's homepage

Download mp3 of podcast

#48 Peter Waegemann, Security in the Medical Industry

Summary
Peter Waegemann, author of Knowledge Capital in the Digital Society, and I discuss security in the medical industry and why he advocates for less privacy.

Details
Who he is; Peter's background; overview of security in the medical field, more secure than the media suggests, less secure than it should be; Peter's views on privacy/security have changed over the years; why he was booed off stage; fear of breaches vs reality of damage done; the importance of data integrity; how privacy adversely affects outcomes; what the laws or regulations should look like; wrap up.

Download mp3 of podcast

#17 Robert Hurlbut, Software security

Summary
Robert Hurlbut and I discuss various aspects of software security.

Details
Background, why security isn’t thought about enough, out-of-the-box security with MVC, XSS, CSRF, model binding and parameter tampering; HTTPS everywhere or just on parts of a site; Microsoft improving security, open source issues, inclusion of open source in hardware security devices; unmanaged code in web apps; typical weaknesses in software, password security; software review process, threat models, code reviews, fuzz testing; healthcare security, medical devices, attack vectors, Barnaby Jack, how to build secure devices; finding good security professionals, conferences and tradeshows; books; don’t roll your own security; Robert’s presentation at Boston Code Camp.

Download mp3 of podcast

Book Recommendations
Iron-Clad Java: Building Secure Web Applications

Writing Secure Code (2nd Edition) (Developer Best Practices)

Software Security: Building Security In

#15 Linus Olsson, Hemlis project

Summary
Linus Olsson of the Hemlis project discusses what Hemlis is, why they are building it and how it works.

Details
Linus and I discuss his background, what Hemlis is, why build it; open source; the need for security and privacy, does encryption make you a target, good encryption vs bad encryption; why trust Hemlis, legal requests for data, would he go to jail to protect users; how it works, public key encryption, easier than PGP, type of encryption, back door on the phone, baseband hacking; open source vulnerabilities; servers, just for relaying, graphs, peer-to-peer not viable; scaling; release date, usability; how to promote your software; pricing, premium features, enterprise solution.

Download mp3 of podcast

Book Recommendations
The Mom Test: How to talk to customers & learn if your business is a good idea when everyone is lying to you

The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses