This week we’re talking about big security breaches with Neil Daswani, renowned security expert, best-selling author, and Co-Director of Stanford University’s Advanced CyberSecurity Program. His book, Big Breaches: Cybersecurity Lessons for Everyone helped to guide this conversation. We cover the six common key causes (aka vectors) that lead to breaches, which of these causes are exploited most often, recent breaches such as the Equifax breach (2017), the Capital One breach (2019), and the more recent Solarwinds breach (2020).
Guy Podjarny is the Founder of Snyk, a security platform that empowers software-driven businesses to develop fast and stay secure. Prior to Snyk, Guy founded Blaze which was acquired by Akamai and became CTO. We talked through the topic of acquisition — the sale, the merge, the learnings, and why Guy might not be planning for Snyk to be acquired anytime soon. We started the conversation with Snyk’s recent raise of $150 million dollars.
Did you know Feross taught Web Security at Stanford last Fall? On this episode, Divya and Nick enroll in his security school to learn about XSS, CSP, ambient authority, and a whole lot more.
Put on your dark hoodie, turn all the lights off, and join the author of Black Hat Go as we explore the darker side of Go.
We’re talking with Josh Aas, the Executive Director of the Internet Security Research Group, which is the legal entity behind the Let’s Encrypt certificate authority. In June of 2017, Let’s Encrypt celebrated 100 Million certificates issued. Now, just about 2.5 years later, that number has grown to 1 Billion and 200 Million websites served. We talk with Josh about his journey and what it’s taken to build and grow Let’s Encrypt to enable a secure by default internet for everyone.
The commercial VPN industry is a minefield to navigate and many open source solutions are a pain to use or ill-suited for the task. Algo VPN, on the other hand, is a self-hosted personal VPN designed for ease of deployment and security. It uses the securest industry standards, builds on rock-solid solutions like WireGuard and Ansible, and runs on an ever-growing list of cloud hosting providers.
On this episode Dan Guido –CEO of security firm Trail of Bits and Algo’s creator– joins Jerod to discuss the project in depth.
Mat, Filippo, Johan, and Roberto discuss security in Go. Does Go make it easy to secure your code? What common mistakes are Gophers making? What is fuzzing? How can attackers abuse your code if you use the default http mux?
Jerod, Feross, and Nick discuss the latest npm security fiasco, opine on the strengths and weaknesses of spreadsheets, explain CORS like they’re 5 (sorta), and give shout outs to deserving purveyors of fine software.
We’re talking with Mike McQuaid about Homebew 2.0.0, supporting Linux and Windows 10, the backstory and details surrounding the security issue they had in 2018, their new governance model, Mike’s new role, the core team meeting in-person at FOSDEM this year, and what’s coming next for Homebrew.
Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts.
They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainer-ship of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.
Perry Mitchell joined the show to talk about the importance of password management and his project Buttercup — an open source password manager built around strong encryption and security standards, a beautifully simple interface, and freely available on all major platforms.
We talked through encryption, security concerns, building for multiple platforms, Electron and React Native pros and woes, and their future plans to release a hosted sync and team service to sustain and grow Buttercup into a business that’s built around its open source.
Aaron Hnatiw joined the show to talk about being a security researcher, teaching application security with Go, and a deep dive on how engineers and developers can get started with infosec. Plus: white hat, black hat, red team, blue team…Aaron sorts it all out for us.
Jacob Hoffman-Andrews, Senior Staff Technologist at the EFF and the lead developer of Let’s Encrypt, joined the show to talk about the history of SSL, the start of Let’s Encrypt, why it’s important to encrypt the web and what happens if we don’t, Certbot, and the impact Let’s Encrypt has had on securing the web.
Trevor Rosen and James “Egypt” Lee joined the show to talk about Metasploit, a collaboration of the open source community and Rapid7 – its penetration testing software that helps you verify vulnerabilities and manage security assessments.