Below the Surface (Audio) - The Supply Chain Security Podcast

• The Hidden Risks of Open Source Components - BTS #49

  In this episode, Paul Asadorian and Josh Bressers delve into the complexities of open source supply chain security, discussing the prevalence of open source components in modern software, the challenges posed by legacy systems, and the critical importance of vulnerability management. They explore the regulatory landscape surrounding software liability and the need for better tools and practices to ensure secure product development. The conversation highlights the necessity of understanding dependencies and the implications of consumer security in a market driven by features rather than security. In this conversation, Josh Bressers and Paul discuss the importance of Software Bill of Materials (SBOMs) in enhancing supply chain security and vulnerability management. They explore the role of metadata in programming languages like Go and Rust, the challenges of accurately identifying vulnerabilities through CVEs, and the need for better automation in vulnerability detection. The discussion also touches on the potential of AI in identifying vulnerabilities, the introduction of tools like SIFT and GRIPE for generating SBOMs and scanning for vulnerabilities, and the future implications of these technologies in software security.  

  --------  

  52:52
• Hardware Hacking Tips & Tricks - BTS #48

  In this episode, Paul and Chase delve into the world of hardware hacking, focusing on devices like the Flipper Zero and ESP32. They discuss the various applications of these tools, their impact on awareness in the hacking community, and the security implications surrounding their use. The conversation also touches on vulnerabilities in hotel security systems, challenges in remediating legacy systems, and the commoditization of hacking tools. Through practical examples and insights, the hosts explore the evolving landscape of cybersecurity and the role of hardware in it. In this conversation, Paul and Chase delve into the world of hardware hacking, discussing the accessibility of devices like the Flipper Zero and ESP32, the importance of supply chain security, and the real-world implications of vulnerabilities in firmware and bootloaders. They emphasize the need for validation in the supply chain and explore the growing interface between hardware hacking and enterprise risk. 

  --------  

  54:24
• BMC&C Part 3 - BTS #47

  In this episode, Paul Asadoorian, Vlad Babkin, and Chase Snyder delve into the latest vulnerability disclosures related to Baseboard Management Controllers (BMCs), specifically focusing on AMI Megarac and Redfish. They discuss the nature of the vulnerabilities, the discovery process, and the potential impacts of a BMC compromise. The conversation highlights the importance of understanding BMCs in the context of supply chain security and the risks associated with exposing these components to the internet. The conversation delves into the vulnerabilities associated with Baseboard Management Controllers (BMCs), particularly focusing on the Redfish API and the potential for exploitation. The speakers discuss the implications of these vulnerabilities on hardware, the challenges faced by vendors in patching, and the importance of network segmentation and monitoring. They also highlight the limitations of logging and the effectiveness of Web Application Firewalls (WAFs) in this context. The discussion emphasizes the need for robust security measures to protect enterprise networks from potential attacks.

  --------  

  49:24
• Black Basta - Threat Intelligence Insights - BTS #46

  In this episode, Paul Asadoorian, Vlad Babkin, and Chase Snyder delve into the recent leaks from the Black Basta ransomware group, exploring the implications of the leaked chat logs, the operational tactics of the group, and the evolving landscape of ransomware attacks. The conversation highlights the importance of understanding threat intelligence derived from these leaks, the significance of targeting exposed devices, and the necessity of robust security measures to mitigate risks. In this conversation, the speakers delve into the evolving tactics of ransomware groups, emphasizing the importance of understanding their operational scale and methodologies. They discuss the significance of early detection and the necessity for organizations to adopt robust defensive strategies, particularly in credential management and vulnerability monitoring. The conversation highlights the need for enterprises to harden their defenses against potential intrusions and the critical role of effective password management in mitigating risks.

  --------  

  51:33
• Understanding Firmware Vulnerabilities in Network Appliances - BTS #45

  In this episode, Paul, Vlad, and Chase discuss the security challenges of Palo Alto devices and network appliances. They explore the vulnerabilities present in these devices, the importance of best practices in device management, and the need for automatic updates. The conversation highlights the evolving nature of firmware vulnerabilities and the necessity for compensating controls to mitigate risks. The hosts emphasize the responsibility of vendors to ensure their products are secure and the need for a shift in user expectations regarding security appliances. In this conversation, the speakers discuss the pressing need for improved security standards in network appliances, the challenges posed by auto updates and supply chain security, and the importance of implementing zero trust principles. They also delve into the role of firmware encryption and key management in enhancing security while emphasizing the necessity of monitoring and detection to safeguard against vulnerabilities.  

  --------  

  59:35

More Technology podcasts

Trending Technology podcasts

About Below the Surface (Audio) - The Supply Chain Security Podcast