OwlTail


Daniel Cuthbert

11 Podcast Episodes

Latest 9 Oct 2021 | Updated Daily

Weekly hand curated podcast episodes for learning


64 - Daniel Cuthbert & Pen Testing with the ASVS

The InfoSec & OSINT Show

In episode 64, Daniel Cuthbert joins us to talk about the OWASP Application Security Verification Standard. My 3 main takeaways were: 1) why the ASVS will make you a better pen tester and even bounty hunter; 2) how to use the ASVS for threat modelling; and 3) his tips on getting your talk accepted at a security conference. For more information, including the show notes, check out: https://breachsense.io/podcast

24mins

8 Jul 2021


How Santander’s Mark Carney and Daniel Cuthbert Are Working to Demystify Quantum Cryptography

Security Nation

https://community.signalusers.org/t/signal-should-warn-users-who-are-likely-using-insecure-ime-apps/10272

51mins

21 Jan 2021


Ep. 82, Oh, wasp (with Daniel Cuthbert)

The Many Hats Club

(2020-03-19), Hardware, Photography, Chernobyl, CMA, CFP

(00:09:05) "[…] it's OK to specialize, you don't have to know everything. And I think in today's age, it's obscene. You just wouldn't be able to know everything, you know. And I think this is the expectation that, oh, you know, if you're a pentester, you need to know everything. I know a lot of good pentesters (who won't admit it) but they don't know the Cloud. They don't know the real Cloud. I would if I was doing it now, I'd look for what really gets me excited […] So I think pick what really gets you excited and concentrate on that. Ignore what everyone else thinks. They don't matter. What matters is what you're going to pull your effort into."

Stu had the pleasure to listen to the incredibly humbling story of Daniel Cuthbert. He is a co-author of the OWASP ASVS standard and currently holds the position of Global Head of Security Research for a large corporate.

This incredible conversation touches on the following subjects:
- OWASP and the humbling journey till now
- Times when the World Wide Web was not a thing
- Importance of self-development
- How to start in hardware (some great advice there!)
- Money vs job satisfaction
- Threat modelling and bug bounties
- Experiencing Chernobyl as a creative
- Photography in a conflict zone
- Court case and changes to the Computer Misuse Act 1990
- Con talks and how to properly prepare for those

Links:
- Twitter: https://twitter.com/dcuthbert
- Website: http://danielcuthbert.com/
- OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/

(01:06:13) "…submit it and if you see who's on the review board and you want help, reach out. And my offer still stands. My DMs are open. […] But I will, you know, if I can help the submission, understand it and help you rewrite it and go from that, it doesn't have to be for Black Hat or BruCON or DEFCON or 44CON that I am involved in - it could be for any con"

Listen here: download

Hosted by: Stu. Production: Meadow. Proofing, writeup: Mon.

Please subscribe!
- Apple: http://bit.ly/TMHC-Podcast-Apple
- Spotify: http://bit.ly/TMHC-Podcast-Spotify
- Google Podcasts: http://bit.ly/TMHC-Podcast-Google
- Android: http://bit.ly/TMHC-Podcast-Android
- RSS Feed: http://bit.ly/TMHC-Podcast-RSS

2 Dec 2020


CyberSecurity Is On And In The Minds Of Europe | Black Hat Europe 2020 | ITSPmagazine Coverage | With Daniel Cuthbert

ITSPmagazine

2020 has been a colossal roller coaster of a year in many ways, and the numbers and depth of submissions hitting the Black Hat events review board for the 2020 European installment this year demonstrate the unique times in which we are all living. Taking into account the runaway trains of ransomware and misinformation to hacking the Sony PS4 and the world's critical infrastructure components, citizens and businesses and countries have seen a lot, and the researchers presenting at this year's Black Hat Europe event demonstrate just how important it is that the industry do the hard work to stay ahead of the curve. And with 900 people behind the submissions—many of which were comprised of 2-3 presenters—it appears the topics being presented this year cover the gamut including hardware, firmware, software, services, and cloud.

Connecting the research back to the real world through stories is what ultimately matters, and we have the pleasure of chatting with Black Hat review board member, Daniel Cuthbert, to help us make this connection. With a career spanning over 20 years on both the offensive and defensive side, Daniel's seen the evolution of hacking from small groups of curious minds to organized criminal networks and the nation-states we see today and has a number of relevant, timely stories to share in today's episode: the 72 million data points of Disney's user tracking, North Korea as a global superpower, Snoopy (a distributed surveillance framework), and 131,00 blocked domains on the home network.

And, I can't believe we forgot to ask Daniel about hacking a late-'80s drum machine. Maybe next time...

Guest(s): Daniel Cuthbert, Global Head of Cyber Security Research, Banco Santander (@dcuthbert on Twitter)

Resources: Black Hat Europe 2020: https://itsprad.io/b1d53

This Episode's Sponsors: If you'd like to sponsor this or any other podcast episode on ITSPmagazine, you can learn more here: https://www.itspmagazine.com/podcast-series-sponsorships

To see and hear more event coverage content on ITSPmagazine, visit: https://www.itspmagazine.com/itspmagazine-event-coverage

Are you interested in sponsoring our event coverage or another ITSPmagazine Channel? https://www.itspmagazine.com/podcast-series-sponsorships

28mins

28 Nov 2020


11. OWASP ASVS: The Go-To Standard for Application Security w/ Daniel Cuthbert

The Virtual CISO Podcast

Your application is probably vulnerable. "But how?! We hired a company to pen test our application. They did a thorough test against the OWASP Top 10!"

On this episode of the Virtual CISO Podcast, we talk with Daniel Cuthbert. He's one of the premier authors of the OWASP ASVS, and he says the OWASP Top 10 is not enough.

We chat about:
- Why the ASVS is so important
- Why we shouldn't be putting all our faith in the OWASP Top 10 (only)
- How to incorporate threat modelling into your assessments and your ASVS test

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here.

56mins

5 May 2020


Daniel Cuthbert

Human Factor Security

Daniel is responsible for leading the research direction for cyber security technology platforms, tradecraft and capabilities, and for partnering with a variety of organisations and individuals to help make Santander a world-class cyber security organisation. Added to that, he is a co-author of the Open Web Application Security Project (OWASP) ASVS Standard. Not content with that, he is also an excellent documentary photographer. Listen to Jenny and Daniel chat about how the industry needs to release not only vulnerability information but solutions to the problems found, how blaming 'the human' is a tired cliché and understanding them as well as the work they do is required, and advice to anyone starting out in Infosec. To follow Daniel on LinkedIn, click the link here. To follow Daniel on Twitter, click the link here. To view the amazing Cocaine Cowboy photographs, click the link here. Don't forget you can also follow Jenny on Twitter by clicking the link here.

45mins

11 Oct 2019


2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2

Brakeing Down Security Podcast

Announcements:
- SpecterOps and Tim Tomes are giving training at WorkshopCon: https://www.workshopcon.com
- Rob Cheyne, Source Boston: https://sourceconference.com/events/boston19/
- Austin Cybernauts meetup: https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS "is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard."

ASVS team: Daniel Cuthbert (@dcuthbert), Andrew van der Stock, Jim Manico (@manicode), Mark Burnett, Josh C Grossman

Links:
- ASVS 4.0 (PDF): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
- ASVS 4.0 (DOCX): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
- https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
- Old version (ASVS 3.0.1): https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
- Older BrakeSec episode on the ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

ASVS page 14: "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."

Discussion questions:
- What are the biggest differences between V3 and V4? Why was a change needed?
- https://xkcd.com/936/ - the famous XKCD password comic
- David Cybuck: Appendix C, IoT. Why was this added? Are these controls in addition to all the other ASVS controls?
- How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code and containerization?
- You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
- BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 and http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
- Seems incomplete… (Section 1.13 "API"). Will this be added later? What is needed to fill that in? (manpower, SMEs, etc.)
- 3 levels of protection… why have levels at all? Why shouldn't everyone be at Level 3? I just don't like the term 'bare minimum' (level 1) --brbr
- Cost to get to L2? L3?

Threat modeling:
- Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
- Adam Shostack, Threat Modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
- https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
- https://www.youtube.com/watch?v=2C7mNr5WMjA

Other links:
- https://manicode.com/ - secure coding education
- https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
- #Brakesec Store!: https://www.teepublic.com/user/bdspodcast
- #Spotify: https://brakesec.com/spotifyBDS
- #RSS: https://brakesec.com/BrakesecRSS
- #Youtube Channel: http://www.youtube.com/c/BDSPodcast
- #iTunes Store Link: https://brakesec.com/BDSiTunes
- #Google Play Store: https://brakesec.com/BDS-GooglePlay
- Our main site: https://brakesec.com/bdswebsite
- #iHeartRadio App: https://brakesec.com/iHeartBrakesec
- #SoundCloud: https://brakesec.com/SoundcloudBrakesec
- Comments, Questions, Feedback: bds.podcast@gmail.com
- Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
- #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
- #Player.FM: https://brakesec.com/BDS-PlayerFM
- #Stitcher Network: https://brakesec.com/BrakeSecStitcher
- #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

56mins

7 Apr 2019


2019-012: OWASP ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 1

Brakeing Down Security Podcast

Show Notes

Announcements:
- SpecterOps and Tim Tomes are giving training at WorkshopCon: https://www.workshopcon.com
- Rob Cheyne, Source Boston: https://sourceconference.com/events/boston19/

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS "is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard."

ASVS team: Daniel Cuthbert (@dcuthbert), Andrew van der Stock, Jim Manico (@manicode), Mark Burnett, Josh C Grossman

Links:
- ASVS 4.0 (PDF): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
- ASVS 4.0 (DOCX): https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx

Don't post these links in show notes:
- ASVS list (Google Sheet): https://drive.google.com/open?id=1xFLmvNoR2tohk08cQDLU46FWNgpx28wd
- ASVS PDF: https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing

- Old version (ASVS 3.0.1): https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf
- Older BrakeSec episode on the ASVS: http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

ASVS page 14: "If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture."

Discussion questions:
- What are the biggest differences between V3 and V4? Why was a change needed?
- https://xkcd.com/936/ - the famous XKCD password comic
- David Cybuck: Appendix C, IoT. Why was this added? Are these controls in addition to all the other ASVS controls?
- How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code and containerization?
- You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
- BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 and http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
- Seems incomplete… (Section 1.13 "API"). Will this be added later? What is needed to fill that in? (manpower, SMEs, etc.)
- 3 levels of protection… why have levels at all? Why shouldn't everyone be at Level 3? I just don't like the term 'bare minimum' (level 1) --brbr
- Cost to get to L2? L3?

Threat modeling:
- Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
- Adam Shostack, Threat Modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
- https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
- https://www.youtube.com/watch?v=2C7mNr5WMjA

Other links:
- https://manicode.com/ - secure coding education
- https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
- #Brakesec Store!: https://www.teepublic.com/user/bdspodcast
- #Spotify: https://brakesec.com/spotifyBDS
- #RSS: https://brakesec.com/BrakesecRSS
- #Youtube Channel: http://www.youtube.com/c/BDSPodcast
- #iTunes Store Link: https://brakesec.com/BDSiTunes
- #Google Play Store: https://brakesec.com/BDS-GooglePlay
- Our main site: https://brakesec.com/bdswebsite
- #iHeartRadio App: https://brakesec.com/iHeartBrakesec
- #SoundCloud: https://brakesec.com/SoundcloudBrakesec
- Comments, Questions, Feedback: bds.podcast@gmail.com
- Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
- #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
- #Player.FM: https://brakesec.com/BDS-PlayerFM
- #Stitcher Network: https://brakesec.com/BrakeSecStitcher
- #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

51mins

1 Apr 2019


Daniel Cuthbert, Banco Santander - Application Security Weekly #38

Paul's Security Weekly TV

Daniel Cuthbert is the Global Head of Security Research for Banco Santander. He joins Keith and Paul this week for an interview! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode38 Follow us on Twitter: https://www.twitter.com/securityweekly

23mins

7 Nov 2018


Daniel Cuthbert, Banco Santander - Application Security Weekly #38

Application Security Weekly (Video)

Daniel Cuthbert is the Global Head of Security Research for Banco Santander. He joins Keith and Paul this week for an interview! Full Show Notes: https://wiki.securityweekly.com/ASW_Episode38 Follow us on Twitter: https://www.twitter.com/securityweekly

23mins

6 Nov 2018
