
Application Security Weekly (Audio)

Enhancing Security: App Modernization, Identity Orchestration, & Big IAM Challenge - Eric Olden - ASW #244

Wed Jun 14 2023
Identity Management, Access Control, Security Practices, Threat Modeling, Zero Trust, Declarative Policies, Common Vulnerabilities, Security Risks, Improving Workflows, Formal Verification Methods, Zero Trust VPN, Effective Measurement, CVSS 4.0, Industrial Approaches, Rust Binary Analysis

Description

This episode covers a wide range of topics related to identity management, access control, and security practices. From threat modeling using Jurassic Park as a reference to implementing passwordless authentication and avoiding lock-in, the episode explores the challenges and best practices in modern identity management. It also delves into the importance of distributed policies, zero trust principles, common vulnerabilities, and security risks. The episode concludes with discussions on trust issues, formal verification methods, improving security workflows, and effective measurement in the field of security.

Insights

Identity is the new perimeter

In the current distributed multi-cloud world, identity has become the new perimeter for access control. It encompasses authentication, access control, authorization, and auditing.

Zero Trust principles

Zero Trust is not just a product but a set of principles focusing on achieving high levels of confidence and trust in access control. Concepts like least privilege, continuous authentication, and continuous access control are key components of Zero Trust.

Declarative policies for distributed systems

To address the issue of distributed policies and avoid lock-in, organizations can use declarative policies that are easier to understand and ensure correct configuration. Open-source solutions like IDQL provide a standardized representation of policy across different platforms.

Common vulnerabilities and security risks

SQL injection, compromised credentials, and inadequate access controls are still prevalent security risks in many applications. It is crucial to prioritize threat modeling, code reviews, and conversations among development teams to address these risks.

Improving security workflows and metrics

Cloud Service Providers are focusing on improving the user experience of security workflows. Metrics that capture actions reducing risk are important for delivering security at scale. Industrial approaches with automation and repeatable processes can help avoid burnout.

Formal verification methods for confidentiality

Formal verification methods like TLA+ are important for organizations that want to guarantee confidentiality and meet claims in their systems. These methods allow for precise mathematical specifications and ensure system behavior before programming.

Zero Trust VPN and access requirements

Amazon's Cedar is a zero trust VPN that uses a policy language to define access requirements for applications. Automated reasoning and differential testing ensure scalability and reliability of policies.

Effective measurement and improving processes

Metrics play a crucial role in identifying problems and measuring progress in making changes within an organization. Improving organization processes and tooling is important for effective measurement and delivering security at scale.

CVSS 4.0 and industrial approaches

CVSS 4.0 is being developed with improvements in attack requirements and better metrics. Startups are working on prioritizing and fixing vulnerabilities based on CVSS scores. Industrial approaches with automation and scalable processes are essential for effective security practices.

Rust binary analysis challenges

Rust binary analysis presents unique challenges due to its compilation process and memory structures. Organizations interested in debugging or responding to security issues in Rust should refer to a detailed blog post recommended by the podcast.

Chapters

  1. Jurassic Park and Threat Modeling
  2. Identity Management in the Distributed Multi-Cloud World
  3. Implementing Passwordless Authentication and Avoiding Lock-in
  4. Addressing Identity Lock-in and Distributed Policies
  5. Authentication, Authorization, and Access Control
  6. Lessons Learned from SAML and Verizon DBIR
  7. Common Vulnerabilities and Security Risks
  8. Trust Issues and Improving Security Workflows
  9. Zero Trust VPN and Formal Verification Methods
  10. Improving Security Workflows and Metrics
  11. CVSS 4.0 and Industrial Approaches in Security
  12. Effective Measurement and Rust Binary Analysis

Jurassic Park and Threat Modeling

00:01 - 07:46

  • Jurassic Park is a good reference for threat modeling, with examples of confidentiality, integrity, and availability.
  • The park's computer system had about two million lines of code, and if a code review was the only way to turn the safety systems back on, everyone would have died.

Identity Management in the Distributed Multi-Cloud World

07:19 - 15:25

  • Identity is important for apps and users in the current distributed multi-cloud world.
  • In the Zero Trust world, identity has become the new perimeter for access control.
  • Identity encompasses authentication, access control, authorization, and auditing.
  • Compromised credentials are a common way for attackers to gain access to systems.
  • Implementing strong MFA and auditing can help mitigate phishing threats.
  • Integrating identity with applications can be complex and time-consuming.
  • Identity orchestration provides an abstraction layer to decouple applications from identity providers (IDPs).
  • The abstraction layer allows legacy applications that rely on HTTP headers to communicate with IDPs using modern standards like OpenID Connect.
  • Using an abstraction layer saves time and effort when upgrading identity across multiple applications at scale.

Implementing Passwordless Authentication and Avoiding Lock-in

15:04 - 22:20

  • Passwordless authentication can be implemented in legacy applications by swapping out manual effort with software.
  • Startups often prioritize getting their application working quickly and delay thinking about authentication or identification, but it's important to consider security from the beginning.
  • When building a new application, using standards is recommended to avoid being tied into proprietary systems.
  • OpenID Connect is easier to implement than SAML and provides more flexibility for future changes.
  • Thinking about how to avoid lock-in and handle future choices of flexibility is crucial when selecting an identity provider.
  • IDQL (Identity Query Language) is a new standard designed to solve the problem of fragmented policy across different platforms.

Addressing Identity Lock-in and Distributed Policies

22:09 - 29:30

  • Identity became a point of lock-in, hindering portability between clouds.
  • Strata developed a standardized representation of policy to address this issue.
  • The new policy representation is declarative and human-readable.
  • Declarative policies are easier to understand and ensure correct configuration.
  • SAML took a long time to reach widespread adoption due to implementation challenges.
  • To solve the problem of distributed policies, an open-source implementation called IDQL was created.
  • IDQL works with all clouds and eliminates the need for cloud providers to build their own solutions.
  • Policies as code can be linted and reasoned about for better security practices.
  • Teams are maturing in their approach to identity and considering RBAC and ABAC principles.
  • Zero Trust is seen as a set of principles rather than a product, focusing on achieving high levels of confidence and trust in access control.
  • Concepts like least privilege, continuous authentication, and continuous access control are key components of Zero Trust.
  • The concept of Zero Trust has evolved to include powerful protocols like CAEP (Continuous Access Evaluation Protocol) for continuous access enforcement.

Authentication, Authorization, and Access Control

29:01 - 36:48

  • Authorization and authentication are key components of access control.
  • Frameworks like CAEP and FIDO2 allow for the integration of different security systems.
  • Implementing concepts like continual authentication, least privilege, and detailed audit can achieve zero trust without buying a specific product.
  • The issue of paying for security features in enterprise licenses is a conundrum.
  • Decentralizing identity and giving individuals more control over their privacy could be the future of scale.
  • Storing public keys instead of passwords reduces the impact if they get exposed.
  • Application security can be summarized as zero trust identity.

Lessons Learned from SAML and Verizon DBIR

36:21 - 43:31

  • Eric Olden discusses identity management and lessons learned from SAML, including incentivizing adoption with easy implementations and using human-readable formats.
  • The Verizon Data Breach Investigations Report for 2023 was released, but it didn't have many application security insights.
  • Attackers use the exploit vulnerability technique in only 5% of breaches, while stolen credentials account for half of the compromises.
  • The report includes snarky humor and subnotes that make it an interesting read.
  • Web applications are still a top attack vector, even if attackers gain access through stolen credentials.
  • The report mentions specific controls, such as control 16 for application software security, that could improve response to breaches.
  • APT actors exploited vulnerabilities in the MOVEit file transfer software after sitting on them for two years.
  • The company found additional SQL injection flaws during a vendor code review, highlighting the need to address this common vulnerability.

Common Vulnerabilities and Security Risks

43:06 - 50:31

  • Many applications still have SQL injection problems
  • Approximately 30-35% of applications go through any type of code review
  • Honda's power equipment, marine, lawn, and garden e-commerce platform had a password reset API that only required the username, making it vulnerable
  • Data isolation or tenant isolation is an important design consideration for preventing unauthorized access to data
  • Threat modeling and conversation among development teams are necessary to address security risks
  • Similar vulnerabilities may exist in other automakers' platforms, such as Acura, Teotis series, Nissan series, GM series, Ford, etc.
  • Barracuda's appliance had a vulnerability that allowed remote code execution and malware upload
  • Running email servers can be a security risk for SMBs that cannot afford cloud-based solutions like Microsoft 365 or Google Workspace

Trust Issues and Improving Security Workflows

50:03 - 56:50

  • Devices with firmware updates may pose a trust issue for responders
  • Barracuda has not mentioned replacing their devices for free
  • Rapid7 found a critical vulnerability in Fortinet's FortiGate product suite
  • Some vendors are shifting from hardware-focused to software and cloud-based sales
  • Cloud-based email is not affected by latency issues
  • The Go language introduced memory arenas to improve performance

Zero Trust VPN and Formal Verification Methods

56:24 - 1:02:59

  • Amazon created something called Cedar, which is a zero trust VPN.
  • Cedar is a policy language used to define access requirements for applications.
  • Amazon has also developed automated reasoning and differential testing to ensure scalability and reliability of their policies.
  • TLA+ is a specification language used by organizations like Amazon, Azure, NASA, and Oracle to define system behavior before programming.
  • TLA+ allows for precise mathematical specifications and formal verification methods.
  • Formal verification methods are important for organizations that want to guarantee confidentiality and meet claims in their systems.

Improving Security Workflows and Metrics

1:02:30 - 1:09:01

  • ESA and cloud providers using Nitro systems to ensure claims are met
  • Article on getting rid of AWS access keys and moving towards least privilege
  • Cloud Service Providers focusing on user experience of security workflows
  • Screenshot of the AWS dialog for creating a secret key with different options
  • Discussion on improving user interface and user experience in security workflows
  • Teachable moment in Firefox version 114 regarding clickjacking and TLS errors
  • Combining clickjacking with predicting page load time to trick users into clicking buttons
  • Questioning how to fix the issue of invisible buttons being clicked

CVSS 4.0 and Industrial Approaches in Security

1:08:43 - 1:15:11

  • Randomizing the timing of buttons on a website can prevent clickjacking attacks.
  • Manipulating the user interface to obscure security feedback can lead to missed warnings.
  • CVSS 4.0 is being developed with improvements in attack requirements and better metrics.
  • Public comments on CVSS 4.0 are open until July 31st.
  • Some people find CVSS more complex, but it supports temporal and environmental aspects.
  • Startups are working on prioritizing and fixing vulnerabilities based on CVSS scores.
  • CVSS is trying to understand how it is used in real-world environments.
  • Metrics that capture actions reducing risk are important for delivering security at scale.

Effective Measurement and Rust Binary Analysis

1:14:52 - 1:19:55

  • Metrics should capture the range of actions that reduce risk, not just stop at CVSS scores.
  • Improving organization processes and tooling is important for effective measurement.
  • Industrial approaches require scale, repeatable processes, and automation to avoid burnout.
  • Automating tedious tasks allows humans to focus on more interesting and impactful work.
  • Metrics can help identify problems and measure progress in making changes within an organization.
  • The podcast mentions a table comparing artisanal versus industrial approaches in development maturity.
  • Rust binary analysis presents unique challenges due to its compilation process and memory structures.
  • The podcast recommends a detailed blog post on Rust binary analysis for those interested in debugging or responding to security issues.