Application Security Weekly (Audio)
Latest Web Vulnerability Trends & Best Practices - Patrick Vandenberg - ASW #245
Wed Jun 28 2023
Description
This episode covers a range of topics: the 20th anniversary of '28 Days Later' and its impact on the zombie genre, web vulnerability trends and best practices with Patrick Vandenberg from Invicti, and news highlights on XSS in Azure and debunking myths about application security. It also delves into insights on organizations that scan more having fewer vulnerabilities, efficiency and proficiency in addressing vulnerabilities, improvements in vulnerability classes like cross-site scripting, collaboration and operational efficiency in risk containment, allocation of effort in fixing vulnerabilities, trends and profiles in application security, IoT security and shifting left, continuous automated scanning and production environments, risk conversations and business safe software, KeyCloak and IAM challenges, exploring new areas of research in security, bug bounties and security developer in residence programs, Linux kernel vulnerabilities and strategic vulnerability management, a security issue with Amazon CDK, and the importance of practical experience in production environments for job applications.
Insights
Organizations that scan more have fewer vulnerabilities
Scanning for vulnerabilities can significantly reduce an organization's risk by identifying and addressing vulnerabilities.
Efficiency and proficiency in addressing vulnerabilities can improve over time
As organizations gain experience in addressing vulnerabilities, they become more efficient and proficient in the process.
Collaboration and operational efficiency are key in risk containment
By collaborating and improving operational efficiency, organizations can effectively contain risks and prevent the introduction of new vulnerabilities.
Focus on severe vulnerabilities while low and medium vulnerabilities are left untouched
Application security tends to focus on severe vulnerabilities, while low and medium vulnerabilities are often neglected.
Trends in scanning across different industries
Major industries like consumer goods, communications, healthcare, technology, and transportation show an increasing trend in scanning, while public sector and financial services exhibit a flat trend indicating maturity. Manufacturing stands out with significantly higher scanning due to increased adoption of dynamic scanning into the CI/CD pipeline.
IoT security requires involving developers and adopting positive practices
To enhance IoT security, it is important to involve developers in the conversation and adopt positive security practices. Shifting left by bringing security into the development process earlier can also contribute to improved IoT security.
Continuous monitoring and automated scanning are crucial for application security
Continuous monitoring and automated scanning play a vital role in ensuring application security by detecting vulnerabilities more quickly.
Risk conversations should consider productivity and risk tolerance
When discussing risk with developers, it is important to consider productivity concerns and determine risk tolerance based on organizational factors.
Bug bounties require proper scoping and aligned incentives
To make bug bounties effective, they need to be properly scoped and responded to. Aligned incentives and organizational maturity are crucial for successful bug bounty programs.
Practical experience in production environments is valuable for job applications
Having practical experience in production environments is highly valuable when applying for jobs in development or cloud roles.
Chapters
- 20th Anniversary of '28 Days Later' and Reinvigoration of Zombie Genre
- Web Vulnerability Trends and Best Practices with Patrick Vandenberg
- News Segment Highlights
- Organizations Scanning More Have Fewer Vulnerabilities
- Efficiency and Proficiency in Addressing Vulnerabilities
- Improvements in Vulnerability Classes
- Collaboration and Operational Efficiency in Risk Containment
- Allocation of Effort in Fixing Vulnerabilities
- Trends and Profiles in Application Security
- Focus on Severe Vulnerabilities in Application Security
- Scanning Trends in Different Industries
- IoT Security and Shifting Left
- Continuous Automated Scanning and Production Environments
- Risk Conversations and Business Safe Software
- KeyCloak and IAM Challenges
- Exploring New Areas of Research in Security
- Bug Bounties and Security Developer in Residence
- Linux Kernel Vulnerabilities and Strategic Vulnerability Management
- Security Issue with Amazon CDK and Practical Experience in Production Environments
20th Anniversary of '28 Days Later' and Reinvigoration of Zombie Genre
00:01 - 06:59
- Podcast discusses the 20th anniversary of the movie '28 Days Later' and how it reinvigorated the zombie genre
- AppSec is compared to a stale zombie and the need for reinvigoration is discussed
Web Vulnerability Trends and Best Practices with Patrick Vandenberg
00:01 - 06:59
- Interview with Patrick Vandenberg from Invicti about web vulnerability trends and best practices
News Segment Highlights
00:01 - 06:59
- In the news segment, topics include XSS in Azure, OpenSSF hiring a security developer, and debunking myths about application security
Organizations Scanning More Have Fewer Vulnerabilities
06:31 - 14:02
- Organizations that scan more for vulnerabilities tend to have fewer vulnerabilities, reducing their risk.
Efficiency and Proficiency in Addressing Vulnerabilities
06:31 - 14:02
- Efficiency and proficiency in addressing vulnerabilities can improve over time within an organization.
Improvements in Vulnerability Classes
06:31 - 14:02
- Certain vulnerability classes, like cross-site scripting, have seen improvements due to better guardrails and frameworks.
Collaboration and Operational Efficiency in Risk Containment
06:31 - 14:02
- Collaboration and operational efficiency can help contain risk and prevent the introduction of new vulnerabilities.
Allocation of Effort in Fixing Vulnerabilities
06:31 - 14:02
- Effort spent on fixing vulnerabilities may be reallocated to low-risk issues or other areas like education or helping junior developers.
Trends and Profiles in Application Security
13:33 - 21:39
- The report draws on a data set of 1.7 million scans, from which trends and profiles emerge.
- Medium and low vulnerability issues are often left untouched, with around 90% prevalence year after year.
Focus on Severe Vulnerabilities in Application Security
13:33 - 21:39
- Low and medium severity vulnerabilities are not being fixed, despite being found in about 90% of scans.
- Application security is heavily focused on severe vulnerabilities, while high and critical severity vulnerabilities have low prevalence.
Scanning Trends in Different Industries
13:33 - 21:39
- Major industries like consumer goods, communications, healthcare, technology, and transportation show a steady increase in scanning over the four-year period.
- Public sector and financial services show flat trends in scanning, indicating maturity and investment in security.
- Manufacturing stands out with three times the amount of scanning compared to other industries due to increased adoption of dynamic scanning into the CI/CD pipeline.
- Media, entertainment, and broad services industries show a downward trend in scanning over three years.
IoT Security and Shifting Left
21:12 - 28:56
- Manufacturing shows a big leap in IoT security due to more regulation and supply chain attacks.
- IoT devices have longer life cycles and are attractive targets for hackers.
- Expanding the scope of security means involving developers in the conversation instead of just blaming them.
- Buying and deploying a scanner is not enough, organizations need to implement positive practices.
- Shifting left means bringing security into the development process earlier.
- Friction between security and development has been an ongoing challenge.
- Real-world functionality testing can complement other methods and reduce friction with developers.
- Adopting security tools involves conversations with AppSec teams, engineering, DevOps, CTOs, etc.
- There is increasing buy-in from the development side for secure software practices.
- Continuous monitoring and continuous automated scanning are important for application security.
Continuous Automated Scanning and Production Environments
28:29 - 36:38
- Continuous automated scanning in application security is equivalent to continuous monitoring in other segments of security.
- Shorter windows between scans reduce the time an application stays exposed through updates, third-party components, and newly exploited vulnerabilities.
- Production environments show the real state of an application, so it is important to set up controlled states for testing.
Risk Conversations and Business Safe Software
28:29 - 36:38
- Risk conversations with developers often focus on productivity rather than setting baselines or drawing risk lines.
- Risk tolerance and acceptance of vulnerabilities are determined by the CSO's organization or the C-suite.
- Businesses may rely on cybersecurity insurance and accept severe vulnerabilities while pursuing mediums and lows.
- Developers prioritize functionality over security due to limited time resources.
- Scanning more helps exercise the process of identifying and fixing vulnerabilities more quickly.
- 'Business safe software' describes the impact of application security on the business and prioritizes functionality over security.
KeyCloak and IAM Challenges
42:54 - 49:55
- KeyCloak is a tool related to IAM that will be discussed in future episodes.
Exploring New Areas of Research in Security
49:33 - 56:12
- James Kettle discusses how he chooses security topics, emphasizing the importance of exploring new areas of research.
- He encourages researchers to fail quickly and move on if they don't find vulnerabilities.
- Kettle suggests looking beyond well-known web vulnerabilities like cross-site scripting and XXE.
- He mentions request smuggling and web race conditions as interesting areas to explore.
- The distinction between direct impact and audience impact is discussed, with the latter being more universal and impactful for developers.
Bug Bounties and Security Developer in Residence
55:51 - 1:02:42
- Bug bounties can be ineffective if not scoped or responded to properly
- In the crypto world, bug bounties often result in negotiations between hackers and companies
- Designing a bug bounty requires aligned incentives and maturity to handle it effectively
- OpenSSF's Alpha-Omega project partners with open source projects to find and fix vulnerabilities
- The Python Security Foundation has hired its first security developer in residence
- Hiring a security-minded developer can be beneficial for organizations
- The concept of a 'security developer in residence' is promising for the industry
Linux Kernel Vulnerabilities and Strategic Vulnerability Management
1:02:23 - 1:09:30
- A bug in io_uring was found by examining newer parts of the Linux kernel that haven't been thoroughly reviewed yet
- More data, technology, cybersecurity professionals, and controls do not necessarily lead to better protection; budget should be used smarter
- Having more scanners and security measures doesn't always find all vulnerabilities; strategic vulnerability management is important
- An issue with Amazon CDK was discovered by a company called Garden
Security Issue with Amazon CDK and Practical Experience in Production Environments
1:09:07 - 1:14:57
- The folks at a company called Garden discovered an issue with Amazon CDK.
- Amazon CDK is a multi-language framework for deploying and creating cloud infrastructure.
- It has a library that provides high-level interfaces to convert infrastructure into CloudFormation.
- Garden found that when creating an EKS cluster through CDK, the permissions were more open than they should be.
- They reported the issue and highlighted the importance of making it more secure by default.
- The podcast also discussed free cybersecurity training resources and the challenge of finding useful ones in limited time.
- They asked listeners to share valuable resources specific to cloud or AWS/GCP.
- The hosts emphasized the importance of practical experience in production environments when applying for jobs in development or cloud roles.