Application Security Weekly (Audio)

Latest Web Vulnerability Trends & Best Practices - Patrick Vandenberg - ASW #245

Wed Jun 28 2023
Application Security, Web Vulnerabilities, Scanning Trends, IoT Security, Risk Containment, Bug Bounties, Linux Kernel Vulnerabilities, Amazon CDK

Description

This episode covers a range of topics including the 20th anniversary of '28 Days Later' and its impact on the zombie genre, web vulnerability trends and best practices with Patrick Vandenberg from Invicti, news highlights on XSS in Azure, and debunking myths about application security. It also delves into insights on organizations that scan more having fewer vulnerabilities, efficiency and proficiency in addressing vulnerabilities, improvements in vulnerability classes like cross-site scripting, collaboration and operational efficiency in risk containment, allocation of effort in fixing vulnerabilities, trends and profiles in application security, IoT security and shifting left, continuous automated scanning and production environments, risk conversations and business safe software, Keycloak and IAM challenges, exploring new areas of research in security, bug bounties and security developer in residence programs, Linux kernel vulnerabilities and strategic vulnerability management, a security issue with Amazon CDK, and the importance of practical experience in production environments for job applications.

Insights

Organizations that scan more have fewer vulnerabilities

Scanning for vulnerabilities can significantly reduce an organization's risk by identifying and addressing vulnerabilities.

Efficiency and proficiency in addressing vulnerabilities can improve over time

As organizations gain experience in addressing vulnerabilities, they become more efficient and proficient in the process.

Collaboration and operational efficiency are key in risk containment

By collaborating and improving operational efficiency, organizations can effectively contain risks and prevent the introduction of new vulnerabilities.

Focus on severe vulnerabilities while low and medium vulnerabilities are left untouched

Application security tends to focus on severe vulnerabilities, while low and medium vulnerabilities are often neglected.

Trends in scanning across different industries

Major industries like consumer goods, communications, healthcare, technology, and transportation show an increasing trend in scanning, while public sector and financial services exhibit a flat trend indicating maturity. Manufacturing stands out with significantly higher scanning due to increased adoption of dynamic scanning into the CI/CD pipeline.

IoT security requires involving developers and adopting positive practices

To enhance IoT security, it is important to involve developers in the conversation and adopt positive security practices. Shifting left by bringing security into the development process earlier can also contribute to improved IoT security.

Continuous monitoring and automated scanning are crucial for application security

Continuous monitoring and automated scanning play a vital role in ensuring application security by detecting vulnerabilities more quickly.

Risk conversations should consider productivity and risk tolerance

When discussing risk with developers, it is important to consider productivity concerns and determine risk tolerance based on organizational factors.

Bug bounties require proper scoping and aligned incentives

To make bug bounties effective, they need to be properly scoped and responded to. Aligned incentives and organizational maturity are crucial for successful bug bounty programs.

Practical experience in production environments is valuable for job applications

Having practical experience in production environments is highly valuable when applying for jobs in development or cloud roles.

Chapters

  1. 20th Anniversary of '28 Days Later' and Reinvigoration of Zombie Genre
  2. Web Vulnerability Trends and Best Practices with Patrick Vandenberg
  3. News Segment Highlights
  4. Organizations Scanning More Have Fewer Vulnerabilities
  5. Efficiency and Proficiency in Addressing Vulnerabilities
  6. Improvements in Vulnerability Classes
  7. Collaboration and Operational Efficiency in Risk Containment
  8. Allocation of Effort in Fixing Vulnerabilities
  9. Trends and Profiles in Application Security
  10. Focus on Severe Vulnerabilities in Application Security
  11. Scanning Trends in Different Industries
  12. IoT Security and Shifting Left
  13. Continuous Automated Scanning and Production Environments
  14. Risk Conversations and Business Safe Software
  15. Keycloak and IAM Challenges
  16. Exploring New Areas of Research in Security
  17. Bug Bounties and Security Developer in Residence
  18. Linux Kernel Vulnerabilities and Strategic Vulnerability Management
  19. Security Issue with Amazon CDK and Practical Experience in Production Environments
Transcript

20th Anniversary of '28 Days Later' and Reinvigoration of Zombie Genre

00:01 - 06:59

  • Podcast discusses the 20th anniversary of the movie '28 Days Later' and how it reinvigorated the zombie genre
  • AppSec is compared to a stale zombie and the need for reinvigoration is discussed

Web Vulnerability Trends and Best Practices with Patrick Vandenberg

00:01 - 06:59

  • Interview with Patrick Vandenberg from Invicti about web vulnerability trends and best practices

News Segment Highlights

00:01 - 06:59

  • In the news segment, topics include XSS in Azure, OpenSSF hiring a security developer, and debunking myths about application security

Organizations Scanning More Have Fewer Vulnerabilities

06:31 - 14:02

  • Organizations that scan more for vulnerabilities tend to have fewer vulnerabilities, reducing their risk.

Efficiency and Proficiency in Addressing Vulnerabilities

06:31 - 14:02

  • Efficiency and proficiency in addressing vulnerabilities can improve over time within an organization.

Improvements in Vulnerability Classes

06:31 - 14:02

  • Certain vulnerability classes, like cross-site scripting, have seen improvements due to better guardrails and frameworks.

Collaboration and Operational Efficiency in Risk Containment

06:31 - 14:02

  • Collaboration and operational efficiency can help contain risk and prevent the introduction of new vulnerabilities.

Allocation of Effort in Fixing Vulnerabilities

06:31 - 14:02

  • Effort spent on fixing vulnerabilities may be reallocated to low-risk issues or other areas like education or helping junior developers.

Trends and Profiles in Application Security

13:33 - 21:39

  • A data set of 1.7 million scans was used for this report, showing trends and profiles emerging.
  • Medium and low vulnerability issues are often left untouched, with around 90% prevalence year after year.

Focus on Severe Vulnerabilities in Application Security

13:33 - 21:39

  • Apps with low- and medium-severity vulnerabilities are not being fixed, even though such vulnerabilities are found in about 90% of scans.
  • Application security is heavily focused on severe vulnerabilities, while high- and critical-severity vulnerabilities have low prevalence.

Scanning Trends in Different Industries

13:33 - 21:39

  • Major industries like consumer goods, communications, healthcare, technology, and transportation show a steady increase in scanning over the four-year period.
  • Public sector and financial services show flat trends in scanning, indicating maturity and investment in security.
  • Manufacturing stands out with three times the amount of scanning compared to other industries due to increased adoption of dynamic scanning into the CI/CD pipeline.
  • Media, entertainment, and broad services industries show a downward trend in scanning over three years.

IoT Security and Shifting Left

21:12 - 28:56

  • Manufacturing stands out with a big leap in IoT security, driven by increased regulation and supply chain attacks.
  • IoT devices have longer life cycles and are attractive targets for hackers.
  • Expanding the scope of security means involving developers in the conversation instead of just blaming them.
  • Buying and deploying a scanner is not enough; organizations need to implement positive practices.
  • Shifting left means bringing security into the development process earlier.
  • Friction between security and development has been an ongoing challenge.
  • Real-world functionality testing can complement other methods and reduce friction with developers.
  • Adopting security tools involves conversations with AppSec teams, engineering, DevOps, CTOs, etc.
  • There is increasing buy-in from the development side for secure software practices.
  • Continuous monitoring and continuous automated scanning are important for application security.

Continuous Automated Scanning and Production Environments

28:29 - 36:38

  • Continuous automated scanning in application security is equivalent to continuous monitoring in other segments of security.
  • Shorter windows between scans reduce an application's exposure to vulnerabilities introduced by updates and third-party apps, and to vulnerabilities already being exploited.
  • Production environments provide a view of an application's real state, so it is important to set up controlled states for testing.

Risk Conversations and Business Safe Software

28:29 - 36:38

  • Risk conversations with developers often focus on productivity rather than setting baselines or drawing risk lines.
  • Risk tolerance and acceptance of vulnerabilities are determined by the CSO's organization or the C-suite.
  • Businesses may rely on cybersecurity insurance and accept severe vulnerabilities while pursuing medium- and low-severity ones.
  • Developers prioritize functionality over security due to limited time resources.
  • Scanning more helps exercise the process of identifying and fixing vulnerabilities more quickly.
  • 'Business safe software' describes the impact of application security on the business and prioritizes functionality over security.

Keycloak and IAM Challenges

42:54 - 49:55

  • Keycloak is an IAM-related tool that will be discussed in future episodes.

Exploring New Areas of Research in Security

49:33 - 56:12

  • James Kettle discusses how he chooses security topics, emphasizing the importance of exploring new areas of research.
  • He encourages researchers to fail quickly and move on if they don't find vulnerabilities.
  • Kettle suggests looking beyond well-known web vulnerabilities like cross-site scripting and XXE.
  • He mentions request smuggling and web race conditions as interesting areas to explore.
  • The distinction between direct impact and audience impact is discussed, with the latter being more universal and impactful for developers.

Bug Bounties and Security Developer in Residence

55:51 - 1:02:42

  • Bug bounties can be ineffective if not scoped or responded to properly
  • In the crypto world, bug bounties often result in negotiations between hackers and companies
  • Designing a bug bounty requires aligned incentives and maturity to handle it effectively
  • OpenSSF's Alpha-Omega project partners with open source software projects to find and fix vulnerabilities
  • The Python Security Foundation has hired its first security developer in residence
  • Hiring a security-minded developer can be beneficial for organizations
  • The concept of a 'security developer in residence' is promising for the industry

Linux Kernel Vulnerabilities and Strategic Vulnerability Management

1:02:23 - 1:09:30

  • A bug in io_uring was found by examining newer parts of the Linux kernel that haven't been thoroughly reviewed yet
  • More data, technology, cybersecurity professionals, and controls do not necessarily lead to better protection; budget should be used smarter
  • Having more scanners and security measures doesn't always find all vulnerabilities; strategic vulnerability management is important
  • An issue with Amazon CDK was discovered by a company called Garden

Security Issue with Amazon CDK and Practical Experience in Production Environments

1:09:07 - 1:14:57

  • The folks at a company called Garden discovered an issue with Amazon CDK.
  • Amazon CDK is a multi-language framework for deploying and creating cloud infrastructure.
  • It has a library that provides high-level interfaces for converting infrastructure definitions into CloudFormation templates.
  • Garden found that when creating an EKS cluster through CDK, the permissions were more open than they should be.
  • They reported the issue and highlighted the importance of making it more secure by default.
  • The podcast also discussed free cybersecurity training resources and the challenge of finding useful ones in limited time.
  • They asked listeners to share valuable resources specific to cloud or AWS/GCP.
  • The hosts emphasized the importance of practical experience in production environments when applying for jobs in development or cloud roles.