Building Successful Security Champions Programs – Marisa Fagan – ASW #294
Segments
1. Building Successful Security Champions Programs – Marisa Fagan – ASW #294
Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security.
Segment Resources:
- OWASP Security Champions Guide - Get Involved! - https://owasp.org/www-project-security-champions-guidebook/#div-getinvolved
- OWASP Security Champions Guide - LinkedIn page - https://www.linkedin.com/company/owasp-security-champions-guide/
- The Security Champions Success Guide - https://securitychampionsuccessguide.org/
- "Building a Successful Security Champions Program... What Does it Take?" - https://www.katilyst.com/post/building-a-successful-security-champions-program-what-does-it-take
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Marisa is a self-described Security Culture Expert, having spent the last 16 years driving culture change and building communities around security programs. She is currently Head of Product at a “security champion programs as-a-service” startup called Katilyst, and before that she has built security culture programs at companies like Atlassian, Synopsys, and Salesforce.
She’s based in SF and prefers Peet's to Philz for coffee fixes.
2. Dead Code, CrowdStrike’s Kernel Lessons, VMs & Security Boundaries, SLUBStick Attack – ASW #294
The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more!
- 1. jbp.io :: CVE-2024-5535: `SSL_select_next_proto` buffer overread
This stands out as a nice side-effect of rewriting (or sometimes just refactoring) code. A memory safety bug was introduced in 2011, a work-around was created in Android in 2014, and the underlying cause was discovered in 2024 during a rewrite to Rust.
Another aspect of this bug is that the feature, NPN, "was abandoned in 2012," which means the code has been unnecessary for a decade, or at least could have been disabled by default. It hasn't posed much risk for a long time, but it also likely could have been removed a long time ago. Removing unused and legacy code is one of the best appsec approaches.
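To make the "buffer overread" class concrete, here is an added example (not OpenSSL's code and not from the jbp.io post): a bounds-checked walk over two protocol lists in the NPN/ALPN wire layout, where each entry is one length byte followed by that many bytes of name. The function names, the result enum and the sample lists are constructed for this example. The defensive point is the validation pass: a length byte that claims more bytes than remain in the buffer is rejected before any comparison reads it, which is exactly the condition an unchecked walker would miss.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a protocol-selection attempt. Constructed for this example. */
enum proto_select_result {
    PROTO_SELECTED = 0,  /* an entry from the server list also appears in the client list */
    PROTO_NO_MATCH = 1,  /* both lists are well-formed but share no entry */
    PROTO_MALFORMED = 2  /* a length prefix claims more bytes than remain in its buffer */
};

/*
 * A protocol list in the NPN/ALPN wire layout is a sequence of entries, each
 * one length byte followed by that many bytes of name, ending exactly at len.
 * Return 1 if buf[0..len) has that shape, 0 otherwise. Every length byte is
 * checked against the bytes actually remaining, so a later pass that walks
 * the list can never read past the end of the buffer.
 */
static int proto_list_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = buf[i];
        /* len - 1 - i is the number of bytes after this length byte; it cannot
         * underflow because i < len. Empty names are rejected as well. */
        if (n == 0 || n > len - 1 - i)
            return 0;
        i += 1 + n;
    }
    return i == len;
}

/*
 * Pick the first entry of the server list that also appears in the client
 * list. Both lists are validated before any comparison is made, so memcmp is
 * only ever called with lengths that lie inside both buffers.
 * On PROTO_SELECTED, *out points into the server list and *out_len is set.
 */
enum proto_select_result select_proto(const unsigned char *server, size_t server_len,
                                      const unsigned char *client, size_t client_len,
                                      const unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (!proto_list_valid(server, server_len) || !proto_list_valid(client, client_len))
        return PROTO_MALFORMED;

    for (size_t i = 0; i < server_len; i += 1 + server[i]) {
        size_t n = server[i];
        const unsigned char *name = server + i + 1;
        for (size_t j = 0; j < client_len; j += 1 + client[j]) {
            if (client[j] == n && memcmp(name, client + j + 1, n) == 0) {
                *out = name;
                *out_len = n;
                return PROTO_SELECTED;
            }
        }
    }
    return PROTO_NO_MATCH;
}

/* Constructed sample lists: "h2" then "http/1.1" on the server side, "http/1.1" on the client side. */
static const unsigned char SERVER_LIST[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const unsigned char CLIENT_LIST[] = { 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
/* Constructed malformed list: the length byte claims 5 bytes but only 2 follow.
 * An unchecked walker would compare bytes past the end of this buffer. */
static const unsigned char BAD_LIST[] = { 5, 'h', '2' };

int main(void)
{
    const unsigned char *chosen = NULL;
    size_t chosen_len = 0;

    if (select_proto(SERVER_LIST, sizeof SERVER_LIST, CLIENT_LIST, sizeof CLIENT_LIST,
                     &chosen, &chosen_len) == PROTO_SELECTED)
        printf("selected: %.*s\n", (int)chosen_len, chosen);

    if (select_proto(BAD_LIST, sizeof BAD_LIST, CLIENT_LIST, sizeof CLIENT_LIST,
                     &chosen, &chosen_len) == PROTO_MALFORMED)
        printf("malformed list rejected before any comparison\n");
    return 0;
}
```

The validation pass is deliberately separate from the matching loop: once both lists are known to be self-consistent, the inner loops can advance by `1 + length` without re-checking, and a fuzzer feeding truncated lists hits the `PROTO_MALFORMED` path rather than a read past the buffer.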
- 2. Windows Security best practices for integrating and managing security tools | Microsoft Security Blog
- 3. Our audit of Homebrew | Trail of Bits Blog
- 4. everything curl book: Backdoors and supply chain risks
The book's source is at https://github.com/curl/everything-curl
Nod to Risky Biz News for highlighting this.
- 5. Avoiding downtime: modern alternatives to outdated certificate pinning practices
“Shorter lifetimes and frequent rotations limit the impact of compromised certificates, while certificate transparency allows for real time monitoring and detection of misissued certificates. These advancements are automated, scalable, and robust and eliminate the need for the manual and error-prone process of certificate pinning.”
- 6. EPSS A Visual Exploration of Exploits in the Wild – Cyentia Institute | Data-Driven Cybersecurity Research
- 7. DESIGN: Unfashionably secure: why we use isolated VMs
Another chance to talk about secure design and architecture choices, including trade-offs between security boundaries and operational efficiencies. In this case, it also sounds like a throwback to designs from a decade or so ago -- which isn't bad, but also may not be representative of modern design options.
- 8. Apple Intelligence Foundation Language Models
- 9. Falcon Content Update Remediation and Guidance Hub | CrowdStrike
Using this more as a chance to talk about secure design, kernels, and architecture choices.
Some additional references for discussion:
- What is eBPF? An Introduction and Deep Dive into the eBPF Technology -- validation and avoiding the halting problem
- Apple deprecating macOS kernel extensions (KEXTs) is a great win for security | ZDNET -- Apple's move in 2019 to develop System Extensions as a means to move extensions out of the kernel
- 1. Consumer Reports begins naming and shaming IOT vendors
"Several manufacturers of common consumer connected devices, including those making locks and faucets, are not taking an essential step to ensure that their products remain secure," CR starts off their rant with. Well, this is something I did not expect to see, but I'm very excited to see IoT security getting this much traction.
- 2. SLUBStick: A Cross-Cache attack
Deep but interesting paper. Basically, by using a new timing attack to access and manipulate the generic cache, an attacker is able to manipulate the kernel to over-manage (my phrase) the cache so the attacker can more consistently exploit vulnerabilities.