Community Knowledge Sharing with CyberNest – Ben Siegel, Aaron Costello – ESW #379
Full Audio
View Show IndexSegments
1. Community Knowledge Sharing with CyberNest – Ben Siegel – ESW #379
For this interview, Ben from CyberNest joins us to talk about one of my favorite subjects: information sharing in infosec. There are so many amazing skills, tips, techniques, and intel that security professionals have to share. Sadly, a natural corporate reluctance to share information viewed as privileged and private has historically had a chilling effect on information sharing.
We'll discuss how to build such a community, how to clear the historical hurdles with information sharing, and how to monetize it without introducing bias and compromising the integrity of the information shared.
Guest
Ben Siegel is the founder of The CyberNest, a peer-review and information-sharing platform for IT and cybersecurity professionals. Guided by a core principle that the effectiveness of people, processes, and technology in cybersecurity fundamentally depends on the acquisition and application of relevant knowledge, Ben identified a significant gap in accessible, trusted information for security professionals during his time as an early leader in Gartner’s emerging tech team. Today, The CyberNest serves over 550 IT and cybersecurity professionals, offering a platform to discover curated, peer-validated knowledge and quickly access experience-based insights to make more informed decisions.
Host
2. Discovering a common Salesforce mistake launched this security professional’s career – Aaron Costello – ESW #379
Aaron was already a skilled bug hunter and working at HackerOne as a triage analyst at the time. What he discovered can't even be described as a software bug or a vulnerability. This type of finding has probably resulted in more security incidents and breaches than any other category: the unintentional misconfiguration.
There's a lot of conversation right now about the grey space around 'shared responsibility'. In our news segment later, we'll also be discussing the difference between secure design and secure defaults. The recent incidents revolving around Snowflake customers getting compromised via credential stuffing attacks is a great example of this. Open AWS S3 buckets are probably the best known example of this problem. At what point is the service provider responsible for customer mistakes? When 80% of customers are making expensive, critical mistakes? Doesn't the service provider have a responsibility to protect its customers (even if it's from themselves)?
These are the kinds of issues that led to Aaron getting his current job as Chief of SaaS Security Research at AppOmni, and also led to him recently finding another common misconfiguration - this time in ServiceNow's products. Finally, we'll discuss the value of a good bug report, and how it can be a killer addition to your resume if you're interested in this kind of work!
Segment Resources:
- Aaron's blog about the ServiceNow data exposure.
- The ServiceNow blog, thanking AppOmni for its support in uncovering the issue.
Guest
Aaron Costello is a renowned trailblazer in the field of SaaS security. At AppOmni (https://appomni.com/), he leads groundbreaking initiatives to fortify cloud landscapes against emerging threats, and empowers organizations to navigate the intricate challenges of securing cloud-based platforms. Widely recognized for his invaluable contributions to public security research, Aaron has recently shone a spotlight on the intricacies of SaaS security within Salesforce and ServiceNow. Through meticulous analysis and a commitment to transparency, he has unveiled vulnerabilities, shared crucial insights, and played a pivotal role in shaping best practices within these key platforms. Outside of his role at AppOmni, Aaron is a sought-after speaker, and a vocal advocate for both open source software and the advancement of cybersecurity education for young individuals.
Host
3. Funding, acquisitions, DFIR reports, bad products, secure by design, and more! – ESW #379
In the enterprise security news,
- Eon, Resolve AI, Harmonic and more raise funding
- Dragos acquires Network Perception
- Prevalent acquires Miratech
- The latest DFIR reports
- A spicy security product review
- Secure by Whatever
- New threats
- Hot takes
All that and more, on this episode of Enterprise Security Weekly.
Hosts
- 1. FUNDING – New funding for Eon, Resolve AI, Harmonic, Apono, reAlpha, and a quartet of privacy engineering startups
From Return on Security's Security Funded newsletter, we've got
- Eon Launches out of Stealth with $127 Million to Reinvent Cloud Infrastructure Backup - coming out of stealth AFTER raising Seed, Series A, and Series B? Definitely not your typical situation. Last time I saw something like this, it was a Cloudflare/Fastly competitor, and didn't end well.
- Introducing Resolve AI - $35M Seed round, led by Greylock
- [Gearing up for Success: Fueling Harmonic’s Journey with New Series A Funding] (https://www.harmonic.security/blog-posts/gearing-up-for-success-fueling-harmonics-journey-with-new-series-a-funding?_bhlid=7fb1b4fd22917c25952b9eb3d97bc4e1198dafd3) ($17.5M)
- Apono Secures $15.5M Series A Funding to Revolutionize Cloud Access Security
- reAlpha Invests in Xmore AI to Advance AI-Powered Cybersecurity Solutions - another odd one. A real estate tech company investing in a AI-powered SOC automation company? Definitely not your usual investment.
- News Release: DHS S&T Awards Contracts to Four Startups to Develop Privacy-Enhancing Synthetic Data Generation Capabilities - we haven't seen privacy engineering in a while, super interesting!
- 2. ACQUISITIONS: Dragos Acquires Network Perception, Delivers the Industry’s Most Comprehensive Visibility of OT Environments
- 3. ACQUISITIONS: Prevalent Acquired by Mitratech: A New Era for TPRM
- 4. REPORTS: Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
- 5. PRODUCT REVIEWS: Security Hub gives me imposter syndrome – Chris Farris
- 6. ESSAYS: Secure-by-Design vs. Secure-by-Default: What’s the Difference?
- 7. ESSAYS: The three-body problem of SaaS security – Nudge Security
- 8. THREATS: perfctl: A Stealthy Malware Targeting Millions of Linux Servers
- 9. HOT TAKES: The Myth of Security Market Consolidation: Counter Drivers
