Modernizing AppSec – Melinda Marks – ASW #307
1. Modernizing AppSec – Melinda Marks – ASW #307
In this week's interview, Melinda Marks joins us to discuss her latest research. Her recent report, Modernizing Application Security to Scale for Cloud-Native Development, delves into many aspects and trends affecting AppSec as it matures, particularly in cloud-first organizations.
We also discuss the fuzzy line between "cloud-native" AppSec and everything else that refuses to disappear, particularly for organizations that weren't born cloud-native and still have legacy workloads to worry about.
Integrating security into the SDLC and CI/CD pipelines, infrastructure as code (IaC) trends, best of breed vs platform, and other aspects of AppSec get discussed as well!
Guest
Melinda Marks is the cybersecurity practice director at Enterprise Strategy Group, a leading IT analyst, strategy, and research firm, where she leads the cybersecurity analyst team and drives new research to provide insight on key cybersecurity topics and trends. Her coverage area includes cloud-native application protection platforms, cloud workload protection, cloud security posture management, DevSecOps, and application security, including web application security testing (SAST, DAST, IAST, SCA) and API security. She has over 20 years of experience in tech marketing and strategy. Most recently, she was chief marketing and strategy officer for Soluble, a startup focused on automating application security testing for developers (acquired by Lacework). She was also VP of Marketing at Armorblox, VP of Marketing at Styra, and head of marketing for StackRox (acquired by Red Hat). Her experience includes running competitive/market intelligence and product marketing teams at Tenable and running global communications for four years at Qualys. She also has a background in infrastructure from working at VMware, where she ran their original customer reference program, and later ran US PR.
2. Typosquatting NPM, vulnerability analysis, and AI challenges – ASW #307
This week, in the Application Security News, we spend a lot of time on some recent vulnerabilities. We take this opportunity to talk about how to determine whether or not a vulnerability is worth a critical response.
Can AI fully automate DevSecOps Governance? Adrian has his reservations, but JLK is bullish.
Is it bad that 70% of DevSecOps professionals don't know if code is AI generated or not?
All that and more on this week's news segment.
- 1. What happens to Linux when Linus Torvalds dies?
The answer to the question isn't terribly dramatic, but it's still a good question to consider. Most of the tech in our hands every day, and the tech that makes it possible to access and use the Internet, were invented by folks that are still alive today.
Will their legacy be to serve as bar trivia questions, or will it be more substantial? Will there be a Linus Torvalds AI bot, trained on his hundreds of thousands of emails, posts, and pull request comments? I'm predicting no - not unless we learn how to make LLMs properly sassy. They just refuse to be mean or negative in any way today.
- 2. Max-Critical Cisco Bug Enables Command-Injection Attacks
I love a good chance to evaluate the risk of vulnerabilities. It often isn't clear until you dig into the vulnerability details. What's the access vector? What does the exploit do? What level of privilege would the attacker gain?
In this case, it sounds really bad - wireless access points with a CVSS 10 vulnerability! The access vector is network, attack complexity is low, no authentication required. Sounds like an urgent one, right?
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
But then, why is the EPSS score 0.04? Probably because exploiting the vulnerability requires access to the access point's web management console, which isn't going to be available outside the network.
So that means you need to be on the inside to hack them. But if you're on the internal network already, you have no need to hack them.
Many vulnerabilities have this paradoxical effect. A vulnerability looks terrifying until you take a closer look and realize that no attacker would ever leverage it, because it doesn't make sense from the attacker's perspective.
- 3. 6 Infotainment Bugs Allow Mazdas to Be Hacked With USBs
This is another area where, as the article's author points out several times, vulns haven't typically been exploited in the wild. Like, ever. Diving into the details again tells us why: it requires physical access to the car and the ability to turn it on. If you have those two things, you can steal the car; you don't really have a need for exploits on a USB key (maybe if cars had a USB port accessible on the outside of the car?).
It's a useful thought exercise though - are there legit attack scenarios with cars that could start getting hit at scale? Nearly all modern cars have some connectivity to the public Internet, and we've seen hacks via the Internet, mobile apps, or APIs in the past. It seems like a fleet of cars would be a great potential ransomware attack. A fleet of semi trucks belonging to a long haul shipping carrier? Amazon's Rivian delivery trucks? All Ford 150s?
- 4. 70 percent of DevSecOps professionals can’t identify AI source code origins
"Almost 70 percent of DevSecOps professionals can't detect AI source code origins, creating massive security risks, according to a new report"
Is it really though? Who cares where the code comes from - it has to go through the same gauntlet of quality, functional, and security testing, right?
The source report is here
- 5. AI Will Soon Automate DevSecOps Governance – DevOps.com
what year is it.gif
- 6. Dookie Demastered
Hilarious. I'm only sad it's all gone and I didn't get a chance to grab a Welcome to Paradise Gameboy cartridge!
- 1. Stop me if you heard this before: Malicious npm packages target Roblox devs
Socket Security researchers discovered five malicious npm packages deploying malware to steal credentials and other data through typosquatting (such as node-dll, which I'm guessing is attempting to spoof dll for dynamically linked lists). It looks like the packages were "only" downloaded 320 times before removal.
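Typosquatting works because a near-miss name slips past a human reading a dependency list. A cheap defensive check is to compare every requested package name against the names you already trust and flag anything within a small edit distance. The example below is added here and is not from Socket's research; the trusted list, the candidate names and the package.json fragment are all constructed for illustration.

```python
"""Flag dependency names that look like typosquats of packages you already trust.

Added example, not from the Socket Security write-up. The trusted list,
candidate names and package.json text below are constructed.
"""
import json


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Collapse case and separators so 'node_dll' and 'node-dll' compare equal."""
    return name.lower().replace("_", "-").replace(".", "-")


def dependency_names(package_json_text: str) -> list:
    """Collect package names from the dependency sections of a package.json."""
    data = json.loads(package_json_text)
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(data.get(section, {}).keys())
    return names


def find_typosquat_candidates(requested, trusted, max_distance=2):
    """Return (requested_name, trusted_name, distance) for every requested name
    that is close to, but not identical to, a trusted package name."""
    hits = []
    trusted_norm = {normalize(t): t for t in trusted}
    for name in requested:
        n = normalize(name)
        if n in trusted_norm:
            continue  # exact match: this is the trusted package itself
        for tn, original in trusted_norm.items():
            d = levenshtein(n, tn)
            if 0 < d <= max_distance:
                hits.append((name, original, d))
    return hits


# Constructed sample input: an allowlist of packages the team already vets,
# and a package.json with two near-miss names mixed in.
TRUSTED = ["lodash", "express", "react", "axios"]
SAMPLE_PACKAGE_JSON = """{
  "name": "sample-app",
  "dependencies": {"lodahs": "^4.0.0", "express": "^4.18.0", "react": "^18.0.0"},
  "devDependencies": {"axois": "^1.0.0"}
}"""


if __name__ == "__main__":
    for name, trusted, dist in find_typosquat_candidates(
            dependency_names(SAMPLE_PACKAGE_JSON), TRUSTED):
        print(f"{name!r} is {dist} edit(s) from trusted {trusted!r}; review before install")
```

Run this against a lockfile or package.json in CI and fail the build on any hit; keep max_distance small (1 or 2), because very short trusted names produce false positives at larger distances, and treat a hit as "review this", not proof of malice.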
- 2. Palo Alto gives early warning to secure management interfaces
In a refreshing change, a software vendor tells customers to secure the management interfaces to their PANW devices. While they don't know all the details yet, they've gotten word of an RCE vulnerability being exploited in the wild, and are trying to help customers stay safe.
And the linked web page on how to secure the management interface looks decent, too.