Discovering a common Salesforce mistake launched this security professional’s career – Aaron Costello – ESW #379
Aaron was already a skilled bug hunter and working at HackerOne as a triage analyst at the time. What he discovered can't even be described as a software bug or a vulnerability. This type of finding has probably resulted in more security incidents and breaches than any other category: the unintentional misconfiguration.
There's a lot of conversation right now about the grey space around 'shared responsibility'. In our news segment later, we'll also be discussing the difference between secure design and secure defaults. The recent incidents revolving around Snowflake customers getting compromised via credential stuffing attacks are a great example of this. Open AWS S3 buckets are probably the best-known example of this problem. At what point is the service provider responsible for customer mistakes? When 80% of customers are making expensive, critical mistakes? Doesn't the service provider have a responsibility to protect its customers (even if it's from themselves)?
These are the kinds of issues that led to Aaron getting his current job as Chief of SaaS Security Research at AppOmni, and also led to him recently finding another common misconfiguration - this time in ServiceNow's products. Finally, we'll discuss the value of a good bug report, and how it can be a killer addition to your resume if you're interested in this kind of work!
Segment Resources:
- Aaron's blog about the ServiceNow data exposure.
- The ServiceNow blog, thanking AppOmni for its support in uncovering the issue.
Guest
Aaron Costello is a renowned trailblazer in the field of SaaS security. At AppOmni (https://appomni.com/), he leads groundbreaking initiatives to fortify cloud landscapes against emerging threats, and empowers organizations to navigate the intricate challenges of securing cloud-based platforms. Widely recognized for his invaluable contributions to public security research, Aaron has recently shone a spotlight on the intricacies of SaaS security within Salesforce and ServiceNow. Through meticulous analysis and a commitment to transparency, he has unveiled vulnerabilities, shared crucial insights, and played a pivotal role in shaping best practices within these key platforms. Outside of his role at AppOmni, Aaron is a sought-after speaker, and a vocal advocate for both open source software and the advancement of cybersecurity education for young individuals.