The direction of security in 2023: Insights from the ground at RSA

In this special edition episode, we tracked down a few of the key thought leaders in cyber security around the RSA conference to ask them what they thought were the biggest security concerns for 2023 as well as some key recommendations for organizations to combat them. Their insights were fascinating.

Video Transcript

Hello everyone, and welcome to this special edition episode of The Security Repo. You'll notice that we're coming out to you on a Friday and not a Monday, but don't worry, we do have a regular episode coming out on Monday. This one's going to be with Jason Haddix, and you do not want to miss it; it's awesome. But in this episode we're coming out on the heels of RSA, and I'm going to share with you some of the key takeaways from that conference.

I'm wearing my favorite RSA shirt, which is the Miss Korean's field hacking manual shirt. If you're just listening to me, you're going to have to imagine what it's like: it's black, it has green images and text, and it's awesome. If you want some cool hacking merch, you can go to shopmissgreens.com. But surprisingly, there was more to RSA than just swag.

If you've been to RSA, you'll know it's a very intense few days: some of the best talks of the year, and an expo hall that can only be described as death by vendor. But one of the important things about conferences like RSA, and later on in the year Black Hat, is that we get to position ourselves in the latest trends in the industry. Where are the weaknesses in security as a whole right now, and what can we do to plug them? Where is the technology heading, and what latest innovations can we see?

I'm happy to say that in and around RSA there are a lot of events: smaller conferences, networking opportunities and dinners. In these events I managed to track down some of the key thought leaders in this space: people building technology, experts and practitioners in the field, and of course people that are giving the talks and workshops. I asked a lot of them two simple questions: one, what is the biggest security threat we're facing in 2023, and two, what can we do to solve it? Some of the answers that I got, well, weren't that simple, but I want to share a few of my favorites with you in this episode.

First up is Feross Aboukhadijeh. Now, Feross is someone that I've admired for a long time; I was fortunate enough to do a webinar with him last year. Feross is the founder and CEO of Socket. While I usually avoid plugging vendors, Socket is really a fantastic company. They're changing the way SCA, software composition analysis, works, by not just waiting for areas of malicious activity to be reported but by investigating it automatically, programmatically, and blocking malicious packages before they happen. I asked Feross what we can expect from 2023 and what we can do to prevent it, and here are his answers.

I think it has to be the supply chain. Obviously I have some interest in saying this, but supply chain's been in the news for a reason. I think people are waking up to the fact that their applications depend on hundreds or thousands of individuals and organizations around the world. In the case of open source, we build our apps on the shoulders of giants; we depend on hundreds or thousands of open source packages, and this is great, but with it there's some risk that comes with that approach. That means that if you have one bad apple, one maintainer that loses control of their package or goes rogue, or a package that gets hijacked, that can affect thousands of organizations. So I think supply chain has to be the thing; it's something that everybody's taking a look at right now, for a good reason.

I also asked Feross what were some recommendations to combat these risks.

The first, most important thing is to realize that open source security is about more than vulnerabilities. So expand your thinking beyond known vulnerabilities and take a broader, more holistic look at how you secure your open source. That should include threats like malware, threats like protestware, other types of supply chain attacks, compromised packages, obfuscated code. You really have to think about why you trust these open source packages. So the first thing is the mindset shift. The second thing I would say is introduce a process around how you bring open source dependencies into your organization. I've spoken to just far too many teams and organizations where basically any developer can just add a dependency if they feel like it. So I think that if you change the way you think about that and you introduce some sort of check or analysis, obviously Socket can help you with that, that's a great tip. And then finally, I think stay vigilant and just keep your mind aware of all the different sources of threats that there are out there, and stay curious.

Feross wasn't the first or the only or the last person to bring up supply chain security in my interviews, but one person that had a counter to that was Steve Giguere from Prisma Cloud.

I think the biggest risk... I don't want to be cliché about this, because everyone's probably saying supply chain, supply chain, supply chain. It's the hottest risk at the moment; I'm not sure it's necessarily the biggest risk. I think just sometimes getting the basics right is the biggest risk, and we're talking about just the implementation of basic misconfigurations in infrastructure as code, and just getting the basics of understanding and triaging the sea of vulnerabilities that is involved in prioritizing those. That is kind of fundamental at the moment. Yes, it does all connect to supply chain, because if everybody does that then everything upstream and downstream is affected by it. So I think if we maybe abstract away from supply chain and get more specific, that's where I would start. If I were to give a few tips, I'm going to be biased: I'm going to move people towards our open source that I work on, which is called Checkov. Checkov looks for misconfigurations in open source; it also looks for exposed secrets, which I'm sure you're very familiar with; and it also looks for vulnerabilities in referenced images in infrastructure as code. So if you've got a Kubernetes manifest or Terraform or a GitHub workflow that actually mentions an image, those kind of fly under the radar a little bit, so it will look at vulnerabilities in the infrastructure that is perhaps releasing or building your code, as opposed to the images that are used specifically in your application. I think that those would be the three things that could fall under one umbrella.

Another person that had an interesting and different take on these topics is Joseph Carson. If you're familiar with the security space, you're probably familiar with Joseph: he puts out some great content, is a regular speaker at events, and is a host of the 401 Access Denied podcast, so make sure you check that out as well. In his day job, though, Joe is the chief security scientist at Delinea and an advisory CISO, and here's what he had to say about the biggest threats that we're facing in 2023.

That's a great question. Well, there's many risks out there. I think that in 2023, I believe that ransomware will still continue to be one of the biggest threats and risks for many organizations. Even though it did decline slightly in 2022, it is still a major risk, ultimately because if you do become a victim it has a big impact in the business and it has a business impact. Another risk that is also going to continue is around identity and credential compromise. That's something that I do believe will continue, but of course it is one of the attack path techniques rather than a risk by itself; it will always have some type of additional risk, whether that's deploying malware or data theft or ransomware. So I think for organizations that's going to be something that they'll tackle and look to try to mitigate as much as possible.

I also asked Joe to give a few recommendations to try and combat some of these risks.

Absolutely. I mean, for all organizations they might be slightly different, because not every business is the same, and ultimately it will come down to this: one of the most primary things you can do is doing a risk assessment for your business, knowing what the high-risk assets are, knowing about the applications and the data, and ultimately how technology helps your business be successful. The better you understand the business side of things and how technology, let's say, empowers it, the more you can actually address it in the right way to mitigate that risk. So know your business, know the technology, know the services, and ultimately understand the impact of each of those. That's one of the first important things. The second part is then ultimately get into the access. We all talk about zero trust, but ultimately I believe that we need to go beyond zero trust to get to zero-friction security. Zero friction is really where we actually empower users to be, let's say, part of the security culture in a business. So make sure that you actually go and understand how you make security usable. That's also the next part: making sure that users understand what are, let's say, the right things to do in regards to gaining access, how to mitigate, how to choose better and smarter passwords. The third part is ultimately to understand the business outcomes. You won't be able to get the budget you need to actually make these changes without showing how you actually apply it to the business and how the business can become successful. So we need to become almost translators of technology and cyber risks into business innovations and business enablement. So ultimately that's one of the things that I believe that organizations can do: one is know what the risks are, two is get the people involved to make security usable, and the third part is ultimately making sure you can actually measure it in a way that actually helps the business be successful, because that's ultimately how you would get the budget in order to put the right mitigation controls in place.

Now, I'm sure everyone's used to people that work for particular vendors or have a certain interest in a topic that is the area of their expertise and therefore that's where they're most focused. So I wanted to bring someone into the conversation that had a completely different perspective, and that was Tony Lore. I met Tony at BSides, which is a conference that surrounds RSA, where they were doing workshops on a cyber security card game which looked at the principles and steps of the cyber kill chain. Tony is someone that has a long history working for multiple different security organizations, inside product, but was actually here just to be part of the community. So I was curious what someone completely neutral, that understands the ins and outs of security and the threats that we're facing, thought were the biggest challenges of 2023. Here's what they said.

I would say it's finding all the potential places where vulnerabilities could be. At this point we're using so many different microservices, we're using so many different infrastructure-as-code services, etc., and I think one of the biggest issues that we face is really finding all the places where vulnerabilities could exist, monitoring them continuously, and enforcing actions on those vulnerabilities as they're found or potentially discovered.

And here's what Tony gave us as recommendations about combating some of those risks.

I would say, for one, don't bite off more than you can chew. There's nothing wrong with using a managed service or a managed Kubernetes cluster, for example, if your organization doesn't have the resources to not just build but support it out there. There's nothing wrong with that; we've pivoted to microservices-based architecture for a reason. Beyond that, ensure that you are able to not just monitor your services but act upon any vulnerabilities that are found in a timely manner. And I would say the third tip I would give is prioritize effectively, so you're not hitting your developers with potential vulnerabilities. If you're going to alert your developers, make sure that the alerts they get are important; otherwise you're just training them to ignore alerts.

There's still one voice that we haven't heard from yet in this podcast, and that's the voice of the people doing the hacking and what they think. I was fortunate enough to track down, at a party, so excuse the noise, Joshua Kamdjou, who's the CEO and founder of Sublime Security. But before Sublime, Josh had 10 years of experience in offensive security, so I asked him the same questions from the attacker's point of view: what he thinks we really need to look out for in the coming years.

One of the biggest risks in 2023: getting compromised via phishing attacks, email attacks. Generally, it's one of the number one initial access vectors for attackers to break into companies. It's been that way for a long time, and it still is.

And here are the recommendations he gave about combating those risks.

Number one, multi-factor authentication on everything. As much as you can, put MFA everywhere. That's going to mitigate a large portion, if not all, particularly if you're using hardware keys, of credential phishing attacks. So attackers are sending emails to try and steal your creds: use a hardware token, use multi-factor authentication. Second tip, invest in educating users. And third, deploy an email security tool to help your team respond to evolving threats and better close the attack surface on email.

I'm going to be honest with everyone: when I started doing these interviews and putting it together, I really was hoping that I'd come up with a great set of people that were talking really about the same thing. In the end I decided not to go with 10 interviews telling you that supply chain, email security or ransomware is really the most important thing, because ultimately it's all really important. One of the biggest takeaways for me from all the conversations that I had is that we're still not getting the basics right. We're still allowing malicious packages into our supply chain, our employees are still falling victim to phishing campaigns, ransomware is still making it into our systems through the same old well-trodden paths that it always has. So the biggest takeaway from RSA, amongst all the talk of artificial intelligence, the four talks I attended on quantum encryption, the talks of the supercomputers, the cyborg hackers and everything else, the biggest takeaway for me was this: it's time for us to truly focus on the basics. That's where the attackers are getting the most amount of traction, and before we focus on all the shiny new tools we need to ensure that our house is clean, we have good education for our employees, and all of our basics covered. Then, and only then, should we worry about the shiny new thing that's coming around the corner, which the quantum AI cyborg hackers are deciding to use.

That's it for this episode. I hope you enjoyed this special edition. We're going to be doing more content about what we discovered at RSA, including what are the special shiny new packages in technology that are coming your way, so make sure you stay tuned and check it out. What were your favorite takeaways from RSA? Let me know in the comments, if you're listening to this on a place that allows comments. Just a reminder that on Monday we have our regular episode coming out, this time with Jason Haddix, who's a CISO at BuddoBot and a former CISO at Ubisoft. We're going to be talking about all of his hacking adventures and what to look out for from the hacker's perspective. It's going to be a really fun episode, so make sure you stay tuned for that one. Until then, see you next time.