Another great Black Hat is over, and there was no shortage of sessions and exciting topics around Application Security (AppSec) to absorb. If you were lucky enough to stop by the Invicti booth, you might have seen our special machines that guests could scan and repair for prizes. You might even have seen a presentation by Invicti’s distinguished architect, Dan Murphy – and if you haven’t, we’ve got a recap below. We hope you had a chance to say hello and chat with us about all things AppSec!
Just like last year, we could see recurring themes coming to the surface. Notably, much has been said about cyber warfare, the human element of AppSec, and the dire need for modernization if we are to keep pace with the bad guys. As threat actors increase the pace of their attacks and cyber warfare becomes the new weapon of choice in geopolitics, there’s never been a more critical time to keep your security program running like a well-oiled DevSecOps machine.
Improve security posture in the digital battlefield
With cybersecurity directives and executive orders emanating from the Biden administration, government agencies are beginning to make serious changes to their security efforts. Cybersecurity becoming a staple of modern warfare was certainly a hot topic at Black Hat and beyond. In fact, in a recent Forbes Technology Council article, Invicti Product Manager Sonali Shah outlined the dangers and caveats of cyber warfare. “Cyber warfare has completely changed the battlefield,” she noted. “It’s cheaper to execute and harder to assign than physical warfare. Cyberwar is leveling the playing field.”
Black Hat participants agreed that in this new normal, cyber warfare, disinformation, and politics go hand in hand. This makes good cybersecurity practices in government essential, not only to modernize security tools but also to implement zero-trust concepts that reduce the exposure of sensitive data. Identity and access management plays a critical role here, and David Treece, director of solutions architecture at Yubico, held a session on why phishing-resistant multi-factor authentication (MFA) mandates are coming from the government. Organizations with legacy MFA systems and processes are easier to attack, and government agencies that don’t take these mandates seriously are at great risk.
Highlighting that cyber warfare is very real, Senior Threat Researchers Juan Andres Guerrero-Saade and Tom Hegel of SentinelOne discussed the cyber warfare that unfolds every day in the conflict between Russia and Ukraine. Since the start of 2022, Ukraine has been under intense malware attacks, many of which specifically target satellite modems and other critical infrastructure. Given that similar attacks were relatively rare before the war, it is worrying that such threats are on the rise, especially since cyberattacks can so easily go global.
Keeping the human element at the forefront of AppSec
There’s no getting around it: you simply can’t remove human expertise from the AppSec equation. While automation and integrations can (and should) remove much of the manual work around security, especially in an effective DevSecOps process, in the end nothing automatically replaces thought, intuition, and good judgement. At the same time, the pressures cybersecurity professionals face are increasing daily, putting ever more strain on the human element of AppSec.
We know that the cybersecurity skills gap contributes to unnecessary risk and even burnout. Adam Shostack, President of Shostack & Associates, moderated a session (A fully trained Jedi, you are not) that shed light on AppSec training and how to better prepare developers to deal with security issues. It’s a problem the industry has been facing for some time, with more than 4 million unfilled cybersecurity jobs only compounding it. Shostack explained how the cost and time of developer security training can increase pressure within the organization. His suggested solution is a structured, compassionate approach to learning that complements the security tools DevSecOps professionals rely on every day, relieving some of that pressure.
In a related session, Kyle Tobener, Vice President and Head of Security and IT at Copado, emphasized the need for compassion and empathy when addressing the human element as a security risk. In his session, Reducing Risk: A Framework for Effective and Compassionate Safety Advice, Tobener explained how cybersecurity professionals can apply risk reduction and why a compassionate approach can be more effective than prohibitive rules. High-risk behaviors like clicking links in phishing emails will happen regardless of how many security protocols you have in place, simply because humans are involved. Programs that focus on abstinence-based safety advice may actually increase risk, so it is essential to provide thoughtful advice that considers a range of possible entry points.
Tackling risk reduction and security debt with Invicti
Invicti CPO Sonali Shah took the stage for a session on Trends and Best Practices in AppSec, leading a discussion on how serious the situation is for many organizations. Web applications and APIs continue to present major risks (did you know that two out of five breaches come from a web application?) and organizations are struggling to cope with the pressures of integrating security into the development process.
During her session, Shah outlined the top five AppSec risks every organization should have on their radar, along with best practices for improving your security posture. Key takeaways: organizations should focus on implementing comprehensive coverage by continuously scanning applications in development and in production, maximizing automation, building security into CI/CD pipelines, and opting for precision-based tools to reduce wasted time.
Shah also participated in a session with Ean Meyer, Associate Director of Security Testing and Assurance at Marriott Vacations Worldwide, where they discussed security debt and how organizations can turn it into a more positive business experience. Meyer and Shah explained that the cost of doing nothing about persistent security debt can outweigh the price of implementing any level of application security.
Later, organizations may find that they are spending more time and money resolving issues resulting from accumulated security debt than they would have spent implementing a robust AppSec program in the first place. To start paying off that debt, it’s important to define the current security posture, triage issues, integrate and automate ongoing security testing, and then make incremental improvements over time to avoid introducing new debt as more apps are rolled out.
The battle is on to fix RCE in the wild
A resounding success in several sessions at our booth, Invicti Architect Emeritus Dan Murphy presented on the rise of Remote Code Execution (RCE) and how you can strengthen your defenses to protect against these attacks. Murphy pointed out that RCE cases jumped 18% year-over-year. Because RCE is a direct impact vulnerability that can lead to further attacks if left unchecked, even a single RCE weakness in a production environment puts the organization at risk of total system compromise.
While RCE isn’t a new problem in the world of software development, it causes big headaches (remember Log4Shell?) that lead to costly migraines. If left unpatched, code execution vulnerabilities are a ticking time bomb in your systems, and it’s only a matter of time before an attacker triggers it. But we know from our Log4Shell analytics data that there is a strong correlation between the frequency of security testing and the time it takes to fix code execution vulnerabilities. It’s especially important, Murphy noted, to include dynamic application security testing (DAST) in regular scans to probe your applications with realistic attack payloads and quickly show which systems are most vulnerable to code execution attacks.
Didn’t get a chance to see us at Black Hat? Don’t worry, we have a recap video for you:
And it’s a wrap! See you next year at the Black Hat conference!
The post Black Hat 2022: From Cyberwarfare to the Rise of RCE appeared first on Invicti.
*** This is a syndicated blog from Invicti’s Security Bloggers Network written by Meaghan McBee. Read the original post at: https://www.invicti.com/blog/web-security/black-hat-2022-recap/